Corporate and Government Databases

The practice of gathering personal information about customers and citizens by corporations and governments is well established. Software is available which is dedicated to analyzing data collected by company Web sites, direct-mail operations, customer service, retail stores and field sales. Web analysis and marketing software enables Web companies to take data about customers stored in large databases and offer these customers merchandise based on past buying behavior, either actual or inferred. It also enables targeted marketing to individuals using e-mail. Governments routinely collect personal information from official records of births, deaths, marriages, divorces, property sales, business licenses, legal proceedings and driving records. Many of the databases containing this information are going online.

Financial Information Databases

The recent deregulation of the financial services industry has made it possible for banks, insurance companies and investment companies to begin working together to offer various financial products to consumers. Personal financial information that was kept separate before deregulation can now be aggregated. In fact the ability to mine customer data is one of the driving forces behind the creation of large financial conglomerates. Services can be offered to customers based on their information profiles. Banks that finance company alliances can disseminate personal information about their customers to third parties without their permission and may even decline to alert a customer if someone is snooping in the customer’s account. Even though companies may choose not to sell personal information to third parties, companies within an alliance may use the data themselves to push financial products and services.

Large credit bureaus such as Equifax and Trans Union have traditionally been a source of information about a person’s credit worthiness. Their databases contain information such as a person’s age, address and occupation. Credit bureaus have begun to sell personal information to retailers and other businesses.

Online banking presents another challenge to PIP. Many banks store customers’ addresses and social security numbers in the same records. The information, once retrieved, can be used to reroute credit card mailings or open new accounts.

Medical Information Databases

Like personal financial information, medical information is for most people a very private matter. Despite this fact, there is a wealth of personal medical data in government and institutional databases. Although many of these government database records are stripped of information which could be used to identify individuals (such as Social Security numbers), it is still possible to link the records to private sector medical records using standard codes for diagnoses and procedures employed by the United States healthcare system. The codes are usually included on insurance claims and hospital discharge records.

Much personal health information that is available to the public is volunteered by individuals themselves, by responding to 800 numbers, coupon offers, rebate offers and Web site registration. The information is included in commercial databases like Behavior-Bank sponsored by Experian, one of the world’s largest direct-mail database companies. This information is sold to clients interested in categories of health problems, such as bladder control or high cholesterol. Drug companies are also interested in the commercial databases.

Medical information databases are available through private networks. However, this situation is quickly changing. Healtheon and other healthcare companies are competing to get doctors to write prescriptions over the Internet and to persuade people to place their personal health records on the Internet.

E-Mail

E-mail accounts for 70% of all network traffic and is susceptible to tampering and snooping. In many companies, employee e-mail communications are routinely monitored. Loss of workday productivity is often cited as the major concern for businesses that monitor e-mail. However, many companies worry about possible litigation stemming from sexually charged e-mail. Companies are also concerned with activity which may expose the company to breach of contract, trade secret, and defamation lawsuits.

Employee’s invasion of privacy claims have not been upheld in the United States courts, which argue that, since employers own the computer equipment, they can do whatever they want with it. The 1986 Electronic Communication Privacy Act grants employers the right to review stored communications on a company’s computer system.

Wireless Communications

A monitoring operation run by the U.S. National Security Agency called Echelon uses satellite technology to listen in on virtually all international and (to a limited degree) local wireless communications, including phone calls, faxes, telexes, e-mail and all radio signals including short- wave, airline and maritime frequencies. The operation listens for certain target words. When a target word is encountered, the transmission is sent to humans for analysis. Echelon is designed primarily for non-military targets, including governments, organizations and businesses around the globe.

Wireless advertising promises to pose a host of challenges for privacy advocates. Wireless service providers know customers’ names, cell phone numbers, home and/or office addresses, and the location from where a customer is calling as well as the number a customer is calling. Each wireless phone has a unique identifier that can be used to record where in the physical world someone travels while using the cell phone. In addition, the Federal Communications Commission requires cell phone service providers to be able to identify the location of a caller who dials 911, the emergency number. Most likely cell phone manufacturers will meet this requirement by embedding a Global Positioning System chip in all cell phones. Since a cell phone service provider can track the location of a 911 call, it will also be able to track the location of any other call as well.

Clickstream Tracking

As with e-mail technology, productivity and legal liability concerns are also paramount in companies’ decisions to track the behavior of employees when using the Internet. Software programs have been specifically designed to monitor when employees use the Internet and which sites they visit. Telemate.Net can examine company network activity and produce reports identifying and ranking the company’s heaviest individual Internet users. It lists the sites most visited by members of the whole company or by members of individual departments within the company, and if desired can list sites visited by individual employees and rank them by roughly two dozen categories.

Internet companies monitor Internet user behavior by a number of means, primarily to gather data about shopping and buying preferences with a view toward developing “user profiles.” These technological means primarily involve the creation and use of cookies. Cookies are text files created by a Web server and stored on a user’s hard disk. A cookie is a set of fields that a user’s computer and a server exchange during a transaction. Web servers work with ad placement companies that resell advertising space from popular sites. These companies maintain large databases in which are recorded details about who looks at which pages. When a user connects to a Web site, the browser checks the cookies on the hard drive. If a cookie matches the site’s URL, the browser uploads the cookie to the Web site. With the information contained in the cookie, the site can run programs which personalize site offerings and/or track the user’s activity while online.

It should be noted that U.S. government agencies also track the browsing and buying habits of Internet users. A congressional report released in April 2001 found that 64 federal Web sites used files that allow them to track the browsing and buying habits of Internet users. Among the agencies were the Departments of Education, Treasury, Energy, Interior and Transportation, as well as NASA and the General Services Administration.

Hardware and Software Watermarks

Hardware and software identifiers (“watermarks”) can also be used to identify individual users. Every Ethernet card used in computer communications has its own MAC (Medium Access Control) address, a 48-bit number sent in the header of every message frame. As the Ethernet standard evolves into a wide-area communications protocol, this identifier may become of increasing concern to Internet users intent on protecting their privacy.

Microsoft Corporation includes a unique numeric identifier into every copy of its Office program. When a Microsoft Office document is created, it is watermarked with this unique identifier. The creator of the Melissa virus was apprehended when he posted documents to a Web site frequented by virus makers. Authorities used the watermark found in the Melissa virus to match the watermark found in the documents.

Biometric Devices

Various devices are available that identify people through scans of their faces, hands, fingers, eyes or voice recognition. Biometric devices create a statistical profile by assessing a number of biological characteristics. As the equipment used to take the measurements decreases in cost, it becomes economical to scan millions of faces and other characteristics into a computer database. Digital photography adds to the growing volume of non-text data about people. Privacy advocates object to the fact that much of the measurement taking happens without the knowledge or explicit cooperation of a subject, which can lead to abuses of the technology. The Electronic Frontier Foundation has noted that a bank that has collected face scans of ATM customers could sell this information to another company for a purpose not related to banking. Though not as simple as text data, biometric data can be transmitted on the Internet with little difficulty.