The digital devices you use to organise your life are keeping very detailed notes. Is personal technology worth its cost in personal privacy?
Marisel Garcia first suspected something was amiss with her laptop when she noticed that the tiny activity light above the built-in camera flickered whenever she was in front of it. She also thought the PC's battery was draining faster than normal.
When she took her laptop to a friend who worked in technology, he found that someone had installed software that allowed the computer to be controlled remotely. What's worse, that person had been taking photos through her webcam.
Investigators say the spyware had been created and installed by Craig Matthew Feigin, a 23-year-old student at the University of Florida, who had previously offered to fix a problem with Garcia's computer. Police arrested Feigin, who now faces a charge for computer tampering, to which he has pleaded not guilty. In his statement to police, Feigin described how he had configured the software to take snapshots of anyone who moved in front of the webcam. He eventually amassed more than 20 000 images of Garcia, her boyfriend and other friends, and sent snapshots of their most private moments over the Internet to contacts in Eastern Europe.
Considered tech-savvy around campus, Feigin was often approached by students who needed help with their computers, and Garcia was in town visiting friends when she asked for his help to make her PC run faster. He admitted to investigators that he had installed the same software on PCs belonging to more than half a dozen other women.
According to court records, Garcia used her laptop the way many people do today – as a communications link that’s always online and carried from room to room for e-mailing, instant messaging and shopping. This type of open digital pipeline connecting private space and the public Internet is swiftly becoming the norm in many countries where broadband has become the norm. Plus, many people now have 3G phones. These are the twin pillars of our digitally connected modern society: high-speed broadband connections have transformed the way people use the Internet at home and at work, while 3G cellular networks have allowed us to take that digital connection on the road.
As these powerful networks have evolved, so have the devices we use to access them. Personal computers, once self-contained processing machines, have become permanently connected devices. Most software also requires an Internet link to work properly; in fact, the latest trend in “cloud computing” moves software off the computer altogether. The evolution in cellphones has been even more dramatic. These were once analogue devices designed exclusively for making phone calls; now they are data-centric mini-computers with integrated satellitetracking capability. With each new gadget we buy and use, we make a choice to further integrate our lives into the public Internet. That decision has enormous implications for our conventional understanding of privacy and personal space.
Our digital tools provide an open window to our lives, and a long list of curious characters – hacker peeping Toms, corporate marketers, jealous jilted lovers, snooping government agencies – are eager to look inside. And the digital portrait they see is more detailed than ever. According to market research firm IDC, the average person has an online digital presence of 45 GB – about half of which is created by outside sources. This digital shadow of our lives is coloured in with e-mails, photo posts, password hints, Facebook friend requests and location-based queries flowing fluidly in and out of the electronic devices we bring with us everywhere.
Mobile Positioning System
Cellular phones are the most ubiquitous locationaware devices on the planet: their very operation depends on knowing where the user is. Any phone can determine its own location (and thus the location of the user) by triangulating from multiple cell towers, then send that information back to the wireless service provider. This ability makes it possible to route calls efficiently to subscribers, and it can often save lives. In 1996, the Federal Communications Commission mandated that US cellular providers phase in location-aware Enhanced 911 (E911) capabilities on most cellphones by 2012 to determine the position of a caller in an emergency to within 100 metres. Just last June, two hikers who wandered off course in Alaska’s Denali National Park were found a few days later when rescue workers tracked them through their cellphones.
Many newer phones are shipping with embedded GPS antennas, giving them location and mapping capabilities that rival embedded navigation systems in cars. But since phones are two-way communications systems, they are open to a variety of uses beyond tracking and simple navigation.
Many companies are taking advantage of these capabilities to help manage time cards, monitor fuel consumption and ensure that workers aren’t slacking off. Gearworks, based in Minnesota, provides location-tracking services to the transportation, infrastructure and healthcare industries. Phones outfitted by Gearworks operate like digital foremen for employees in the field. They can navigate an employee to a job site, record the amount of time it took to get there and perform the job, then allow him to remotely punch out when the job is done.
According to Gearworks co-founder and chief technology officer Rob Juncker, devices using his company’s locationtracking technology explicitly inform users that they are being tracked. Employees have the option of temporarily disabling the tracking feature for “privacy breaks”.
Many emerging businesses are using the native tracking ability of modern cellphones to sell location-based information as a lifestyle service to consumers. Startup companies such as Loopt and Whrrl offer everything from real-time directions to information on local restaurants, movie showings and friends in the area. The trend toward location tracking is expected to become the future model for mobile advertising and marketing, serving up ads and special deals not only targeted at you personally, but relevant to where you are geographically.
Yet legal standards of privacy for use of your location data are inconsistent at best. “The law says that information can’t be disclosed without prior opt-in from the consumer, but that law only applies to telecommunications carriers,” says Jim Dempsey, vice-president for public policy at the Centre for Democracy and Technology. “But many entities handling location information, or with access to it, are not telecom carriers.”
A survey of the privacy policies of many location-based service providers shows how fluid the traffic in personal location data has become. Because many of these services are opt-in, once the user has agreed to the terms, his phone can be tracked even when the application is turned off. And the data collected, along with other personal information, can and will be shared with advertising and marketing partners – that is, in fact, the business strategy of these services.
A personalised marketing campaign offering discounts at the burger shop around the corner may seem relatively innocuous, but as more cellphone users embrace location-aware phones, their devices automatically create a worldwide web of evidence that can easily show up in court.
Seattle lawyer Albert Gidari represents a number of wireless carriers. He has seen at least two civil suits so far in which companies have sought location data from providers. One of these cases, brought by a large insurance company, sought location data on a subscriber who was suspected of stealing and setting fire to his own car to recover the insurance payout.
Both cases were ultimately abandoned by the plaintiffs because of costs. But Gidari suspects the reason more cases don’t involve requests for location data is that litigants simply aren’t aware it’s available. “What I think is on the horizon is that in every insurance case involving a distracted driver, someone’s going to ask, ‘Was the driver on the phone?’ and ‘Was the driver texting at the time of the crash?’”
The tracking technology in cellphones is exploited not just by businesses and the courts. An established market exists for consumer spyware programs that can be installed on cellphones. Dozens of Web sites advertise GPS tracking devices and stealth software, encouraging users to “catch a cheating spouse” or “keep a watchful eye on your children”. For relatively little money, suspicious or obsessed amateur detectives can outfi t themselves with an arsenal of spy gear. Some of these services let users log into a Web page and get daily reports of their subjects’ movements and even chart their activity using Google Earth, the search giant’s free satellite imagery software.
Too often, these tools end up in the hands of stalkers and obsessed former lovers. According to Cindy Southworth, director of the Safety Net Project – a non-profit organisation that trains law-enforcement offi cers to understand the role of technology in domestic abuse – computer spyware and GPS tracking services are showing up in a huge number of stalking and domestic violence cases. “We get at least one call a week on a new case where spyware is being misused in stalking and ex-lover cases,” Southworth says.
In 2006, Washington state resident Sherri Peak suspected that her estranged husband Robert was tracking her movements. An investigator confi rmed her fears: Robert Peak had hidden a cellphone and a GPS tracking device in the dashboard of her car. Peak rigged the phone so he could dial in silently and listen in on his wife, while tracking her movements on his laptop computer. Peak pleaded guilty to felony stalking and was sentenced to eight months in prison.
The wealth of free content and services that Web surfers fi nd so valuable is largely supported by a hidden economy. Companies give away software and services in exchange for the ability to collect and share data about where users go online, as well as what they’re searching for or buying. With advertisers under pressure to collect ever more detailed information on consumers, the stakes are enormous. According to a report commissioned last year by the Interactive Advertising Bureau, online advertising in the US grossed R210 billion in 2007, trumping radio (R200 billion) and broadcast television (R190 billion).
“Free Web services aren’t free,” says Gregory Conti, a computer science professor at the United States Military Academy at West Point. “We pay for them with micropayments of personal information. Users aren’t entirely oblivious to the fact that information is being collected, and they’re doing a cost–benefit analysis, but they’re not thinking longterm.”
Just how much data are advertisers collecting and sharing? In a study commissioned by The New York Times, Internet research firm ComScore found that on average Yahoo and its advertising-partner networks collect more than 2 500 bits of data monthly from each user. Every time Yahoo users enter a search query, their profiles become more detailed.
Advertisers piece together digital dossiers on consumers by collecting these tiny fragments of information. But the mother lode of personal data is in the hands of the Internet service providers (ISPs), who know exactly who their subscribers are, where they live, where they go online and with whom they communicate. Because a service provider is the point of first contact between a consumer and the Internet, all data traffic going in and out of his or her household goes through the ISP’s routers. Logs of that information can be stored on an ISP’s servers for an indefinite period of time. With such a wealth of valuable information, some ISPs are starting to share this data with marketers.
In May 2008, St. Louis-based Charter Communications, the third-largest publicly traded cable operator in the United States, announced plans to serve customers with ads based on the content of the Web sites they visited. The company that powers this so-called “deeppacket inspection” service, NebuAd, had similar deals with more than a dozen other USbased ISPs. After a public outcry, the House Energy and Commerce Committee last summer opened an inquiry into NebuAd’s controversial tactics, forcing the company to put a temporary hold on its technology for tracking ISP customers.
ISPs are prohibited by law from sharing the content of their customers’ digital correspondence, but the peripheral details of your browsing, e-mailing and online shopping habits are fair game. “The only thing that would prevent an ISP from giving away or selling this data to marketers is its own privacy policies,” says Kevin Bankston, a senior staff attorney with the Electronic Frontier Foundation. “So there’s a big question right now of which ISPs are selling what data to whom, and the answer is we really don’t know.”
The privacy cloud
The one foolproof counter-measure to prevent prying marketers and hacker snoops from digging into your data has always been to yank the lead. Data can’t be siphoned off an unconnected computer. But consumers are increasingly leaving everything from e-mail to photos to documents on off-site data-storage services – a trend known as cloud computing. Tech heavyweights such as Amazon, Google, IBM, Intel, Microsoft and Yahoo market the services as everything from disaster backup and recovery solutions to Web-based software that allows consumers to get access to and work on their files from any digital device on the planet. The advantage of this approach is obvious: If your data isn’t located on any one machine, it can never be lost or corrupted. But when your personal data isn’t on your personal computer, it’s out of your control.
Experts warn that data left in the cloud does not enjoy the level of legal and privacy protections as the same data residing on the user’s home PC. “The police can get into your home only if they have a search warrant, but the laws for police access to remote servers are much looser,” says Peter Swire, a former privacy advisor to the Clinton administration who now teaches cyberspace law at Ohio State University’s College of Law. “That means in civil or criminal litigation, or a divorce case, you may not know if someone is looking at your files. You have to hope the provider objects.”
Cloud-based social-networking sites such as Facebook and MySpace push the privacy envelope even further, encouraging users to post and share massive amounts of personal data that can be scooped up and stored indefinitely. And in an increasing number of cases, information that people willingly post about themselves online is coming back to haunt them. “The problem is that teenagers, college students and even some adults who ought to know better are not thinking through the long-term consequences of putting up so much personal information,” says Daniel Solove, author of The Future of Reputation: Gossip, Rumour, and Privacy on the Internet. “Today’s reality is that, once something is out in the public, it usually stays there.”
A Pennsylvania woman is currently embroiled in a lawsuit against Millersville University alleging that the school denied her a teaching degree after viewing a photo on her MySpace page titled “drunken pirate”, which shows her sipping from a plastic cup while wearing a pirate hat. Stacy Snyder was of legal drinking age when she posted the photo, but she claims university officials called the snapshot “unprofessional”, and said that it could have offended students at a local high school where she was a student teacher. The university has declined to comment on the case, pending a decision by the judge.
High school seniors and recent university graduates have good reason to be nervous if they’ve posted overly personal data on their social networking pages. According to a survey released in September by education services provider Kaplan, 10 per cent of admissions officers surveyed admitted viewing applicants’ MySpace and Facebook pages. Another survey conducted by CareerBuilder found 22 per cent of hiring managers used social networking sites to evaluate job applicants, and more than one-third reported finding content that disqualified candidates.
As more personal information is pumped into the cloud, the ability to search through it becomes more sophisticated. That makes digging up intimate details on others even easier. Millions of amateur photographers upload photos to the Web with little regard for the staying power of the medium.
In September, Google launched a new version of its Picasa photo-organising software that uses facial recognition technology to help users identify people in their pictures. Anyone can tag a photo with your name and Google will store that facial fingerprint indefinitely. Picasa’s facial recognition will then try to tag any subsequent photos of you it can find. Another Picasa feature, “geo-tagging” (adding geographical data to shots), allows you to overlay images on Google maps. Although Google has implemented privacy safeguards – users can tag photos only in their own accounts’ Web albums – some experts worry that Picasa and other cloud services need to provide consumers with additional protection.
“What’s to stop a zealous prosecutor from searching the State’s digital database of driver’s licence photos for people under 21 whose online Flickr photos show them engaged in underage drinking?” writes Raeanne Young, a programme associate at the Centre for Democracy and Technology. “What’s to stop an employer from doing the same with a photo taken by a video camera in the lobby of the building where you went for your job interview?” Legally, not much. Those photos could show up in court as well. Law enforcement can search even password-protected online accounts without your knowledge, as long as they can obtain a court order.
Richard Stallman, founder and president of the Free Software Foundation, condemns cloud computing and free Web-based services as a trap for consumers. “To use these things is to close your eyes to the question of whom these machines are really serving,” he says.
None of these technologies ever truly feels like a trap until it’s too late – when your embarrassing photos are posted online by your angry ex, when your cellphone data becomes damning evidence against you in court, or when the ads delivered to your e-mail in box become disturbingly personal. And it may turn out that the technological trade-off is unavoidable – to be a part of our digitally connected society requires a redefinition of privacy. The only other option is to unplug completely.
“Webcams are only as secure as the computer they’re connected to,” says computer security expert John Pironti of Getronics, “and many computers aren’t very secure.” Plenty of software exists in