Privacy

Nowhere -- and No Way -- to Hide

Cecille Isidro — Tue, 13 Nov 2007 16:06:00 -0500

Privacy doesn't mean anonymity. Think about that for a bit -- and get used to it.

Or if you don't like it, get a plan. But it had better be a good one.

On Oct. 23, Donald Kerr, deputy director of the Office of National Intelligence, outlined the new order of things: "Too often, privacy has been equated with anonymity; and it's an idea that is deeply rooted in American culture." Well, yes, the Bill of Rights, for instance, includes protections against "search," as well as "seizure." But that was then. As Kerr put it, "In our interconnected and wireless world, anonymity -- or the appearance of anonymity -- is quickly becoming a thing of the past."

Kerr's speech got little notice until The Drudge Report highlighted an Associated Press write-up. No doubt, of course, the Office of National Intelligence will soon issue a soothing statement assuring us that the government indeed respects your privacy and your anonymity. And we've all heard that line before: "Nothing to see here folks, just move along." Then Uncle Sam will resume perfecting his warrantless surveillance.

In fact, the old equation -- privacy equals anonymity -- is being buzz-sawed six ways.

First and most obviously, terrorism concerns. If you're walking through Times Square carrying a backpack and acting strangely, inquiring minds will want to know why. And Godspeed to cops brave enough to tap that shoulder.

Second, and closely related, the proliferation of cameras and Webcams. Nobody likes to be spied on, but many people -- including parents keeping tabs on baby-sitters -- like to spy. In the coming face-off, the spies have it.

Third, health insurance. We have decided, collectively, to be generous with each other in terms of "human services." But though most Americans are happy to operate a welfare state for Americans, they draw the line at subsidizing the world. So as a matter of administrative necessity, the Nurse State will have to know exactly who you are -- and your legal status.

Fourth, the reality that medical treatment now depends on medical information. If doctors are to help you, they need to know your medical history -- not just blood type and allergies, but everything about you, including your genetic background. Such monitoring is fraught with controversy -- recent headline in The New York Times: "In DNA Era, New Worries About Prejudice" -- but this is the era of the instant Q-Tip identity test.

Fifth, Google and the basic nature of the Information Age. Once upon a time, people cared about bushels of wheat. Then it was tons of pig iron. Now it's bits and bytes. If you ever wondered why the Googlers can give you search engines -- and Gmail, and everything else -- for free, it's not because they are necessarily nice guys. In fact, they've built a $200-billion company by studying you closely.

And the database beat goes on: Just yesterday Network World reported that IBM is buying Cognos for $5 billion. Never heard of Cognos? Well, that's OK; the worldwide "business intelligence software vendor" based in Canada has most likely heard of you.

Sixth, the realization that the planet is getting smaller. If we can agree that pollution is a serious concern, it follows that ore-smelting in China or deforestation in Brazil, is a threat to everyone everywhere. Down the road of those concerns lies a massive global government, which will want to know if you're smoking too many cigarettes.

So what to do? Go off the grid? Become a hermit? That's one way, although, the eye in the sky, of course, will always be looking down from its orbit. But surely there are other ways to escape -- virtual reality, digging deep underground, traveling to space. People are going to try them all, and a huge privacy protection industry is destined to emerge.

But then, of course, everyone else will be curious as to what's being hidden, and why.

Scarlet Letters, Digitized

Cecille Isidro — Mon, 06 Aug 2007 12:59:00 -0400

Did you see that YouTube video of an Australian priest hurling abuse at a motley crew of skateboarders in front of Melbourne’s St. Patrick’s Cathedral? Well, his superiors did, and last week the Rev. Mgr. Geoff Baron was placed on indefinite leave.

And what about the famous, Pulitzer Prize-winning novelist’s cringe-making "personal" e-mail about his wife leaving him for Ted Turner? Gawker highlighted it last week with this in the precede: "insane insane INSANE."

Heck, you might say, they had it coming. But think again. What if one of your worst moments -- when you’ve lost your temper or judgment -- wound up on the World Wide Web for all to ridicule? Even on your best day, how do you feel about people posting your image or your words without your approval?

When we talk of privacy in the Internet age, we mostly speak of financial information and the mounds of data that search engines keep on our e-behavior. But more and more, digital media and the relative anonymity of the Web enable netizens to expose, call out and shame others in cyberspace.

Once upon a time, we thought that the Internet would usher in a new era of free human expression, interconnectedness and understanding. But increasingly we’re finding that it actually nurtures our baser instincts and enables social behaviors that date back to when we lived in caves. Snitching, for example.

Sure, there are benefits. Cellphone calls have helped state troopers catch drunk drivers. Video postings have featured politicians saying stupid things, which I figure is a public service. Last month, a Washington liquor store owner helped police catch an armed robber after he posted surveillance video on YouTube. Earlier this year, a YouTube video of high school students firing weapons and igniting explosives helped police in Connecticut foil an alleged bomb plot.

But for the most part, "gotcha" moments on the Web have less to do with real crime and punishment than they do with old-fashioned public shaming. Who needs a scarlet letter when I can embarrass you digitally on the Internet?

Any netizen with a cell cam -- and a nosy sense of right, wrong, crime and punishment -- can act as a social enforcer, wielding the mass medium of the Internet. Celebs such as Michael Richards, caught spewing racial epithets, seem like fair game. But in one case in South Korea, the Web made an international pariah out of a nobody. After a young woman’s dog pooped inside a subway train, a fellow passenger took photos of her and posted them on a popular blog. Within hours, she was labeled with a name that’s unprintable in a family newspaper, and within days her identity was revealed.

Given her rude behavior, most observers cheered this incident of Internet vigilantism, but did the punishment match the offense? Search engines have long memories, and unlike other, more temporal forms of shaming -- say a misdemeanor ticket or even community service -- the South Korean dog owner will forever be known as, well, you know.

And individuals aren’t the only ones using the Net to bring people into line. States have launched sites to post the names of people and businesses that owe back taxes. Maryland calls its site "Caught in the Web"; Wisconsin nails the phenomenon: "Website of Shame."

A few years ago, George Washington University law professor Daniel J. Solove wrote an essay in which he challenged the idea that the threat to our privacy in the Internet age is akin to the constant surveillance of Big Brother. Referring primarily to the scores of public and private agencies collecting data on us all, Solove argued that a better metaphor for life in cyberspace is Kafka’s The Trial, the story of Joseph K., a man who awakens one morning to find he is under arrest and then begins a frustrating quest to discover why. As K. wanders the city, encountering a farrago of lawyers, priests, citizens and functionaries, his impotence and paranoia expand. In the end, he faces no direct accusers, never has a day in court, and condemns himself.

I think the same analysis applies to Internet shaming. You never know who’s snapping an illicit picture or video, or when and where your name or face could appear on the Web. It’s not so much a centralized authority we fear but our fellow citizens, who now have the capacity to grab little pieces of our lives, pass judgment on them and project them across the globe.

So, just in case anyone’s watching, you better behave.

A Card We Should All Carry

Cecille Isidro — Tue, 21 Feb 2006 00:00:00 -0500

As states get ready to comply with a law passed last May and roll out Real IDs (think 50 flavors of enhanced drivers' licenses that will also, for lack of anything more suitable, regulate access to airplanes, bars and banks), it might be time to consider a national identification card. Unfortunately, two camps own the conversation.

Security heavies and cultural conservatives say a national ID is necessary to protect us from Islamic terrorists and illegal immigrants. Libertarians and government-wary leftists fret about privacy. Progressives and moderates have never shown much enthusiasm for the debate. But there are lots of reasons they should find the idea of a national ID appealing. Among them:

HEALTH CARE Today, if you go to the emergency room, your medical history is whatever you remember to tell your doctor. Health care reformers long to build an electronic health database so medical records can follow patients wherever they go. Congress passed legislation in 1996 to safeguard just such a database. A national ID network could provide the backbone, and the security.

VOTER EMPOWERMENT In 2004, Republican Party officials sent thousands of volunteers to challenge voters at the polls. They claimed Democrats were registering felons, illegal immigrants and people with fake names. Democrats said Republicans were trying to discourage voting in Democratic-leaning counties. Enough already: a national ID could replace voter registration bureaucracy and speed all citizens to the polls.

POVERTY Without a stable address or the cash to pay registration fees, the homeless struggle to get a valid photo ID. Even the working poor can find themselves without ID if a few parking tickets hit at the wrong time, and their drivers' licenses are suspended. A national ID would make it easier for the now officially anonymous to claim benefits, apply for work, get health care, cash a check, enter a government building or open a savings account.

EDUCATION The No Child Left Behind Act relies on broad and potentially misleading measures to guess at school quality, because there is no way to track individual children from grade to grade and see how they progress. School districts have no way to know which students quit school and which ones have just moved across town, which means federal accountability schemes have no way of factoring in dropout rates. A national ID database could allow for more honest accounting.

SOCIAL WELFARE The tangle of agencies that work with the disadvantaged have no good way to share data. It was only a decade ago, for example, that researchers began proving that federal spending to reduce homelessness cuts costs in the prison, health care and welfare systems. A national ID database might lead to better allocation of resources, and quicker responses to emerging needs.

IMMIGRATION A national ID would help Immigration and Customs Enforcement shift its emphasis off impoverished undocumented workers and onto the often unscrupulous businessmen who hire them. For now, if a businessman, a farmer or a labor contractor gets pulled over driving a truckload of illegal immigrants, they can play dumb even if they sold the workers their fake IDs. "The workers aren't going to say anything, because they need the job," says Brian Poulson, the customs enforcement chief for California's Central Valley. "Am I going to get any material witnesses? No." The government's only real option is to arrest the laborers. "It's only the little guy that gets hurt," he says.

All this is not to dismiss privacy concerns. They are huge. But the notion of a national ID created to empower citizens, rather than just monitor us and protect us from foreigners, might inspire progressives and centrists to design a card that works. Or at least broaden the conversation.

From Typhoid Mary to Diabetic Debbie

Cecille Isidro — Wed, 15 Feb 2006 00:00:00 -0500

On Jan. 15, New York City began requiring local clinical laboratories to report to the city health department the results of blood sugar tests performed on citizens. The department plans to use the information to improve surveillance for diabetes, which afflicts an estimated one out of eight New Yorkers and to "target interventions." Specifically, if you live in New York and have trouble resisting sweets, your doctor may soon receive a call from the health department suggesting that he or she needs to persuade you to change your lifestyle.

What makes this development so extraordinary in the annals of American public health is that diabetes is not a disease you can catch from, or give to, anyone else. U.S. governments have a long history of imposing quarantines and otherwise restricting the liberties of people suspected of carrying contagious disease. Early in the last century, for example, the very same New York City health department famously exiled Mary Mallon (aka "Typhoid Mary"), along with many other infectious patients, to a tiny island "colony" in the East River.

Policies that require the reporting of sexually transmitted diseases to public health authorities similarly derive justification from the threat of contagion. Even recently enacted smoking bans in New York and elsewhere were passed only after the public accepted findings that secondhand smoke poses a serious health threat to others.

But diabetes, though now a fearsome epidemic, is not communicable; nor do the behaviors that lead to the disease (primarily lack of exercise and improper diet) put others at risk of illness. It cannot even be said of diabetics, as is often said of illegal drug users, that their habits foster a life of crime or fund crime syndicates and terrorist networks. So how does it become a matter of public interest that governments monitor the medical records of individual citizens for telltale signs of high blood sugar--much less that they "target interventions"? Isn't this the ultimate example of the nanny state run amok?

Many Americans no doubt will say so when they first learn of this and other infringements on medical privacy. But a hard truth is emerging in our time that should caution against snap judgments on the issue: Maintaining medical privacy has become more and more expensive, both to individuals and to the public. The emerging question is whether medical privacy is a basic right or something more akin to a privilege for which those who want it should pay, rather than shifting the cost to others.

The primary reason for the increasing cost of medical privacy is the increasing prevalence of chronic diseases such as diabetes. Diseases of this kind, which have become the leading causes of illness and death in advanced societies, typically can neither be prevented nor cured nor even much ameliorated except by changes in diet and lifestyle--changes that most of us, including myself, are disinclined, perhaps even genetically so, to make.

The medical treatment of chronic diseases typically requires highly coordinated and continuing care. It usually involves an array of specialists engaged in care ranging from surgery to intensive patient education, physical therapy, attempted behavioral modification and, especially in the case of diabetes, constant monitoring.

Moreover, advancing our understanding of how best to cure and manage such diseases requires assembling vast amounts of medical data about populations as a whole. There can be no "evidence-based" medicine without collecting evidence about what works for most people most of the time.

Taken together, all this means that the gathering and sharing of medical information is becoming more and more crucial to the effective practice of medicine, as well as to keeping it affordable for most citizens. This is one big reason why a broad consensus is emerging, ranging from Hillary Clinton to Newt Gingrich, behind the idea that every American should have a lifelong, electronic medical record. The promise is that such records would lead not only to better coordination of care among different providers but to fewer medical errors, more scientific medical practices, and ultimately, greatly reduced costs.

But the trade-off for any increase in the flow of medical information is of course a potentially huge loss of individual privacy. In what instances and circumstances are such trade-offs worth it? This is the new threshold issue in American health care. Medical privacy is not free. Lack of free-flowing information in the health care system drives up the cost of health insurance and contributes to the problem of the uninsured. For the population as a whole, it impedes the safe and effective practice of medicine, retards development of medical protocols based on science, and in all these ways and more reduces productivity and life expectancy. Medical privacy is not simply a question of individual right, even for individuals whose medical problems might at first seem purely their own concern.

We'll Just Shoot First, Ask Questions Later

Cecille Isidro — Thu, 20 Jun 2002 00:00:00 -0400

Did you hear about the government's new plan to launch anticipatory strikes against evildoers?

No, not President George W. Bush's policy, announced on June 1, of "preemptive action when necessary to defend our liberty and to defend our lives." That's old news. Now it's time to look ahead, to "Minority Report," the new Steven Spielberg movie, which offers a window into the dystopic future when government power is taken to extremes. If the film scares you, remember, it isn't "only a movie" -- it's real life, too.

"Minority Report," set in 2054, imagines that the government has set up a Department of Precrime, using the clairvoyance of three mutant "precogs" to see criminality before it happens. But sometimes the visions of the precogs differ, in which case a minority report is filed, alongside the majority report. And so the plot thickens.

The film gets its eerie resonance from the rush of reality, from what's happening in the here and now. Already, Uncle Sam is using spooky techniques of profiling and data-mining to gain clues about things to come. In the words of FBI Director Robert Mueller: "What we need to do better is be predictive ... We have to develop the capability to anticipate attacks."

President Bush believes that future attacks will come from the "axis of evil," the three countries -- North Korea, Iran, Iraq -- that he singled out for stigma in his State of the Union address. But there's a bug in the "Bush Doctrine." Put bluntly, Bush's "preknowledge" about these nations puts him in the distinct minority.

For openers, take North Korea. South Korea, as well as every other Asian state, believes that North Korea is more likely to starve its own citizens than attack its neighbors.

As for Iran, just on Monday, the 15-member European Union decided to open formal trade relations with Tehran, despite strong objections from Washington. The Europeans have long done business with Iran, but their decision underscores their rejection of Bush's Iran-isolating policy.

Indeed, America has, in effect, filed two Iranian minority reports. First, the United States is in the lonely position of declaring a trade embargo that the rest of the world ignores. Second, at the same time, bizarrely enough, the Bush administration has ended up on the same side as Iran in its reluctance to ratify the United Nations Convention on the Elimination of All Forms of Discrimination Against Women. And so it's America -- plus Iran -- against the 169 countries that have ratified this equal-rights treaty.

But, of course, in the Bush view, the big enchilada of evil is Iraq. And it takes no special powers to divine the commander-in-chief's intentions: "I made up my mind that Hussein needs to go," Bush said on April 4. And leading Democrats agree that a U.S.-imposed "regime change" in Iraq is a matter of when, not if.

But here again, in its preoccupation with Baghdad, America is in the world minority, destined to attack alone -- although perhaps a couple of other countries will provide token support. To be sure, hawks on Iraq insist that many countries secretly support American pre-emption. But consider: According to this scenario, countries would be lying when they said they opposed Bush administration military action. But if a country is willing to lie to the world publicly about its true policy, how do we know that in fact that same country isn't lying to the United States privately?

The answer, of course, is to move from one-on-one pre-emption to planetary persuasion. That is, if Bush has a good case against Iraq, let him take it to the world. Let him turn his present-day minority into a future anti-Saddam majority.

But if he insists on acting alone, if other countries see an Iraq attack as merely the arbitrary use of Pentagon power, then one need not be a precog to see what will happen next. If America, the global leader, lets loose a new doctrine of pre-emption, then other countries, too, will feel emboldened to identify "pre-aggression" all around them, launching unilateral attacks of their own whenever it suits them. That's a forecast based on history, not technology.

But in the age of loose nukes, the idea of America's greenlighting a return to earlier lawless eras, those of lone-wolf attacks across sovereign borders, is scarier than anything in the movies.

From Russia with Lopht

Cecille Isidro — Wed, 01 May 2002 00:00:00 -0400

Had Alexey Vladimirovich Ivanov been born in Chicago rather than Chelyabinsk, he'd likely be well on his way to joining the geek elite. His three-page resume lists computer skills that would dazzle any Silicon Valley headhunter. According to his employment history, Ivanov began working at a regional telephone company in Russia while still in his mid-teens, installing Web servers and Cisco routers. His programming talents include tricky languages like C++ and Perl, and he has mastered 18 difference operating systems, from Linux to Solaris. But Chelyabinsk, a Stalinist burg located in the Ural Mountains, is a pretty bleak place to grow up. The town has twice endured nuclear catastrophe -- an arms plant dumped waste in a local lake for years, and in 1957 a nearby nuclear weapons factory showered the vicinity with 70 tons of radioactive dust -- making Chelyabinsk one of the world's most polluted cities. Investors run from its poisonous legacy, so Chelyabinsk relies on the basics of a Soviet-era economy, munitions and metallurgy. "There is not actually to much places where person can use his computer skills for significant amount of money," sighs Ivanov, 21, who mastered computers while horsing around in a lab a Chelyabinsk university, where his mother once taught history. "It is very difficult to get a job."

Given his dim prospects in Russia, the e-mails that Ivanov began receiving in June 2000 seemed especially wondrous. The messages came from Invita Security, a Seattle-based company on the lookout for "security talent" -- an industry euphemism for hackers. Invita was familiar with Ivanov's work as co-founder of a kontora, or unofficial company, known as tech.net.ru. Part Web design firm, part freelance security consultancy, tech.net.ru was reputed to be an audacious cracker of American networks. After compromising a company's severs, Ivanov would contact its system administrator and request money -- usually upwards of $5,000 -- in exchange for revealing security holes.

The Invita executives said they were seeking hackers who could exploit security flaws in the networks of potential clients, who would then feel a need to enlist Invita's services. The company especially welcomed foreign hackers, who could operate beyond the reach of the FBI; it asked Ivanov to prove his prowess by hacking Invita's own computers, which he did with ease. Impressed, Invita asked Ivanov ad his 26-year old tech.net.ru partner, Vasiliy Gorshkov, to fly to Seattle to discuss job offers.

On November 10, 2000, just hours after landing at SeaTac Airport, Ivanov and Gorshkov were arrested and charged with conspiracy, computer fraud, hacking, and extortion. Invita was not a shady security company at all, but part of the ingenious FBI sting designed to ensnare the two Russians. To federal prosecutors, the pair were among the Internet's most brazen outlaws. Ivanov now sits in a Hartford prison, preparing for a trial that could help define a wide-open area of law. The case could also help determine how far investigators patrolling cyberspace's anarchic nooks and crannies can bend privacy rules, international treaties, and constitutional law governing searches and seizures.

For the FBI, luring Ivanov and Gorshkov to the United States was a first, small victory in the campaign against the cybercrime that flourishes behind the former Iron Curtain. Russia, Ukraine, and Romania are hotbeds for hackers, many of who get their start pirating Western software; in Russia, where nearly 90 percent of software is bootlegged, a Microsoft Windows CD retails for less than $2. Since online fees in Russia can hit $1.20 per hour -- a steep price in a country where even college professors like Ivanov's mother earn abut $150 a month -- kids often steal Internet Service Provider passwords using tips most likely gleaned from the 50,000-circulation Khaker, one of Russia's most popular hacker magazines. An epidemic of stolen passwords forced America Online and CompuServe to abandon their Russian operations in 1997.

In the West, mischievous teen geeks usually mature into law-abiding adults -- today's password thief is tomorrow's Java programmer. In Russia, however, where as many as half of the country's software companies may have collapsed in 1998, upward mobility through legitimate tech work is rate. "There is a very large group of educated individuals in Eastern Europe, people that have degrees in computer science, in mathematics," says Arif Alikhan of the computer crimes section at the U.S. Attorney's office in Los Angeles. "And I think the economic circumstances sometimes make it very, very attractive to commit crimes."

Russian mafiosi recruit hackers to plunder credit card numbers from e-commerce sites, but freelance electronic blackmail is also commonplace. Last March, for example, the Justice Department warned that hacker gangs in Russia and Ukraine had stolen more than 1 million credit card numbers from American servers. In October 2000, a cyber-raid on Microsoft that exposed top-secret source code was traced to St. Petersburg. And in August of the same year, two Kazakh men were arrested in London for trying to extort $200,000 from Michael Bloomberg, the billionaire turned New York City mayor, whose passwords they had filched.

Prosecutors allege that tech.net.ru's schemes ranged from larceny to blackmail. A government trial brief states that Ivanov and Gorshkov set up a website, PayPai.com, to trick customers of the online payment service PayPal. Thousands of PayPal users got e-mails with links to PayPai.com, where they were prompted to enter their account details, including the user names and passwords. The lawyers say the two Russians used the account information to purchase computer parts and other goods, which they had shipped to nearby Kazakhstan.

In the Wild West-like Russian hinterlands, hustling like this is part of the survival game. But tech.net.ru may have been unusually reckless and greedy. Ivanov is said to have hacked into perhaps dozens of American networks, exploiting unpatched holes in Windows NT servers and using programs like L0phtCrack, a legendary tool developed by a hacker collective based in Cambridge, Mass., that's often used to crack passwords. According to prosecutors, Ivanov would then notify a network's system administrator of lapses, identifying himself as a member of "The Expert Group of Protection Against Hackers." The e-mail would end with a not-so-subtle demand for a payoff in exchange for tips on how to improve security.

If an administrator didn't respond favorably, Ivanov allegedly turned cranky. On February 3, 2000, for example, after a Connecticut company called the Online Information Bureau rebuffed his initial solicitation, Ivanov sent a follow-up:

[Name redacted], now imagine please Somebody hack you network (and not notify you about this), he download Atomic software with more than 300 merchants, transfer money, and after this did 'rm-rf/'[a Unix command that deletes directories] and after this you company be ruined. I don't want this, and because this i notify you about possible hack in you network, if you want you can hire me and i'm always be check security in you network. What you think about this?

Unwilling companies were punished. According to the government's brief, after an ISP called Speakeasy Network repeatedly refused to pay Ivanov for his discoveries, "Ivanov and/or his co-conspirators then deleted files on one of Speakeasy's main computers. In addition, a few months later, a customer of Speakeasy named BP Radio learned that credit card information from its customers had been posted on a Russian website. Speakeasy lost BB Radio's business as a result."

For a supposed mastermind, however, Ivanov -- known online as "subbsta" -- was surprisingly carefree with his identity. Along with his request for $1,000 -- $1,500-a-month job as a "security consultant," he sent photos of himself to Speakeasy. He also befriended Jim Fitzgerald, network manager at CTS Network Services, a San Diego-based ISP that Ivanov hacked in the fall of 1999. Unlike Speakeasy, CTS hired Ivanov as an independent contractor and even gave him a shell account, which enabled him to store files on the company's machines. Fitzgerald and Ivanov corresponded frequently about security issues via e-mail and Internet Relay Chat, which allows for real-time conversations.

Had tech.net.ru been a bit less bold, it might have evaded FBI scrutiny. Companies hate to admit they've been hacked, so they seldom report intrusions. "If some guy comes in and roots your box and defaces your server, people would like to know who that is," says Greg Shipley, the chief technology officer of Neohapsis, a Chicago-based security firm. "But if it involves tracking the intruder across five countries and 20 machines, most people just don't pursue it unless there are huge monetary losses." Yet if a hacker demands too much, Shipley adds, then "he's asking for it."

By the summer of 2000, tech.net.ru seemed to be asking for it. The growing list of alleged victims included ISPs in Washington, Ohio, and Connecticut, as well as banks in Los Angeles and Waco. Stephen C. Schroeder, an assistant U.S. Attorney in the Western District of Washington, says that Russian authorities were contacted several times without result. "The last time I checked, we do not have an extradition treaty with Russia," he says. "In the e-mail correspondence both to the undercover people and the victims, the taunt was repeated over and over again -- We're in Russia, you can't touch us, the FBI can't get us in Russia."' The Russian interior ministry's "Department R," which fights cyber-crime, can barely keep up with the kontoras kontoras in St. Petersburg and Moscow, much less police a distant outpost like Chelyabinsk.

But Ivanov's apparent carelessness gave the FBI its break. Some victimized companies passed along e-mails in which Ivanov made little or no attempt to conceal his identity or contact information. Ivanov's lawyers say Fitzgerald gave key aid to the inquiry by handing the FBI a copy of the contents of the Russian's CTS shell account, where he had imprudently stored 38,000 credit card numbers. Ivanov's biggest misstep, of course, was leaping at Invita's offer; he was so excited by the opportunity that he even suggested bringing his "business partner" -- the previously unknown Gorshkov -- to the meeting. At Invita's "headquarters," the two Russians were asked to hack a test network. The quicker, more computer-savvy Ivanov did most of the work. Meanwhile Gorshkov, his tongue loosened by 30 hours of travel and a touch of vodka, gabbed nonstop. While they boyish-looking Ivanov tapped away on his Toshiba laptop and listened to Russian pop music, the balding Gorshkov mused to FBI agents about the availability of pirated software in Chelyabinsk ("You can buy it almost in any shop…even in supermarket, where they sell milk"), fishy banking practices in Kazakhstan ("There are a lot of, ah, companies of people in Russia that can help you to open any offshore firm or accounts"), the history of tech.net.ru ("Actually, our firm is, initially, it was created as hackers' club"), and the sinister ways of Russia's domestic intelligence agency, a successor to the KGB, ("If they take you, you'll go to jail -- or you'll work for them").

But the agent posing as Invita's president had little success in getting the two to incriminate themselves more specifically. When the agent asked about whether the Russians had access to stolen credit card numbers, for example, Gorshkov answered like a lawyer: "We'll never, when we're here, we'll never say that we got access to credit card numbers…The fact is that, that this kind of question is better discussed in Russia." He also laughingly dodged questions about how tech.net.ru was bankrolled: "Well, it, it's ah, sort of personal question, and here in America not talk about it."

Hoping to interest Invita in his Web design skills, Ivanov showed off an e-commerce site he'd designed for a photo developer. The best tipoff he gave the FBI was an account of how one company paid him $4,000 for demonstrating how a hacker might steal money from its electronic accounts. "They think I can, ah, do something bad for company," said Ivanov. "And, ah, because this, they sent, ah, pack of money to me. For trust."

Extracting confessions from the Russians was not the sting's main goal, however. The Invita network was outfitted with a "sniffer," a surveillance program that logged Ivanov's and Gorshkov's key strokes as they worked. When the pair accessed their home machines in Chelyabinsk to download hacking tools, the sniffer covertly recorded their user names and passwords. The FBI then used that information to hack the Russians' machines and capture 250 gigabytes worth of evidence. They did so without informing Russian authorities, despite a 1997 G-8 agreement that states, "Investigation and prosecution of international high-tech crimes must be coordinated among all concerned States, regardless of where harm has occurred."

On December 1, 2000, three weeks after the arrests, the FBI got a warrant to examine the data they had remotely seized. Investigators found a surfeit of evidence -- over 50,000 credit card numbers swiped from American servers, computer-generated attack logs, and security tools like LophtCrack. They also discovered that the suspects had opened several ISP accounts under the name "Greg Stivenson." In October 2000, a hacker by that name had written several e-mails to officials at PayPal, revealing a rash of security holes. One e-mail translated from Russian concluded: "Now with regard to questions of security, I can help, but all security questions will be decided not by a mere 'thank you,' because a 'thank you' doesn't put food in your mouth."

Gorshkov was held in Seattle to face federal charges in the Western District of Washington, while Ivanov was taken cross-country to stand trial in the District of Connecticut, home base for one of the companies he's accused of hacking. The Connecticut court appointed a veteran Hartford attorney, C. Thomas Furniss, as Ivanov's counsel, and he zeroed in on the question of whether Ivanov may be prosecuted in an American court for a crime he's accused of committing from abroad over the Internet. Furniss points out that no applicable federal laws explicitly address whether U.S. courts can try foreign cybercriminals. "The U.S. doesn't have the power to decide this case," he insists. "The allegation is that he did a bunch of stuff from Russia using the Internet. No country, including the U.S., owns the Internet."

In response, the U.S. government says to forget the ethereal images conjured up by the word "cyberspace." The prosecutor Schroeder argues that American courts can try Ivanov for the same reason that they can try a man who stood on the Canadian side of the border and shot someone in Washington State. "That's a pretty good analogy for sitting in Russia and victimizing networks or servers in the U.S.," he says. He also stresses language in the Computer Fraud and Abuse Act, which was amended in 1996 to expand the reach of federal law to crimes involving any computer "used in interstate or foreign commerce or communication." That authority allows the United States to prosecute foreign hackers who attack American networks, the prosecutor argues.

Furniss's motion to dismiss was denied, but he is considering an appeal. Meanwhile, the 58-year-old lawyer asked for a tech-savvy co-counsel to help him sort through the case. He got attorney Morgan Rueckert, a 32-year-old former tech-support worker at the University of Connecticut Law School. Rueckert says that Ivanov's e-mails to companies in which he'd found security holes were not extortionate, but part of the normal give-and-take between system administrators and the computer whizzes who find their weak spots: "My sense is that many system administrators, some part of them has that same hacking ethic that the hackers do. [They'll] communicate with hackers, they'll enter dialogues with them. In some cases they want to know about security holes that hackers find, and they are willing to pay hackers to disclose security holes so long as there's no damage done and customer or financial information is not compromised."

Rueckert points to Ivanov's warm e-mail relationship with CTS's Jim Fitzgerald as an example of this sort of symbiosis. Fitzgerald allowed Ivanov to maintain a CTS e-mail account in addition to the shell account. Yet when the FBI came knocking, Rueckert says, Fitzgerald turned his back on Ivanov. He helped the bureau trample on his friend's rights under the Fourth Amendment, which limit the government's power to search and seize property while investigating a crime. And he helped the bureau do an end-run around the Electronic Communications Privacy Act, which requires federal agents to obtain a specific warrant or other order before searching a suspect's data. The FBI had a grand-jury subpoena to obtain "any and all information regarding the e-mail address" that Ivanov maintained at CTS. But the order did not mention Ivanov's shell account, a separate digital entity. Fitzgerald illegally handed over the shell account's contents without prompting, Rueckert says, so all the investigation's subsequent findings must be kept out of court.

But Gorshkov's plight in Washington indicates that courts are inclined to grant cyber-cops substantial leeway. Gorshkov's attorneys argued that by waiting to get a warrant until after the data was downloaded, the government overstepped its search-and seizure authority when it hacked tech.net.ru. They also argued that the FBI violated Russian laws, which strictly forbids unauthorized trespass on hard drives. Russia's intelligence agency concurred in a November report which called the FBI's actions "illegal and criminal," though the Russian government has not protested the U.S. prosecution of Gorshkov and Ivanov.

In an order issued last May, U.S. District Judge John C. Coughenour summarily crushed the defense. The government's hack was not a search entitled to Fourth Amendment protection, he wrote, because the files remained on Gorshkov's computer in Chelyabinsk. Coughenour also said that even if the Fourth Amendment did apply to data in a foreign country, the government had good reason to conduct a warrantless search.

"Basically, the ruling says that our police officers can obtain unauthorized access to a computer for law-enforcement purposes, despite the fact that it's overseas or under the jurisdiction of another country," says Jennifer Granick of Stanford Law School's Center for Internet and Society. "That could come back to haunt us, when [foreign police] log onto our citizens' computers [in America] to take evidence to try them under their laws." Russian intelligence agents, for example, might now feel at liberty to hack American machines in the guise of "investigation."

With the evidence from the Invita sting before the jury, Gorshkov stood little chance. His lawyers called just three witnesses. One of them contended that the tech.net.ru was merely a Web design firm. "He identified a Web page that they had designed for a company," recalls Shroeder, who prosecuted the case. "That Web page, incidentally, was hosted on a hacked box that belonged to a school [district] in Michigan." The hack traced back to a computer registered to tech.net.ru. The jury deliberated for less than a day before finding Gorshkov guilty on all 20 counts of the indictment. He is scheduled to be sentenced in June.

Ivanov, meanwhile, is still being held without bail in Hartford, awaiting a trial date. Visa issues and money woes have prevented his family from visiting the United States, so he spends most of his time writing letter home in longhand. He was recently allowed some use of a laptop (no printer, no modem) to assist in preparing for trial. For a young man whose pursuit of a tech job in American may cost him many years behind bars -- he faces a likely sentence of between 10 and 20 years if convicted -- the young Russian maintains a strangely sunny outlook. "I tried to find a job in U.S. since I was about 18," says Ivanov, whose lawyers would not allow him to discuss the specifics of his case. "I could not say that it was easy. The main reason for this was, of course, to get more money for job. Eventually I was successful, and now I have three free meals every day."

His supporters back home have not been as sanguine. As news of the Invita sting spread throughout Eastern Europe's hacker scene, angry notes flooded Khaker's online message board. "Watch out Russian hackers!" Warned one anonymous poster. "You see what kind of lowlife tactics the Americans are capable of, so work more carefully!"

The Unwanted Gaze

Communications — Wed, 31 May 2000 12:30:00 -0400

A New America Event
05/31/2000 - 12:30pm

The Digital Age has brought abundance to the connected, but one commodity is growing perilously scarce: privacy. The Internet and other information technologies have made sensitive information about individuals' private lives available to employers, vendors, government authorities -- to anyone, in fact, with the right knowledge and a little money. In his new book, Jeffrey Rosen argues that legal, technological, and cultural changes undermine an individual's ability to control how much personal information is communicated to others, and he proposes… more

The Unwanted Gaze

adminn — Wed, 31 May 2000 00:00:00 -0400

I just did a search on Google. I've left Yahoo because Google works faster in searches, and Jeffrey Rosen, when you plug in his name, has 12,493 citations. Now, they are not all the same Jeffrey Rosen; I've found there were sort of two or three others. But they are quite interesting. If any of you read Jeff's front cover of The New York Times Magazine story recently -- and I actually heard it at a dinner conversation, but he validated it by putting in it in the article -- someone he knew, and I think someone I know too, did an Internet search on the man she was about to date and found out all of this information about him, some of it very embarrassing. I tried to dig into Jeff Rosen's information, through the search engine -- rather than looking at the first 40 or 50 citations, trying to jump down 2000 or so to find the real story on Jeff Rosen. I failed. But I know that in there is all sorts of information about him that he wouldn't otherwise want other people to know. And that's probably what has led him to write this important new book that has gained so much attention called The Unwanted Gaze: the Destruction of Privacy in America.

Jeff is an associate professor at George Washington University Law School, and I think equally or more important, he is the Legal Affairs Editor at The New Republic. The New Republic is a fine magazine, but there are a number of people who make it a particularly important journal to read, and Jeffrey Rosen has brought, I think, so much important scrutiny to some of the important legal issues facing the country over the last year or two. And I've been impressed with the application of his legal mind, and what he's brought to these important evolving questions on not just Internet privacy, but this new world we are going in to.

So it's a great pleasure to have Jeff Rosen here, who will speak for a few minutes. We'll follow by a round of questions and answers and then go on from there. So Jeff Rosen.

JEFF ROSEN: Thank you all so much for coming. This is the first day that the book is out, and I really can't think of a nicer place to be celebrating. The New America just is doing the most exciting work thinking through these issues, and I'm just so pleased to be here.

I thought I'd begin by trying to convince you why privacy is important. It turns out to be a much more counterintuitive idea than we would think. Everyone is for privacy in the abstract. But in fact, we are going to have to do a little bit of work together to figure out why we should actually care about privacy on the Internet.

But Steve has actually made my task much easier giving us the spectre of the most chilling idea imaginable, which is to have someone do an Internet search on you. Why is that so incredibly creepy? The story that I told at dinner, my poor friend who ran an Internet search on the guy she was set up on a blind date and found that he had been described in an online magazine -- Salon, of all places -- as one of the ten worst dates of all time. And all of these rather intimate details were fixed in her mind during their first and only dinner. So it was bad news for this poor guy. So why is it that it is so creepy to think of Steve doing an Internet search on Jeff Rosen? And of course, you know, the really juicy stuff is at 2005, or something like that. But I think it's because, in the age of the Internet, as thinking and writing and gossip and speech and sex increasingly take place in cyberspace, all of us are feeling a little bit like Monica Lewinsky.

Monica is the heroine of my book, and she's just this totemic figure. I have to say it, I can confess this now; I hope this isn't too indiscreet. I was absolutely thrilled the other day to get a telephone call from Monica's mother, saying that Monica and Marcia Lewis had read the book, and they felt so happy and so vindicated that someone had finally realized what was at stake in the whole drama that we all went through together last year. And that is privacy; not all the gossip and the tabloids and all that sort of stuff, but this notion of living in a completely transparent society. So in her memoir, which is -- I'm actually a bit of a fan of Monica's Story. I think it's a important work of constitutional scholarship. It teaches all of us, important things about privacy. It is. Actually, it's got an earnestness and a raw eloquence. And what Monica says is, the part of the Starr investigation that she found most invasive wasn't the subpoenaing of her mother or her friends, although that was bad enough. It was two things: It was the subpoenaing of her book store receipts from Kramerbooks, and also the resurrection of her undeleted e-mails and unsent love letters from the hard drive of her home computer. Prosecutors actually went back and, you know, that nothing on your hard drive is actually deleted unless you take care to use a secure, total delete program that puts X's and 0's all over the spaces. And they resurrected her undeleted e-mails and her unsent love letters. It was such a violation, she said. I felt like wasn't a citizen of this country any more. How is it possible that prosecutors were able to subpoena her unsent love letters from her hard drive?

In the 18th century, the paradigmatic example of an unconstitutional search was the search of someone's private diaries. King George III dispatched his Ken Starr figure, Lord Halifax, to search the diaries of John Wilkes, this roguish English patriot, a sort of Bob Packwood character. And Packwood objected that his diaries had been searched; he sued Kenneth Starr for trespass -- in those days, privacy was protected by notions of private property. You had to physically break into someone's home to get their diaries. And he won ruinous damages: A thousand pounds, a lot of money in its day.

Two centuries later, Bob Packwood and Monica Lewinsky tried to challenge the search of their diaries, and they found that the legal protection for private papers had evaporated. And one of my tasks in this book is to trace the legal evolution that made that invasion possible. But I also want to talk a lot about technology.

What was it that Monica found so invasive about the search of her undeleted e-mails and unsent love letters? I think it has a lot to do with what many people found so creepy and invasive about the sinister profiles of Double-Click. Remember, the uproar about Double-Click in March? Double-Click is the internet's largest advertising broker, and for a long time they had been putting cookies on our hard drives. Cookies are these little electronic files that enable them to trace the sites that we've visited and often the magazines we've skimmed and the amount of time we've spent skimming, reconstructing our reading habits with granular precision. As long as this reconstruction, these cookies were anonymous, people were happy to accept them in exchange for the efficiency of surfing more closely. But all of a sudden, in March, Double-Click announces that it's brought Abacus Direct, which is the largest direct mail company in the country, covering 90 million households, huge, and proposed to create personally identifiable dossiers linking our actual identities with our online and our off-line browsing habits. So suddenly browsing that once seem anonymous was going to be identifiable and put in personally identifiable dossiers.

People went nuts. The stock plummeted. Dot-com investors protested. And the epic Electronic Privacy Information Center threatened a suit at the FTC, and under this pressure, Double-Click backed down temporarily.

So what was it that people found so creepy about the Double-Click profiles? I think it was this notion, and this is one of the theses of the book, it was the same indignity that Monica was upset about. It was the danger of being judged out of context. What privacy protects us against is the danger of being judged out of context, of having isolated bits of information -- our reading habits, our e-mails, our gossip -- intended for one audience, recorded and then taken out of context by another audience and potentially mis-interpreted. So Monica didn't mind that her friends knew that she read Nicholson Baker's Vox, because they knew she was more than the kind of person who read a slightly dirty book about phone sex. They knew that she had many other dimensions. She does, she's a good girl, I'm a big Monica fan, so I won't hear a word against her. Similarly, if all that you know about me my silly speech I gave three years or my music habits, the music I listen to, which is kind of weird, definitely weird -- I'm not going to tell you what it is. Or the books I read. Even if the books I read aren't particularly embarrassing, you might think I'm one kind of person, whereas in fact, I'm much more than that. You just don't know me in all my rich and wondrous dimensions. Only my friends and then colleagues know me to that level.

So actually, this danger of being judged out of context is the same danger that Brandeis and Warren talked about in the most famous article on the right to privacy every written. This is in the Harvard Law Review of 1890, "The Right to Privacy." It begins, "The details of sexual relations are spread, broadcast over the columns of the daily papers. Column upon column is filled with idle gossip which can only be procured by intrusion upon the domestic circle." So what were Brandeis and Warren so upset about? Turns out it was a relatively innocuous event. It was a little gossip item in a Boston tabloid describing a lavish breakfast party that Warren had put on for his daughter's wedding. Innocent. It was like Vox. It wasn't salacious or secret. People confuse secrecy with privacy. Secrecy is just one dimension of privacy.

What Brandeis and Warren were upset about is the idea that intimate information, disclosed in the sympathetic confines of their aristocratic social circle, and understandable by that group, would be wrenched out of context and gossiped about by strangers. This is my answer to those who say, "Why be so alarmist? There's always been threats of technology to privacy." In Brandeis and Warren's era, it was the instant camera and the tabloid press. The new technologies of the Kodak camera led them to say that what used to be whispered from the closets is now shouted from the rooftops. True, technology has always changed, posing new challenges to privacy. My claim, though, is that there is a greater danger of being judged out of context in a world where so much of our public and private lives are lived in cyberspace, and therefore recorded and potentially monitored.

It use to be that gossip was, in Brandeis and Warren's day, exchanged in a drawing room and was quickly forgotten. Nowadays, we have the case of James Rutt, this Internet executive who tried to erase his own past. This is the guy the Washington Post wrote about. He spent, you know, a decade in "The Well," and AOL discussion group, and he was happy to talk among virtual friends about politics and music and his own weight problem. But suddenly he's appointed head of Netscape Solutions, I think, and he's worried that all of his gossip is going to be used against him by his business competitors and embarrass him. Rutt fortunately has a wonderful solution -- not law, but technology. "The Well," wonderfully had technology called Scribble that allowed him to go back and erase a decade of his own postings, reconstructing in cyberspace the kind of privacy that all of take for granted in real space. But in this virtual world where so much of our lives are recorded and monitored, we all have to think hard about how precisely we can protect ourselves.

So let me think a little bit about that problem right now. What is the best response to this problem of being judged out of context? Well, one response is that I'm just exaggerating, and I want you to tell me whether or not I've convinced you of this when we talk together. But there's a very respectable position that says, well, if a problem is being judged out of context, then more information is the answer. If all we know about Rosen is the weird music he listens to, well, let's know everything else that he listens to and buys. Let's actually put his Double-Click profiles up on the Web. Then everyone can look at him in all of his wondrous dimensions and will fail to misjudge him.

This view is interestingly put forward in a book by David Brin called The Transparent Society, which basically says, you already have no privacy; get over it. The battle is over. There are going to be cameras in the bedrooms. We saw that in Time Magazine last week which said that people now like having cameras in the bedrooms. So the only question is, who should have access to the cameras? And as long as the government doesn't control it and all of us have access to each other's information, we can happily spy on each other and you can enjoy each other in all of our glory, and there will be no danger of misjudgment.

I believe as passionately as I can that this view is blinkered and wrongheaded and inane and misguided. And here's some of the reasons. Even if you knew everything about me, even if you could do an Internet search on everything that I've ever said and done, you're run into the Steven C. Clemons's problem, which is that there is a whole lot of information, and all of us have limited attention spans. He had to introduce me, so he had no choice. But he only got up to page 2000, and wasn't able to do 2005. If my Internet logs were available, if the Double-Click logs were available on the Internet, you'd start clicking through it, and then pretty soon you'd lose interest, because they're not that interesting. You'd move to a more interesting Web site or click somewhere else. In a world where people are overwhelmed by information, the limits of other people's attention spans guarantee that there just isn't enough time to absorb the raw mass of data.

So for example, we have the interesting story of the Canadian Security Agency, which was doing these digital taps on people's phones; Sixty Minutes reported this. The poor mother is gossiping to her friend. She says that her son has bombed in his school play, and she's put on a list of suspected terrorists. This is the context problem. There, there was no problem of the data. It was all available. But the idiotic -- not the idiotic, the understandably limited resources of the worthy Canadian Security Agency couldn't actually read all the logs, so they started doing word searches, and they came up with this ridiculous problem of being judged out of context. So the context problem exists. Even if we have too much information, as well as too little, filtered or unfiltered information taken out of context is no substitute for the genuine knowledge that can only emerge slowly over time.

Slowly, over time. I want to talk about the temporal dimensions of privacy. Here's another reason why Brin and the transparency crowd -- these are these are the guys we are going to have to argue against, because I am telling you, the party of reticence that I'm arguing for, this is the embattled team. This position -- Brandeis and Warren's position, basically -- doesn't have a lot of friends. But I'm sure you are all on my side, so I am going to try to bring you around to the party of reticence.

Here's another reason. The character of our life, our private and public life, is transformed by the uncertainty about whether or not we are being observed. Where did I get the title for this book, The Unwanted Gaze? It comes from a lovely doctrine in Jewish law which deals with the law of what happens when your neighbor puts a window over your common courtyard and starts to observe you. And it's this doctrine called hezzek re'iyyah, which means "the injury caused by seeing," or "the injury caused by being seen." This is beautiful doctrine, because American law doesn't have a good notion of the indignity that occurs from being seen, because we think in terms of property all the time; you can't break into my house to get my diaries. Jewish law says that when your neighbor puts up the over the common courtyard, you can not only enjoin him from gazing at you, but you can order that the window be taken down, because it's the uncertainty about whether or not we're being observed that inhibits us and prevents us from acting freely in private places and causes us to lead more constricted lives. It's the uncertainty about whether or not we are being observed that changes the character of our existence.

And I think that chilling Time story about the exhibitionists who are blinkered enough -- they should be free to do this in a free society, but blinkered enough to live their lives under cameras, just to convey quite vividly the degree to which some of the character of our lives is changed by constant observations. So we just have to resist those cameras at all costs.

What can be done to resist this world of virtual exposure? Let's think of three possibilities: law, technology, and politics. First, let's think about law. Some legal protections could be resurrected. It's an outrage, and it's remarkable that in just years, this ancient prohibition against searches of private papers, a prohibition that was at the center of the Fourth Amendment to the Bill of Rights, which was reaffirmed in the in the Boyd case to include not only a search of private diaries, but even of private business papers -- that this ancient right has been whittled away over the past years without anyone even noticing it. And there's no reason that we couldn't resurrect some kind of protection for private papers. This would require a judgment. So, for example, it makes much more sense to say that the state should be able to search diaries in the Unabomber case, where the diaries were actually crucial to solving the case, than in a dismissed civil suit involving alleged perjury. In the old days, people would actually balance the seriousness of the crime against the intrusiveness of the search. So you need filtering mechanisms and special masters.

Here's a funny story. When Bob Packwood had his diaries searched, he was outraged; he objected; he cited the case of John Wilkes. He said, "This is my most intimate secrets," and he said, "The Senate should appoint a special master to decide what's relevant and what isn't." Who did he recommend? Ken Starr,
the respected former appellate judge who had been sort of a counsel for the Republicans, and unfortunately the Republicans thought that Starr was too liberal to do the job, and they turned over all the diaries. So there could be some kind of balancing that would resurrect Fourth Amendment protections.

There are other inadvertent legal forces that have contributed to this new monitoring regime, one of which is the expansion of sexual harassment law. Sexual harassment law, you know, forbids speech that creates a hostile or offensive working environment. And many of the justification that many companies have used to justify their Internet monitoring -- the American Management Association, incidentally, now tells us this year that more than half of U.S. companies monitor the Internet browsing and e-mail use of their employees -- one of the leading justifications is fear of liability for sexual harassment. Because of the uncertainty of hostile environment tests, companies have an incentive to monitor far more speech than the law actually prohibits. So this law could be refined. I won't give you the details of how I think it could, but I just want to flag the fact that this is an unintended effect of a very important legal area that might be refined as well.

Most directly relevant to, I think, your interests here today, we could think about global privacy protections. Europe has a principle that says that information disclosed for one purpose can't be disclosed for another without the consent of the individual concerned. And the Senate and the House are now considering various instantiations of this principle. The rather dreary policy debate that's going on, which
has interestingly moved much more quickly than any of us could have imagined, is between Opt-in and Opt-out. So what's the difference here? It's always hard to keep these straight. Opt-out says that the baseline is that companies can collect your data, and if you don't want them to, and then you click the little boilerplate and then they don't collect it.

I am not persuaded by the virtues of that approach. We all know about the effectiveness of the legal gobbledygook. People click past it as quickly as teenage boys click past the adult certification screens on adult Web sites. No one really reads that. And because of the counter-intuitive nature of privacy, that in fact it's just hard for people to realize exactly why it's important until it's too late -- my sense is that there should be a heightened degree of consent, something along the lines of Opt-In.

Opt-In says that they can't collect your data unless you affirmatively give consent. Now, I think Opt-In is especially important when we are talking about personally identifiable data. Cookies are maybe not so worth getting upset about, but Double-Click now is negotiating with the government and proposes to be able to have its dossiers after all, as long as people just have some kind of Opt-out provision. Not acceptable! Again, it's a very counter-intuitive notion. And people are very happy to just waive and alienate their privacy rights in exchange for free stuff, things like "Free PC" or for targeted ads.

Double-Click talks about the delirious convenience of targeted ads. Isn't it delightful, after you visit a site involving car manufacturers, to have helpful ads involving other cars or luxury boats come tripping into your living room? Isn't wonderful to save the convenience of not being bombarded with ads that you don't care about? I find it creepy. Other people may not share my intuitions. But I am saying to you that we want a high degree of consent before personally identifiable dossiers are collected, because once they are they can be misused, and people won't realize what they've done until it's too late. Employers and insurance companies and jealous ex-spouses, once these dossiers exist, there are there's really no telling what will happen to them. This is why creation of property rights and personal data may not be as effective as we might think, because people can alienate or sell their property rights, and then they can't get them back. Once I sell them to Double-Click, then it may be much harder for me to maintain some kind of limited control.

So this is just a fancy way of saying that I am not putting all of my cards in law as the mechanism that's going to save us. I do think that legal protections, basic constitutional protection, should restrain the state. But there are complicated legal issues in restraining private industry from collecting data, not least of which are First Amendment concerns. This is a yet another interesting sideline. But my friend Eugene Volokh at UCLA, a powerful libertarian, has made a strong case that would actually might violate the First Amendment, violate the commercial speech rights of Bell West, which wants to collect my selling information, my dialing information, and then sell it to its affiliates, which will then bombard me with targeted ads. Bell West, if it doesn't own the speech, the information, it's at least legally acquired, says my friend Volokh, and therefore, if we take the First Amendment seriously, there would be free speech concerns involved in restraining companies from resale -- an interesting area, very unsettled in the courts. So law is important. There are different aspects in which this battle has to be fought. But I don't think there's a global legal solution.

Next, there's technology. I like technological solutions a lot. Self-help is a great thing, so Scribble is a way of protecting ourselves. We can all go back and cover our tracks. I told in the Times piece the story of my student. He didn't want to be identified, so I called him by his first initial, K. So K is the rational man in this brave new world. He's a paranoid. He's absolutely mad. He wears green army fatigues and black boots and he spends all his time covering electronic tracks. He uses Scribble. He uses this Kremlin total delete program, which puts X's and O's all over his hard drive. He encrypts his e-mail. He has firewalls that tell any company that sends him a cookie, "Keep your cookies off my hard drive."

The guy is absolutely clinical. And he is rational to the core. All of us should be -- if all of us really informed ourselves, we would all be like K. I love K. So we too we would use anonymizers -- anonymous browsing technologies that wrap our browsing and e-mail requests in layers of encryption, and through a complicated process make it difficult to trace the original sender to the recipient, would cover our tracks in this way.

And there are others -- the technology is so interesting, and changing every day. A new company called Tacit Knowledge has just said, well, why should it be the case that e-mail is presumptively public, merely because it's stored on your employer's server? Let's architect the system so that all e-mail you send is presumptively private. It's put in a folder which can only be accessed with your personal password, not by your employer. If you want to make it public, you have to affirmatively give consent and put it in a public place. And then there are funky things that they do, like word searches of even the private folders that can enable you to send e-mail on related subjects to people who have written about what you are writing about, but people can refuse to accept this if they don't want it. So there are many ways of reconstructing in cyberspace the architecture that property used to ensure in real space, and we can be creative about this.

But ultimately I would feel that it would be a defeat for the team of reticence if all of us had to live like K, and if all of us had to wear green army fatigues and use secure total deletes and furtively anonymize our browsing technology. That would put us in the same category as citizens in the Soviet Union, who responded to constant surveillance by making telephone calls from public phone booths and paying in cash and basically exhibiting a bovine, bovine surrender to technological determinism. In the Soviet Union, privacy intrusions made citizens live like cows. I use this strong word here, because this is really what's at stake. And I think that American citizens should not have to live like cows. So technology is important, and you should inform yourself -- all of us should -- about the stakes. But I hope that we won't be driven to precisely this level.

So where does that leave us? I think it leaves us with politics. Politics turns out to be a great thing in protecting privacy. Let's think about the recent responses to the really intrusive efforts of the surveillers. When Double-Click proposed its creepy profiles, it was political protests that made them back down. And these political protests are being heard on both parties. Senator Shelby and other Republicans are among the most vigorous advocates of privacy, and the advocates of Opt-In. Our friend Congressman Barr has shown his finest colors, and is very much of a Fourth Amendment fan, and doesn't want government or private industry collecting his information. So politics can be effective.

Let's think of the other examples. I brought a Sprint Web phone. I resisted for a long time, because I haven't -- I am sort of Luddite technophobe, and I didn't want to be -- well, actually, I didn't want to be accessible. I didn't want to have to answer the cell phone. But I bought it so I could browse my new book on Amazon, because the cool wireless web sites enable you to check -- you have to check, like, seven times a day to see if the wave moves up and down. And this Sprint promptly disclosed my phone number to Amazon. The thing was architected so that they had my phone number. Outrageous. You don't have to do that in real space. There was mini -outcry, and the result was that Sprint, in a week, promised to change the wireless web phones and re-architected it not to do that.

Another example is Real Networks. When Real Networks announced that it was it had the capacity to match our listening habits on the most popular jukebox on the web with our actual identity through the use of a GUI, a globally unique identifier, assembled when we perhaps foolishly give our e-mail addresses to register for these new technologies, so in other words, they'll have the capabilities to match my e-mail address with everything I listen to -- this is the Monica problem -- people went nuts. And within an afternoon, they first said, "We've never actually united the data," but they promised to disable to the GUIs. I just heard the other day that there is some rumor that they may be re-enabling them under some new system.

So the privacy advocates are zealous, and they are our friends, and we should respect their vigilance. And so Real Networks, and then finally Intel. Intel was putting globally unique identifiers on its Pentium chips, making it possible to link every single word processing document I write with my actual identity. And people got angry about that, and they promised to disable those as well. So these are all examples of the beautiful effectiveness of politics. It was politics that forced Double-Click and Real Networks and Intel to back down. And my strong counsel to you and to all of us is to remain vigilant in the face of these new threats to privacy, never to surrender to technological determinism, and to insist on maintaining, against the odds in this brave new world of virtual exposure, the same privacy in the 21st century that we've long taken for granted in the 18th, 19th, and 20th. Thanks so much.

The New Politics

Cecille Isidro — Mon, 17 Apr 2000 00:00:00 -0400

Several years ago I was driving cross-country from Washington to Berkeley. My D.C. license plates inevitably sparked interesting political discussions along the way, especially in the Rocky Mountains, where I encountered many people with sympathy for the militias so often derided on the coasts. One conversation in particular made a strong impression.

I chatted with a nice fellow who was fishing with his son. He was discussing his firsthand experience with the federal government's abuse of power. When I told him I was on my way to Berkeley, he said, with some regret in his voice, "Those guys in the '60s had it right. I didn't realize it at the time but the antiwar radicals were patriots. They understood that the government couldn't be trusted and tried to do something about it."

Here was a guy most people would have placed on the far-right fringe of American politics expressing his admiration for those who defined the far left. Isn't that shocking? Well, yes, at first. But the more you think about it, the more it makes sense.

The so-called ideological spectrum bears a strong resemblance to a circle. Although guided by very different logic, people on the far left and far right of politics have reached similar conclusions regarding the danger of governmental abuse of power and the importance of individual rights.

The Internet often reminds us of the plasticity of political ideology. Few, if any, of the hot online issues that currently receive attention in political and policy communities have a readily identifiable ideological divide. In other words, there is no right or left in cyberspace.

I am not arguing, as some have suggested, that the Internet is post-political. On the contrary, as the Net grows, political disputes regarding technology's future will only increase. What is clear, however, is that in all such policy disputes there will be no "liberal" or "conservative" position, and partisan labels will provide little guidance. Consider a few of the most prominent issues of the moment:

Internet Taxation: Having failed to reach an agreed-upon two-thirds majority recommendation, the 18-member Advisory Commission on Electronic Commerce voted 10 to eight to a five-year extension of the moratorium on new Internet taxes. The deep divisions that kept the committee from reaching consensus didn't follow ideological or party lines. Utah Gov. Mike Leavitt, a Republican, has led the opposition to Virginia Gov. James Gilmore, also a Republican, who has led the drive to ban taxes on e-commerce.

It's possible to view this issue in ideological terms. The exemption of Internet sales from taxation is an extremely regressive tax policy. Poor people spend less money online. By exempting online purchases, the tax burden is disproportionately placed on the people who can least afford it, instead of on relatively wealthy Internet users. But that argument is rarely, if ever, invoked. Rather, attention is rationally placed on the unfairness of putting brick-and-mortar retailers at a comparative disadvantage.

Striking even closer to the concerns of public officials of all stripes, the exemption of Internet sales from taxation is a potential threat to states and localities that rely on sales taxes to finance their programs. That is a concern naturally uniting the most partisan of Democrats and Republicans.

Privacy: What is striking at the moment when it comes to privacy is that the big, bad government wolf is not a Joseph McCarthy-like reactionary or even a religious prude in the image of Pat Robertson, but more like Bill Clinton. That's right, the same president reviled by the political right as a dope-smoking, draft-dodging liberal is also feared as an information-age Big Brother. As if this does not seem weird enough, Georgia Rep. Bob Barr, conservative icon and House impeachment manager, is teaming up with the ACLU to protest Echelon (ELON) , the network of spy agencies that is monitoring all sorts of electronic global communications. Has the world gone mad?

Not really. The Internet has introduced new problems ranging from malicious hacking and sales of prescription drugs to cyberstalking. Most people want these problems addressed. Disagreement comes when the solutions more than the problems themselves frighten people. So, for example, the FBI's proposed rules, which would require computer manufacturers to make PCs eavesdropping-friendly is a step too far for many -- even if it means that some criminals may escape punishment. Others, however, are willing to let the government onto their computers to protect their children from pedophiles lurking in chat rooms. Which group of people are the liberals and which are the conservatives?

OK, let's move past the straightforward part. Many privacy advocates argue that the real danger is not from the government, but from profit-seeking corporations, greedily searching for consumer data. This is the DoubleClick (DCLK) threat. Now who can stop these companies from violating our rights? Industry self-regulation? Unlikely. Why, it's the government, of course.

Uncle Sam is being called on to restrict private firms in their collection of personal information. To the libertarian (for those who think my whole argument comes down to over-reliance on the liberal-conservative divide), this is unacceptable. The government should not be restricting the behavior of private firms. But if the government does not act, individual liberty would be, in a real sense, even more threatened, albeit by private companies.

Intellectual Property: It would surprise no one if tomorrow an Internet company patented the idea of going to work in the morning. Stories of silly patents mask a potentially debilitating problem. What is the proper extent of property rights in an information-based economy? The e-commerce patent follies raise some worries of overly aggressive protection of intellectual property rights stalling economic activity.

The coming donnybrook in the intellectual property field will concern biotechnology. Already private companies have patented sequences of the human genome. This poses a danger not only for the future of genetics-based industries but also for medical researchers. Do such patents preclude scientific investigation? If there is no commercial angle, will large pharmaceutical companies or other biotech firms invest the hundreds of millions required? Should the government bankroll research that will benefit a limited number of investors who planted their flag in this unmarked terrain? Which is of greater weight, the property rights of those who secured patents, or the health of a market for genetic innovation that could be prematurely stifled by speculation?

These are difficult questions for which ideology is no guide.

The ambiguity helps explain why neither the Republicans nor the Democrats have been able to establish themselves as the party of high tech (notwithstanding the efforts of both to do just that). Not only do tech concerns cut across party and ideological lines, but tech interests inevitably clash with core elements of each party's constituency. For example, high-tech companies' insistence on the need to raise immigration quotas offend both right-wing Republicans and the Democrats' labor base.

It is conceivable that as Internet and other technology issues take on broader societal significance, a new or existing political party will abandon positions based on old cleavages to emerge as the Party of Technology. For the immediate future, the ideologies that animate political parties will not allow any such co-optation. Both parties will continue to court Internet support, and tech leaders will continue to play both sides of the fence.

In the long run, however, the persistence of issues that do not conform to the right-left schism could finally banish this flawed paradigm to memory.

Don't Tread on Freedom

Cecille Isidro — Thu, 17 Feb 2000 00:00:00 -0500

Attorney General Janet Reno and FBI Director Louis Freeh lobbied Congress yesterday to expand the federal role in the battle against Internet crime. The Clinton administration is asking for an additional $37 million to bolster its hacker-tracking "cyberforce," among other initiatives. President Clinton this week tried to reassure Internet executives that Big Brother was not coming to the Internet. But have efforts to police cyberspace already gone too far?

There's no question that as Internet use increases, Internet use by criminals increases. Some of the dangers have been well-chronicled:

Electronic information lures thieves. Stolen "identities" allow crooks to run up credit-card bills, pass bad checks, and destroy credit histories. A well-publicized hacker has recently elevated this gambit to a new level, blackmailing an online retailer from which he stole thousands of credit card numbers.
Anonymity emboldens perverts. Purveyors of pornography -- legal and illegal- have found the Internet good for business. And sexual predators use the seemingly benign settings of chat rooms to identify and lure potential victims.
A global network multiples opportunities for economic crime. Auction sites like eBay not only facilitate honest transactions; they invite dishonest individuals to rip off trusting counterparties. Steven Kamensky, a Long Island high school student, and his father, Ira, were arrested last fall and charged with collecting more than $50,000 by allegedly defrauding eBay customers.

In another alleged racket, Alfred Flores was indicted and accused of purchasing shares of a bankrupt chain of used car dealerships. According to Securities and Exchange Commission charges, he circulated information to online traders that the company had purchased a research firm developing a cure for AIDS. He allegedly made $500,000 on the resulting increase in stock values.

Slowly, even some ardent defenders of the Internet's libertarian culture are turning to government for protection. And therein lies a hidden threat posed by Internet crime. Government agencies, struggling to combat new types of criminals, may tread upon individual rights. And the public, whipped into a frenzy by stories of Internet mayhem, may accept these intrusions too easily.

Consider Echelon, a spying network jointly operated by the national intelligence agencies of several Western countries, led by the U.S. National Security Agency. Echelon combats international terrorism by scanning millions of international communications (including e-mail) for suspicious words like revolution, manifesto and Waco. When Echelon's existence was revealed last year, its scope surprised even the most vocal alarmists. It has aroused opposition from diverse quarters, from Rep. Bob Barr (R., Ga.) to the American Civil Liberties Union.

On the domestic scene, several federal law-enforcement agencies have increased their attention to Internet crime. As part of its Operation Innocent Images, the FBI tracks adults with a suspicious interest in children. Agent Allison Mourad is one of several who spend their days "disguised" as 13-year-olds in Internet chat rooms, trying to lure pedophiles. The Securities and Exchange Commission has created a "cyberforce" to troll the Internet for scam artist, as have the Federal Trade Commission and the Food and Drug Administration, which is on the lookout for pharmaceutical sellers who do not require prescriptions.

President Clinton's Working Group on Unlawful Conduct on the Internet has proposed a Federal Intrusion Detection Network, or FIDNet, within the FBI that would monitor flows of electronic data to help track down the hackers of the future. This would create an unprecedented opportunity for the FBI to perform surveillance of all domestic communications. The proposal has drawn a flurry of objections from privacy advocates. The FBI has also proposed rules that would permit tracking of physical locations by cellular phone use and monitoring of Internet traffic under the Communications Assistance for Law Enforcement Act. (The rules are being challenged in court.) Another administration plan is LawNet," which would coordinate enforcement and prosecutorial activities around the world.

Gradual Erosion

Any of these developments may be defensible on its own. But the gradual erosion of individual rights is clear, if unintended. Each step is made palatable by the steady stream of near-hysterical reports of Internet crime. The FBI's rules that would mandate electronic backdoors to make every home computer more "eavesdropper friendly," for example, have received minimal attention or protest outside the civil liberties community.

We must guard against giving away our freedom over a panic based on hyperbolic horror stories. As Justice Louis Brandeis observed: "The greatest dangers to liberty lurk in the insidious encroachment by men of zeal, well meaning, but without understanding."