Link title
How Data Gathering on the Internet Compromises (Your) Privacy
The Internet Ate My Privacy!
We decided to narrow the scope to the internet and privacy concerns regarding data collection via the internet.
Based on our discussion, my thought is that we should have an initial position on the subject, i.e. internet data collection violates certain privacy rights. If we start from a position supporting a large zone of individual privacy, internet data collection is likely to cross into the zone and violate an individual's notion of privacy. Why? The collection of data about an individual's surfing habits may allow a third person to create a profile about a person. However, such process requires many assumptions and a subjective interpretation of data. As Ryan pointed out, data collection is preferable in some instances to create an enhanced experience (i.e. Amazon suggesting other titles consistent with a person's prior browsing). However, profiling can certainly be incorrect and used by third parties in a negative fashion (the government, insurance companies, credit bureaus, etc.). Once we assume that internet data collection impacts privacy, the paper flows as orginally planned - Do current laws (here and abroad) adequately protect individuals from internet privacy concerns? What tech devises are used to collect data on the internet and how do they work (spyware, etc.)? What non-legislative solutions are possible to limit internet data collection with respect to privacy? What legal solutions are possible - legislative efforts, constitutional amendments?
While other subtopics will focus on defense, this subtopic will focus on how privacy comes under attack through the Internet. It will cover the technical means by which privacy is or could be compromised on the Internet. This will include a discussion of: Cookies Data mining (as enhanced by the internet) Increased opportunities for deception Sneaky tricks (scams, hustles, duping, phishing, and some of the myriad other ways to dupe people into handing over the keys) Ease of data gathering Government "spyware," with emphasis on the post-9/11 era Technological failings -- shortfalls in IE and other internet software Summary of the Notification/Opt-in (etc.) process that is the ideal
A. Notification/Consent/Opt-In/Retribution, etc. B. Threats to privacy/new opportunities for invasion 1. Data Mining 2. Cookies 3. Spyware 4. Government "spyware," with emphasis on the post-9/11 era C. Shortfalls and problems because of current privacy law D. Technological failings -- shortfalls in IE and other internet software E. Sneaky ways around current laws: scams, tricks
We need an explicit goal. The data gathering capabilities available through the Internet impact a person’s privacy. This paper examines exactly how this happens, what you can (currently) do about it, relevant current law, and provides several pertinent recommendations about what to do next.
A cookie is a small text file placed on a user’s computer when the user accesses a particular website. Its primary purpose is to store small amounts of data relevant to the website. It can also be used to collect information about the person using the website (the host of the cookie). There are different types of cookies: permanent cookies remain on a user’s computer for varying lengths of time, ranging from hours to years. Session cookies expire when the user exits the browser. These are often used for making a shopping cart or counting the number of unique visitors to a site. Can be placed on a computer without a user’s knowledge, such as when a particular type of banner [?] appears on a website. A cookie is a small text file placed on a consumer’s computer hard drive by a Web server. The cookie transmits information back to the server that placed it and, in general, can be read only by that server. For more information on cookies, see, e.g., <http://www.cookiecentral.com
“Web bugs” are also known as “clear GIFs” or “1-by-1 GIFs.” Web bugs are tiny graphic image files embedded in a Web page, generally the same color as the background on which they are displayed which are invisible to the naked eye. The Web bug sends back to its home server (which can belong to the host site, a network advertiser or some other third party): the IP (Internet Protocol) address of the computer that downloaded the page on which the bug appears; the URL (Uniform Resource Locator) of the page on which the Web bug appears; the URL of the Web bug image; the time the page containing the Web bug was viewed; the type of browser that fetched the Web bug; and the identification number of any cookie on the consumer’s computer previously placed by that server. Web bugs can be detected only by looking at the source code of a Web page and searching in the code for 1-by-1 IMG tags that load images from a server different than the rest of the Web page. At least one expert claims that, in addition to disclosing who visits the particular Web page or reads the particular email in which the bug has been placed, in some circumstances, Web bugs can also be used to place a cookie on a computer or to synchronize a particular email address with a cookie identification number, making an otherwise anonymous profile personally identifiable. See generally Comments of Richard M. Smith; see also Big Browser is Watching You!, CONSUMER REPORTS, May 2000, at 46; USA Today, A new wrinkle in surfing the Net: Dot-coms’ mighty dotsize bugs track your every move, Mar. 21, 2000 (available at <http://www.usatoday.com/life/cyber/tech/cth582.htm>).
The FTC’s Four Fair Information Practices:
Notice
Choice
Access
Security
(Enforcement) – the 5th horseman of the privacy apocalypse.
Spyware -- software that collects information about the use of the computer and periodically relays that information back to a collection center. Alternatively, also refers to software that can record a person’s keystrokes and make it available to another party.
Profile-based advertising, aka online profiling. I like this sentence from SB3: In the online world, every consumer inquiry about a product and every ad viewing may quickly become incorporated into a detailed profile that will remain hidden from the consumer. How exactly is this done?
How Online Profiling Works Reference [6] provides an excellent anecdotal illustration of how online profiling works. In technical terms, the process is as follows: 1. When the user first enters a site, the browser automatically sends some information to the server so that the site can communicate with the user’s computer. Information such as browser type, browser version, hardware version, operating system, and the language used by the computer, as well as the computer’s IP address. 2. The server responds by sending back appropriate HTML code for the requested page. A user may get a different layout when requesting a web page from a wireless PDA versus a desktop PC, for example. 3. Embedded in the HTML code that the user receives is an invisible link to the online profiling site. The browser automatically sends (gets triggered) another HTTP request which his browser type and operating system; the language(s) accepted by the browser; the address of the referring Web page 4. Based on this information, the online profiler places a banner ad in the space at the top of the page. The ad will appear as an integral part of the page. 5. The online profiler can now place a cookie with a unique ID number on the user’s computer, if there isn’t one there already. 6. As the user moves around between web sites serviced by the online profiler (network advertiser), the network advertiser can build a profile of the user. Each time the user visits a new site or clicks a link serviced by the particular advertiser, more information gets transmitted, which helps to build the detailed profile.
The most consistent and significant concern expressed about profiling is that it is conducted without consumers’ knowledge.35 The presence and identity of a network advertiser on a particular site, the placement of a cookie on the consumer’s computer, the tracking of the consumer’s movements, and the targeting of ads are simply invisible in most cases.
Anonymity and privacy on the Internet. As one of the commenters put it, current profiling practices “undermine[] individuals’ expectations of privacy by fundamentally changing the Web experience from one where consumers can browse and seek out information anonymously, to one where an individual’s every move is recorded.”34
Data correlation/Data gathering
Phishing, the latest in the long line of Internet fraud schemes, tricks E-mail recipients into providing their private financial and password information to a site posing as a trusted site. A phishing incident typically starts with an E-mail purportedly delivered from a site you trust with your financial information--your online bank, credit-card companies, mortgage companies, ISPs, and large E-commerce sites. The latest form of phishing starts with a crisis of some type to get your attention. The E-mail announces a security breach, or a problem with your account. The senders also give you a short deadline and try to frighten you enough to respond without thinking too carefully. Perhaps your account will be terminated if you don't respond quickly, or they threaten financial losses or a security breach, or that you won't be able to buy through that account anymore. The phishing E-mail typically contain the logos of the site being spoofed, and often contain legitimate links to that site, with one or two exceptions. Those exceptions link you to a rogue site (or even a hacked section of the legitimate site) where you are asked to sign in (login and password) and in many cases to provide updated account information, Social Security numbers, names, addresses, and even mother's maiden name. Once that information is collected, the phishers sell it or use it themselves to empty your bank account, charge items to your existing credit cards or new credit cards applied for in your name, and even blackmail you. Thereafter, it becomes a typical identity-theft scheme and travels the normal distribution channels to criminals on and of
Definitions: consumer data demographic data “psychographic”data advertising networks cookie phishing web-bug
References 1. Surfer Beware III: Privacy Policies without Privacy Protection. http://www.epic.org/reports/surfer-beware3.html 2. For a spoof of a look at how databases can be used to correlate information: http://www.aclu.org/pizza/. This is relevant because its both humorous and an example of how you could tie vast bits of information together. 3. A look at online advertising from a marketer’s perspective. http://www.claria.com/advertise/oas_archive/contextual_advertising.html?pub=imedia_module 4. Phishing Vulnerabilities In Microsoft's Internet Explorer, Plus A New Server-Access Ploy Jan. 26, 2004 http://www.informationweek.com/story/showArticle.jhtml?articleID=17500195 5. Immunity from the Pop-up Plague: http://www.businessweek.com/technology/content/sep2003/tc20030912_0013_tc073.htm 6. Online Profiling: A Report to Congress: http://www.ftc.gov/os/2000/06/onlineprofilingreportjune2000.pdf 7. Privacy Online: Fair Information Practices in the Electronic Marketplace (May 2000), http://www.ftc.gov/ reports/privacy2000/privacy2000.pdf 8. Online Profiling: A Report to Congress Part 2 Recommendations http://www.ftc.gov/os/2000/07/onlineprofiling.htm
