Nowhere to hide / A special report on privacy

Date Tue, 9 Jan 2001 13:53:18 -0500

[: hacktivism :]

Nowhere to hide / A special report on privacy

As monitoring tools multiply, society
weighs your privacy against profit,
public interest in knowing

Tyler Hamilton


Two astronauts hold a secret meeting in a tightly sealed space pod,
detailing through whispers a plan to seize control of their
computer-hijacked vessel. In the background, the hijacker - a malfunctioning
supercomputer named HAL 9000 - silently observes the movement of their lips,
processes the data and analyzes the meaning of their supposedly private

It's a chilling scene.

As filmmaker Stanley Kubrick demonstrated in his sci-fi movie classic, 2001:
A Space Odyssey, it's virtually impossible to conceal one's privacy in an
age where technology rules the day - and in many cases, runs amok.

In the 33 years since Kubrick released his film, our technological odyssey
has become more science than fiction. The year is 2001. We live in a highly
connected digital society, one that's capable of peeking into our personal
worlds, taking detailed snapshots and following the trail of electronic
cookie crumbs we leave behind.

The threat to individual privacy is more real than ever, as more consumer,
financial and medical data is collected as fuel for our burgeoning
electronic economy. Governments watch and track us in the name of health and
welfare. Businesses monitor and study us to sell more goods and keep their
employees honest.

`If there is no demonstrated need for the information, it should be gone.'

- Bruce Phillips, Canada's former privacy commissioner

`It's not like there's this evil intention. Part of (the fear) is that
nobody actually follows the data trail.'
- Valerie Steeves, Carlton University law professor

Sometimes we know it's happening. Sometimes we don't. Either way, privacy
breaches are being felt and noticed. Consider the following:

The U.S. Federal Bureau of Investigation has called ``identity theft'' - a
form of fraud through impersonation - the fastest growing crime in North
America, partly because of the ease with which personal data can be accessed
through computer systems and the Internet;

A perceived lack of privacy and security on the Internet continues to be
cited in Canadian and U.S. studies as the leading factor holding back the
growth of e-commerce. Meanwhile, a recent Canadian study found that half of
commercial Web sites in Canada don't have policies aimed at protecting
consumer privacy;

According to Denver-based research firm The Privacy Foundation, workplace
surveillance was the leading privacy concern in 2000, an issue that has
lowered staff morale at many companies.

Privacy advocates say the need to protect our lives from unwanted,
unnecessary and malicious intrusions has come to a critical juncture. But
where do we draw the line? And what are the rules for crossing that line?
The answers will have profound social, economic and legal implications for
businesses, governments, consumers and citizens.

``We have an enormous obligation to get it right,'' says Marc Rotenberg,
executive director of the Electronic Privacy Information Center in
Washington, D.C. ``Privacy has become a global issue. It has become a
political issue. It has become a technological issue. It has become an issue
for the courts.''

In the United States, more than two dozen companies have been sued for
tracking online consumers without their consent, including Internet
advertising firm DoubleClick Inc. and defunct e-tailer More
than 65 privacy-related bills are currently pending in Congress.

Meanwhile, the U.S. Federal Trade Commission has unofficially accepted a
role as privacy watchdog. So far, it has taken action against nearly 200

``Yes, we actually pay people to surf the Net,'' says FTC commissioner
Mozelle Thomson. ``This issue is on the front burner.''

In Canada, the legislators have been busier than the lawyers.

Last week, a new federal law - formerly known as Bill C-6 - came into force
that gives Canadian consumers more control over how their information is
collected and used in the private sector. The new legislation, which
complements the existing public sector Privacy Act, aims to promote
electronic commerce by creating an online environment of trust and respect.

But that's just the beginning of Canada's privacy odyssey. The provinces -
except for Quebec, which already has private-sector legislation - will soon
be jumping in with their own draft bills, laying the foundation for future
laws to deal with health records, genetic testing and surveillance in the

`These are huge issues that as a society we have to confront.
Privacy will be the defining issue of this new decade we're entering.'
- George RadwanskI, Canada's privacy commissioner

``These are huge issues that as a society we have to confront,'' says George
Radwanski, the country's new federal privacy commissioner, whose policing
powers now extend to the private sector.

``Privacy will be the defining issue of this new decade we're entering,'' he
says. ``My role is to be the champion of Canadians in this regard and to
make them aware of these issues.''

A fishbowl society

Radwanski points out that privacy is not absolute. We reveal much about
ourselves by simply opening up a bank account, handing in a résumé for a
job, or walking out our front door to pick up the daily newspaper.

Still, he says privacy in the electronic age is deteriorating at an alarming
rate. To make matters worse, it has become increasingly difficult to
pinpoint just who's watching us and where our personal information is

Stealth video cameras record us in parking lots, elevators and office
buildings. Software keeps track of our keystrokes, e-mails and the Web sites
we visit. Radio scanners frequently intercept our wireless phone calls, and
satellite-tracking technologies can trace the location of vehicles, not to
mention the fashionable ``smart'' devices we carry with us.

In the United States, the FBI is using a technology called Carnivore that
can target and randomly read e-mail as it passes through gateways to the
Web. The software was designed to net criminals, but critics charge that it
catches much more than it should.

As the motto on one electronic surveillance Web site reads: ``In God we
trust. All others we monitor.''

Biometric technologies have even made it possible for computers to spot us
in crowds, recognize us through our own unique odours and identify us
through the rhythm of our walk. About a year ago, a computer scientist at
Carnegie Mellon University in Pittsburgh taught a computer to read lips -
just like HAL.

Sadly, real-time surveillance is just the tip of the iceberg. Below the
surface lie large masses of personal databanks, increasingly organized and
often unprotected from hackers, disgruntled employees and old-fashioned
criminals. Governments, businesses and law enforcement agencies use
powerful, memory-rich databases known as ``data warehouses'' to
electronically store and analyze this information, creating a way to sketch
eerily accurate profiles of our lives.

``This is all being linked together,'' says Austin Hill, president of
Montreal-based Zero-Knowledge Systems Inc., a developer of software that
lets people conceal their online identities.

Hill says the Internet, helped by its multimedia cousin the World Wide Web,
has made it easier than ever to collect, share, replicate, move and link
this information. And it can do it at lightning speeds, thanks to advances
in fibre-optic technologies that transport data as pulses of light.

The Internet has essentially become a universal repository for personal
data, easily accessible by a growing number of Web-enabled devices - from
laptops and Palm organizers to ``smart'' phones and fridges.

Michael Power, a privacy expert and partner with Canadian law firm Gowlings,
likes to think of data as a liquid. ``Information flows like water,'' he
explains. ``If it hits something it just finds another way to get around

Still, the question remains: Why collect all this data in the first place?
In the public sector, politicians argue that getting a better understanding
of constituents allows them to do their jobs properly and keep the streets
safer at night. Whether it's a gun registration database, a criminal DNA
repository or the latest Statistics Canada census, the idea is to use this
data to shape policy, improve government services and limit dangers to

``The policy-makers are very much into an efficiency mode of thinking,''
says Valerie Steeves, a law professor at Ottawa's Carleton University and a
specialist in privacy policy. ``There's a real resistance to stopping the

In Ontario, the government is pushing through a plan to issue multi-purpose
``smart cards'' that would combine a person's photograph with health,
driver's license, birth certificate and other information. A computer chip
embedded within the card would keep updated records of an individual's
interaction with hospitals, courts and traffic cops.

The provincial government is also building a network that would integrate
information flowing through the justice system, meaning lawyers, courts and
police could access a common pool of data. A similar network is planned for
health care.

Nationally, the federal government has been no less active. Its Government
On-Line initiative aims to provide electronic access to all federal programs
and services by 2004, changing the way citizens file taxes or apply for

This spring, Ottawa will spend about $400 million and employ 40,000 staff to
collect personal data for this year's Statscan census. Beginning May 15,
more than 30 million Canadians will be asked intimate questions about their
lives, and many will be legally required to divulge their income, ethnicity,
disabilities - even sexual orientation.

In exchange for the intrusive questionnaire, the government promises

Where does the information end up? In a database where it undergoes
statistical analysis, just like all census information from the past. And
for the first time, Statscan will allow certain individuals to file their
information over the Internet.

``It's not like there's this evil intention,'' says Steeves, referring to
the many instances where governments collect sensitive personal information.
``Part of (the fear) is that nobody actually follows the data trail.''

That said, the Big Brother envisioned by George Orwell in his book 1984
doesn't look so threatening when measured against big business. The desire
to monitor employees and the thirst for consumer data has grown to
unprecedented levels in the corporate world.

Video surveillance, keystroke monitoring, e-mail filtering and voice-mail
recording are now common features in the workplace, where an increasing
number of employers are asserting their right to audit the productivity of
their staff and protect themselves from potential lawsuits.

In the United States alone, two-thirds of corporations monitor their
employees to some degree, according to the American Management Association.

Meanwhile, the value of personal information as a well-focused marketing and
advertising tool has soared in the Internet and computing age. Data mining
and analysis software is helping online and off-line companies know their
customers better, whether the goal is understanding buying behaviour, making
note of product preferences or anticipating future purchases.

Ultimately, advertising can be directed and personalized to build stronger
customer relationships and sell more Gap jeans, Coke products or Trojan
condoms. This explains why more than 85 per cent of all Web sites collect
personal information from online visitors.

For dot-coms such as DoubleClick and, this information is
critical to their existence. For loyalty programs like Air Miles, such
information is their existence.

The threat

Jason Catlett, a leading privacy guru south of the border and founder of
advocacy firm Junkbusters Corp., says the detail and quality of information
being collected is becoming more and more invasive, and it's doubling every
two years.

``There's a real danger here of concentration of information, because it
provides a single point of failure,'' says Catlett. ``If there's no one
watching the shop, then the shoplifters are going to run amok.''

For many people, the response is: so what. How, they ask, can something as
simple as data represent a threat or danger? The answer to this question
goes far beyond the annoyance of spammers, junk mailers and telemarketers.
Rather, it deals with the risks posed by stalkers, thieves, suspicious
lovers, curious employers and overly snoopy insurance companies.

Consider the following two cases:

Last month, it was discovered that an outlaw biker gang had infiltrated
Quebec's automobile-insurance board and, by accessing its computer systems,
tracked down the addresses and phones numbers of rival gang members, police
officers and journalists.

Police suspect that confidential data was wrongfully obtained on Journal de
Montreal reporter Michel Auger - who was shot five times on Sept. 13 in his
newspaper's parking lot - and may have been passed along to his assailants,
making it easier to track him.

In 1997, a grandmother from Ohio received a letter from a prison inmate in
Texas who knew intimate details about her life, such as how often she uses
sleeping aids, deodorizers and hemorrhoid medication. The inmate, a
convicted rapist, also offered in his letter to fulfill her sexual desires
and fantasies when he was eventually released from prison.

Needless to say, the woman suffered months of emotional and psychological
torture. It was eventually discovered that the inmate bought the data from
another prisoner. Apparently, the second inmate had a data entry job as part
of a prison-labour program. The data in question was an elaborate consumer
survey the woman had filled out earlier.

``Don't blame things like the Internet,'' says Catlett. ``Blame the increase
in the amount of data, and the lack of controls in handling it.''

It's not that consumers never knowingly hand over their information.
Generally, people don't hesitate to participate in online surveys or loyalty
programs if it means discounts on merchandise or better, more personalized
customer service. What many don't know is where their personal data could
end up.

The cases, unfortunately, are plentiful. In British Columbia in the
mid-1990s, three staff at a Vancouver abortion clinic found out that their
license plate numbers had been obtained through an RCMP computer system. It
was later discovered that the officer who accessed the records had passed
along the personal data to his mother - a worker with an anti-abortion

David Flaherty, then privacy commissioner of British Columbia, used that
case as part of a larger investigation into the abuses with motor vehicle

``I've done some work more recently with abortion clinics,'' says Flaherty,
who now works as a privacy consultant. ``Their staff literally have to look
under their cars for bombs before they get into them.''

Flaherty - who considers privacy a human right - says there is a blind
assumption among many individuals that safeguards for protecting personal
information are being followed. He says most organizations have no interest
in unnecessarily invading people's privacy, but mistakes do happen.

``I'm surprised at how many people work in some of these database-intensive
industries with access to information,'' he says. ``Sure, they all have
confidentiality agreements - big deal.''

Whether it's an innocent slip of the mouse, a case of taking kickbacks, or a
security oversight that is sniffed out by hackers, employees that have
access to computer systems within an organization are often the weakest link
when it comes to protecting privacy.

Network firewalls, biometric technologies, security passwords and encryption
software can help, but only if processes and procedures are closely followed
and audited.

According to research firm IDC Canada Ltd., accidents and human error - not
hackers - pose the biggest security threat to business computer networks and
Web sites in Canada. When such systems hold vast amounts of personal data, a
security risk instantly becomes a privacy risk.

It's no wonder Bruce Phillips, Canada's former privacy commissioner, decided
last spring to blow the whistle on a huge database system created by Human
Resources Development Canada. The database, designed for no apparent
purpose, carried detailed profiles on more than 33 million Canadians -
information gathered without their knowledge or consent.

``If there is no demonstrated need for the information, it should be gone,''
says Phillips, explaining that purpose and consent are two basic principles
to which organizations should adhere.

HRDC tried to defend the database as a research tool, but two weeks later,
under the weight of public criticism, it pulled the plug.

Privacy risks grow even larger when such information is being gathered by
profit-driven Web ventures that are far less stable than government.

Take, an online retailer that filed for bankruptcy in June.
Despite assurances in its privacy policy that it would protect the personal
information of its customers and never share that data with third parties,
Toysmart decided to auction off its customer list to the highest bidder as a
way to help pay off its debts.

Last year, more than 210 ``dot-coms'' went belly up, according to San
Francisco-based consulting firm The closures left 15,000
people out of work and hundreds of detailed customers lists at the mercy of
disgruntled employees and anonymous buyers.

``There is an awful lot of data out there floating around with nobody
willing to protect it,'' says Catlett, adding that the case
demonstrates what companies are willing to do when backed against a wall.
``You don't want some pervert calling up your kids pretending to be Ken and
asking for Barbie. (The Toysmart customer list) deserves protection.''

But even genuine attempts at protection often fail:

In January, 1999, a security oversight with the Web site exposed
detailed personal information on tens of thousands of Canadians who had
filled out a ``confidential'' survey for the popular rewards program.

In all, 82 categories of information were open for view, including data
about types of credit cards held, the number of cars owned and whether the
person was a pet owner or mobile-phone user. Fortunately, credit card
numbers and data on specific product purchases were not revealed;

Last April, Toronto-based wireless service provider Look Communications also
blamed human error for a security breach that left hundreds of customer
files - including phone and credit card numbers - exposed on the Internet., Microsoft Corp., Yahoo Inc., AT&T Corp. and Nissan Motor Co.
Ltd. are among a list of well-known companies that have experienced similar

Then there are the blatant attacks. Online auction site admitted
last month that someone had breached their computer systems and possibly
stolen up to 3.7 million credit card numbers and other customer information.

The fact that so much data is floating around unguarded or under attack
explains why identity theft - the use of another person's identity to commit
fraud - has quickly become the fastest growing crime in North America.

These days, crawling around in garbage dumpsters, picking pockets and
raiding mailboxes has been replaced by Internet search engines,
do-it-yourself hacker kits and online services that do all the dirty work
for a nominal fee.

`As search engines become more powerful, they become a way to aggregate that
information. That's how you create a profile on somebody.'
- Michael Power, partner with Gowlings law firm

``If it goes into a computer system, you never know where it's going to show
up,'' explains Power, the partner with Gowlings. ``As search engines become
more powerful, they become a way to aggregate that information. That's how
you create a profile on somebody.''

Once that profile is created, it's easy for someone you've never met to
impersonate you, make purchases under your name, access bank accounts and
commit other crimes. Then one day, you get an unpleasant surprise: Your bank
account is empty, your credit cards are run up, your credit record is shot
and you've been wrongfully linked to a number of criminal offences.

Clearing up that mess and trying to restore your reputation often creates
emotional, psychological and economic suffering .

In one high-profile case, Mari Frank, an attorney from Laguna Niguel,
Calif., discovered that someone had purchased a sports car, spent more than
$10,000 at Toys ``R'' Us Inc., damaged a rental car and accumulated $50,000
in debt using personal information that could have easily been found on the

Many novice Internet users respond to unsolicited e-mails that promise
rewards in exchange for detailed data about them. Others fill out
information to gain access to certain sites on the Web. Where this
information ends up is anyone's guess.

In Canada, cases of identity theft have been harder to track because most
law enforcement authorities here lump the crime under the umbrella of
general fraud.

``There's no program to deal specifically with the issue of identity
theft,'' says Sgt. Paul Marsh, spokesperson for the RCMP. ``Our current
reporting does not break out fraud done online.''

Marsh says the offences of personation and fraud currently found in the
Criminal Code have been considered adequate to address the question of
identity theft, but he adds that the RCMP is examining ways of statistically
distinguishing off-line and online fraud within its computer systems.

Such statistics may be necessary to prepare for tomorrow. Many privacy
advocates point out that the fears we exhibit today are largely related to
the dangers that lie in the future if the privacy issue isn't adequately

For example, the collection of health and medical information by
governments, non-profit groups, pharmacies, doctors, hospitals and medical
information Web sites raises the issue of how this information - if it's
stolen, monitored, leaked, shared or sold - can be used to discriminate
against people.

``It's particularly difficult with health care to guard against secondary
uses, because the insurance and drug industries are so much a part of the
medical sector,'' says Steeves, the Carleton University law professor.

Steeves says the spectre of eugenics is very real in an age where animals
have already been cloned and genetic defects can be easily recorded. In the
workplace, drug tests that can also detect whether a woman has stopped
taking the birth control pill could easily lead to dismissal in advance of
maternity leave.

Getting a job or life insurance could also become more difficult if a
genetic flaw that ``may'' lead to future illness raises a red flag.

A new dot-com in the United States called First Genetic Trust has created
what it calls a ``genetic banking'' service. For a fee, the company
collects, analyzes and maintains an individual's genetic data for
confidential and secure storage, or use in ongoing clinical trials.

The potential value of the service is compelling when applied to medical
research, drug discovery and personalized diagnosis and treatment of
genetically related illness. But what if the company goes bankrupt? It begs
the question at a time when bankrupt companies like are making
headlines by trying to sell off customer lists.

``There's all sort of privacy rhetoric,'' says Steeves. ``But very little
privacy protection.''

[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: :]