Business Threats to Privacy

Which is more of a threat to your privacy, the government or the business community? Business has never been about doing what is best for the consumer. Business is concerned with making money, and a good way to make money is to keep the consumer happy and paying for more services and products. If consumer privacy happens to be one of the casualties of doing business, so be it. Only recently have we seen a real regard for consumer privacy by business entities and government agencies. The U.S. attitude toward the privacy issue has been that of an observer rather than of an active participant up until the last few years. As new laws are being passed that try to protect consumers, business entities have become more active in lobbying against such laws. The business community would rather use technology and industry pressure to keep consumer data secure than have government regulations in place to restrict and often cost them money in the implementation of the requirements of the laws.

Businesses operate on incentives. If consumers retaliate and advocacy groups provide a strong enough outcry, a business will change tactics and policies if its monetary rewards are affected. In the past, this has been enough to protect consumers in some fashion. But with the development of technology that has made violating a consumer's right to privacy very easy, the government has needed to step in and pass laws that adversely affect the business community.

Online Privacy Alliance

With the advent of legal action being a new threat to the business model when it concerns consumer privacy, businesses are finding they need to fight back and attempt to stem the tide of new privacy laws. One such initiative is the Online Privacy Alliance (OPA). This group of companies is organized to lobby against legislative proposals that infringe on privacy in three main aspects: identifying costs that regulations would impose on business and consumers, questioning how U.S. Internet laws would apply to non-Internet industries, and identifying the use of technology to secure privacy rather than the use of laws.

Members of the Online Privacy Alliance include Microsoft, AOL Time Warner, IBM, AT&T, BellSouth, and Sun Microsystems. In association with the Direct Marketing Association (DMA), they have been lobbying against privacy laws, as has the DMA been doing against laws that affect the advertising industry. These groups are concerned with the various laws of different states and pending legislation that makes doing business nationally difficult because of new costs that will be incurred to implement new privacy rules and build technology to address consumer privacy needs. The driving factor is cost to the industry. One set of numbers thrown around about costs conclude that proposals to limit companies from sharing or selling customer information could cost 90 of the largest financial institutions $17 billion a year of added expense. Of course, a large part of this cost will be passed on to the consumer. Although these numbers are not verifiable, all industry studies have found a large cost of following the proposed privacy laws, and businesses will do whatever they can to avoid those costs.

In much the same way that tobacco lobbyists persuade legislatures to limit tobacco laws, organizations such as the OPA seek to limit government control of their ability to limit consumer privacy rights. Many companies now have privacy policies because of market pressures, but they will do what they can to limit further restrictions on their ability to make a profit using consumer data.

Data Mining

One of the most invasive and damaging of business practices is data mining, which basically is the act of compiling databases of consumer information; aggregating it; and extracting useful information, such as geographic buy trends, personal preferences, financial information, and so on. With a large database, a company can perform specific target marketing or even sell pieces of that database for a profit. Database extraction techniques have become continuously more sophisticated, and marketing companies have developed a whole new service based on selling such information. Data miners espouse the benefits of their business; there is improved customer service by insurance firms, banks, and department stores. Everything is known about a customer when he calls in so the company can provide personalized service.

Data mining understandably worries privacy advocates. With laws such as HIPAA and GLB allowing the sharing of consumer information, aggregating personal medical, insurance, and financial information can lead to the development of large databases ripe for the plundering. With data being at the fingertips of businesses, they can control how much information and what type of data/advertising they send to consumers. Consumers now have no control over receiving spam mail. This is not illegal, but it does violate consumer privacy. Consumers now have no control over how a company can gain access to their information. When they submit pieces of information through Web site registrations or by browsing sites that retain data about them, the aggregation of all this data can profile the consumer without their explicit knowledge. Legislation is supposed to protect consumers from having their data shared and keep it secure through use of technology, but as we have discussed, companies just have to go through a few hurdles before they share consumer information.

Data mining is not a centralized activity. There is no one place you can restrict data to prevent data mining. Companies that want your information will go through numerous methods, from buying e-mail lists to purchasing lists of customers' buying habits from a merchant. The rest of this book covers steps and procedures you can follow to limit the information you make available to the world to limit the information gold that companies seek when it comes to your personal data.

Credit Bureaus and Information Brokers

If you have applied for a job recently, you know that many companies now check your credit history as part of their background checking processes. The U.S.'s big three credit bureaus—Experian Inc., Equifax Inc., and Trans Union Corp.—sell credit information to organizations doing background checks. Associated Credit Bureaus Inc., a Washington-based trade group, estimates that 600 million reports were sold in 2000, including such data as a person's name, age, Social Security number, and past and current addresses.

Several laws have been passed that attempt to protect consumer credit information, including the following:

• Truth in Lending Act— Credit grantors must provide you with the annual percentage rate (APR) of any loan prior to signing. This tells consumers what they will actually be paying for a loan.

• Equal Credit Opportunity Act— Prohibits discrimination against you because of age, sex, marital status, race, color, religion, national origin, or receipt of public assistance.

• Fair Credit Billing Act— Allows for the prompt correction of errors on a credit account and prevents damage to your credit record while disputing an item.This can often happen during an identity theft compromise.

• Fair Credit Reporting Act— Protects consumers from incorrect credit reporting to credit bureaus that can ruin their credit and hurt them in the future.

• Fair Debt Collection Practices Act— Prohibits debt collection agencies from abusive collection practices that could be a hassle to consumers.

With the advent of the Web, a number of companies sell reports with personal data online for such things as locating people and performing job background checks. Much of this data comes from credit reports. An example of a typical Web site that performs this function is Discreet Research (http://www.discreetresearch.com/), shown in Figure 4.2. By signing up using a credit card online, you can begin researching anyone and finding public information. Such information is purchased from other information brokers for a fee. Another popular search Web site is Whowhere.com (http://www.whowhere.com), which enables users to order a background check on any individual in the database. This public record report includes property ownership, civil judgments, driver's license physical description, and summary of assets. A vast amount of information is available out there that is public and that many people would really not want known by just anyone.

If you want to obtain your own credit report, you can contact any of the major credit bureaus and provide the following information to receive a report:

• Full name, including any maiden name

• Current address

• Previous address (if needed for five-year credit history)

• Daytime telephone number

• Social Security number

• Date of birth

• Copy of driver's license (or utility bill to prove address)

• Signature

• Fee

Closely tied to the retrieval of credit history is the ability to find people more easily with the Internet. There has been a great reduction in costs of finding someone and delving into the details of his life. In the past, investigators were required to do this, but now it can be done for free or a small fee. The capability to link data from different sources to track someone has been a fundamental shift in finding and detailing a person's life. And it's all legal.

Companies that perform these searches get data from a variety of sources, such as paid subscriptions to credit bureaus, buying lists of information from marketers, capturing information through survey process, and so on. There are numerous ways to do this with the development of technology, and it will only become more invasive. One disturbing case of using data collected on the Internet was Aware Woman Center For Choice, Inc. v. Raney, No. 6:99cv00005 (M.D. Fla., filed January 21, 1999). An abortion clinic sued a number of ISPs, alleging that anti-abortionists had used Internet services accessible via the ISPs to trace names and addresses of visitors to the clinic, who they then sent harassing letters to in protest of abortion. Information can even be captured through mistakes made by companies. On January 20, 1999, a Fox News Web site displayed street and e-mail addresses of Ohio residents. On another occasion, Yahoo! admitted that it had revealed customer addresses, partial credit card numbers, products ordered, and amounts spent on nutritional products on a Yahoo! store demo site, and Nissan sent a listing of 24,000 addresses to everyone in its mailing list. All these sources of data lead to specific personal profiles that compromise every aspect of consumer information.

Mobile Phone Invasion

The proliferation of the cell phone as it relates to invasion of privacy is just beginning to be understood. Cell phone technology has already moved beyond just making a phone call. With cell phones you can wirelessly browse the Web, make purchases online, check your stock, and send e-mail. This technology will rapidly expand over the next several years, but we are already seeing abuses of individual privacy. The laws regarding mobile phone use are much weaker than those that apply to Internet use.

Cell phones can already be used to locate people within a certain distance. The U.S. Federal Communications Commission issued a mandate stating that by October 2001, all wireless 911 calls must be pinpointed within 410 feet. This technology could conceivably be turned over to business functions, such as rental car agencies, that can track a consumer in distress and be used to get traffic updates when you are driving. The applications are numerous, but so is the potential for abuse. The Big Brother metaphor will arise when law enforcement can track you down whenever you make a phone call. This geolocation technology will rapidly expand as the technology becomes more inexpensive and standardization occurs by companies on the technology.

We have already seen abuses of cell phone messaging technology with spam messages already arriving on consumers' phones. Unlike with e-mail spam, the customer must pay for incoming as well as outgoing calls and messages. Think about combining spam with location technology, and you can see that at some point, when you walk down the street and pass a store, the store will receive your cell phone location and send you an advertisement because you are nearby. That is a scary thought—personalization of advertisements based on where you are at any given time with your cell phone. The idea of a wireless spam bill has been discussed in the U.S. but has not made much progress. The Wireless Ad Association released a list of industry guidelines that says, “The WAA does not condone wireless targeted advertising or content (push messaging) intentionally or negligently sent to any subscriber's wireless mobile device without explicit subscriber permission and clear identification of the sender.” This is one of the few positive steps in cell phone privacy concerns.

Another potential legal invasion of your privacy is Web-based caller ID. When you surf the Web with your cell phone, your cell phone number is broadcast to the Web site. You number can be logged and associated with the Web site you visit and purchases you make. It's easy to see how your cell number and shopping preferences can then be sold to a marketing company and mass mailings sent to you based on your cell phone browsing habits.

Today there are still few wireless Net subscribers in the United States, but the Asian and European markets are expanding rapidly. A Banc of America report said about 6.6 million people around the world subscribed to wireless phone data service at the end of 1999, but this number will increase to nearly 400 million by 2003. It is predicted companies will spend about $700 million on wireless advertising by 2005.

The use of wireless advertising and spamming is too far ahead of the current laws and even proposed laws for wireless security. It took years for laws to be passed on spamming, and it will probably take several years before sufficient laws are passed to protect wireless devices.

Forces Driving Legal Business Threats to Privacy

Business functions because of one reason—money. The growth of the Internet can be attributed to the need for businesses to expand and conquer new markets. There are a number of reasons that drive businesses to utilize personal information in the ways they do.

Globalization

The Internet and new technologies have made the global marketplace a reality. In the past, sharing information was not an easy process. With the advent of large multinational networks and use of the Internet, transferring data, buying and selling data, and accessing data are easy. With all this access, more people and businesses have access to your information and can exploit your personal information. It is estimated that these connections are increasing by 10% every month, which means the threat to your privacy is increasing by 10% a month.

To compete on a global basis, companies must get customers from all over the world. Laws in different countries may be more or less restrictive when it comes to protecting consumers, but there are always ways around laws—especially the vague ones that currently exist regarding privacy.

Complexity

New technologies bring complexity to any network or organization, but implementations and usage can be flawed. Consumers have to rely on companies to protect their information, but the connectivity and technology has become so sophisticated, large corporations are having a difficult time keeping up with threats to new technologies. Detecting problems in a complex network can take weeks or months, and during this time consumer data can be subject to attack. The number of users, applications, and hardware is no longer static and usually not centrally controlled, providing many access points to data.

Training system administrators in just the use of the technology is time-consuming and fraught with problems. Now these same administrators must be concerned with security measures and protection of data. They also must understand how to respond to an attack, track down a break-in to their complex systems, and determine the damage, which can cross subdivisions of a company or different countries in which the company operates. With new functionality being brought to the organization because of technology, companies are forced to decrease their time to market with products and services. This fast-paced deployment of technology is usually one of the major reasons hackers can compromise a system and gain access to consumer information: A system weakness hasn't been patched because of the haste of implementation, and a backdoor is left open in to the environment. Security becomes an afterthought in implementing new technology.

Most legal and regulatory requirements do not state, in any depth or detail, what the security requirements are for consumer data and the controls surrounding access and implementation of the technology. Across countries, this becomes even more difficult when it comes to designing compatible computer systems and technologies while still keeping good security measures in place. The technology has become the access point to compromising consumer information. Because so many functions are provided by business applications and sharing among companies has become so widespread, it's next to impossible to understand how your information is being used and where it is going.

Legal Requirements

As stated earlier, in the section “Government Threats to Privacy,” the legal environment directly affects the consumer. The same threats to the consumer posed by government agencies and laws can also be a threat to businesses. Business entities are usually the implementers of government laws involving consumer personal information. State and national boundaries have made coming up with standards on privacy issues that all businesses can follow difficult. What might be legal in one country might not be in another. The strict requirements of the EU Directives might protect consumer data in the EU, but after it gets transferred outside the EU, that data can be subject to lax laws in other countries and the consumer information could get compromised anyway.

Functioning on a global scale does not mean that your information will have the same security measures applied to it across countries. The lack of details in laws makes it easy for a business to interpret the law in such a fashion that enables it to do business easily and conveniently. This can mean that the intent of the law to protect your information does not materialize in practical applications of the law.

The legal controls over consumer data carry very weak or no punishments for lack of compliance in most cases. Only recently have hackers been prosecuted and sentenced to jail time. For businesses, such threats of punishment are almost nonexistent. Breaking the privacy laws currently in place, because of little consumer pressure or advocate group pressures, results in very little monetary or criminal punishments. If businesses face no real punishments in bending and even breaking legal restrictions on the privacy of your data, there is not much to stop them from making money off your information wherever possible.

Criminal Threat

Criminal hacker activity against businesses ends up being attacks against you as an individual. The data and credit card information do not belong to the business, but to the consumer. When a hacker breaks into a company and posts its customers' credit card information on the Web, it hurts the business, but the individuals are the ones ultimately being attacked. The perpetrator of criminal threats might be an insider or external to the organization. The activity might be from an individual, a loosely knit group, organized criminal elements, corporations, or governments. If the business does not take these threats seriously, it can have weaknesses in its environments. A compromise of its systems might not cause financial loss, but it can seriously affect the personal information of consumers.

It is not illegal to have weaknesses in a business network, and it is not illegal to now have standards and built-in security for the company's site. A consumer has no say in whether the business is actively trying to protect her information and no recourse should the business be hacked and data stolen.

A business that has weak security controls faces no real legal problems unless it does not adhere to very specific requirements in the laws covering computer security. If a hacker breaks into a company and steals all your data, there is no legal threat to the company. This weak stand on computer security by many companies can directly affect you, but it is perfectly valid for a business to have weak security standards without regard for your information.