Chapter 8. The Web’s War on Your Privacy

You watch the Web, and the Web watches you. With a few notable exceptions, every time you look at a page on the World Wide Web, somewhere there is a computer that makes note of this fact. Visit a web site designed for parents of small children, then visit another site that is devoted to consumer electronics, and somewhere a computer slowly builds a profile of your interests. Take a few minutes to “register” for an account with your email address, and you’ll soon start receiving a stream of emails in your inbox hawking “special offers.”

As the Web has created unprecedented opportunities for consumers, it has also created heretofore unimaginable possibilities for marketers, sales organizations, hucksters, tricksters, and outright criminals. A marketing company that puts a billboard up by a highway is content knowing how many cars per day drive by its sign. That same company putting a banner advertisement up on a popular web site would like to know far more information about the people seeing its message—where they live, whether they get their Internet access from a business or through a university, what other web sites the person has visited, and sometimes, even their email addresses. It can be exceedingly difficult to determine the effectiveness of billboards and magazine advertisements. Web advertisements, by contrast, can be metered, examined, and analyzed. All of this power comes at a price to individual privacy, because detailed statistics require more detailed data collection.

The underlying technology of the Internet and the Web was designed to transfer information, not protect the privacy of people who use that information. There are now a whole host of web technologies that make it possible for web sites and third-party services to collect information on web users.

This chapter introduces the broad issue of privacy on the Web and the growing privacy threats. In Chapter 9 we’ll describe some straightforward approaches that you can use to protect your privacy. Then in Chapter 10 we’ll take a look at some additional software that you can run on your computer to further protect your privacy while enjoying the benefits of the Internet and the Web.

Understanding Privacy

As with most big concepts, people have different definitions for the word privacy. The Merriam-Webster dictionary dates the word privacy back to the 15th century and defines it as “the quality or state of being apart from company or observation” and “freedom from unauthorized intrusion.”[98]

The Tort of Privacy

In a famous 1890 article in the Harvard Law Review,[99] Samuel Warren and Louis Brandeis argued that there should be a right to privacy, and that right should “protect those persons with whose affairs the community has no legitimate concern, from being dragged into an undesirable and undesired publicity” and “protect all persons, whatsoever their position or station, from having matters which they may properly prefer to keep private, made public against their will.”

Interestingly, Warren and Brandeis wrote that “truth of the matter published does not afford a defense.” They held that a person’s privacy is violated by a portrayal of that person’s private life whether the portrayal is accurate or inaccurate. Finally, they wrote that: “The absence of ‘malice’ in the publisher does not afford a defense. Personal ill-will is not an ingredient of the offense, any more than in an ordinary case of trespass to person or to property.” Over the past 110 years, the privacy violations described in the Warren/Brandeis paper have been reduced to four torts in American law:

Privacy intrusion

For example, intruding into a person’s private sphere.

Disclosure of private facts

For example, the publication of private information about an individual for which the public has no compelling interest to have this information known.

Portrayal of information in false light

For example, publishing lurid details of a person’s private life that aren’t actually true, or information that is strictly true but easily misinterpreted. This tort is similar to defamation, but it is not the same: works that do not defame can nevertheless portray a subject in false light. The false light tort is most common in works that fictionalize real people.

Appropriation

For example, using a person’s name or likeness for a commercial purpose without that person’s permission.

The Harvard Law Review article was the basis for much legislation and litigation in the following years. But despite their vision, Warren and Brandeis didn’t create a framework that extended to the computer age, where personal information for millions is now routinely collected, tabulated, indexed, used, and sold. Although similar to the tort of appropriation, the intrusions we face in the computer age have a distinctly different flavor.

In 1967, Columbia University professor Alan Westin created a new definition for privacy that seemed more appropriate to the computer age. Westin defined the term informational privacy as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”[100]

All of these types of privacy come into play on the Web today. Stalkers, spammers, and nosy family members routinely intrude into our mailboxes. Gossips and buggy programs alike distribute private facts beyond their intended audience. Some web sites will appropriate the names of their subscribers and use this information in marketing. Distributing information about a demographic, and then saying that a particular user is a member of that demographic may constitute false light. But the largest number of violations of personal privacy on the Web today fall into Westin’s characterization of informational privacy—that is, many individuals have lost the ability to control how and to what extent information about them is communicated to marketing firms, government agencies, and nosy neighbors in the world’s electronic village.

Personal, Private, and Personally Identifiable Information

The first thing that’s apparent when you start to pick apart Westin’s definition of informational privacy is that there are many different kinds of “information” the definition can be applied to. The word “information” in Westin’s definition could apply to a person’s name, and it would certainly apply to a piece of paper that had a person’s name, his Social Security number, and the list of web sites that the person had visited over the past month. But what if that piece of paper showed only the list of web sites and the first three digits of the person’s Social Security number—would that piece of paper be considered personal information?

To deal with questions like this, academics have subdivided the term “information” into many different subcategories. A few of them are:

Personal information

Information about a person. Your name, your date of birth, the school you attended, and the names of your parents are all personal information.

Private information

Personal information that is not generally known. Some kinds of private information are protected by law. For example, in the United States education records are considered private and cannot be released without the permission of the individual (or the individual’s parent or guardian, in the case of a minor). Bank records are protected by law, although banks are allowed to sell the names and addresses of their customers for marketing purposes.

Most people have a large amount of information that they consider private but that is not protected under the law. For example, you might consider the name of the first person that you kissed to be private. Other information should be treated as private, even though it is widely available. For example, most people regard their Social Security numbers as private, even though they are available in many databases. This ambiguity arises in part because private is not a synonym for secret or confidential.

Whether or not a particular piece of information is private frequently depends on the context. For example, if your name is in a telephone directory, that information is not private. But if that directory is on the computer of an individual who is engaged in illegal activity, you might wish to keep the fact that your name is in his address book extremely private.

Personally identifiable information

Information from which a person’s name or identity can be derived. Some personally identifiable information is obvious, such as a person’s name or an account number. Some personal information, such as your shoe size, is not generally identifiable.

Anonymized information

The reverse of personally identifiable information. This is personal or private information that has been modified in some way so that identities of the individuals from whom the information was collected can no longer be discerned.

Aggregate information

Statistical information combined from many individuals to form a single record. One of the best examples of aggregate information is the statistics on census tracts that are released by the U.S. Census Bureau. According to the Bureau, “Census tracts usually have between 2,500 and 8,000 persons and, when first delineated, are designed to be homogeneous with respect to population characteristics, economic status, and living conditions. Census tracts do not cross county boundaries. The spatial size of census tracts varies widely depending on the density of settlement. Census tract boundaries are delineated with the intention of being maintained over a long time so that statistical comparisons can be made from census to census.”[101]

In practice, these categories of personal information are far more fluid than it may seem at first. Often, aggregate information and anonymized information can be combined to identify and reveal particular characteristics of an individual. This process is called triangulation. For example, if you have a class with ten students, and you know that nine of the students are men and one of the students is pregnant, you know with some certainty which student in the class is pregnant. If you have a list of the names of the individuals in the class, you probably know the name of the woman who is pregnant, because most names are strongly identified with a particular gender.

Many Internet users are surprised how easy it is to determine identity from the seemingly anonymous information they provide to web sites. For example, some web sites require that a person register with a name and address, while other web sites require only a Zip code and birthday. Yet for many people in the United States, there are only ten or so people who live in the same Zip code and share the same birthday. Consider:

Number of individuals in the U.S. = approximately 284,000,000 (as of April 2001)

Number of birthdays in the U.S. = 365.25

Number of individuals in the U.S. with each birthday = 284,000,000 / 365.25 = approximately 777,549[102]

Number of Zip codes in the U.S. = approximately 100,000

Number of individuals in each Zip code with the same birthday = 777,549 / 100,000 = approximately 8 people

Thus, a web site that asks a visitor for a birthday, a Zip code, and an age is actually asking its visitors for personally identifiable information, even though it appears to be only asking for aggregate information. If that web site is hooked into the credit files of a company such as Equifax or Experian, the web site might, in turn, have access to information that the visitor considers personal and private, but that is, in fact, quite public and frequently shared among business partners.
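The calculation above can be turned into a check that a site operator runs over a data set before sharing it. The following Python is an added example, not code from this book: the records are constructed, the function names are hypothetical, and the figure of about 80 distinct ages is an assumption. It counts how many records share each combination of fields and lists the records that are unique, and so identifiable.

```python
from collections import Counter

# Constructed sample records (not real people): fields a registration form
# might collect without ever asking for a name.
RECORDS = [
    {"zip": "02139", "birthday": "03-14", "age": 34},
    {"zip": "02139", "birthday": "03-14", "age": 34},
    {"zip": "02139", "birthday": "03-14", "age": 51},
    {"zip": "02139", "birthday": "07-02", "age": 34},
    {"zip": "02139", "birthday": "07-02", "age": 34},
    {"zip": "94110", "birthday": "03-14", "age": 34},
    {"zip": "94110", "birthday": "03-14", "age": 29},
    {"zip": "94110", "birthday": "03-14", "age": 29},
]

def group_sizes(records, fields):
    """Count how many records share each combination of values in `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def smallest_group(records, fields):
    """Size of the smallest group (the 'k' of k-anonymity); 1 means someone is unique."""
    return min(group_sizes(records, fields).values())

def unique_records(records, fields):
    """Records that are the only member of their group, i.e. identifiable."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]

def expected_group_size(population, *distinct_values):
    """The chapter's even-distribution estimate: population divided by the
    number of possible combinations of the requested fields."""
    size = float(population)
    for n in distinct_values:
        size /= n
    return size

if __name__ == "__main__":
    for fields in (("zip",), ("zip", "birthday"), ("zip", "birthday", "age")):
        print(fields, "smallest group:", smallest_group(RECORDS, fields),
              "unique:", len(unique_records(RECORDS, fields)))
    # Chapter's figures: 284,000,000 people, 365.25 birthdays, 100,000 Zip codes.
    print(expected_group_size(284_000_000, 365.25, 100_000))
    # Assumption (not from the chapter): about 80 distinct ages in the population.
    print(expected_group_size(284_000_000, 365.25, 100_000, 80))
```

In the sample, Zip code and birthday together still leave every visitor in a group of at least two, but adding age leaves two visitors alone in their groups. Under the same even-distribution assumption the chapter uses, adding age to the estimate drops the expected group size below one person.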



[99] Samuel Warren and Louis Brandeis, “The Right of Privacy,” Harvard Law Review 4 (1890), 193. It’s at http://www.lawrence.edu/fac/boardmaw/Privacy_brand_warr2.html. The right to privacy is not without limit. Warren and Brandeis made clear exceptions for the distribution and publication of court records. They also wrote that the right to privacy ceases once facts about an individual are published by that person or with his consent.

[100] Westin, Alan. Privacy and Freedom, Atheneum Press, Boston, 1967.

[102] This example assumes an even distribution of birthdays throughout the year and people throughout Zip codes, which is a simplification, but not a very big one.
