ARTS & FARCES internet

Consider the following events from the first quarter of 1999 as evidence that the weasels are continuing apace, without regard for data privacy rights:

• Intel shipped its latest microprocessor with an embedded serial number that can be used to uniquely identify a computer. When confronted by privacy and consumer activists, Intel refused to remove the number but agreed to provide software that would hide the number. Within a day programmers demonstrated that what software could turn off, other software could turn back on.
• Sun announced technology to interconnect disparate electronic devices by assigning an identification number to each device.
• Microsoft was found to be including identifying numbers in documents created with its office productivity software and operating systems without the knowledge or control of the user.
• Microsoft acknowledged it collected unique identification numbers during the registration process of its Windows 98 operating system software and shared that identification number with its Web sites.
• TRUSTe issued a statement of finding that Microsoft’s actions did not violate the TRUSTe license agreement because the personal information was not collected on the microsoft.com Web site. Microsoft is one of TRUSTe’s largest financial supporters.
• Microsoft and TRUSTe jointly announced a “Privacy Wizard” designed to help Web sites adhere to user requests with regard to personal data.
• Colorado, Florida, and South Carolina sold driver’s license information.
• The U.S. Secret Service underwrote the development efforts of a private company to create a national database of driver’s license photographs.
• Federal regulators announced they were abandoning the controversial “Know Your Customer” program that would expand bank surveillance of consumers. Privacy and consumer advocates were outraged because banks are already required to monitor “suspicious” banking activities. According to the American Bankers Association survey, more than 88 percent of American banks were already geared up for the “Know Your Customer” program.
• Raytheon claimed that its employees were divulging company secrets and obtained subpoenas forcing Yahoo to reveal the identities of anonymous users of its online forum.
• A computer vendor announced it would supply a free Internet connection and computer to anyone who filled out a consumer profile and agreed to accept constant advertising based on that profile.

During the first few months of 1999, the framework of the argument over data privacy has subtly morphed from the context of protecting individual privacy to the level of technical difficulty inherent in denying access to the data collecting weasels.

Computer and telecommunications industry experts are starting to acknowledge, quietly, that it may indeed be impossible to protect individual privacy while simultaneously allowing information to flow between interconnected devices. As the defining characteristics of computers and telecommunications devices continue to converge, most experts agree that identification information will be necessary for any device to attach to the network.

“Judge Brandeis’s definition of privacy was ‘the right to be left alone,’ not the right to operate in absolute secrecy,” Paul Saffo of Menlo Park, California’s Institute for the Future told the New York Times’ John Markoff in early March 1999.

Privacy and consumer advocates, on the other hand, worry about the trend of all-inclusive and pervasive surveillance networks allowing individual behavior online to be tracked. Security can be easily separated from identity through the use of strong, non-escrowed, public-key cryptography, they argue.

Meanwhile the weasels have started to apply pressure to support their cause. In mid-March 1999, fifteen graduate students from Georgetown University’s McDonough School of Business conducted a survey of the privacy policies of several hundred randomly selected Web sites. The findings of the survey will be used in a Federal Trade Commission (FTC) report to Congress on consumer privacy protection laws.

Critics question the validity of the survey because it is funded by industry groups who have actively resisted any form of government regulation of data privacy, including the Direct Marketing Association. Industry groups like the Direct Marketing Association have successfully blocked privacy legislation in the past, claiming it would restrict their business activities.

At the same time, the weasels are fighting with the U.S. Commerce Department over the agency’s proposed guidelines for complying with European Union (EU) privacy laws that went into effect in October 1998. Large American companies like America Online and Disney say they will not endorse the guidelines until they can ascertain how much it will cost to implement and how it will be enforced. The companies are also concerned that it not be used as model legislation in the United States.

The EU’s Data Protection Directive prohibits the transmission of personal data to any country without regulations that provide adequate data protection. Central to the EU’s directive is the assumption that information collected for one purpose may not be used for any other purpose without the informed consent of the person about whom the information was collected. U.S. privacy policies do not meet the EU standards.

The weasels are winning. It is as clear as a weasel’s sharp teeth that industry self-regulation has failed. The urgent need is clear for government regulation assuring data privacy in compliance with the EU Data Protection Directive.