Are We Losing our Privacy in the Information Age?

by: Linda Chang

An interview with Internet security expert Katherine Myronek

Eyemine News

On the Internet, enormous amounts of information are sent and received every minute and every second of the day, in a continuous and tireless traffic that knows no boundaries-neither time zones, politics, nor culture. The World Wide Web is just that, a gigantic web in which we are all connected and brought into community with each other in one way or another.

A well-worn truism has it that the world is becoming ever smaller. With advancements in technology, our ability to interact and communicate with other people-whether down the street, across the country, or around the world-has increased dramatically. On the Internet, enormous amounts of information are sent and received every minute and every second of the day, in a continuous and tireless traffic that knows no boundaries-neither time zones, politics, nor culture. The World Wide Web is just that, a gigantic web in which we are all connected and brought into community with each other in one way or another.

But while it may be true that physical distance has been all but nullified in the information age, at least in terms of being an impediment to communication, the horizons of knowledge and information available to any individual has, at the same time, broadened immeasurably. For each of us, the world is also a bigger place, filled with possibilities and loaded with choices that did not exist even a generation ago. Perhaps a little like Alice in Wonderland, we are caught between being both big and small, in a landscape that is continually changing. One minute we're spanning the globe on the information freeway, accessing data and connecting with friends at virtually instantaneous speed; the next, we're the powerless recipients of mass-generated spam mail, or the targets of an endless barrage of advertisements from companies that can identify us by name and number.

Where does the truth lie in this curiously evolving world of the Internet? In this world, information is the rabbit, but where is it taking us? To find out, eyemine spoke with Katherine Myronek, a respected statistician and an advocate for individual privacy on the Internet.

The Internet has revolutionized the way that we approach information by gathering a variety of previously fragmented sources in one easily accessible place. On the Internet, search engines and other databases further organize data in ways that make them more accessible to manipulation, by companies as well as by individuals. We gain access to information and other products from the Web, but often at the price of foregoing our privacy.

Eyemine: As more and more [information] has come on the Internet, it is no longer just related to search engines, we're seeing a [new] phenomenon of data-warehousing and data-mining. Could you tell us about the phrase data-mining and how you understand it as opposed to the idea of pure data collecting and reporting, and also what is meant by a data-mining tool?

Katherine: For the average person, if you have a business and a database of customers, data-mining means essentially a tool that you can buy, which sits on top of your database, and which you can use to look at where your customers live versus how much they buy versus when did they buy it. With [this sort of] data-mining, you're looking for very simply qualitative information. You're looking for a bit of a correlation, which might make you think, Okay, well let's try a couple of experiments; there seems to be a connection between this type of customer and how they're buying. Let's put some coupons in the mail and see what they do. In this case, data-mining is just a way for business owners to test their hypotheses; it's a brain-storming tool, it's not used to find some statistical significance or scientific advance.

Eyemine: Let's talk more about this. You mentioned businesses trying to learn more about the customer-one catch phrase related to this is CRM, customer relations management. And this really gets to the crux of what I wanted to discuss, which is privacy. Has the methods used by businesses-surveys and registration forms-been standard practice? Maybe you can talk about some of the good and the bad, the problems, associated with data-mining on the part of businesses, and maybe we can start thinking about the balance and the solutions.

Katherine: Basically what the Internet is doing [with respect to the problem of privacy] is, it's spreading the problem faster; it's not necessarily making the problem larger. Ten years ago, if you were a company that decided that you wanted to do a big promotional campaign, and wanted to send advertising information to, say, everyone in Mountain View between the ages of 30 and 40 who owns a dog-you could actually do that pretty well… That kind of information existed without the Internet. The difference is, now that there are a lot more companies collecting this information, it's a lot easier for them to collect this information, and each of them individually doesn't really see the danger, or the issues having to do with privacy. All they're doing is collecting information on, say, how much toothpaste you use-what is the problem in that? They aren't necessarily thinking about the larger picture, which is that they have your email address, or they have your IT address. Especially now that a lot more people are doing these connections, your IT address is no longer just some dial-in thing on AT&T, it's actually more like individually identifiable information. This is actually going to be an issue that's coming up, because a lot of people are claiming that they're not collecting individually identifiable information, under the idea that everybody is a dial-up customer, but that's no longer the case.

Eyemine: We can also look at the privacy issue from the opposite perspective, in terms of consumer protection and credit reporting bureaus. You can choose to think of it as a real customer service because it allows you to protect your credit by letting you see how often someone has requested your report, and who. It's funny because in the 1970's and 80's credit reporting bureaus were actually the standard if you wanted to buy something large or if you were getting a rental. We've been talking about what's really been changing, with respect to access to individually identifying information and the need to see the larger picture are people are conducting more activities online. We are assuming that privacy on the Web is going to be an issue because we assume that people are going to continue to buy things online, or continue to use some sort of registration form online. So it's almost like the left and the right: while we support Internet growth, we're also assuming it, and that's when things like consumer privacy online become bigger issues. My question is, where do you see the Internet going? And what does that do to things like data-mining?

Katherine: The Internet is going-well, I hope the Internet is going-[in a direction] where people are becoming more aware of [how it affects] privacy. Twenty years ago, if you wanted to find out about a person, if you wanted to do the equivalent of individual data-mining, you had to work at it, or you had to hire a private investigator. Granted, some things were easier-you could go and get driver's license information in the way that you can't do now because of anti-stalking laws, which is a good thing-but you'd actually have to decide that you wanted to do this. Nowadays that kind of individual data-mining is almost a throwaway item. You could do it even without meaning to do it if you have a sufficiently large database-you could just put things together.

I think that now with privacy on the Internet, there are enough people who care about this, who are starting to set up systems and to say, 'If you go to the mall with cash, you can pretty much go to any of the stores, you don't even have to say anything, you can just put the item down, they tell you it costs $20, you give them $20, and you leave. Shouldn't there be something equivalent on the Internet, where you have some sort of micropayment or trusted cash system?' You can walk around with the digital equivalent of a $20 bill, you can give it to people and there are ways for the company to test to make sure that it's not a counterfeit digital dollar bill. And if it's all right, they should be able to accept that. They're getting the money, they're not necessarily getting personally identifiable information. Or maybe they'll decide, 'We'll give you a discount, 10% off if you'll give us a little more information.' Maybe people would be willing to trade about this, and perhaps start building little agents which would negotiate this sort of thing for them.

I want to go back to one thing, about privacy and fraud protection. The question is, are they really different things? If a hacker gets into a computer and finds out information about you, including your social security number, they can now get into everything. They can call or go online and for $60 they can get all of the publicly available information about you within, I suppose, an hour. But, if the fact that someone got your social security number didn't allow them to get your information out of anywhere else, then that would give you a lot more fraud protection because they wouldn't be able to immediately say, Hi, my name is John, this is my social security number, and I want you to open up an account in my name, or I want you to give me extra credit, and I want you to change the address. They wouldn't be able to do that, they'd have to find the individual information from each company, and that would be a lot harder to do.

The Internet may already be ubiquitous in our lives, but it is very much a technology in evolution. Just as the Internet affects our lives, our actions and responses to it are also daily shaping the future of the Internet.

Eyemine: I wanted to talk about privacy conferences that are taking place? What is the representation at these conferences? What is the sort of population of people that you often see involved in these conferences?

Katherine: The population tends to be the people who have been with the Internet since the beginning, these are people who in the 70's and 80's were using the Internet long before the Web was invented. And these are people who realize that the Internet is still in its infancy and the tiny nudges you give it right now are going to make significant differences as far as where the Internet is going to be in twenty or thirty years. Given the early recognition that using the Internet, you are able to get information a lot more quickly-that the same information that would have taken you twenty hours to get in the past, now takes you three seconds. So that what cost a lot before is now essentially free, you can automate whatever the item is-you can automate getting information, you can automate violating privacy, you can automate credit card fraud or identity theft…Because it's cheap, it's free, you have to design protections from the beginning, before it becomes an issue, and figure out ways to get people involved, to get the average person to care about this before it becomes something that they need to care about.

Eyemine: You've talked about things like digital currency and digital cash. How soon do you see that happening?

Katherine: I think that what it comes down to is if there's a sufficient number of people who care about [privacy], then the market is going to respond by providing companies who will be able to provide you with digital cash, for example. And once that happens, once it's created, it'll be just as easy to use digital cash as it would be to use an ordinary credit card. So pretty much it really depends on how people want to design things right now, and that's why privacy experts are working hard on it-they want to design privacy into the system from the get-go. Because twenty years from now, when things are as automated as can be, you can get the exact same level of service with or without the privacy attached to it. For example, your medical company, it knows what you're doing as far as your medicine is concerned, and your bank knows information about your stock account, but whether or not they're able to share that information with each other doesn't make any difference as far as how your life is. It makes their life easier, to be able to get all this information, but actually it doesn't do anything for you. And so if there's a system which is set up with equal amounts of service from your point of view, but one has more privacy than the other, then you can make your decision on which one to use.

Eyemine: To get back to my earlier question about the communities and the populations you would see at privacy conferences…why is it that among the individuals who started using the Internet in the beginning, before it became the World Wide Web, why is there a deeper level of sensitivity or concern for things like privacy?

Katherine: Well, when twenty years ago when people were starting to worry about the overuse of pesticides, for example, the first conferences were predominantly attended by scientists and epidemiologists, and people like that, because they were the first people to notice, and to see what could happen. And because of that, they started talking about it earlier than everyone else, and it's a natural outcome. And with the Internet, there are a lot of people who're saying, We've created something very new and very wonderful, but it's still young, it needs to be protected. And if we believe in individual civil rights, let's make sure that, at the minimum, it's designed into the system, so that if a person wants to they can retain the same level of privacy that they have in the regular world.

One way of understanding the problem of privacy on the Internet is in terms of the tragedy of the commons. As a common resource, the Internet is subject to abuses that result from the aggregate effect of many individuals each acting in his or her own interest.

Katherine: In the original idea of the tragedy of the commons the example was, in England, you would have a common area, a large central square, and the surrounding farmers would gather together and each person could put ten cows to pasture on the commons. And the commons could support, say, 100 cows. But maybe one farmer thinks, well, with the first 100 cows on it, if there were one extra, that's not going to make much of a difference [to the commons], it's just a little bit of marginal extra. And that's true. But when everybody thinks the same thing, and there are suddenly another 20 or 30 cows on the commons, the commons gets ruined. And in fact, maybe through overgrazing it becomes less productive, and can only support 70 cows, or 50 cows. The Internet is a commons. There was, and in fact still is, an Internet resource called usenet, which was a discussion group that started up long before the Web. It was decentralized, nobody was controlling it…It was a wonderful discussion place. You had 30,000 discussion groups, some with tens of thousands of people on them, discussing all sorts of information. The problem was that in the early 90's, some people started realizing that they could send advertisements to various groups…and soon everybody started doing the same thing, and the usenet groups were flooded with spam, [and people] didn't want to use usenets anymore, because it was becoming a burden.

The Internet is truly a commons because it exists across national and political boundaries. However, different countries face very different concerns where virtual reality meets social and cultural realities.

Eyemine: We have a contact, Veronica Endo, who works between in Latin America. She wrote an article about the excitement surrounding the Internet in Chile, and the potential for shopping online. But recently there were over a million dollars worth of excess charges made through recently established credit cards, through one or two of the Latin American banks. [But] if you check with someone in Veronica's circle, they don't think about data-mining so much as a privacy issue, as a mismanagement of things online. Is it just a matter of time before they become a little more concerned about things like privacy? Because I definitely don't get the sense, at least from her circle, that they're worried about anti-privacy, because first of all, the Internet is quite a new phenomenon for them, and it's not so much privacy that they're trading of as that it's a status symbol, as well as the customization and the efficiency of it. So I'm wondering, is it cultural? Is [privacy] a purely American preoccupation?

Katherine: Actually in Europe, privacy protection is much stronger as far as companies having databases of information. Only recently an agreement has been worked out between the United States and Europe that would allow companies that work in both regions to keep the information that they have. The United States was about to be treated as a pariah because companies in the U.S. aren't really held to a high standard as far as what they do with the information. That's starting to change a bit, but in Europe I think they care about it more. It depends on attitudes toward government: some people say, in Europe they're worried more about companies, they don't care quite as much about government. In the U.S., people care very much about government issues [related to privacy], witness the [protests about] the census questions.