Privacy Issues

Court Says eMail Isn't Private ... OKs snoopting by email providers

Yahoo, AOL and others can open your e-mail — all with the courts’ OK
Late last month, the First Circuit Court of Appeals in Massachusetts upheld a lower court’s ruling that stated an Internet service provider did not break the law when it read e-mail stored on its computer servers. The 2-to-1 decision supported the owner of a rare book business, called Interloc, who used an e-mail service he provided to customers to read incoming messages sent by Internet book dealer Amazon.com in 1998.The business owner was indicted on wiretapping charges in 2001.

The Center for Democracy and Technology, a privacy advocacy organization based in Washington, D.C., has said the federal court’s decision undermines citizens’ e-mail privacy."The decision potentially creates a loophole for law enforcement access to e-mail," the organization stated on its Web site, "and exposes the inadequacy of current law against (the Internet service provider’s) use of the customer’s e-mail for their own business purposes and without notice or consent."

Is Yahoo tracking you online?

Yahoo is now using something called "Web Beacons" to track Yahoo Group users around the Net and see what you are doing and where you are going - similar to cookies. Take a look at their updated privacy statement:

About half-way down the page, in the section "Outside the Yahoo! Network", you'll see a little "click here" link that will let you "opt-out" of their new method of snooping. I strongly recommend that you do this.

Once you have clicked that link, you are opted out. Notice the "Success" message the top the next page.

Be careful because on that page there is a "Cancel Opt-out" button that, if clicked, will *undo* the opt-out.

New Technology Sniffs Employee Offenders (Wired News, December 13, 2002) The software watches what employees do, and in some cases matches that usage data with employees' personal profiles to pick out the worker who is most likely to turn to a life of crime. . . . Some systems administrators at large companies said they are increasingly being asked to quietly collect digital evidence on difficult employees -- those who are in danger of being fired, or who have just been fired. . . . Companies are also employing snoopy software to make sure their employees aren't stockpiling corporate secrets. . . . Savvydata's RedAlert goes a step further, collecting, consolidating and analyzing internal and external employee information to determine an individual's threat to the organization. Savvydata claims RedAlert can predict which employee is most likely to be involved in malicious activities such as theft of sensitive information. . . . RedAlert 2.0 includes the company's newest security offering, Intelligent Information Dossier plus. IID+ is an optional subscription-based component that allows corporate IT folks to research employees' criminal histories, credit information, financial asset details, friends and associates. . . . That data can be combined with RedAlert's collection of internal data -- such as what files employees accessed, the contents of their e-mails and what company policies they violated -- to draw what Savvydata reps describe as a "clear picture that can be used in determining an employee's risk to your organization." . . . "I understand why you'd need something like this if you are the CIA, but for standard biz use ... I just don't think I'd work at a company that used these sorts of tools."

New Technology Sniffs Employee Offenders (Wired News, December 13, 2002) The software watches what employees do, and in some cases matches that usage data with employees' personal profiles to pick out the worker who is most likely to turn to a life of crime. . . . Some systems administrators at large companies said they are increasingly being asked to quietly collect digital evidence on difficult employees -- those who are in danger of being fired, or who have just been fired. . . . Companies are also employing snoopy software to make sure their employees aren't stockpiling corporate secrets. . . . Savvydata's RedAlert goes a step further, collecting, consolidating and analyzing internal and external employee information to determine an individual's threat to the organization. Savvydata claims RedAlert can predict which employee is most likely to be involved in malicious activities such as theft of sensitive information. . . . RedAlert 2.0 includes the company's newest security offering, Intelligent Information Dossier plus. IID+ is an optional subscription-based component that allows corporate IT folks to research employees' criminal histories, credit information, financial asset details, friends and associates. . . . That data can be combined with RedAlert's collection of internal data -- such as what files employees accessed, the contents of their e-mails and what company policies they violated -- to draw what Savvydata reps describe as a "clear picture that can be used in determining an employee's risk to your organization." . . . "I understand why you'd need something like this if you are the CIA, but for standard biz use ... I just don't think I'd work at a company that used these sorts of tools."

USA PATRIOT ACT Court Battle
EPIC (Electronic Privacy Information Center) today [September 20, 2002] joined with a coalition of civil liberties groups to urge a secret appeals court to reject a government bid for broadly expanded powers to conduct "national security" surveillance on U.S. citizens. In a "friend of the court" brief filed with the Foreign Intelligence Surveillance Court of Review (FISCR), the groups said that expanding such powers would jeopardize fundamental constitutional interests, "including the First Amendment right to engage in lawful public dissent, and the warrant, notice, and judicial review rights guaranteed by the Fourth and Fifth Amendments."

At issue in the case is whether new Justice Department surveillance rules seeking to use looser foreign intelligence standards to conduct criminal investigations in the United States are constitutional and permissible under the USA PATRIOT Act adopted by Congress after the September 11 terrorist attacks. The civil liberties brief urges the FISCR to uphold a decision of the Foreign Intelligence Surveillance Court, which in May unanimously rejected the government's bid for expanded powers. In its decision, the intelligence court documented abuses of "national security" warrants by both the Bush and Clinton Administrations, including serious errors in approximately 75 applications for foreign intelligence surveillance.

At a hearing last week, members of the Senate Judiciary Committee, which has oversight of the Justice Department, also condemned the government's position. "We need to do our work well and ensure that domestic surveillance is aimed at true national security targets and does not simply serve as an excuse to violate the Constitutional rights of our own citizens," said Committee Chairman Patrick J. Leahy (D-VT). "The abuses of the past are far too fresh simply to surrender to the executive branch unfettered discretion to determine the scope of these changes."
After the lower court's decision was made public in late August, the civil liberties groups notified the FISCR that they intended to file a brief. The groups had hoped to submit their brief before the appeals court met to review the case, but the secret court met on September 9 and only the government was allowed to present arguments. EPIC joined the American Civil Liberties Union, Center for Democracy and Technology, Center for National Security Studies, Electronic Frontier Foundation, and the Open Society Institute in submitting today's brief.

The civil liberties amicus brief is available at:
http://www.epic.org/privacy/terrorism/fisa/FISCR_amicus_brief.pdf

Background information on the Foreign Intelligence Surveillance Act, including the current controversy, is available at:
http://www.epic.org/privacy/terrorism/fisa

The text of the USA PATRIOT ACT is available at:
http://www.epic.org/privacy/terrorism/hr3162.html

Spyware Creeps into Your Computer
(Chris Wenham, Salon.com, May 2, 2002)
Outrage surged through users of the KaZaA file-sharing utility when they learned, early in April, that a new breed of spyware had been installed on their computers. KaZaA, probably the most popular heir to Napster's throne, was already well known for coming bundled with a wide variety of parasite programs that serve up advertisements, track Web-surfing activity, and otherwise cause mischief. But the newest arrival topped anything seen before in scope or ambition. . . . A company called Brilliant Digital had surreptitiously installed software in computers running KaZaA. Once activated, the software would set up a distributed computing network, allowing Brilliant to hijack the resources of thousands of personal computers to serve the needs of its own customers. . . . Hollings' bill should outrage Internet users just as much as Brilliant Digital's spyware. For while it talks a good game about protecting "sensitive" information, the truth is that it would place a congressional stamp of approval on precisely the kinds of practices that purveyors of spyware are eager to engage in. . . . the Online Personal Privacy Act. It is masquerading as pro-consumer when in fact it is pro-business. . . . Spyware programs use a variety of technologies. Setting "cookies" on your hard drive identifies you to particular Web sites, and "Web bugs" -- invisible image files on Web pages -- in conjunction with cookies help track movement through the Web. They make the problem of collecting data and associating it with a unique entity easy. The next step is getting your name, which can be done as soon as you make an impulsive click to buy something from a site that is sharing information with the spyware loaded on your computer. . . . In one swoop, Hollings not only makes it possible for businesses to accelerate into this brave new world of automated lifestyle profiling, but also fools consumers into a false sense of security that'll have them buying more, and more often.

Microsoft Has Shelved Its Internet 'Persona' Service - the threat of Hailstorm has passed for now
(John Markoff, New York Times, April 11, 2002)
Microsoft has quietly shelved a consumer information service that was once planned as the centerpiece of the company's foray into the market for tightly linked Web services. . . . The service, originally code-named Hailstorm and later renamed My Services, was to be the clearest example of the company's ambitious .Net strategy. It was intended to permit an individual to keep an online persona independent of his or her desktop computer, supposedly safely stored as part of a vast data repository where there could be easy access to it from any point on the Internet. . . . after nine months of intense effort the company was unable to find any partner willing to commit itself to the program . . . "They ran into the reality that many companies don't want any company between them and their customers," . . . Microsoft was unable to persuade either consumer companies or software developers that it had solved all of the privacy and security issues raised by the prospect of keeping personal information in a centralized repository . . . American Express officials have told computer industry executives that they remain concerned about being displaced by Microsoft's brand in such a partnership. . . . the Hailstorm plan quickly became a lightning rod for privacy advocates who saw dangers in concentrating vast amounts of personal information in a single repository. . . . Last fall a coalition of privacy groups complained in a letter to the Federal Trade Commission about the potential risks inherent in Microsoft's collecting personal information from and about several hundred million personal computer users.

Colorado Upholds Rights of Anonymity, Privacy in Bookseller Records
(EPIC, April 11, 2002)
In a First Amendment case with national significance, the Colorado Supreme Court ruled this week that a Denver bookstore does not have to give sales records to police seeking information in a drug investigation. . . . The case arose after Tattered Cover, a Denver-based bookstore, challenged a court order for book purchase records. The local drug task force police sought the records after finding a Tattered Cover Book Store envelope containing a methamphetamine lab and drug-making "how-to" books outside a mobile home they raided in Denver. . . .The state Supreme Court, in a 51-page opinion overturning the district court opinion, recognized that the First Amendment and a section of the Colorado Constitution "protect an individual's fundamental right to purchase books anonymously, free from governmental interference." Customer purchase records enjoy First Amendment protection and may only be disclosed to the police if there is a "compelling need" that outweighs the interests of the customers. The court concluded that, in this case, the law enforcement need was not sufficiently compelling to outweigh the harm threatened, in part because law enforcement officials sought the purchase record for reasons related to the contents of the books that the suspect may have purchased, and in part because the police had reasonable alternative measures of investigation at their disposal.

National ID cards being slipped in under our noses
Finding Pay Dirt in Scannable Driver's Licenses
(Jennifer 8. Lee, New York Times, March 21, 2002)
One by one, they hand over their driver's licenses to a doorman, who swipes them through a sleek black machine. If a license is valid and its holder is over 21, a red light blinks and the patron is waved through. . . . But most of the customers are not aware that it also pulls up the name, address, birth date and other personal details from a data strip on the back of the license. Even height, eye color and sometimes Social Security number are registered. . . . "You swipe the license, and all of a sudden someone's whole life as we know it pops up in front of you," said Paul Barclay, the bar's owner. "It's almost voyeuristic." . . . Now, for any given night or hour, he can break down his clientele by sex, age, ZIP code or other characteristics. If he wanted to, he could find out how many blond women named Karen over 5 feet 2 inches came in over a weekend . . . Scanners that can read the licenses are slowly proliferating across the country. So far the machines have been most popular with bars and convenience stores . . . The electronic trails created by scanning driver's licenses are raising concerns among privacy advocates. Standards and scanning, they say, are a dangerous combination that essentially creates a de facto national identity card or internal passport that can be registered in many databases.

CIA Web Site Tracks Visitors With Cookies
(Brian McWilliams, Newsbytes.com, March 18, 2002)
A Web site operated by the Central Intelligence Agency is marking visitors with a unique identification tag or "cookie" that violates federal privacy guidelines and the agency's own privacy policy., according to Public Information Research, a non-profit group. . . . The CIA's Electronic Reading Room site, which provides online access to previously released CIA documents, places a "persistent" cookie on visitors' computers when they visit the site. . . . Designed to remain on the visitor's computer until December 2010, the cookie contains the user's Internet protocol address as well as a unique identification number, Newsbytes has confirmed. . . . The keywords you put in for searching on FOIA documents can reveal a lot about you. The CIA can use these cookies to reconstruct who is interested in what. Even if you browse from several different ISPs, they can use your cookie's unique ID to tie all your searches together," said Brandt.

Stores' Microchips Will Track Every Move
(Carl Limbacher and NewsMax.com Staff, March 14, 2002)
"In ten years nearly every consumer item will probably bear a tiny chip that continually broadcasts its existence to radio-frequency readers at loading docks, store shelves, entrances, security stations and parking lots - just about everywhere," . . . A Sam's Club under construction outside Tulsa, Okla., is installing the system, already in use at a Gap store in suburban Atlanta; a Prada boutique in Manhattan; a McDonald's in Boise, Idaho; and Star City Casino in Sydney, Australia. . . . "Privacy advocates are quaking over the prospect that anyone with a radio-frequency reader, including the government, could find out where a passerby had purchased his shoes. It would be easy for Wal-Mart, say, to use its in-store readers to figure out which competitors its customers frequented. Even scarier, some credit-card issuers are considering implanting radio tags in their plastic cards," Forbes Global says. . . . Lee Tien, a lawyer with the San Francisco watchdog group Electronic Frontier Foundation, warned "there will be times when that information will be demanded by the government for purposes of investigation."

Privacy International
On March 4, 2002, Privacy International presented the 4th annual UK "Big Brother" awards to the government and private sector organisations that have done the most to invade personal privacy in Britain. . . . Four "Big Brother" awards were presented to the individuals, organizations, and departments which have done most to invade personal privacy. A "lifetime menace" award was also be given. . . . "Winston" awards were also be given to individuals and organisations which have made an outstanding contribution to the protection of privacy, as well as to people who have been victims of privacy invasion.

Gartner Reports Strong Opposition to a U.S. National Identity Program
(The Gartner Group, March 12, 2002)
41 percent of U.S. citizens are opposed to the creation of a national identification database to identify citizens and visitors to the United States. Only 26 percent of U.S. citizens agreed that such a database should be established. Opposition to such a database was particularly strong in the southern, western, and midwestern regions of the United States. . . . "The technology is ready now. Public opinion is not," said Richard Hunter, GartnerG2 vice president and research director, security. "Our survey shows that the public supports a national ID only for very specific, limited purposes, and people are quite suspicious of what governmental agencies might do with it." . . . "The distrust of public institutions as keepers of a national ID database that we see in our study tells us that the public is worried about the potential for abuse," Hunter says. "The government hasn't done a good job of explaining to the public how it's going to protect from misuse all the information it gathers about them. If there's a plan, the public doesn't know about it."

Guess who's tracking you by cell phone?
(Ben Charny, ZDNet News, February 27, 2002)
The nation's cell phone service providers will soon know exactly where every one of their customers is, at all times, and privacy rights groups are asking what they plan to do with the information. . . . "There are some things you don't mind other people knowing, but your location isn't one of them," said Gary Laden, a privacy program director for BBBOnline, a Better Business Bureau subsidiary. . . . Sprint is already offering an Enhanced 911 (E911) system in Rhode Island and sells a pair of phones that work on the system. In a year, Verizon Wireless says nearly half of all new handsets activated will have this capability. The FCC expects 95 percent of the cell phones sold in the United States by 2005 will meet the FCC guidelines.