Massive Tracking of Web Users Planned -- Via ISPs!
From: PFIR - People For Internet Responsibility <pfir@pfir.org>
Date: Thu, 20 Apr 2000 19:14:02 -0700 (PDT)
[: hacktivism :]
Greetings. Since I felt that the topic of today's PRIVACY Forum
Digest might be of significant interest to the readers of this list,
I have included today's Digest below. My apologies to anyone who might
receive duplicate copies via other venues.
--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
----------------------------------
PRIVACY Forum Digest Thursday, 20 April 2000 Volume 09 : Issue 13
(http://www.vortex.com/privacy/priv.09.13)
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
Cable & Wireless USA, Cisco Systems, Inc.,
and Telos Systems.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
CONTENTS
Massive Tracking of Web Users Planned -- Via ISPs!
(Lauren Weinstein; PRIVACY Forum Moderator)
VOLUME 09, ISSUE 13
Quote for the day:
"Have marshmallows got pits?"
-- Shemp (Shemp Howard)
"All Gummed Up" (Columbia; 1947)
----------------------------------------------------------------------
Date: Thu, 20 Apr 2000 18:04:08 -0700 (PDT)
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Massive Tracking of Web Users Planned -- Via ISPs!
Greetings.
This is not a delayed April Fools' Day joke. It's all too real,
and I assume that you're already sitting down.
Picture a world where information about your every move on the Web,
including the sites that you visit, the keywords that you enter into search
engines, and so on, are all shipped off to a third party, with the willing
cooperation of your Internet Service Provider (ISP). None of those pesky
cookies to disable, no outside Web sites to put on block lists--just a direct
flow of data from your ISP to the unseen folks with the dollar signs (or
pound, yen, euro, or whatever signs) gleaming brightly in their eyes behind
the scenes. You'll of course be told that your information is "anonymous"
and that you can trust everyone involved, that you'll derive immense benefits
from such tracking, and that you have an (at least theoretical) opt-in or
opt-out choice.
But just for some frosting on the cake, also picture that if you avail
yourself of the opportunity not to participate in such tracking (via opt-out
or opt-in choices), that you either cannot use the associated ISPs at all, or
will be faced with paying significantly higher fees than persons who are
willing to play along with tracking.
As you have no doubt guessed by now, this is not a theoretical scenario.
We're on the verge of starting down the slippery slope to this end right
now, with the imminent operations of Predictive Networks
(http://www.predictivenetworks.com) and other similar businesses also in the
works.
When I recently learned about Predictive (which has apparently been
established for some time and seems to be well funded), I naturally visited
their Web site, which was sadly lacking in obvious specifics such as an
actual posted privacy policy. (I've since been told that this is a temporary
condition which will shortly be remedied.) I spoke briefly with the firm's
president and had a much more detailed chat with his V.P. for Business
Development, and received an e-mailed copy of their privacy policy. Both
of these fellows were polite, cordial, and willing to provide me with the
information I desired about their plans.
Unfortunately, the more that I learned from these sources, the
more concerned I became.
In brief, Predictive's business is to engage ISPs (not just "free" ISPs
where usage tracking has become typical, but conventional fee-based ISPs as
well) in arrangements where the ISP will directly feed Web usage data to
Predictive. The firm also claims to be working with Internet backbone
providers. To quote from Predictive's privacy policy:
"Predictive Networks uses Digital Silhouettes to match Internet content
and advertising with appropriate subscriber recipients. As a result,
subscribers receive information that appeals to their current needs and
interests. To develop a Digital Silhouette, The Predictive Network
analyzes URL click-stream data, such as web pages visited, and date and
time of visit. URLs are then evaluated against more than 120 affinity
and demographic categories, and assigned a score between zero and one.
The resulting Digital Silhouette is simply an anonymous set of numerical
probabilities inferred from subscriber behavior. URL histories are not
permanently stored and the data in the Digital Silhouette is not
personally identifiable."
and:
"To provide subscribers with content most relevant to their current
interests, The Predictive Network may retain key words from Internet
searches. These key words are attached to the subscriber's anonymous
Digital Silhouette and, like the Digital Silhouette itself, are not
personally identifiable. The Predictive Network also gathers data about
a subscriber's response to messages and content, which is used to
fine-tune future messages and message format."
It is Predictive's contention that they do not maintain an ongoing history
of sites visited (URLs), and that the Digital Silhouettes are maintained in
an "anonymous" fashion--so they feel that there is no violation of users'
privacy.
But outside of the fact that keyword search terms *themselves* can often
contain personally-identifiable or other sensitive data, also note from the
Predictive privacy policy that:
"To optimize the format of the content delivered to subscribers, the
anonymous Digital Silhouette may include specifications about the
subscriber's computer, such as processor type, browser plug-ins and
available memory. For some of our ISP partners, Predictive Networks
may provide a built-in dialer system. Should an ISP select this
option, The Predictive Network may require subscribers to furnish their
ISP user name and password. This information will be used strictly for
account authentication purposes and will not be associated with the
subscriber's anonymous Digital Silhouette. Our ISP partners can also
leverage the power of The Predictive Network for customer service
purposes. Should a subscriber's ISP select this option, the ISP user
name may be matched with the Digital Silhouette ID number. This will
allow The Predictive Network to send specific individuals important
customer service information. In addition, some subscribers may elect
to have email service from their ISP. Subscribers on The Predictive
Network that choose this option may be required to supply Predictive
Networks with their email address. This information is used for email
notification only."
In other words, there is a variety of personally-identifiable information
that you may need to provide to Predictive at various times, and you are
expected to trust Predictive not to purposely or accidentally misuse this
data. You also must trust that Predictive will not associate this
information with your "Digital Silhouette" in any manner--nor let anyone
else make such an association. One wonders what would happen in the face of
a court order to provide associated data for a civil or criminal proceeding
or investigation.
Most of the familiar problems we've seen in the past with so-called
"anonymous" tracking systems are present in this case. Privacy policies can
be changed at any time (e.g., the recent DoubleClick fiasco). Detailed data
that is theoretically discarded in the process of building "anonymous"
profiles could be preserved at any time, simply through software
alterations. The very *existence* of these sorts of data collection and
tracking infrastructures is of great concern. Even with the best of
intentions, the possibility for abuse is impossible to ignore--and as we
know there is a vacuum of laws to provide consumers with useful protections
in these areas.
Predictive claims that all of this effort is to bring better services to
Web users. Their apparent view is that tracking people's usage to figure
out what sorts of ads to send them is far better than simply *asking* people
to select the sorts of materials that they might wish to receive.
Of course, whenever you use automated techniques to try to figure out what
people want based on the Web sites they happen to visit, there is the
possibility of embarrassing errors. For example, people may be suckered into
pornography sites by misleading banner ads, and not be at all interested in
receiving adult-oriented advertising. Similar errors relating to other
topic areas can occur from any number of the inadvertent Web sites that all
of us hit in the process of typical Web browsing. Predictive will let
people see the profiles that have been built about them--but sometimes you'll
have to *pay* for the privilege! There are other interesting catches
as well:
"In developing our anonymous subscriber Digital Silhouettes, Predictive
Networks captures, analyzes and then discards URL click-stream data.
While we do not permanently retain a record of each subscriber's usage,
we can, upon request, make their Digital Silhouette available to them
for review. Any subscriber on The Predictive Network has the right to
view their Digital Silhouette free of charge twice during the calendar
year. Subscribers will be charged $50.00 per request thereafter.
Subscribers can obtain a copy of their Digital Silhouette by emailing
Predictive Networks at silhouette@predictivenetworks.com. The email
request must contain the subscriber's anonymous ID number, which can be
found on their computer by holding down the shift key and
right-clicking on about. The corresponding Digital Silhouette will be
emailed back to the subscriber within approximately ten business days.
Subscriber should note that by emailing Predictive Networks, they may
be "identifying" themselves to the Company. While we do not
incorporate this information into our Digital Silhouettes, we do
maintain a separate record of Digital Silhouette requests for
accounting and billing purposes. Should a subscriber object to any or
all of the information contained in their Digital Silhouette, they can
opt-out of The Predictive Network permanently, or opt-out and
re-register, which will erase the existing Digital Silhouette and begin
a new one. Again, Predictive Networks urges subscribers to consult
their Internet service provider before opting-out as doing so may
affect their Internet service and/or their Internet service rate."
The last sentence above is of *special* interest to the question of how
"optional" this tracking really would be. It is apparently Predictive's
intention to encourage ISPs, both free and the conventional fee-based types,
to partner with them to create new revenue streams for the ISPs (and for
Predictive, of course). It would appear to be the plan that in most cases
any use of free ISPs who have associated themselves with Predictive would be
predicated on your acceptance of the tracking. You can opt-out, or refuse to
opt-in, but then you can't use the ISP. Not much of an option! The details
about the tracking may also be buried within an ISP's own privacy or other
policy statements, making it even less likely that most people will ever
bother reading or understanding all of the detailed ramifications of their
using these systems.
It also appears to be Predictive's intention to encourage fee-based ISPs to
offer lower rates to users willing to be tracked. This can rapidly degrade
into a coercive situation where users who do not wish to participate in such
tracking will be forced to pay ever higher rates simply to maintain the same
level of privacy and non-tracking that they had in the first place (as the
immortal Alice learned, "running faster and faster to stay in the same
place"...) Can ISPs resist this temptation? If not, the *fundamental*
structure of the Internet and Web will be permanently changed in a manner
that could make reasonably-priced, non-tracked Internet access a rapidly
fading memory, and make all of the abuse potentials of these tracking
technologies the status quo engrained within the Internet infrastructure.
After Predictive gets their privacy policy online at their Web site, I urge
everyone interested in these issues to read the entire text. There are many
other interesting sections, such as how they're dealing with the issue of
tracking children under the age of 13 (vis-a-vis the new Federal Trade
Commission regulations on this topic). Basically, Predictive says that you
either must keep such children away from the computer, or must agree that
it's OK for the children to be tracked. It's all or nothing.
Predictive of course says that they are very concerned about privacy.
They told me that they're forming a "privacy advisory board"--and so on.
I have a different suggestion. How about if the users of the Internet and
World Wide Web, the millions and soon billions of individuals, take a stand
while we still have the opportunity? We still have the chance to say that
our personal information is our own and that our Web browsing behavior is
private. We may yet be able to successfully assert that we won't be
manipulated, coerced, or otherwise "bribed" into allowing our Web activities
to (as "The Prisoner" put it) be "pushed, filed, stamped, indexed, briefed,
debriefed, or numbered!"
The Internet and Web have tremendous commercial potential. But it can be
achieved ethically and without the use of obnoxious technologies that are
being shoved down our throats like feed for animals destined for the dinner
table. The firms who view the Internet as little more than a "cash cow" are
already placing the software rings in our noses in an effort to see us made
easier to manipulate and control.
The stink of the slaughterhouse may not be far away.
--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
------------------------------
End of PRIVACY Forum Digest 09.13
************************