privacy essay.doc
TRANSCRIPT
Diluting the Transparency of the New Media
The inherent functionality and nature of the Internet as a multi-directional transactional
information depository is at the heart of the issues related to privacy and how enterprises and the
general public utilize and interact with the Internet. The Internet has been described as the ‘new
media', a new way of communicating and interacting with people that has never existed in the
past. Innovative business models have developed over the past decade that have solely relied on
this new level of interaction and have developed lucrative value propositions, which has taken
traditional media from a passive to an active experience. The excitement and value of the
Internet as a medium has revolved around the ability of enterprises to actively develop
relationships and provide a new level of interaction with customers that was never before
possible. Traditional media publishers typically collected demographic information through
mass surveys and telemarketing, however the usefulness of this information was limited
considering that the majority of respondents of surveys are those who are not satisfied; the
Internet has reduced the application of this rule. Enterprises have migrated or initiated their
business models to the Internet, such as AOL Time Warner1 and MusicMatch2, in response to
this medium’s ability to collect and analyse information that was difficult or even impossible to
assemble. Traditional media has undergone a convergence with technology that is changing the
shape of our social economic interface, more pervasively convergence is decisively altering our
social interaction. InteractiveWeekly.com describes digital convergence as the idea of
seamlessly merging or integrating applications (not applications in the sense of software) and
technologies.3 Carly Fiorina, CEO of Hewlett Packard, suggests that a “new wave of technology
1 AOL Time Warner is a traditional conglomerate of Internet and communication infrastructures, traditional print, television and motion picture media.2 MusicMatch provides an Internet Radio service that monitors a user’s preferences and adjusts the content accordingly.3 Ken Soohoo. Digital Convergence Means Keeping it Simple for the Consumer. October 22, 2001 <http://www.Interactiveweekly.com/article>.
will empower customers - transforming how we do business, transforming how we create value,
and transforming entire industries.”4 Technology analysts have described the last quarter of the
twentieth century as the “Age of Information”, an idea substantially supported by the ease of
accessing and collecting data that has been created by the capabilities of the Internet and
eCommerce.
It is the intent of this paper to discuss the impact of the Internet as a transactional
environment that can cultivate the relationships between consumers and enterprises, and how the
Internet has facilitated the collection of personal information causing attentiveness to privacy
issues. The goal of this paper is to discuss the issues at hand and examine how the legal arena
and enterprises have responded to privacy concerns, and/or how they still need to respond. This
discussion will include issues that primarily exist in Canada and the United States of America.
However, there will be some discussion of other international initiatives.
Succession of Transparency
Since the inception of print, radio, and television these mediums have remained generally
passive in nature, limited in their capacity to communicate and interact with consumers.
Collecting market information traditionally is time consuming and, at best, produced a
generalization of the target market. Consequently, consumers were ultimately in control of their
personal information and their degree of interaction with advertisers and marketers. One may
argue that there did not exist a transparency of the medium. Advertisers and marketers were
passively interacting with consumers, more importantly consumers were aware of the medium’s
influence. These mediums have remained relatively unchanged, in their delivery of information;
however advertisers and marketers have matured in the way they interact with consumers.
Naomi Klein, author of No Logo, describes maturity in the delivery of the advertising and the
4 Carly Fiorina, Technology, Business and our way of life: What’s Next. Minneapolis, Minnesota, September 26, 2001 <http://www.hp.com/hpinfo/execteam/speeches/fiorina/minnesota01.htm>.
‘message’ during the 1970s, 80s and 90s giving support and longevity to the theories put forth by
Marshall McLuhan; specifically that ‘the medium is the message.’ Klein identifies “branding” as
a means of creatively enhancing a static and passive medium. Branding effectively increases the
ability of advertisers and marketers to develop a method of interacting with consumers while
creating a transparent interface. Two examples of enterprises that have effectively utilized this
transparency of advertising and marketing are Starbucks and the producers of the television
series “Dawson’s Creek.”5
Scott Bedbury, Vice President of Marketing for Starbucks suggests “consumers don’t
truly believe there’s a huge difference between products, which is why brands must establish
emotional ties with their customers through the Starbucks Experience.”6 The Starbucks
experience was adapted and refined to respond to those individuals that participated in the
Starbucks Experience.7 Essentially, Starbucks proactively observed and collected information
while consumer participated in the Starbucks experience to discover information about their
consumers thereby creating a transparent interface, which enhanced traditional mediums of
advertising and marketing. Some may consider observation and surveillance as an invasion of
privacy, yet many would argue that by simply participating in society one must expect a level of
observation and surveillance. This issue will continue to develop during the discussion of this
paper, particularly in response to data collection via new technology and the Internet, which will
facilitate electronic observation and surveillance. Nonetheless, it is important at this stage of the
discussion to recognize that personal privacy has been somewhat diminished due to the
transparent interface of consumer experience oriented enterprises. The Gartner Group, a
technology strategy and research firm, suggests that observation and surveillance should be
5 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 22 – 40.6 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 22.7 Naomi Klein, No Logo. (New York: Picador USA, 1999), pp 19 – 23.
considered as a positive contribution to the consumer experience. However, they are quick to
recognize the invasive nature that observation and surveillance creates when considering
consumer privacy.8
Another example, the television series Dawson’s Creek and its cooperation with clothing
enterprise J. Crew, demonstrates how media and the practice of branding have become quietly,
or transparently, integrated into our media enhanced culture. In the television series,
“[n]ot only did the characters all wear J. Crew clothes, not only did the windswept, nautical set make them look as if they had stepped off the pages of a J. Crew catalog, and not only did the characters spout dialogue like “He looks like he stepped out of a J. Crew catalog,” but the cast was also featured on the cover of the January J. Crew catalog.”9
This example does lack a direct link to privacy issues, however it is important in that it clearly
demonstrates how culture, media and advertising have become transparent. More importantly,
this example illustrates how consumers are becoming subject to the power and control of the
medium - a complementary notion to our discussion in the coming sections.
Shrinking Private and Public Space
The convergence of technology with media further enhances this transparent interface
with consumers. Naomi Klein makes an assertion that through branding and the creativity of
traditional media there is a perception that private and public space is shrinking.10 Moreover, this
assertion can be extended to suggest that as media migrates to a more interactive medium, the
Internet, there is an increasing encroachment on public space and privacy. For example, Jeff
Bezos, CEO of Amazon.com, describes his organization and business model not as a bookstore
(as was their initial product offering), but as an information broker. Amazon.com has openly
articulated to their customers that they are capable of collecting and maintaining a database of
8 Gartner Group, Surveillance and Privacy: Technology and Opportunities. Jackie Fenn, 1 April 2002, p 19 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 42.10 Naomi Klein, No Logo. (New York: Picador USA, 1999), pp 60 – 80.
interests and reading habits, thereby suggesting the ability to profile consumers. This is a major
enhancement and an example of increasing the transparency of collecting and observing
consumers via the Internet and ‘the experience’. Previously, consumers, if transacting through
cash, only shared limited information while participating in traditional shopping malls.
However, eCommerce requires information to deliver products and complete credit card
transactions, thereby contributing to the ability to electronically collect, warehouse and analyze
consumer information. More importantly, the Internet is capable of monitor and recording
interests and buying habits. When considering a shrinking of private and public space, consider
that Amazon.com describes its business model as maintaining two types of customers:
consumers looking for books and publishers looking for consumers.11 This invasive environment
is allowing enterprises to more efficiently target consumers thereby contributing to the
contraction of personal space.
As discussed previously, consumers have traditionally maintained a choice as to the
degree that they participated in the public theater. However, the Internet has created an
economic environment that places control and knowledge in the hands of the enterprise to which
they can manipulate consumers via their personal information and actions. Consider the
previous discussion regarding Starbucks and their ability to control and adapt the experience or
the medium (advertising to pull consumers to their products), to respond and target certain types
of consumers. Furthermore, consider the social control and influence that J. Crew communicates
through television by persuading the cultural fabricate to value their products. The central
concept is that much of this influential control and conditioning - resulting in observation and
data collection - is performed with little knowledge by the consumers thereby violating what
could be considered private.
11 EPIC, Request for Participation and Comment from the Electronic Privacy Information Center. Accessed March 2002 <http://www.epic.org>.
Enterprises are driven by the desire to target individuals likely to purchase items or
respond to certain types of advertising. More importantly, enterprises are trying to reduce the
costs associated with marketing and are increasingly becoming aware of how collecting personal
information will effectively and efficiently predict and target consumers. AOL Time Warner
Chairman, Steve Case, comments that he must deliver on promises made to Wall Street while
balancing the privacy concerns of consumers with profits. Steve Case expressed concerns about
how the United States Congress may ‘crack down’ on practices such as data mining, which was
one of the primary reasons for the AOL merger with Time Warner.12 By bringing consumer
information from both enterprises together, AOL Time Warner is capable of boosting revenues
through cross-business collaboration or cross-selling.13
Digital Trails
It is at this stage of the discussion that the real issues involving privacy and the Internet
begin to take shape and can be easily identified with the convergence of technology and media,
which contributes to the transparency of the medium with respect to user information. Practices
such as Data Mining, Data Matching, Adware, and Spyware are all contributing to a new
transparency of the Internet to which consumers are ultimately unaware of the abilities of
enterprises to collect and make use of personal information. By simply posting a message to the
Internet, it is possible to aggregate a message and all information attached, such as one’s name,
IP address14, network name and interests. By simply participating and interacting with the
Internet a user should expect that they are dynamically sharing and disseminating information.15
Can one then assume an expectation of privacy when participating in the public arena and be
12 The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002, p 1.13 The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002, p 2 – 3.14 An identifier for a computer or device on a network. Within an isolated network, you can assign IP addresses at random as long as each one is unique. However, connecting a private network to the Internet requires using registered IP addresses (called Internet addresses) to avoid duplicates. Source: www.webopedia.com.15 Steve Gibson of GRC.com is an excellent resource to read about issues of security on the Internet and the information which one is potentially sharing and disseminating within a public network.
immune to observation and surveillance? In short, this would be a dangerous expectation, and
one that many consumers made when they chose to purchase a coffee at Starbucks. Furthermore,
the Internet (which is a public network) and the inherent technological abilities of an
electronically supported transactional medium should suggest to the majority of consumers that
there is a possibility that personal space will be encroached upon. The aforementioned practices
of Data Mining, Spyware and others, utilize and/or capture a digital trail which advances and
enhances an organization’s ability to observe and survey the general public. As our previous
assertion suggested, there is a shrinking of public and private space due to these practices. Of
interest are the comments by AOL Time Warner executive Vice President for global and
strategic policy, who suggests that:
[the United States] Congress should pass legislation requiring companies to provide consumers with notice of privacy policies and give them a choice about how their data can be used. Any further restrictions would inhibit ‘flexibility.’16
In effect, an enterprise is calling upon the government to put in place guidelines and laws which
will inform consumers as to the collection and exploitation of their digital trail, yet it does not
condemn the practice of this invasive technology.
Through this statement AOL Time Warner is responding to the inherent transparency of
advertising and marketing, and is charging government to reduce the transparency of the Internet
in response to the invasive nature of the medium. It would be fair to suggest that AOL Time
Warner is recognizing the vast complications involving privacy and are demonstrating a social
responsibility to protect consumers. Moreover, AOL Time Warner is also suggesting that there
is a strong possibility that consumers will remove themselves from the Internet and regard
eCommerce as an insidious medium capable of profiling, classification, discrimination and
dilution of personal space.
16 The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002, p 3.
Enhancing the Medium?
Capturing Data/Information
Previously, it was discussed that public and private institutions have or are planning to
implement practices which will collect and make use of personal information. It is important to
recognize that there are two phases to this issue. The first being the collection of data through
technologies that either actively or passively monitor a user’s Internet activity. DoubleClick, the
recognized leader in user data collection, whose goal is to make their clients ”marketing work
better.” DoubleClick proposes to deliver a more complete understanding of consumers
effectively reach and influence their consumers and measure the results of their client marketing
efforts with a new level of accuracy.17 DoubleClick’s primary technology utilizes cookies18,
which capture certain parts of the communication with DoubleClick clients or affiliates.
Webopedia describes the purpose of a cookie as a means to:
Identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages.19
This explanation provides the general function of cookie technology, however DoubleClick has
adapted this technology to allow them to capture any information that a user gets or posts. As
recorded by the court during a review of litigation involving the Web Users (Plaintiff), sought an
injunction regarding monetary relief for injuries suffered as a result of actions on the part of
DoubleClick by collecting information via a GET command:
17 http://www.doubleclick.com/us/corporate/about/, accessed April 2002.18 A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server. source: Webopedia.19 <http://www.webopedia.com>, 13 May 2002 – search term: cookie.
“submitted as part of a Web site’s address or “URL,” in what is known as a “query string.” For example, a request for a hypothetical online record store’s selection of Bon Jovi albums might read: http://recordstore.hypothetical. com/serach?terms=bonjovi. The URL query string begins with the “?” character meaning the cookie would record that the user requested information about Bon Jovi.”20
A POST occurs when a user :
“fill[s]-in multiple blank fields on a webpage. For example, if a user signed-up for an online discussion group, he might have to fill-in fields with his name, address, email address, phone number and discussion group alias. The cookie would capture this submitted post information.”21
Another technology, which DoubleClick utilizes, are tags imbedded in GIF images placed on
their client’s websites. GIF tags are the size of a single pixel and are invisible to users. These
tags record a user’s movements throughout a website allowing DoubleClick to capture the
information a user sought and viewed.22
DoubleClick provides an example of how organizations can effectively and efficiently
monitor and capture user information. The Internet is full of these services, which enhance the
marketing power of enterprises, yet they argue that this in turn provides for an enhanced
experience for the user. DoubleClick’s main business model attempts to read a user’s
doubleclick_cookie.txt and then populates allocated advertising space on the affiliated/client
website with targeted content.
It would be careless to suggest that DoubleClick is not enhancing the experience of the
Internet, however their means of providing this experience is somewhat questionable. Clearly,
this example illustrates the increased transparency that the Internet yields to advertisers and
marketers to enhance and effectively use this medium. Moreover, there is an increased
transparency and decreased awareness of the user as to how they interact with enterprises and
20 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 10.21 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 10.22 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 10.
how they are targeted to effect their social economic behaviour. There are a number of issues
related to this litigation, and it will be further investigated in subsequent sections. It is important
to realize that DoubleClick is only one of the numerous organizations that have developed their
entire business model on this elusive aggregation of data.
Other enterprises of note that participate in this elusive aggregation of data are vx2 and
Aureate/Radiate. Both of these enterprises share many of the same value propositions that
DoubleClick proposes. However, these software offerings have created a new industry and are
contributing to concerns of personal privacy. Spyware and Adware is “any software that
covertly gathers user information through the user’s Internet connection without his or her
knowledge, usually for advertising purposes.”23 These software applications create a new degree
of transparency and are somewhat likened to a Trojan Horse virus.24 The insidious
characteristics of these applications is that they are constantly monitoring and relaying
clickstream25 information back to a remote database, are always on, and are imbedded in the
operating system of your computer. This seamless integration allows for captured keystrokes
(such as credit card numbers), scans files on the user’s hard drive and effectively ‘snoops’ about
the computer.26 The potential impact of these devices in regards to privacy is tremendous, and
the United States Congress has addressed this ‘breed’ of software in recent legislation (S.197 –
Spyware Control and Privacy Protection Act of 2001), which will be discussed later. For our
current purposes, Spyware and Adware do enhance the Internet experience, much like
23 <http://www.webopedia.com>, search term: Spyware. 24 A Trojan Horse is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive.The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy. Source: Webopedia.25 A clickstream is a record of a user's activity on the Internet, including every Web site and every page of every Web site that the user visits, how long the user was on a page or site, in what order the pages were visited, any newsgroups that the user participates in and even the e-mail addresses of mail that the user sends and receives. Both ISPs and individual Web sites are capable of tracking a user's clickstream. Source: Webopedia.26 <http://www.webopedia.com>, search term: spyware.
DoubleClick, by providing content that is more likely to be of interest and relevance to a
particular user. However, there is a real concern regarding the method of providing this
experience, which clearly has become intrusive in nature. Moreover, many of these applications
purposely attempt to disrupt the experience of the user by providing pop-up ads27 that interrupt
the user but provides scores of impressions for the advertiser.
Business Intelligence
Collecting data is one thing, putting the information to use is another issue. Richard
Hunter, author of World Without Secrets, presents the principle that “when everything is known,
no one knows everything.”28 Although many technology advances certainly make surveillance
more effective, many obstacles remain which will allow enterprises to achieve a high level of
effectiveness and analysis of the data. Sophisticated artificial intelligence software such as SAS
Enterprise Miner (www.sas.com) has removed some of the obstacles involved with making use
of data. Tools such as SAS allow for enormous sets of data to be analyzed, recognizing patterns
and predicting the likelihood of future behaviour based on like-minded records. These abilities
lend to the danger that individuals will be discriminated against based on potential and
likelihood, rather than exhibited characteristics.
Research performed by Garnter in February of 2002 observes that 60 percent of
companies are using business intelligence, yet only 10 percent of this 60 percent are effectively
using business intelligence data; obtaining quality data tends to be the biggest problem with
implementing business intelligence. Most enterprises recognize the potential of these practices
and techniques due to the potential for creating greater customer loyalty.29 Enterprises such as
Yahoo! exploit these predictive models to provide personalization of services and targeted
27 Pop-up Ads are advertisements that open a separate instance of your web browser and display an advertisement. source: Webopedia28 Gartner Group, Surveillance and Privacy: Technology and Opportunities. Jackie Fenn 1 April 2002, p 3.29 Computing, Gathering Intelligence for a more efficient Business. 21 February 2002, p 2.
advertising, yet must implement a balance between personalization and privacy which
demonstrates their awareness of the hazards of a transparent ability to market and target
consumers.
Data Matching
The potential to pool data to employ data mining techniques creates a unique issue in the
realm of privacy. Legislation has been responding to this issue by limiting enterprises to use
data beyond that of the original purpose communicated to the user. However, privacy policies
are known to be generic and vague, and allow for the enterprise to change their minds at any
time. AOL Time Warner notes that data matching for the purpose of cross-selling their services
and products was the main reason that drove the merger of these two organizations. DoubleClick
acquired Abacus Direct Corporation for more than one billion dollars with the suspicious
intention and potential to data match to improve third party marketing efforts, not their own.
Abacus maintained a database of direct market records, which consisted of names, addresses,
telephone numbers, retail purchasing habits and other personal information, for which they claim
to have for 90 percent of United States households. A United States Federal Trade Commission
investigation ensued shortly after DoubleClick amended its privacy policy removing the
assurance that information gathered by DoubleClick would not be matched or associated with
third party data that was personally identifiable.30
The Legal Response
New Zealand, a leader in privacy legislation, was one of the first nations to respond to the
threat of the above-mentioned technologies and practices. The New Zealand Act, enacted as
early as 1993, addressed both public and private sectors and the potential to collect publicly
available information. New Zealand defined publicly available information as “personal
30 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 12.
information that is contained in a publicly available publication,” such as a magazine, book, and
newspaper which is generally available to members of the public. Of note to our discussion is
the fact that public registers are considered publicly available information. Access to registry
information becomes an issue when referring to data collection, mining and matching. The
availability of public registers allows for the matching of personally identifiable information
from sources such as electoral lists, drivers licenses and telephone registries. By simply
obtaining a telephone number, it is possible to discover the location of a household, age of the
residents, and their general income based on the type/age of car they drive. This information can
then be mined to predict the household’s interests, political tendencies, buying patterns and
brand loyalty propensity. New Zealand responded to this concern by applying four privacy
principles to the use of public register:
Personal information shall be made available from a public register only by search references that are consistent with the manner in which the register is indexed or organized.
Personal information obtained from the public register shall not be re-sorted, or combined with personal information obtained from any other public register, for the purpose of making available for valuable consideration personal information assembled in a form in which that personal information could not be obtained directly from the register.
Personal information in a public register shall not be made available by means of electronic transmission, unless the purpose of the transmission is to make the information available to a member of the public who wishes to search the register.
Personal information shall be made available from a public register for no charge or for no more than a reasonable charge.31
In terms of data mining and matching, this legislation was a major step towards the protection of
privacy although its intent was to put in place principles for using publicly available information.
Nonetheless, it is a response to the mode in which technology is changing the private sector’s use
of publicly available personal information.
31McCarthy Tétrault, Publicly available personal information and Canada’s Personal Information Protection and Electronic Documents Act. Rick Shields, 12 October 2000, p 31 – 32.
Technology has fundamentally altered the mode of accessibility, delivery and speed of
acquiring data. Therefore, “the central legal issue, not surprisingly, has involved determining
the point at which personal information ceases to be private or confidential, and becomes public.
The general rule that has emerged is that information, whether personal or otherwise, becomes
publicly available and ceases to be private/confidential when it has become accessible by the
public by any means.”32 This has become the standard for the Canadian Federal Courts and
should present a number of concerns when considering the ability of technology to glean user
information from a public network. Does this further support the assertion made earlier, that by
simply participating within the online public world, one should expect to broadcast personal
information for government and enterprises to capture and exploit? This remains to be
challenged and applied, however it is necessary to recognize the potential dilemmas and
confusion that previous legislation has created.
The Personal Information Protection and Electronic Documents Act (PIPEDA) helps provide
some clarity and further protection of privacy. This legislation puts in place guidelines and laws
that both the public and private sectors must adhere to when collecting and working with
personally identifiable information. Privacy Commissioner of Canada, George Radwanski,
asserts that “ [p]rotecting our privacy helps protect our independence, our ability to control our
own lives, and our freedom to make our own decisions.”33 In short, PIPEDA provides the public
control over their personal information by requiring organizations to obtain consent to collect,
use and disclose information about an individual. Furthermore, the Canadian Standards
Association (CSA) Model Code lies at the heart of PIPEDA and is granted legal effect by virtue
of its inclusion. The CSA Code puts forth ten principles that seem somewhat more like
32 McCarthy Tétrault, Publicly available personal information and Canada’s Personal Information Protection and Electronic Documents Act. Rick Shields, 12 October 2000, p 8.33 Office of the Privacy Commissioner of Canada, A Guide for Canadians: Your Privacy Rights – Canada’s Personal Information Protection and Electronic Documents Act. February 2001, p 2.
corporate best practices. These principles are: Accountability, Identifying Purpose, Consent,
Limiting Collection, Limiting Use, Disclosure, and Retention, Accuracy, Safeguards, Openness,
Individual Access and Challenging Compliance. For our purposes, the principles of Identifying
Purpose, Providing Consent, Limiting Collection and Limiting Use, Disclosure, and Retention
encompass the relevant issues capable of diluting the transparency of the Internet, thereby
transferring awareness and control of personal information back to the individual.
Identifying Purpose requires organizations to identify and document the purpose for which
information is being collected. As well, an organization should only collect information that is
necessary to fulfill the purpose of collection. Furthermore, if the collected information is to be
used for another purpose, this must be communicated to the individual and consent granted.
Consider the practice of Spyware, this technology clearly violates these principles by collecting
any and all information that is entered into the computer or may reside on a media storage
device. Moreover, the principle of consent maintains that “an organization, shall not, as a
condition of the supply of a product or service, require an individual to consent to the collection,
use or disclosure of information beyond that required to fulfil the explicitly specified, and
legitimate purposes.”34 Interesting are the practices of software developers that utilize solutions
from the Gator Advertising and Information Network (GAIN) and other Adware/Spyware
software. As a condition of using certain software a user must accept the installation of
GAINware, additional software that collects information regarding a user. GAIN professes not
to collect personally identifiable information, yet they do make reference to:
Which web pages your computer views and how much time is spent at those sites Your response to the ads displayed Standard web log information and system settings35
What software is on your computer
34 Michael Geist, Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001), p 282.35 Web logs and systems settings tend to maintain user logins, passwords and usually a personally identifiable user name.
Your first name, country, and five digit ZIP code Your GAINware usage characteristics and preferences36
In today’s age of Data Matching and Mining, there is a strong possibility that the information
collected by GAIN is capable of collecting personally identifiable information. For example, by
collecting the first name, country, zip code, and web log information it is possible to match a
captured user login that is a unique and personally identifiable piece of information. McVeigh v.
Cohen is an excellent example in American case law. McVeigh composed and submitted an
email to an individual who then used his user name to find McVeigh’s member profile and was
able to identify McVeigh who was enlisted with the United States Navy and was profiled as a
homo-sexual and thereby in breach of United States military law.37
Clearly, these four CSA principles go hand in hand to protect the privacy of individuals.
However, there remains the issue of jurisdiction and enforcing such laws. The examples
provided were heard in the United States, yet the services and issues transcend borders.
Implementing such principles on a public and uncontrolled medium is somewhat ineffective.
However, the Government of Canada has fulfilled their obligation to provide Canadians with
knowledge and awareness of the issues at hand. More importantly, ”the central obligation of the
new privacy legislation is the need for data collectors to provide transparent privacy policies so
that Canadians are accurately informed about who is collecting their data, why it is being
collected, and how it will be used.”38
Unlike Canada, the United States has not implemented comprehensive legislation that
sets forth principles similar to PIPEDA. A discussion with Brian Keith, Partner with the law
firm Borden, Ladner, and Gervais in Toronto, suggests that the United States has responded to
36 Gator Privacy Statement included with the ad supported full version of the DIVX Playa. The DIVX Playa is a media player similar to Windows Media Player found at www.divx.com. Gator can be found at www.gator.com.37 Michael Geist, Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001), p 270 – 272.38 Michael Geist, Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001), p 273.
privacy issues in a manner that is abuse driven, rather than the Canadian principle driven
approach. In this sense, one could argue that the United States has created an environment that is
responding to the technical abuses and transparency provided to advertisers and marketers,
which is an inherent component of the medium. The Spyware Control and Privacy Act of 2001
provides “for the disclosure of the collection of information through computer software, and for
other purposes.”39 Furthermore this Act provides a response to the technical abilities of the
Internet. The Act additionally states that:
Any computer software made available to the public, whether by sale or without charge, that includes a capability to collect information about the user of such computer software, the hardware on which such computer software is used, or the manner in which such computer software is used, and to disclose to such information to any person other than the user of such computer software.40
A key concept within this Act is the response to the collection of any information that is about
the user which is somewhat different than ‘personally identifiable information’. Yet the Act
does share some similarities in that it requires a ”clear and conspicuous” written “description of
the information subject to collection and the name and address of each person to whom such
computer software will transmit,” in addition to, “…how to disable such capability…[and
provide a user] of such computer software provides affirmative consent, in advance, to the
enablement of the capability.”41
Certainly, this Act is a response to the abusive nature of the technology on the Internet
and may prove more useful at diluting the transparent nature of the Internet. Brian Keith
provides further insight by noting that George Radwanski, Federal Privacy Commissioner, has
spoken out against the Canadian Government and its lack of guidance and leadership to Industry
to create a list of acceptable software applications and practices such as data mining, matching
39 Spyware Control and Privacy Protection Act of 2001, S.197, p 1.40 Spyware Control and Privacy Protection Act of 2001, S.197, p 2.41 Spyware Control and Privacy Protection Act of 2001, S.197, p 2.
and collection technology that do not conflict with privacy legislation. This may be an inherent
fault concerning the way in which privacy legislation in Canada was adopted. In short, some
may argue that Canada’s hastily enacted privacy legislation was enacted in response to strict
European Union Directives - while the United States has laboured providing basic voluntary Safe
Harbour conventions and focusing on the pending issues and abuses. For example, the United
States has enacted legislation to protect children on the Internet and has identified clear
guidelines for financial institutions and the intrinsic concerns of financial privacy in an electronic
age.
Ontario has proposed legislation to replace PIPEDA (as is the province’s right to do so as
outlined in PIPEDA), which attempts to create ‘comprehensive privacy legislation’ which
conveys to the people on Ontario confidence that their personal information is protected when
dealing with the private and public sector. The proposal suggests that the government believes
that it is important to strike a balance between an individuals right to control their personal
information, while at the same time meeting the needs of the private sector to encourage
commerce in a digital economy.42 An initial review of the proposal suggests that the proposed
legislation corresponds with the principles outlined in PIPEDA. Of interest is the expanded
definition of personal information to include any information about an individual that can be
manipulated and used to identify or contact an individual.43 This suggests a movement towards a
discussion regarding the technical abilities of an enterprise to match and mine data. A further
addition is an opt-out clause, whereby consumer and users are assumed to have opted-out of
providing information, unless they explicitly provide consent or an action to allow for the
collection of information. The Canadian Marketing Association (CMA) has addressed this issue
42 Ministry of Consumer and Business Services, A consultation on the Draft: Privacy of Personal Information Act, 2002. Ontario Proposed Privacy Legislation, p 2.43 Ontario Proposes Disastrous Legislation, <http://www.the-cma.org/regbulletins/reg-114.html>, p 3.
extensively since it dramatically affects the ability of advertisers and marketers to perform their
purposeful functions. An assumed opt-out does remove a certain negative transparency of
interactive mediums, yet obstructs many of the inherent functions of a digital economy and the
ability to enhance and make use of the medium. Many users are unaware of their required action
to opt-in, much like they are unaware of opting-out; an interesting conundrum. Brian Keith
shared a comment made by George Radwanski whereby Radwanski stated that as Privacy
Commissioner he would not support or enforce an assumed opt-out. Radwanski believes that
this clause goes against the very nature of humanity and its social function to perform functions
for others without their consent. In other words, one could never perform random acts of
kindness without first asking for permission; clearly a balance needs to be realized.
The proposed Ontario Legislation is taking a number of steps towards the protection of
privacy and reducing the transparency of collecting information in an undisclosed fashion. One
may argue that Ontario is beginning to respond by drafting legislation from the viewpoint of
protecting the public from abusive practices, much like the United States. However, this
proposed legislation is far from addressing the concerns of privacy and the convergence of
technology. The United States appears to be ahead of Canada and other nations in its attempt to
isolate the impact of technology on privacy, particularly addressing the process of collecting data
such as the Spyware Control and Privacy Protection Act of 2001.
Maturing Legislation and Litigation
Privacy law is very much in its infancy and will continue to develop in response to
technical abilities and the processes of collecting information. Currently there are few cases
involving the convergence of privacy and technology, of those many have been settled out of
Court and are cases heard in the United States. Throughout the available cases, it is interesting
to note that many were tried not on privacy pertaining to data collection issues, but rather the acts
pertaining to computer fraud and abuse, electronic communication and privacy, and wiretapping.
A common thread throughout this legislation pertains to authorized surveillance of
communications which indirectly deals with data collection. However, as noted previously, the
United States tends to deal with abusive actions than the deeper principles and consequences of
electronic communication which may prove to limit the ability to take action on abuses of
technology.
DoubleClick tends to be the prominent figure and has been accused of misconduct on
many occasions. Earlier, this paper discussed a class action case in which DoubleClick was
accused of collecting information such as names, and email addresses. Within this case exists
three main issues: intercepting communications, active participation and interaction with a web
site and authorized access to a user’s computer. Under the Electronic Communications Privacy
Act (ECPA), the Plaintiffs charged DoubleClick with the unauthorized interception of a private
communication between two users. The ECPA defines a ‘user’ as “any person or entity who (A)
uses an electronic communication service; and (B) is duly authorized by the provider of such
service to engage in such use.”44 This is an important definition in that it recognized that a Web
Server is an entity of communication, and therefore capable of providing consent to a third
party’s participation in the communication. However, the plaintiffs do attempt to argue that on
the basic principle of property and privacy rights, they are the only users that are allowed to
provide consent to access their personal computers. Yet the United States Congress was clear to
note that those who are intended to receive a communication are capable of providing consent.
Thus, DoubleClick’s clients have provided consent to incept the communication and collect any
information that a user sends or requests from the website. The Plaintiffs subsequently attempt a
44 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 16.
similar charge by virtue of the United States Federal Wiretap Act. The act provides for criminal
punishment and a private right of action against:
any person who-- (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept wire, oral, or electronic communication [except as provided in the statute].45
However, this act also provides an exemption in that:
It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or any State.46
Again, DoubleClick is afforded consent by their clients to intercept the communication of users
who have actively participated with a website that is affiliated with DoubleClick.
Finally, the third claim was charged under the Computer Fraud and Abuse Act (CFAA).
This act addresses:
“whoever…intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains…information from any protected computer if the conduct involved an interstate or foreign communication…shall be punished as provided in subsection (c) of this section.47
DoubleClick did not contests that the Plaintiffs’ computers were ‘protected’ under the CFAA and
that accessing these computers was unauthorized. However, the Plaintiffs were required to
demonstrate a loss or damage of which must exceed $5 000 per Plaintiff. This brings to question
the value that one places on information and whether personal information should be considered
and treated as a commodity. In terms of this case, the harvesting of ‘user’ information was not
granted economic value, thus loss or damage was not demonstrated. The case was concluded
with the defendant’s motion to dismiss granted, but the plaintiffs’ ‘Amended Complaint’ was
45 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 20.46 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 20.47 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 25.
dismissed with prejudice as the Judge noted that United States Congress was considering
legislation that would specifically recognize and regulate the online harvesting of user
information. Of note, the Judge also suggested that some of the considerations by Congress
made “exceptions for conduct like DoubleClick’s.”48
The DoubleClick case demonstrates how enterprises are allowed to generate a
transparency of the Internet and encourages harvesting of user information by allowing the
convergence of surveillance technologies and practices intended to protect individuals from
criminal misconduct resulting in loss or damage. Furthermore, this case demonstrates that there
is a lack of perceived value towards personal/user information, more specifically economic
value, within the current legal arena. Should there be a formula that denotes the economic value
of user information? In response to avenues of litigation for users, this would provide a method
of proving damages and thus allow for a successful charge under the CFAA. Accordingly, the
legislation ignores the privacy issues of users in regards to electronic communications. This
discussion begs the question: should the deceptive collection of personal information be deemed
a criminal offence? Furthermore, should the definition of personal information be extended,
beyond even that of the proposed Government of Ontario legislation which proposes any
information about an individual that can be manipulated and used to identify or contact an
individual, to include clickstream data that in effect observes and monitors individuals?
Legislation has yet to adequately discuss these methods of surveillance, however enterprises
must recognize that these techniques may negatively impact the potential to develop customer
loyalty and confidence, while encouraging electronic commerce. DTM Research v. AT&T,
indirectly related to this discussion, contains an interesting comment by AT&T. AT&T declined
to award a contract to DTM Research to make use of their data mining techniques because
48 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 33.
AT&T believed that issues of customer confidentiality cautioned against awarding the contract to
a third-part considering that this action may involve sharing confidential consumer information.
Although these comments may have been made with prejudice to legitimize declining the
contract, this comment does demonstrate that enterprises have a responsibility to themselves, but
more importantly to the consumer, to maintain confidence.
A final case provides depth to the argument that by making information generally
available to the public, as suggested in Canadian legislation, does not necessarily mean that this
information may be collected. EF Cultural v. Explorica involves two student discount travel
agencies who were in direct competition and were partaking in an active price war. Explorica
constantly undercut EF Cultural and was able to do this by querying and extracting information
directly from the EF Cultural website. Explorica developed a software scraper, also called a
robot49, that surgically submitted queries to the EF Cultural website which aggregated all the
potential rates and schedules that EF Cultural offered to its clients. As this was only a request
for a preliminary injunction, on appeal from the United States District Court for the District of
Massachusetts, it can only be noted that the court found that EF Cultural “would likely prove that
Explorica violated the CFAA when it used EF Cultural’s website in a manner outside the
‘reasonable expectations’ of both EF [Cultural] and its ordinary users.”50 Therefore, could one
argue that accessing a personal computer, much like DoubleClick did for the purpose of
collecting user information is outside ‘reasonable expectations’ of the user? Searching for cases
proposing this argument did not yield success, however it seems fair to suggest that this is a
49 A Robot is a program that runs automatically without human intervention. Typically, as robot is endowed with some artificial intelligence to help accomplish its task and react to different situations it may encounter. source: Webopedia.50 EF CULTURAL TRAVEL BV, EF CULTURAL TOURS BV, EF INSTITUTE FOR CULTURAL EXCHANGE, INC., EF CULTURAL SERVICES BV, AND GO AHEAD VACATIONS, INC., Plaintiffs, Appellees, v. EXPLORICA, INC., OLLE OLSSON, PETER NILSSON, PHILIP GORMLEY, ALEXANDRA BERNADOTTE, ANDERS ERIKSSON, DEBORAH JOHNSON, AND STEFAN NILSSON, Defendants, Appellants, 274 F.3d 577 (2001) (US Court of Appeals for the First Circuit), p 5.
conceivable argument when consider that users are generally unaware of such privacy concerns
and that the transparency of the Internet and lack of appropriate controls continue to suppress
these concerns.
Conclusion
Privacy concerns are real and government bodies are attempting to address the issues that
have evolved due to the expansion and usability of the Internet. However, there is a considerable
need for legislation to identify and put in place guidelines and law that will realize the
technological capabilities of the Internet and the impact on privacy. Canada and other nations
have identified the principles of protecting privacy while the United States has begun to address
the specific technological capabilities. The Internet provides and facilitates for an almost
unlimited means of communication that reaches into the social and cultural structure of our
societal infrastructure. Additionally, advances in information technology and data management
offer the promise of a new and prosperous knowledge-based economy.
Naomi Klein suggests that Branding, and arguably Internet privacy issues, are “stripping
the hosting culture [the Internet] of its inherent value and treating it as little more than a
promotional tool.”51 The use of data mining, matching and collection techniques have clearly
demonstrated that the Internet can and will be used as a promotion tool. However, at issue is the
Internet’s capability to provide organizations to transparently integrate their marketing and
advertising practices reducing user awareness and resulting in manipulation or an enhanced
experience. Yet as this transparency increases, legislators are attempting to remove a degree of
transparency while attempting to maintain transparent privacy policies and practices to
encourage eCommerce and allow for the functionality of a knowledge-based economy. As in all
societal structures, striking a balance is the key component to a successful integration of any
51 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 39.
social, economic and political issue. However, in a technologically enhanced society, should the
public expect a level of surveillance and observation? Many would argue that our digital
economy is being disengaged from our social rights, namely privacy. Yet society continues to
demand personalized, enhanced, and new services, which inherently demands personal/user
information. Just as technology has the capability to abuse individual rights, it also has the
ability to protect and secure these rights. In brief, enterprises should recognize the necessity to
integrate privacy and security into their software and business practices52 allowing legislators and
enforcement agencies to focus on those who abuse the power of the Internet.
52 Message delivered by Ann Couvoukian during a lecture delivered to Dalhousie Law students: February 2002.
Bibliography
Fiorina, Carly. Technology, Business and our way of life: What’s Next. Minneapolis, Minnesota, September 26, 2001 <http://www.hp.com/hpinfo/execteam/speeches/fiorina/minnesota01.htm>.
Geist, Michael. Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001).
Klein, Naomi. No Logo. New York: Picador USA, 1999, p 22 – 40.
Soohoo, Ken. Digital Convergence Means Keeping it Simple for the Consumer. October 22, 2001 <http://www.Interactiveweekly.com/article>.
Articles
Computing, Gathering Intelligence for a more efficient Business. 21 February 2002.
EPIC, Request for Participation and Comment from the Electronic Privacy Information Center. Accessed March 2002 <http://www.epic.org>.
Gartner Group, Surveillance and Privacy: Technology and Opportunities. Jackie Fenn, 1 April 2002.
Ministry of Consumer and Business Services, A consultation on the Draft: Privacy of Personal Information Act, 2002. Ontario Proposed Privacy Legislation.
Office of the Privacy Commissioner of Canada, A Guide for Canadians: Your Privacy Rights – Canada’s Personal Information Protection and Electronic Documents Act. February 2001.
Ontario Proposes Disastrous Legislation, <http://www.the-cma.org/regbulletins/reg-114.html>.
Tétrault, McCarthy. Publicly available personal information and Canada’s Personal Information Protection and Electronic Documents Act. Rick Shields, 12 October 2000.
The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002.
http://www.doubleclick.com/us/corporate/about/, accessed April 2002.
Legal Resources
DTM RESEARCH, L.L.C., Plaintiff-Appellee, and UNITED STATES OF AMERICA, Intervenor-Appellee, v. AT&T CORPORATION, Defendant-Appellant, 245 F.3d 327 (2001) (U.S.Court of Appeals for the Fourth Circuit).
In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.).
Spyware Control and Privacy Protection Act of 2001, S.197.
EF CULTURAL TRAVEL BV, EF CULTURAL TOURS BV, EF INSTITUTE FOR CULTURAL EXCHANGE, INC., EF CULTURAL SERVICES BV, AND GO AHEAD VACATIONS, INC., Plaintiffs, Appellees, v. EXPLORICA, INC., OLLE OLSSON, PETER NILSSON, PHILIP GORMLEY, ALEXANDRA BERNADOTTE, ANDERS ERIKSSON, DEBORAH JOHNSON, AND STEFAN NILSSON, Defendants, Appellants, 274 F.3d 577 (2001) (US Court of Appeals for the First Circuit).
Websites
Definitions: <http://www.webopedia.com>.