20.1. Introduction

Soon after I started work on my comprehensive privacy tool, I discovered that I could not decide which features it should include. Privacy tools were a new category of software tools in 1995: many had very specific and novel features that were critical to some people but useless to others. There was no consensus on which features were important to have. Nobody even knew which of the tools that were available for download even worked!

Trawling the Internet, I found some web sites that had basic descriptions of some programs; sometimes, these sites even included ratings. But I couldn't find any comprehensive catalogs of the tools that were available.

The community of people who were actually developing these tools reflected this state of confusion. Many people were working on many products, but little communication was taking place among them. Without marketing experience, open source and independent developers had difficulty communicating why their products were actually needed. Meanwhile, those companies that had strong marketing frequently promoted their products with explanations that often devolved into impenetrable euphemisms.

I realized that I needed to perform a more thoughtful and systematic analysis. No one had yet examined privacy tools from the end user's perspective. How could this be done?

At the time my study took place, personal security solutions such as ZoneAlarm, PGP, and The Anonymizer were new and growing in popularity among Internet users. I began examining these tools specifically in terms of what privacy benefits they offered to the user. Upon examining the 134 tools, systems, and services that I thought had some relationship to privacy, I ended up with a large list of privacy features. As the work progressed, I began to see patterns emerge and could place tools and features into categories. At some point during the process, I began to refer to my collection of tools as the privacy space. I gave the tools, systems, and services within the privacy space the generic label of solutions.

Time has passed since my initial survey of privacy space solutions. Many solutions have been added to the privacy space and others have disappeared or have become insignificant. Despite the ever-changing nature of the privacy space, the framework I developed remains relevant. However, before I can discuss the Privacy Space Framework and why it is useful to us, first we must place this work into the larger context of privacy, especially online privacy.

20.1.1. Privacy

Noam talks about privacy as the place where the information rights of different parties collide.[1] Everyone needs privacy, but there are no "one-size-fits-all" remedies or equations that can decide how privacy should be balanced against other goods. Privacy is inherently a matter of individual choices and needs, a flux that is bounded by societal factors and personal preferences. To Noam, privacy is fundamentally about the flow of personal information between parties that have different preferences for how that information should be utilized.

[1] Eli Noam, "Privacy and Self-Regulation: Markets for Electronic Privacy," in Privacy and Self Regulation in the Information Age (Washington, D.C.: U.S. Department of Commerce, 1997).

Technology has a strong influence on our attitudes toward privacy and on how much (or how little) privacy individuals can attain. This is because the balance that Noam describes is inherently altered by the dropping cost of mass surveillance and data retention technologies. The fact that large amounts of information can be economically collected and used increases the desire of organizations to do so.

As online communication becomes more commonplace and as more information becomes available via the Internet, it is imperative that the ability of individuals to control the dissemination of their personal information keeps pace. One common way to help individuals keep pace is to prevent or limit information exchanges through the use of policy, law, and regulation. An obvious problem with such collective solutions is that the individual's perspective and individual choice almost invariably suffer. Another problem with these solutions is that they can produce a smokescreen that results in no real progress toward the goal of enhancing privacy.

Another approach to the privacy problem is to engage individuals with an array of technological privacy solutions. These solutions allow individuals to extend their senses into the cyberrealm and become aware of the information that is flowing away from each of us.

Each of us constantly makes choices whether to communicate our identities, ideas, and preferences. McLean calls this form of privacy access privacy.[2] Allowing access to personal information may not be a decision that we spend much time contemplating in some cases, but it is a conscious choice.

[2] Deckle McLean, Privacy and Its Invasion (Westport, CT: Praeger Publishers, 1995).

Despite the dour outlook for privacy in America documented by numerous scholars[3], [4], [5], [6], all is not lost. As individuals, each of us has the ability to retain some control over our personal information flows. Choosing tools that allow us to better understand and enforce our preferences is of paramount importance. Informed choices come from being aware of what information is being passed. The privacy space framework helps inform such choices by giving individuals a tool for making well-considered choices when it comes to their privacy.

[3] Simson Garfinkel, Database Nation: The Death of Privacy in the 21st Century (Sebastopol, CA: O'Reilly Media, 2000).

[4] Amitai Etzioni, The Limits of Privacy (New York: Basic Books, 1999).

[5] B. Meeks, "The Privacy Hoax," Communications of the ACM 42:2 (1999).

[6] Winn Schwartau, Information Warfare: Chaos on the Electronic Superhighway (New York: Thunder's Mouth Press, 1996).

20.1.2. Exoinformation

We must expect to reveal a great deal about ourselves in everyday interactions. We continually shed information about ourselves, usually with no thought whatsoever because the process is so unavoidable. This kind of personal information "broadcast" was noted by Singleton during a workshop pertaining to online profiling.[7] Or, as Sanchez says so succinctly: "Merely by walking outdoors, we put ourselves in the public domain."[8]

[7] Solveig Singleton, "Comments Submitted in the FTC/NTIA Workshop on Online Profiling," Cato Institute [cited Oct. 3, 2004]; http://www.cato.org/pubs/wtpapers/991018comments.html.

[8] Julian Sanchez, "The Privacy Cage," Liberzine.com [cited Feb. 6, 2001]; http://www.liberzine.com/juliansanchez/010205privacy.htm.

Exoinformation is the word that I use to describe what Singleton and Sanchez are talking about. Exoinformation has become an important commodity; companies such as DoubleClick, Inc. gather it up and piece it together to build mosaics that more or less reflect the preferences of individuals and society as a whole. Exoinformation is gleaned from the tidbits of information that we give off during information-seeking activities. Like pottery shards, arrowheads, or other disassociated artifacts that archaeologists use to glean knowledge of past civilizations, the string you used in a search query, the timestamp of a request, a logged event on a server, or the URL typed into a browser window are all left-behind remnants of a life. As with archaeology, each individual tidbit is insignificant. But patterns emerge when the fragments are combined. Many people believe that this ability to cross-reference exoinformation and make sense out of it will one day become a powerful tool.

Although it is tempting to define exoinformation solely in terms of the human-computer interface,[9] the term can be applied universally to all of the informational byproducts of an individual's life activities.

[9] Benjamin Brunk, "Exoinformation and User Interface Design," ASIS&T Bulletin (Aug./Sept. 2001).

Westin used the term data shadow[10] to describe exoinformation, and Olsen used the term data exhaust.[11] Why do we need a new term when we have been talking about this concept for years?

[10] Alan Westin, Privacy and Freedom (New York: Atheneum, 1967).

[11] S. Olsen, "Web Browser Offers Incognito Surfing," CNET News.com [cited Feb. 1, 2003].

Although the concept of exoinformation is not new, never before have we had a clear and descriptive term that was not itself a metaphor that needed to be explained and that opened itself up to argument. McLean[12] noted that our vocabulary on privacy is extraordinarily small. By standardizing on this word exoinformation, I hope that we can stop discussing the existence of this privacy leakage and start discussing what to do about it.

[12] Ibid.

EXFORMATION

As a brief aside, let us explore the origin of the word exoinformation and examine some related terminology. The word exformation was coined by Nørretranders,horse, Nørretranders says, the speaker has deliberately discarded a body of information.

For example, writes Nørretranders, when Victor Hugo sent a telegram to his publisher asking how his most recent book,

Nørretranders called this shared context that consists of discarded but very important information

Clearly, there is no way to measure how much exformation is contained in a message based solely on its information content, as the exchange between Hugo and his publisher elegantly demonstrates.

The concepts of exoinformation and exformation are related. Exformation refers to "the stuff you leave out" and exoinformation refers to "the stuff coming out of you" (hence the exo- prefix). Exoinformation is generated from the same stuff as exformation, the latter being the raw data from which the former is made.

Nørretranders did a superb job of describing the process by which knowledge is created through the selective shedding of information. What Nørretranders overlooked is the phenomenon in which another entity can locate and recycle someone's discarded information, usually beyond the sensory perception of the one doing the discarding. Nørretranders assumes that discarded information is lost to the world, but that is not always the case. We are only just beginning to understand what happens to this discarded information. Because of the nature of our digital technologies, it is much harder to eliminate information for good than we perceive it to be.


[a] Tor Nørretranders,

EXAMPLES OF EXOINFORMATION

Information is constantly escaping us without our knowledge. Some of this information is private information that we would rather others not see. For example, if you create a document in Microsoft Word and someone edits it for you using the Track Changes feature, the comments and edits can remain with the document even after you select Accept Changes. A third party with access to the document can recover data that most people think was deleted. It was not until several very public incidents in which hidden information was disclosed publicly that Microsoft developed and released a special add-in to "remove hidden data."[a]

Another example involves email. Suppose that someone sends you a message with a "Reply-to:" header field that redirects any replies to a different email address. Many people have been embarrassed (and even fired) for accidentally posting a message reply to a mailing list or a group of email lists instead of to an individual. A great deal of harm can ensue because an email tool's user interface does not safeguard against such actions.
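The safeguard that the paragraph says most email tools lack can be built from the message headers alone. The following is an added example, not code from the book: it reads the From, Reply-To and RFC 2369 List-Post headers and reports where a plain "Reply" would actually be delivered, so a client could warn before the message leaves. The sample message is constructed; the addresses and list name are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr


def reply_warning(raw_message: str) -> dict:
    """Return where a plain 'Reply' goes and the reasons a client should warn."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Mail clients honour Reply-To over From when both are present.
    target = reply_to or from_addr

    # RFC 2369 List-Post looks like "<mailto:list@example.org>"; it names the
    # address that fans a message out to every subscriber.
    list_post = msg.get("List-Post", "")
    list_addr = ""
    if "mailto:" in list_post:
        list_addr = list_post.split("mailto:", 1)[1].rstrip(">").strip().lower()

    warnings = []
    if reply_to and reply_to != from_addr:
        warnings.append("Reply-To redirects the reply away from the sender")
    if list_addr and target == list_addr:
        warnings.append("a plain reply goes to the whole mailing list")
    return {"target": target, "warnings": warnings}


# Constructed sample: a list message whose Reply-To points back at the list,
# so replying "privately" would in fact post to every subscriber.
SAMPLE = """From: Alice <alice@example.com>
To: bob@example.com
Reply-To: privacy-talk@lists.example.org
List-Id: <privacy-talk.lists.example.org>
List-Post: <mailto:privacy-talk@lists.example.org>
Subject: Re: privacy tools survey

Bob, thanks for the notes.
"""

if __name__ == "__main__":
    print(reply_warning(SAMPLE))
```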

The final example involves tracking web users with "web bugs,"[b] which normally take the form of 1x1-pixel invisible images. Suppose that someone posting a message to a message board includes a link to a web bug located on her own web server. Every time someone reads her message, the web bug image is loaded and the server hosting it logs the access. Unless message board surfers make note of images linked to externally, they have no way to even know their access has been logged by a third party. Their presence on that message board, in that thread, has been logged. More comprehensive use of web bugs on a message board could allow a third party to discover a wealth of information about the browsing habits and locations of otherwise anonymous peers visiting that message board.
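The web bug example above can be turned into a check a message board (or a privacy tool on the reader's side) could run over posted HTML before rendering it. This is an added example, not code from the book: it flags images that are tiny or hidden and are served from a host other than the board itself, which is exactly the pattern of a third-party logging pixel. The board hostname and the sample post are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels: 1x1 (or 0x0) or
    hidden via CSS, and loaded from a host other than the board itself."""

    def __init__(self, board_host: str):
        super().__init__()
        self.board_host = board_host.lower()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag() delegates here, so "<img ... />" is covered too.
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # A relative src is served by the board itself, so it cannot leak to a third party.
        host = (urlparse(src).hostname or self.board_host).lower()
        tiny = (a.get("width", "").strip() in ("0", "1")
                and a.get("height", "").strip() in ("0", "1"))
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if host != self.board_host and (tiny or hidden):
            self.suspects.append(src)


def find_web_bugs(html: str, board_host: str) -> list:
    """Return the src of every externally hosted tracking-pixel candidate."""
    parser = WebBugFinder(board_host)
    parser.feed(html)
    return parser.suspects


# Constructed sample post: one local image, one ordinary external photo,
# and two externally hosted images that only exist to log the reader's visit.
POST = """<p>Great thread, see my notes here.</p>
<img src="/uploads/diagram.png" width="400" height="300">
<img src="http://tracker.example.net/pixel.gif" width="1" height="1">
<img src="http://photos.example.org/cat.jpg" width="640" height="480">
<img src="https://tracker.example.net/beacon.gif" style="display: none">
"""

if __name__ == "__main__":
    for src in find_web_bugs(POST, "board.example.com"):
        print("possible web bug:", src)
```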


[a] Microsoft, "Office 2003/XP Add-in: Remove Hidden Data," rhdtool.exe version 1.1.

[b] See Chapter 23, this volume.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
