Attack of the Web Snoop
By Seth Ross
Most civilized people agree that privacy is a fundamental human
right. Every individual has the right to be left alone, to be secure
in his or her personal life, and to freely surf and communicate
over the Internet without having to worry about leaking private
information to untrusted and possibly hostile parties.
Sadly, the fundamental right to privacy is under withering assault
on the Internet. Through a combination of greed and ignorance, the
Internet - one of our civilization's greatest inventions - is now
being deployed as the greatest privacy-destroying technology ever.
You may think you're alone in your thoughts as you surf the web.
But as Deep Throat says on the X-Files, "There's always someone
watching, Mr. Mulder."
The Internet is eliminating personal privacy as corporate web
sites track and profile visitors, maintain cookie "dossiers", and
correlate visitor identities and interests with third-party marketing
databases. This is offensive, because you are what you browse.
Unknown third parties are observing the web pages you view, the
searches you make, and the things you buy. In general, they're getting
inside your head. It's just as if someone analyzed every book you
read or movie you watched - only more cross-referenced and precise.
Do you think I'm being alarmist? Over-the-top? The list of sites
that have been caught destroying Internet user privacy is long and
growing. Consider the following recent news items (many of them
sparked by Internet consultant Richard M. Smith):
- Last month, DoubleClick was skewered in the press for planning
to correlate visitors to the 2500 sites in its ad network to large
off-line consumer databases. The furor was such that the company
to back off, at least for now. Smith has posted an interesting
explanation of how
banner ad network tracking works.
- Leading medical sites have been dinged for selling highly sensitive
information about their visitors. Last month, an
investigative report by a healthcare trade group found that
visitors to health-related web sites are not anonymous, even if
they think they are, and personal information shared with these
sites is highly vulnerable.
- Last month, H&R
Block's online tax filing service exposed some customers'
sensitive financial records to other customers.
- Last October, Smith disclosed that the RealJukeBox player software
sending off information to RealNetworks about users' music-listening
habits, along with a unique player ID number that can reveal user
identity. The company quietly changed
- Amazon.com subsidiary Alexa
was caught sucking up personal information back in December.
Anyone browsing the web faces a severe threat model, one far worse
than the Distributed Denial of Service attacks covered in the past
two issues. You have to assume that all your travels on the web
are recorded and stored in one or more databases. You have to assume
that personal information - from your name and address to the things
you buy - is captured and linked to those databases. Assume that
your boss/spouse/parents/insurer/credit card company will gain access
to this information about you. Assume that your credit card company
and the credit bureaus will know when you surf to a bankruptcy or
credit repair site. Be prepared for credit rejections based on your
browsing habits. Assume that your health insurance company will
know when you surf to a medical site and look up a disease or health
condition that you're concerned about. Be prepared for higher insurance
rates based on your browsing habits.
All major sites post privacy policies full of high-minded language
about privacy that boil down to a harsh truth: We can do whatever
we want with our information on you, including the most personal
financial and health-related information.
Take Yahoo! for example. Here's an excerpt from its policy:
Yahoo! may disclose or access account information when
we believe in good faith that the law requires it and for administrative
and other purposes that we deem necessary to maintain, service,
and improve our products and services.
Note the weasel language about "other purposes we deem necessary".
Essentially, Yahoo! can disclose your personal information whenever
and however it sees fit.
for Microsoft's Passport system:
Microsoft Web sites will disclose Personal Information
if required to do so by law or in the good-faith belief that such
action is necessary to (a) conform to the edicts of the law or comply
with legal process served on Microsoft or the site; (b) protect
and defend the rights or property of Microsoft, this Web site, or
participating Web sites; and, (c) act under exigent circumstances
to protect the personal safety of users of Microsoft, this Web site,
or the public.
Note the company's problematic language about defending its rights.
Judging from the company's extensive legal problems, Microsoft has
a very broad view of its rights.
These and many other major sites also bear seals from "trust"
organizations like TRUSTe. While these seals are designed to improve
consumer confidence, they in fact are meaningless. According to
When you see our TRUSTe seal, you can be assured that
the Web site will disclose:
Note that there's absolutely no stipulation that TRUSTe sites actually
preserve privacy. While there is a requirement for notification, privacy
policies are full of legal obfuscations and escape clauses, as noted
above. Most of the privacy violators cited above are TRUSTe members.
Despite several well-publicized breaches, not one TRUSTe seal has
been revoked. Beware of anyone who strips you of a fundamental right
while claiming to defend it.
- What personal information is being gathered about you
- How the information will be used
- Who the information will be shared with, if anyone
- Choices available to you regarding how collected information
- Safeguards in place to protect your information from loss,
misuse, or alteration
- How you can update or correct inaccuracies in your information.