The Evolving Technologies Of Internet Privacy


No. 156
Friday, April 27, 2001
by Gregory F. Rehmke

Government Threats To Privacy

The increasingly robust private-sector privacy standards and privacy software tools contrast sharply with the vague and hypocritical efforts of governments (here and in Europe) to promote top-down privacy standards for Web sites.

Failing to Follow Internet Privacy Policy. When the inspectors general of all U.S. federal agencies began auditing government Web sites, audits of the first 16 agencies disclosed dozens of violations of administration privacy policies.[6] Many government sites that had been banned from using cookies were using them. Some sites that collected personal information did not have a posted privacy policy, and some collected e-mail addresses without the user's knowledge.

Table IV - Consumers International Survey of U.S. Versus E.U. Web Site Privacy Protection Policies

"Federal government Web sites have not been following privacy rules being pushed on the private sector."

The Federal Trade Commission was embarrassed when it was reported that the stringent privacy rules it was pushing on private sector e-commerce sites were not even adhered to by federal government Web sites.[7] A General Accounting Office study found only 3 percent of audited government sites followed the FTC's proposed rules. The other 97 percent, including the FTC's own Web site, used the same "opt-out" policies that most private Web sites used and which the FTC was trying to ban.

The White House Office of National Drug Control Policy allowed advertisers on its Web site to store cookies on visitors' computers.[8]

The Wall Street Journal reported recently on the ironic results of detailed privacy regulations in the European Union.[9] Consumers International, a United Kingdom-based consumer organization, surveyed over 700 major Web sites in the E.U. and U.S. where people were likely to be asked for personal information. The results must have surprised privacy advocates who complain about the lack of privacy regulation in the U.S. and call for "stronger" top-down privacy regulations like those passed by the European Commission. The Journal reported that "Internet users' privacy is better protected in the U.S. than in Europe, despite the raft of privacy regulations that have been approved by the European Commission over the past five years." [See Table IV.]

The article further noted, "The U.S. model of voluntary self-regulation of the use of private data collection online appears to work better."

"Despite a raft of privacy regulations in Europe, Internet users' privacy is better protected in the U.S."

Fighting Individuals' Internet Privacy. In Crypto: How the Code Rebels Beat the Government - Saving Privacy in the Digital Age,[10] Steven Levy describes frantic National Security Agency (NSA) efforts to keep strong encryption technology inside the "triple fence" of NSA headquarters. Gradually through the 1980s and 1990s outside cryptographers developed private-sector encryption software, and entrepreneurs tried to make these software tools popular. Federal government agencies tried everything they could to stop the release of this technology. And had they been successful, private citizens today would not be able to protect their communications over the Internet. (Or at least the public would not have been allowed strong enough encryption to keep their communications private from government snoops.)

The government was concerned because it believed cheap or free encryption software would allow criminals, terrorists and tax-evaders to encrypt their e-mail and Web browsing so powerfully that even the FBI, CIA and NSA would not be able to decode them. That may be okay for average citizens, but what about criminals and potential terrorists? This is a reasonable concern but not one that is easily dealt with. Just as strict gun-control laws could help keep guns out of the hands of everyone except criminals, strict encryption-control laws could restrict use by everyday citizens but not computer-literate criminals and terrorists.

"Federal agencies have tried to keep strong encryption technology away from private citizens."

The FBI Carnivore project was designed to sift through e-mail and Internet browsing by tapping into Internet Service Providers' hardware. Since most people don't bother to encrypt their e-mail correspondence, this allows the FBI to execute searches once they have proper warrants that identify the people whose e-mail and Internet access they wish to tap. Critics of Carnivore have been concerned that its technology was likely to allow other people's e-mail to be searched at the same time but without benefit of warrants.

The FBI responded by addressing the most glaring problem with their Carnivore project - its name. So now it is called DCS1000, which stands for "digital collection system."

Invading Privacy On and Off the Internet. The private sector has moved rapidly to provide an expanding array of privacy-protecting products and services - none of which would have been available to consumers if the government had had its way in keeping encryption technology classified. Now many people want Congress to step in and regulate privacy standards in the private sector. But these standards are a moving target, and no one can know where they will be in one, three or five years (unless they are hit with heavy-handed regulation, in which case innovative privacy technologies will likely migrate overseas). Further, there are valid questions about the will of government to protect private-sector privacy.

James Plummer, in an article in Ideas on Liberty, notes that the real privacy problems are not with private-sector activities anyway but with those of the public sector, both on the Internet and elsewhere.[11] Plummer lists 10 major privacy concerns that come from the public sector:

  1. Federal Web sites (97 percent of which violate FTC-promoted privacy standards).
  2. Mailboxes (the Post Office now requires those who want private postal boxes to show two forms of identification).
  3. Brady Law databases (the FBI is creating a national database of firearm owners).
  4. "Know Your Customer" (Congress is pushing banks to snoop on customers and report any "abnormal" activity to the government).
  5. National ID (such schemes are pushed for health, immigration reform and other reasons every few years).
  6. Wiretaps (the 1994 Communications Assistance for Law Enforcement Act (CALEA) forced phone companies to help track a growing amount of phone and cell phone information).
  7. Internal Revenue Service audits (information in our tax returns is supposed to be private, but it is available to other federal agencies and not well protected from electronic intrusion, according to the General Accounting Office).
  8. Filegate. Another oldie but goodie, this one is still having repercussions today. When more than 900 FBI files of Republican political appointees mysteriously appeared in the White House, the Clintons blamed a "bureaucratic snafu." Depositions by Linda Tripp and others taken in the ongoing civil litigation[12] have revealed that information from the files was copied into White House databases for later use.
  9. Echelon (a global automated eavesdropping operation run by the U.S., U.K., Canada, Australia and New Zealand that only the French seem to oppose, because they have their own).
  10. DCS1000 (formerly Carnivore).
