SCN: Online Personal Privacy Act
Steve
steve at advocate.net
Sat Apr 27 09:06:16 PDT 2002
==================
(Chris Wenham, Salon) -- Outrage surged through users of the
KaZaA file-sharing utility when they learned, early in April, that a
new breed of spyware had been installed on their computers.

KaZaA, probably the most popular heir to Napster's throne, was
already well known for coming bundled with a wide variety of
parasite programs that serve up advertisements, track Web-surfing
activity, and otherwise cause mischief. But the newest arrival
topped anything seen before in scope or ambition.

A company called Brilliant Digital had surreptitiously installed
software in computers running KaZaA. Once activated, the
software would set up a distributed computing network, allowing
Brilliant to hijack the resources of thousands of personal
computers to serve the needs of its own customers. Brilliant's plan
is to use the computer processing power generated by the network
to serve technologically advanced advertisements and track how
users react to those ads.

As the newest assault on Internet privacy, Brilliant's plan pressed
hard on an online hot button. Indeed, the tracking of personal data
riles enough people that a new bill that purports to protect online
privacy was introduced in Congress just last week. As the bill --
sponsored by Sen. Ernest "Fritz" Hollings, D-S.C., and titled the
Online Personal Privacy Act (S. 2201) -- notes, consumers fear
there's too little privacy online and too much sharing of sensitive
personal information among the business elite. Up to a third of
them have been submitting bogus data about themselves in an
attempt to protect their privacy, and "tens of billions of dollars in
e-commerce" have been lost due to privacy fears, the bill warns.

But Hollings' bill should outrage Internet users just as much as
Brilliant Digital's spyware. For while it talks a good game about
protecting "sensitive" information, the truth is that it would place a
congressional stamp of approval on precisely the kinds of
practices that purveyors of spyware are eager to engage in.

The fact that Hollings is behind this bill should be the first clue
about the real agenda it serves. Hollings is also a sponsor of the
Consumer Broadband and Digital Television Promotion Act
(CBDTPA, formerly known as the SSSCA), a bill that requires all
new computers and other digital information devices to come with
copy protection software and/or hardware installed on them. It
would also outlaw any effort to reverse-engineer or disable any
copy-protection format -- a measure that some observers believe
will cripple software development -- particularly in the open-source
and free-software communities.

CBDTPA is ostensibly based on the premise that consumers won't
sign up for broadband ISP access until Hollywood puts its content
online, and Hollywood won't do that until it's sure its intellectual
property will be safe. But the bill isn't really about the "promotion"
of broadband at all. Hollings is one of the Senate's largest
recipients of entertainment industry campaign contributions, and
the bill is squarely aimed at protecting that industry's interests.

Likewise with the Online Personal Privacy Act. It is masquerading
as pro-consumer when in fact it is pro-business. The new
legislation is similar to laws passed in Europe that divide your
personal information into two types. The first is "sensitive"
information, such as your financial and medical history, race,
lifestyle, religion, political affiliation, and sex life. The second is
"nonsensitive" information, and that will include your name,
address, and records of anything you buy or surf on the Internet.
Under the act, business can't collect or divulge the sensitive bits
without your express consent, but anything classified as
nonsensitive can be freely collected and sold at will.

But the nonsensitive clause is a huge gaping loophole through
which business will ride roughshod. Never mind that part about
"sensitive" information being forbidden. Most things that
businesses want to know about us can be inferred just by
examining the things we buy, read and click on. If they can put that
information together with our names, which the bill allows, then any
concept of "privacy" protection is rendered meaningless. The
Online Personal Privacy Act legitimizes the kind of intrusive
spyware program activity that is currently proliferating.

It's no secret, of course, that your lifestyle can be inferred just by
examining the things you buy, read and click on. Humans are noisy
beasts; we leave a staggering number of clues to our vices, ills
and perversions in everything we touch. In a database geek's
lexicon, our habits are not normalized -- they contain excessively
redundant information, so if you hide one fact it can still be
deduced by the imprint it makes on the rest.

No part of a lifestyle can be completely hidden if one wants to
participate in modern society. The dietary laws of many religions
will show up on supermarket receipts. Religious migratory habits
will be obvious, too -- from the haj of a Muslim to the conspicuous
18- to 24-month absence of a Mormon on a mission. Your money
problems could be discovered by an analysis of your austerity,
your age group by the perfume you buy, or your sexual orientation
by the brands you're loyal to.

And yet, despite this abundance of accidental data, businesses
have always had difficulty collecting enough to make it useful. Bar
code scanners in supermarkets aren't sufficient because they
capture only a fragment of a consumer's activity. Marketers have
also encountered obstacles assembling the resources necessary
to process all that information. And up until recently, they've been
limited mostly to targeting statistical clumps of people, rather than
actual individuals.

But the advances in technology symbolized by spyware from
companies such as Brilliant Design promise to solve the technical
problems while the Hollings bill ensures that such practices are
legal.

Spyware programs use a variety of technologies. Setting "cookies"
on your hard drive identifies you to particular Web sites, and "Web
bugs" -- invisible image files on Web pages -- in conjunction with
cookies help track movement through the Web. They make the
problem of collecting data and associating it with a unique entity
easy. The next step is getting your name, which can be done as
soon as you make an impulsive click to buy something from a site
that is sharing information with the spyware loaded on your
computer.

This kind of individualized tracking used to be impossible,
especially for print media, where the latency, or time lag, between
an ad placement and its response was too long and the results too
generalized. Today, however, the individually targeted,
latency-free abilities of modern spyware make it easy to automate on a
massive scale. They get to work the instant you begin surfing
bugged Web pages, identifying you by an anonymous number at
first until you finally blunder into any of the million opportunities --
such as ordering a product online -- that tie your number and all its
cataloged kinks to a name.

It's true that most companies practicing these data-gathering
techniques have long since responded to consumer backlash and
provided an opt-out mechanism for users. Opting out will either
suspend their data collection activities on you, or withdraw your
name from the lists they share with other companies. But with
hundreds of such databases currently in existence, how does one
hunt down the instructions for opting out of so many and still
maintain a social life?

The problem of finding the sheer computer horsepower necessary
to manipulate captured data may also soon be a thing of the past.
This detective work is not easy for silicon to do: Neural nets,
classification trees, rule inductions, genetic algorithms and other
methods all take their toll on processor power, which means
somebody's got to pony up the megahertz to do it. But if Brilliant
Digital is any indication, that somebody will soon be you.

Brilliant Digital's new generation of spyware has been inspired by
distributed computing projects such as SETI@Home, but it has the
ethics of a cuckoo bird. The parasite, hidden within a
harmless-looking 3-D viewer called b3d, piggybacks on KaZaA and installs
itself with minimal notification. It's so subtle that most of the KaZaA
network's users weren't aware they had it until recently; the only
hint of what Brilliant's program would be doing was buried within a
5,000-word license of the kind that most anxious users skip past in
a hurry. Yet once installed, the parasite runs constantly in the
background of your computer's consciousness, soaking up any
CPU cycles and disk space that you don't happen to be using
yourself, and turning them over to do the work of Brilliant's
customers through a private network called Altnet.

Brilliant claims on its Web site that Altnet will be used only to
render video and 3-D animation for media-rich advertisements, but
it doesn't really matter if they've shanghaied your computer to draw
the next Cap'n Crunch commercial or calculate the probability that
you're a transvestite: Altnet, and the parasites that will follow in its
footsteps, still provide the opportunity for a business to annex your
resources to liberate their own, so they can run more important
programs: programs that may just untie your whole intimate
biography.

With the logistics solved, all that's left is the legitimacy and a kick
in the pants for consumer motivation. Again, it's Hollings to the
rescue, giving marketers, credit analysts, insurance companies,
employers and all the others everything they need, as though it
were written out on a shopping list.

Hiding behind aggressive wording that makes it seem as if it'll be
safe to go back online are two giveaway exceptions in the bill's
text. The first is the allowance of "cookies or other tracking
technology" to gather the data that Hollings considers to be
"nonsensitive" -- such as your browsing and shopping habits. This
would include the entire range of spyware now in the wild,
constraining them only with the feeble requirement to provide
"robust notice" of their activity, like the robust notice you'll find if
you have the strength and the legal wit to get through KaZaA's
5,000-word license.

The second is that any inferred knowledge won't be considered
"personally identifiable" and will therefore be protected under law,
leaving data-mining experts with the freedom to continue mapping
your psyche with their robot cartographers and sharing the results
with their partners. With names and e-mail addresses
conspicuously missing from the act's definition of "sensitive"
information, Hollings' idea of classifying the levels of your privacy
is like trying to cut hot custard pudding in half.

In one swoop, Hollings not only makes it possible for businesses to
accelerate into this brave new world of automated lifestyle
profiling, but also fools consumers into a false sense of security
that'll have them buying more, and more often. Perhaps you don't
care if the credit card company knows what ills you suffer from, or
if Amazon has twigged to the kinks you practice in the bedroom.
Maybe you're comfortable with being lost in a crowd of millions of
Internet surfers, enjoying the same kind of anonymity an ant enjoys
in his hive. But did you click on that suggestive banner ad out of
random curiosity or because they gotcha?

Copyright 2002 Salon.com