EPIC --- Privacy and Human Rights Report
Surveillance by law enforcement is not the only online privacy risk. The growth of the Internet and electronic commerce has dramatically increased the amount of personal information that is collected about individuals by corporations. As consumers engage in routine online transactions, they leave behind a trail of personal details, often without any idea that they are doing so. Much of this information is routinely captured in computer logs.
Most online companies keep track of users' purchases. This information ranges from the trivial to the most sensitive and, unless adequately protected, can be used for purposes that seriously harm the interests of the consumer. Other companies gather personal information from visitors by offering personalized services such as news searches, free e-mail and stock portfolios. They then sell, trade, or share that information among third party companies without the consumer's express knowledge or consent. Due to its perceived value, the retention of this kind of information has become a dominant business model in the information economy.
Many online companies, for example, provide lists of their customers' e-mail addresses to companies that specialize in sending unsolicited commercial e-mail (spam). Other companies mine e-mail addresses from sources such as messages posted on mailing lists, newsgroups, or domain name registration data. In one test by the US Federal Trade Commission, an e-mail address posted in a chat room began receiving spam within eight minutes of submitting a post. Mining or harvesting e-mail addresses produces a barrage of online advertisements. Studies show that consumers resent spam both for the time it takes to process and for the loss of privacy resulting from their e-mail address circulating freely on countless directories. Furthermore, spam can result in significant economic loss to the consumer. The 2006 Annual MessageLabs Intelligence Report revealed that average spam levels reached 86.2 percent in 2006, a new high attributed to "an increase in sophistication of botnets and new targeted techniques."
In April 2006, the Organization for Economic Cooperation and Development (OECD) Task Force on Spam released its Anti-Spam Toolkit of Recommended Policies and Measures, which highlights policies and measures that the Task Force feels should be key elements of a public policy framework for addressing the issue of spam, such as legislation with clear definitions and meaningful enforcement, cooperative partnership initiatives, education outreach, and technical solutions used in combination. In November 2006, the StopSpamAlliance initiative launched an online spam information resource that provides updates on conferences, workshops and regional events.
In response to improved spam filters, much spam now includes solicitations embedded as image files that cannot be read by filters. This method further increases the bandwidth costs by increasing the message size of unsolicited emails. Technical setbacks only underline the need for legal and policy responses to the problem.
While spam refers generally to commercial email, phishing applies similar principles to criminal activity. Phishing schemes aim to fraudulently obtain sensitive consumer information using emails disguised as legitimate requests. Common examples include luring consumers to spoofed [faked] websites where they are asked to enter information including bank account numbers and passwords. It is estimated that this crime costs US companies over $2 billion annually as their customers are victimized. Phishing attacks increased significantly during 2006, with such attacks accounting for 24.8 percent of all malicious emails intercepted by one firm that analyzes spam. In 2005, phishing attacks accounted for only 13.1 percent of such traffic. The severity of the problem has led to the creation of industry working groups and numerous consumer alerts.
Many companies, including Internet Service Providers (ISPs), search engine firms, and web-based businesses, monitor users as they travel across the Internet, collecting information on what sites they visit, the time and length of these visits, search terms they enter, purchases they make, or even "click-through" responses to banner ads. In the off-line world this would be comparable to, for example, having someone follow you through a shopping mall, scanning each page of every magazine you browse through, every pair of shoes that you looked at and every menu entry you read at the restaurant. When collected and combined with other data such as demographic or "psychographic" data, these diffuse pieces of information create highly detailed profiles of individuals. These profiles have become a major currency in electronic commerce where they are used by advertisers and marketers to predict a user's preferences, interests, needs and possible future purchases. Many of these profiles are currently stored in connection with an assigned number or the user’s Internet Protocol (IP) address, exposing users to risk of the information being linked to other information, such as names and addresses, making them personally identifiable. In 2006, the release of the search records of 658,000 Americans by America Online (AOL) demonstrated that the storage of a number as opposed to personally identifiable information does not necessarily mean that search data cannot be linked back to an individual. Although the search logs released by AOL had been "anonymized," and therefore identified each user only by a number, news reporters easily matched user numbers with identifiable individuals.
Individuals are also tracked online through "spyware," invasive software that transmits browsing habits or personal information to others. Some spyware is motivated by commercial profiling, and is primarily designed for ad targeting. Other spyware is specifically advertised as a method for spying on individuals. In at least one instance, spyware has been associated with identity theft. Spyware is generally difficult to define, and in comments to US regulators, EPIC has argued that even "legitimate" software can possess "indicia of invasiveness" that typically appear in unsavory spyware programs. Spyware is sometimes bundled with other programs, so that users download and install it without fully understanding the tracking capabilities. Spyware can also be installed by "drive by downloads," situations where individuals are tricked into accepting a program for installation, and through vulnerabilities in Internet browsers. The 2006 Global Threat Report by ScanSafe, a global provider of web security services, reported "relentless growth" in spyware in 2006, with ScanSafe’s software blocking 254 percent more instances of spyware during the year than it did in 2005. A European report called for a strong commitment by government to fight online malpractices, as well as clear organizational responsibilities for enforcement actions.
The European Commission's Working Party on the Protection of Individuals addressed the issue of governmental response to spyware. Recommendations of the Working Party include giving the data subject notice of the data processing and collection, a user right of access to the data, prevention of the creation of client persistent information, and technical protections against spyware. In April 2004, the US Federal Trade Commission held a forum on spyware.
In the offline world, profiling has been thriving for decades. Profiling companies build personally identifiable databases based on a plethora of sources including supermarket purchases, product warranty cards, public records, census records, magazine and catalog subscriptions, and surveys. This is done in the absence of legislation that would prevent dossier building. Companies also "enhance" dossiers that they already own by combining or "overlaying" information from other databases. For instance, a business may request a name and phone number directly from the customer, and then use this information to purchase other personal details. These dossiers may link individuals' identities to any number of facts deemed private by advanced societies including medical conditions, physical characteristics, and lifestyle preferences.
Attempts at developing more permanent methods of identifying users have been underway for years. In 1999, Intel announced that it was including a serial number in each new Pentium III chip that could be accessed by websites and internal corporate networks. Most of the manufacturers suppressed the number after a consumer boycott was announced, and Intel announced in 2000 that it was dropping the serial number in future chips. Microsoft and RealAudio were discovered using the internal networking number found in most computers as another identifier for online users. Microsoft's Windows Media Player contains a globally unique identifier (GUID) that can be tracked by website operators. Finally, the Media Access Control (MAC) addresses embedded in many network cards are unique and can be used to identify many computers.
The privacy of online consumers can also be seriously compromised by security breaches. Many web sites are poorly secured against both physical and electronic attacks. In 2003, a security breach notice law took effect in California that requires entities to notify individuals when their personal information may have been accessed without authorization. Since implementation of that law, every month brings a new series of notices of major security breaches.
The largest data security breach worldwide to date involved the theft of more than 45 million credit and debit card numbers from TJX Companies located in the US, Canada, Puerto Rico and possibly the UK and Ireland. This stolen information has been used to make fraudulent purchases in the US, Hong Kong and Sweden. Bank associations filed a class action lawsuit against TJX Companies over the data security breach. The banks claim that TJX failed to adequately protect sensitive data, and the suit seeks to recover damages in the "tens of millions of dollars," the cost, the banks say, to replace cards and cover fraudulent charges from the security breach.
There are tools available that can be used to protect the privacy of users in many cases. These technologies are known as "Privacy Enhancing Technologies" (PET) and are aimed at eliminating or minimizing the collection of personally identifiable information. Encryption is an important tool for protection against certain forms of communications surveillance. When properly implemented, a message is scrambled (i.e., encrypted) so that only the intended recipient will be able to unscramble (i.e., decrypt), and subsequently read, the contents. Pretty Good Privacy (PGP) is the best-known encryption program and has hundreds of thousands of users. An alternative is the open source program called GNU Privacy Guard (GPG) that allows anyone to view the full source of the system to ensure that it does not allow for secret surveillance. Cryptographic modules are also implemented in applications; for example web browsers, in order to maintain some confidentiality in electronic commerce transactions, include Secure Sockets Layer (SSL) to encrypt sessions between users and servers.
It is important to note that encryption of content alone does not prevent the disclosure of traffic data; that is, it is still clear that person A is e-mailing person B, or that person A is visiting web site W. Other applications are available to maintain the privacy of these transactions. "Anonymous remailers" strip identifying information from e-mails and can deter traffic analysis. Services such as Anonymizer provide anonymous websurfing, anonymous e-mail messaging, banner ad and pop-up blocking, and automated deletion of cookies and web bugs after Internet sessions.
At the same time, human rights groups and even large corporations explored new techniques to protect online privacy. The Canadian-based Privaterra worked with NGOs to encourage the use of strong encryption techniques and other methods for online privacy. Hacktivism efforts continued with new efforts to empower dissident political organizations operating over the Internet. In July 2002, the international hacker group, Hacktivismo, announced a new free service called "Camera Shy" to allow users to conceal messages in ordinary image files on the Internet. The browser-based steganography application automatically scans and decrypts content straight from the Internet and leaves no traces on the user's system. The same group released a developer version of a free secure and anonymous web tool called "Six/Four" in February 2003, and a portable anonymous web browser in 2006 called “Torpark.”
It is important to distinguish between genuine privacy enhancing techniques and data security technologies that seek to render processing safe but not to reduce the disclosure and processing of identifiable data. Moreover, there are many products offered by industry that are not privacy protective. Many of these systems, such as Microsoft's Passport and the World Wide Web Consortium's Platform for Privacy Preferences (P3P), are designed to facilitate data sharing rather than to limit disclosure of personal information.
In April 2007, Google announced an agreement to acquire DoubleClick for $3.1 billion, expressing intent to merge data from Google and DoubleClick to profile and target Internet users. In response, US civil liberties organizations filed a complaint with the US Federal Trade Commission (FTC), urging the Commission to open an investigation into the proposed acquisition, specifically with regard to the ability of Google to record, analyze, track, and profile the activities of Internet users with data that is both personally identifiable and data that is not personally identifiable. The groups further urged the FTC to require Google to publicly present a plan to comply with well-established government and industry privacy standards such as the Organization for Economic Co-operation and Development (OECD) Privacy Guidelines. Pending the resolution of these and other issues, the groups encouraged the FTC to halt the acquisition. Similar complaints previously brought by EPIC concerning DoubleClick advertising practices and Microsoft Passport led the FTC to require several changes to DoubleClick and Microsoft’s practices.
Web 2.0 architectures, which provide server-side applications, raise new privacy issues. Companies such as MySpace, Digg, and Flickr now store detailed personal information that is available to the user and friends of the users, but may also be inspected by law enforcement and disclosed for commercial purposes.
In October 2006, Google merged online productivity programs to launch Google Docs and Spreadsheets. These programs allow users to create and edit productivity files as if the data and software were located on the user’s computer. When combined with Google’s e-mail service, Gmail, and Google Calendar, a free web-based productivity suite is on offer to rival Microsoft’s Office and its open source equivalent OpenOffice. The Google suite is part of a larger trend towards server-side computing, or a "thin-client architecture" where the interface for programs is no more than a web browser. The privacy implications for these technologies, generally described as part of Web 2.0, will be immediate and profound. In particular, data remains on the companies’ web servers, meaning that the lawful access requirements are different than if the data remained on a personal computer.
See the Federal Trade Commission Spam
 For more information on spam generally and how to reduce it see <http://www.junkbusters.com> and <http://www.cauce.org/>.
 2006 Annual MessageLabs Intelligence Report, available at <http://www.messagelabs.com/publishedcontent/publish/about_us_dotcom_en/news___events/press_releases/DA_174397.html>.
Toolkit of Recommended Policies and Measures, April 2006, available at
 The StopSpamAlliance was launched during the first meeting of the United Nations Internet Governance Forum in Athens, Greece, in November 2006. See <http://www.stopspamalliance.org>. The initiative involves the Asia-Pacific Economic Co-operation (APEC), the EU Contact Network for Spam enforcement Authorities (CNSA), the International Telecommunication Union (ITU), the London Action Plan for Spam Enforcement (LAP), the OECD, and the Seoul-Melbourne MoU.
 Brad Stone, “Spam Doubles, Finding New Ways to Deliver Itself,” N.Y. Times, December 6, 2006.
 The 2006 Annual MessageLabs Intelligence Report, <http://www.messagelabs.com/publishedcontent/publish/about_us_dotcom_en/news___events/press_releases/DA_174397.html>.
 See e.g., <http://www.ftc.gov/bcp/conline/pubs/alerts/phishregsalrt.pdf>.
 Michael Barbaro and Tom Zeller, “A Face Is Exposed For AOL Searcher No. 4417749,” N.Y. Times, Aug. 9, 2006.
 Ryan Naraine, “Spyware Researchers Discover ID Theft Ring,” eWeek.com, August 8, 2005. Available at
 Commission to the European Parliament, the European Economic and Social Committee, and the Committee of the Regions, “Communication on Fighting spam, spyware, and malicious software,” COM(2006) 688 final (November 15, 2006).
 "Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware," (January 1999),
 See EPIC's Profiling page <http://www.epic.org/privacy/profiling/>.
 See, e.g., Eric Murray, "SSL Server Security Survey," July 31, 2000 showing that encryption on most e-commerce sites is inadequate, available at
 Senate Bill 1386, available at <http://leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html>.
 “Canadian banks say no signs of credit card fraud victims after Winners breach,” CBC News, January 25, 2007, available at <http://www.cbc.ca/money/story/2007/01/25/fraud-tjx.html?ref=rss>.
 Bank Associations’ Press Release, April 24, 2007, available at <https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf>.
 See <http://www.gnupg.org/>.
 See generally André Bacard, "Anonymous Remailer FAQ"
 See <http://www.anonymizer.com>.
 See <http://www.hacktivismo.com>.
 The word steganography literally means "covered writing" as derived from Greek. It includes a vast array of methods of secret communications that conceal the very existence of the message such as invisible inks, microdots, character arrangement, and digital signatures.
 Eric Auchard, "Hacker Group Targets Countries that Censor Internet," Reuters, July 14, 2002.
 Burkert, "Privacy-Enhancing Technologies: Typology, Critique, Vision" in Philip Agre and Marc Rotenberg, eds, Technology and Privacy: The New Landscape 125 (MIT
 See EPIC and Junkbusters, "Pretty Poor Privacy: An Assessment of P3P and Internet Privacy," June 2000 <http://www.epic.org/reports/prettypoorprivacy.html>; EPIC, "Why is P3P Not a PET?" November 2002 <http://www.epic.org/reports/p3pnotpet.pdf>.
 Richard Walters, “Google Promises to Tackle Fears Over Privacy,” Financial Times, April 22, 2007.
 Will Harris, “Why web 2.0 will end your privacy,” BitTech, June 3, 2006, <http://www.bit-tech.net/columns/2006/06/03/web_2_privacy/>.