SCN: Online Personal Privacy Act

Steve steve at advocate.net
Sat Apr 27 09:06:16 PDT 2002


x-no-archive: yes

==================


(Chris Wenham, Salon)---Outrage surged through users of the 
KaZaA file-sharing utility when they learned, early in April, that a 
new breed of spyware had been installed on their computers. 
KaZaA, probably the most popular heir to Napster's throne, was 
already well known for coming bundled with a wide variety of 
parasite programs that serve up advertisements, track Web-surfing 
activity, and otherwise cause mischief. But the newest arrival 
topped anything seen before in scope or ambition.   

A company called Brilliant Digital had surreptitiously installed 
software in computers running KaZaA. Once activated, the 
software would set up a distributed computing network, allowing 
Brilliant to hijack the resources of thousands of personal 
computers to serve the needs of its own customers. Brilliant's plan 
is to use the computer processing power generated by the network 
to serve technologically advanced advertisements and track how 
users react to those ads.   

As the newest assault on Internet privacy, Brilliant's plan pressed 
hard on an online hot button. Indeed, the tracking of personal data 
riles enough people that a new bill that purports to protect online 
privacy was introduced in Congress just last week. As the bill -- 
sponsored by Sen. Ernest "Fritz" Hollings, D-S.C., and titled the 
Online Personal Privacy Act (S. 2201) -- notes, consumers fear 
there's too little privacy online and too much sharing of sensitive 
personal information among the business elite. Up to a third of 
them have been submitting bogus data about themselves in an 
attempt to protect their privacy, and "tens of billions of dollars in 
e-commerce" have been lost due to privacy fears, the bill warns.   

But Hollings' bill should outrage Internet users just as much as 
Brilliant Digital's spyware. For while it talks a good game about 
protecting "sensitive" information, the truth is that it would place a 
congressional stamp of approval on precisely the kinds of 
practices that purveyors of spyware are eager to engage in.   

The fact that Hollings is behind this bill should be the first clue 
about the real agenda it serves. Hollings is also a sponsor of the 
Consumer Broadband and Digital Television Promotion Act 
(CBDTPA, formerly known as the SSSCA), a bill that requires all 
new computers and other digital information devices to come with 
copy protection software and/or hardware installed on them. It 
would also outlaw any effort to reverse-engineer or disable any 
copy-protection format -- a measure that some observers believe 
will cripple software development -- particularly in the open-source 
and free-software communities. 

CBDTPA is ostensibly based on the premise that consumers won't 
sign up for broadband ISP access until Hollywood puts its content 
online, and Hollywood won't do that until it's sure its intellectual 
property will be safe. But the bill isn't really about the "promotion" 
of broadband at all. Hollings is one of the Senate's largest 
recipients of entertainment industry campaign contributions, and 
the bill is squarely aimed at protecting that industry's interests.   

Likewise with the Online Personal Privacy Act. It is masquerading 
as pro-consumer when in fact it is pro-business. The new 
legislation is similar to laws passed in Europe that divide your 
personal information into two types. The first is "sensitive" 
information, such as your financial and medical history, race, 
lifestyle, religion, political affiliation, and sex life. The second is 
"nonsensitive" information, which will include your name, 
address, and records of anything you buy or surf on the Internet. 
Under the act, business can't collect or divulge the sensitive bits 
without your express consent, but anything classified as 
nonsensitive can be freely collected and sold at will.   

But the nonsensitive clause is a huge gaping loophole through 
which business will ride roughshod. Never mind that part about 
"sensitive" information being forbidden. Most things that 
businesses want to know about us can be inferred just by 
examining the things we buy, read and click on. If they can put that 
information together with our names, which the bill allows, then any 
concept of "privacy" protection is rendered meaningless. The 
Online Personal Privacy Act legitimizes the kind of intrusive 
spyware program activity that is currently proliferating.   

It's no secret, of course, that your lifestyle can be inferred just by 
examining the things you buy, read and click on. Humans are noisy 
beasts; we leave a staggering number of clues to our vices, ills 
and perversions in everything we touch. In a database geek's 
lexicon, our habits are not normalized -- they contain excessively 
redundant information, so if you hide one fact it can still be 
deduced by the imprint it makes on the rest.   

No part of a lifestyle can be completely hidden if one wants to 
participate in modern society. The dietary laws of many religions 
will show up on supermarket receipts. Religious migratory habits 
will be obvious, too -- from the haj of a Muslim to the conspicuous 
18- to 24-month absence of a Mormon on a mission. Your money 
problems could be discovered by an analysis of your austerity, 
your age group by the perfume you buy, or your sexual orientation 
by the brands you're loyal to.   

And yet, despite this abundance of accidental data, businesses 
have always had difficulty collecting enough to make it useful. Bar 
code scanners in supermarkets aren't sufficient because they 
capture only a fragment of a consumer's activity. Marketers have 
also encountered obstacles assembling the resources necessary 
to process all that information. And up until recently, they've been 
limited mostly to targeting statistical clumps of people, rather than 
actual individuals.   

But the advances in technology symbolized by spyware from 
companies such as Brilliant Digital promise to solve the technical 
problems while the Hollings bill ensures that such practices are 
legal.   

Spyware programs use a variety of technologies. Setting "cookies" 
on your hard drive identifies you to particular Web sites, and "Web 
bugs" -- invisible image files on Web pages -- in conjunction with 
cookies help track movement through the Web. They make the 
problem of collecting data and associating it with a unique entity 
easy. The next step is getting your name, which can be done as 
soon as you make an impulsive click to buy something from a site 
that is sharing information with the spyware loaded on your 
computer.   

This kind of individualized tracking used to be impossible, 
especially for print media, where the latency, or time lag, between 
an ad placement and its response was too long and the results too 
generalized. Today, however, the individually targeted, 
latency-free abilities of modern spyware make it easy to automate on a 
massive scale. They get to work the instant you begin surfing 
bugged Web pages, identifying you by an anonymous number at 
first until you finally blunder into any of the million opportunities -- 
such as ordering a product online -- that tie your number and all its 
cataloged kinks to a name.   

It's true that most companies practicing these data-gathering 
techniques have long since responded to consumer backlash and 
provided an opt-out mechanism for users. Opting out will either 
suspend their data collection activities on you, or withdraw your 
name from the lists they share with other companies. But with 
hundreds of such databases currently in existence, how does one 
hunt down the instructions for opting out of so many and still 
maintain a social life?   

The problem of finding the sheer computer horsepower necessary 
to manipulate captured data may also soon be a thing of the past. 
This detective work is not easy for silicon to do: Neural nets, 
classification trees, rule inductions, genetic algorithms and other 
methods all take their toll on processor power, which means 
somebody's got to pony up the megahertz to do it. But if Brilliant 
Digital is any indication, that somebody will soon be you.   

Brilliant Digital's new generation of spyware has been inspired by 
distributed computing projects such as SETI@home, but it has the 
ethics of a cuckoo bird. The parasite, hidden within a 
harmless-looking 3-D viewer called b3d, piggybacks on KaZaA and installs 
itself with minimal notification. It's so subtle that most of the KaZaA 
network's users weren't aware they had it until recently; the only 
hint of what Brilliant's program would be doing was buried within a 
5,000-word license of the kind that most anxious users skip past in 
a hurry. Yet once installed, the parasite runs constantly in the 
background of your computer's consciousness, soaking up any 
CPU cycles and disk space that you don't happen to be using 
yourself, and turning them over to do the work of Brilliant's 
customers through a private network called Altnet.   

Brilliant claims on its Web site that Altnet will be used only to 
render video and 3-D animation for media-rich advertisements, but 
it doesn't really matter if they've shanghaied your computer to draw 
the next Cap'n Crunch commercial or calculate the probability that 
you're a transvestite: Altnet, and the parasites that will follow in its 
footsteps, still provide the opportunity for a business to annex your 
resources to liberate their own, so they can run more important 
programs: programs that may just untie your whole intimate 
biography.   

With the logistics solved, all that's left is the legitimacy and a kick 
in the pants for consumer motivation. Again, it's Hollings to the 
rescue, giving marketers, credit analysts, insurance companies, 
employers and all the others everything they need, as though it 
were written out on a shopping list.   

Hiding behind aggressive wording that makes it seem as if it'll be 
safe to go back online are two giveaway exceptions in the bill's 
text. The first is the allowance of "cookies or other tracking 
technology" to gather the data that Hollings considers to be 
"nonsensitive" -- such as your browsing and shopping habits. This 
would include the entire range of spyware now in the wild, 
constraining them only with the feeble requirement to provide 
"robust notice" of their activity, like the robust notice you'll find if 
you have the strength and the legal wit to get through KaZaA's 
5,000-word license.   

The second is that any inferred knowledge won't be considered 
"personally identifiable" and will therefore be protected under law, 
leaving data-mining experts with the freedom to continue mapping 
your psyche with their robot cartographers and sharing the results 
with their partners. With names and e-mail addresses 
conspicuously missing from the act's definition of "sensitive" 
information, Hollings' idea of classifying the levels of your privacy 
is like trying to cut hot custard pudding in half.   

In one swoop, Hollings not only makes it possible for businesses to 
accelerate into this brave new world of automated lifestyle 
profiling, but also fools consumers into a false sense of security 
that'll have them buying more, and more often. Perhaps you don't 
care if the credit card company knows what ills you suffer from, or 
if Amazon has twigged to the kinks you practice in the bedroom. 
Maybe you're comfortable with being lost in a crowd of millions of 
Internet surfers, enjoying the same kind of anonymity an ant enjoys 
in his hive. But did you click on that suggestive banner ad out of 
random curiosity or because they gotcha?   


Copyright 2002 Salon.com
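
Added example, not part of the Salon article or the original post: a Python sketch of how a reader could spot the "Web bugs" the article describes (invisible image files served by a third party) in a saved page. The page URL, hostnames and HTML are constructed samples, and comparing only the last two hostname labels to decide "same site" is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def _is_tiny(value):
    # Width/height of 0 or 1 pixel is the classic invisible-image size.
    return (value or "").strip().lower().replace("px", "") in ("0", "1")

def _same_site(host_a, host_b):
    # Assumption: compare the last two DNS labels (no public-suffix list).
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]

class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))
        host = urlparse(src).hostname or ""
        style = a.get("style", "").replace(" ", "").lower()
        tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
        hidden = "display:none" in style or "visibility:hidden" in style
        third_party = bool(host) and not _same_site(host, self.page_host)
        if (tiny or hidden) and third_party:
            # A query string often carries the per-visitor identifier.
            self.findings.append({"src": src, "host": host,
                                  "has_query": bool(urlparse(src).query)})

def find_web_bugs(html, page_url):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (hostnames are placeholders).
SAMPLE_URL = "http://shop.example/catalog"
SAMPLE_HTML = """
<img src="/img/logo.gif" width="120" height="40">
<img src="http://static.shop.example/spacer.gif" width="1" height="1">
<img src="http://ads.tracker.example/pixel.gif?id=12345" width="1" height="1">
<img src="http://metrics.example.net/b.gif" style="display: none">
"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, SAMPLE_URL):
        print(bug)
```

The first-party logo and spacer are ignored; only the tiny or hidden images fetched from another site are reported.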




