January 28, 2000, Friday
IRA FLATOW, host:
This is TALK OF THE NATION/SCIENCE FRIDAY. I'm Ira Flatow.
What did you do today? Did you buy something, pay for it with a credit card? Did
you visit a few Web sites, send some e-mail, buy a book online? Did you pay toll
on a bridge, tunnel or highway using one of those wireless electronic automatic
payment devices? Did you talk on your cell phone, chat on the portable, beep
someone on their pager? Did you go food shopping and pay at the checkout counter
with that special discount shopping card? Did you extract a few bucks from your
ATM? Did you buy something in the store, and you know as they ring it up, did
they ask you for the last four letters of your name? Did you apply for a loan or
a mortgage, get a new telephone number, park your car in a public garage, ask
for a referral to a doctor in your HMO plan?
If you did any one of these things--and I could go on and on--chances are you
sacrificed some of your privacy. You gave away some information about yourself
or your habits: what kind of salsa you like to buy, where you travel, what your
credit risk is, how healthy you are, the kind of books you like to read, who you
called on your cell phone. Somewhere, in some computer database, all that
information, and lots more of it, gets stored every time you engage in
electronic commerce, use a wireless device or don't pay for something by
cash--and even ask that now, for your ID, when you do that.
Well, last night in his State of the Union address, President Clinton talked
about the new breakthroughs of the 21st century and he gave highest priority to
safeguarding our privacy. As technology changes the way we do most things in our
lives, privacy is becoming harder to protect. In this hour we'll be talking
about where you want to go today, and what you're going to find there
privacywise when you get there. We'd like to hear about your opinions on
privacy. Do you have a privacy horror story that you want to share with us? Has
your fundamental right to privacy been trampled? Who should be in charge? Who
should be in charge of securing our privacy?--some of the questions. Give us a
call. We promise when you call us we're not going to trace your call, and you
don't even have to use your last name. Our number, 1 (800) 989-8255; 1 (800)
989-TALK. And if you want more information about what we're talking about this
hour, visit our Web site at www.sciencefriday.com.
Now let me introduce my guests. Simson Garfinkel is a columnist for the Boston
Globe and the author of a new book, "Database Nation: The Death of Privacy in
the 21st Century," published by O'Reilly. He's here in our WNYC studios in New
York.
Thanks for coming in today. Good to see you.
Mr. SIMON GARFINKEL (Boston Globe Columnist; Author): Thanks for having me.
FLATOW: Marc Rotenberg is the director of the Electronic Privacy Information
Center and adjunct professor at Georgetown University Law Center. He is
co-editor of "Technology and Privacy: The New Landscape," published by MIT
Press, and he's in our NPR studios in Washington.
Welcome back to the program.
Professor MARC ROTENBERG (Director, Electronic Privacy Information Center):
Thank you, Ira.
FLATOW: And I have to share this with you. I saw this on the news the other
day--for both of you. A device that's being tested--this might have been in,
like, the patent of the week; maybe you saw it--where you drive into a public
parking garage, and they're able to eavesdrop on what radio station that you're
listening to so they can determine your listening habits and, I guess, sell you
something--the kind of person you are. Simson, probably not surprising to you
that something like that...
Mr. GARFINKEL: Well, the technology's easy. We've had radar-detector detectors
for years. When the radio station's tuned to one frequency it transmits a little
that you can figure that out from. The--you know, when you go into the parking
garage, they can also videotape your face and your...
FLATOW: Right.
Mr. GARFINKEL: ...license plate. It's more information leakage that we should
worry about.
FLATOW: Marc, do we actually have a right to privacy? Give us a little legal
brief on the position the Constitution has on it. Is there a right to privacy?
Prof. ROTENBERG: Well, the Constitution doesn't explicitly talk about a right to
privacy, although I think most legal scholars would agree that in the Fourth
Amendment and elsewhere there are some clear indications that limit the
government's authority to search into our private lives. In the latter part of
the 19th century there was a famous Law Review article written by Brandeis and
Warren that basically set out a theory for right of privacy among private actors
not involved in the government, and that theory took hold in the United States
before, in fact, it took hold in other countries. And under most state laws
today you do have a right of privacy against people who intrude into your
seclusion, appropriate your name, do certain other things that we might consider
to be offensive.
FLATOW: Is that where the phrase that you have 'the right to be let alone' comes
from?
Prof. ROTENBERG: Yeah. There's a very famous phrase. Brandeis used it a couple
of times, in fact; he used it again in a 1928 wiretap dissent, although it's not
originally his. It was borrowed from someone else. I should add also that, in
addition to our theories of privacy in state law, we also have federal laws. The
Congress has passed a number of statutes that protect the privacy of our video
rental records, our cable subscriber records; even our stored electronic mail is
entitled to some protection under US law.
FLATOW: Let's talk about a case that is in the news now; in fact, very recently.
Yesterday a woman filed suit against DoubleClick, which is a Web advertising
firm, because DoubleClick had figured out how to attach a name and address to
the information they had been collecting on Web servers. Can you give us an idea
of--well, let me ask you first, Simson: How does DoubleClick do that? How do
they know where you're going, what you're doing, with that information?
Mr. GARFINKEL: Well, I don't know the precise technical details that DoubleClick
is using, but for two or three years I've been saying that it's relatively
simple for an organization like DoubleClick to correlate information about you
from different Web sites, and then use that to derive a name and an e-mail
address and a phone number. The way it works is DoubleClick shows
advertisements, and when you go to different Web sites, you still get the
advertisements from DoubleClick. If you register at any one of those Web sites
with your real name, then DoubleClick can tie together that real-name
registration with the ad that you were seeing, and then use that when you go to
other Web sites. Now DoubleClick does that with cookies, and some people disable
cookies on their computers to eliminate that problem.
But there are lots of other techniques that DoubleClick can also use to tie
those ads displayed to information that you've given other ways.
FLATOW: Do you have to click on the ad?
Mr. GARFINKEL: No.
FLATOW: No, you don't.
Mr. GARFINKEL: You just have to view it.
FLATOW: You just have to view--go to the Web page and view it.
Mr. GARFINKEL: When you view the ad, all the DoubleClick ads come down with a
thing called a cookie, which is a little piece of information that is stored on
your computer. And then the next time you go to a Web site that asks you to view
an ad, when you go to get the ad, you serve that cookie back to DoubleClick to
identify who you are.
FLATOW: So they know what your preferences are from that cookie. They know where
you've been, where you've surfed on that site...
Mr. GARFINKEL: No. Actually, the cookie just has a unique identifier number.
FLATOW: I see.
Mr. GARFINKEL: The preferences, all that other information, is stored inside
DoubleClick's computers. And the big irony here is that when Netscape invented
these cookies, they didn't do it to destroy people's privacy. They actually did
it to preserve privacy. Instead of using the cookie to key you into a database,
the cookie could also store your personal preferences. Like you could store in a
cookie, 'I want to see my newspaper in English' or 'I want to see it in
Spanish.'
FLATOW: Yeah.
Mr. GARFINKEL: You could store the particular comics that you want to look at.
And the idea of the cookies was, they wouldn't then have to store that
information on their server.
FLATOW: Keep it on your own machine.
Mr. GARFINKEL: Right.
FLATOW: Yeah.
Mr. GARFINKEL: And that was a good use of cookies. And DoubleClick and a number
of other companies figured out how to turn it around and distort the original
intent.
FLATOW: Is it--Marc Rotenberg, is it illegal to do something like this?
Prof. ROTENBERG: Well, it may be, because what's very interesting in the
DoubleClick case is that, aside from the expensive profiling, which Simson just
described, they seem to be going against a policy that they announced earlier to
the public. In other words, a year ago, when DoubleClick was operating its
advertising network and had entered into agreements with I think more than a
thousand Web-based organizations, they had a policy that said, 'We weren't
collecting any personally identifiable information' and that these cookies would
be, in effect, anonymous. So they may know that you had gone to one car site
advertising SUVs and might put up an ad for another car site with SUVs, but it
didn't necessarily mean that they knew who you were.
Well, later in the year, Abacus decided to get into a merger with--I'm sorry;
DoubleClick got into a merger with Abacus, which is a large catalog database
firm; has information on 90 percent of the American households, what they
actually purchase. And I think both companies figured out pretty quickly that
what would make this merger so attractive was to join the information that
DoubleClick was acquiring on Web surfing of these virtual identities with the
actual identities that were sitting in the Abacus database. And, of course, that
meant going back to these privacy policies where they had told everybody their
privacy would be protected, there wouldn't be any personal information
collected, and changing all of them.
And that's one of the claims that was made yesterday in the lawsuit in
California; basically, that DoubleClick had engaged in deceptive trade practice.
FLATOW: Should you assume that anywhere, anytime, anyplace, you're not going to
be surprised by "Candid Camera" but you should be expectant that people will
surprise you by knowing what you're doing. I mean, surfing--anytime you surf,
anytime you use wireless devices, anytime...
Mr. GARFINKEL: Well, I think we're moving to that world, but I don't think that
we have to. I think that if you're in public right--we used to have this
expectation that when you were walking around in public...
FLATOW: Right.
Mr. GARFINKEL: ...you actually had this expectation of privacy, and that, even
though you might be having a conversation with a friend, you didn't think that
there was somebody behind you recording it. And now we're sort of having to fess
up with the fact that things that happen in public can really be public
knowledge. I don't think that, as a society, we want to go there. And I think we
can stop going there if we put on the brakes now, change the way that we're
doing things, put in place some legislation and put in place some codes of good
practice.
FLATOW: It's interesting here; you talk about legislation. It's almost ironic,
because the Internet is such a--I would say it's a politically conservative
place, whereas--especially when it comes to any kind of legislation. And now
you're saying that we do need it, and who the ultimate protector of public
interest is, is going to be the government.
Mr. GARFINKEL: I think so. The people who are on the Internet--it's true;
they're wildly opposed to government intervention, and that's very ironic,
because the whole Internet was created with government research dollars. The
original purpose was military communications. Today, though, we can look to the
government as a way of enforcing social norms through the courts and a way of
establishing standards that we've all agreed to through the political process.
The...
Prof. ROTENBERG: Ira, if I could jump in...
FLATOW: Yes. Go ahead.
Prof. ROTENBERG: I just wanted to add to Simson's point. I think there is a role
for government to protect privacy, but I think viewing this problem as sort of
'Yes government; no government' really misunderstands what's going on. The point
is, government is involved in the Internet, you know, one way or another. You
know, government is involved in setting communications policy through wire tap
standards, through export controls. There's obviously a lot of government
involvement today and the question is: Is this government involvement
involvement that's going to promote privacy or undermine privacy? And I think
the sense today among a lot of people online is that we really need a policy
that's more responsive to privacy concerns. And part of that's about
legislation, part of it's about oversight of industry practices, and part of
it's about supporting the development of good technologies that would protect
privacy. And I think there's many different ways to go, but the real key at this
point is moving government policy in a direction that's much more responsive to
public concerns about privacy.
Mr. GARFINKEL: We can also move the technology into a pro-privacy direction, as
well. When we were talking earlier about cookies, you have the ability to turn
on and off cookies, but only in a very coarse control. Netscape hasn't put in
the provisions, that I've seen, that you can say, 'I want everybody's cookies
except DoubleClick's. I want to be able to use the cookies on the online
shopping sites that I go to, but I don't want the cookies to track me.'
Now there are actually programs out there that do let you control cookies that
well. One is a program that a friend of mine wrote called InterMute. There's
privacy networks coming into being, like one from Zero-Knowledge Systems and one
from Privata. All of these systems give you the ability to browse on the
Internet anonymously.
FLATOW: But that makes the Internet harder to use. I mean...
Mr. GARFINKEL: Actually, they don't.
FLATOW: But for people who, you know, are having trouble still getting the 12
off their clock--from blinking, they want to get on the Internet and I don't
think they're going to worry about 'How do I turn the cookies off,' you know?
Mr. GARFINKEL: Well, you know, the beautiful--well, let me tell you about this
InterMute program. You go to the site and you download it, and then you don't
get ads anymore on the Internet, either, 'cause it cuts out the ads. And I
didn't really care about ads, and then I turned it on and I noticed that the
Internet experience became much more peaceful and less invasive. I see
advertising as an impact on my privacy, both because they're trying to track me
and also because they're intruding in my life and they're trying to control my
thoughts and make me buy their products. So I really do think that technology is
part of the answer. We just need to find the right technology.
FLATOW: You agree, Marc, that technology's part of the answer?
Prof. ROTENBERG: Well, I agree. I mean, I think it's clearly part of the answer.
It's also clearly part of the problem. And so we have to think about designs of
technology that do a better job of protecting privacy. I agree also--I think
something that you said, Ira, a moment ago can't just be...
FLATOW: All right. I'm going to have to take a break. Let me get back after this
short message.
This is TALK OF THE NATION/SCIENCE FRIDAY from National Public Radio.
(Soundbite of music)
FLATOW: Welcome back to TALK OF THE NATION/SCIENCE FRIDAY. I'm Ira Flatow. We're talking this hour about privacy and your right to it in this age of electronic
commerce and kinds of a--new era of ways of shopping, buying stuff and talking
with other people. My guests are Simson Garfinkel, columnist for the Boston
Globe and the author of a new book, "Database Nation: Death of Privacy in the
21st Century," published by O'Reilly. Marc Rotenberg is the director of the
Electronic Privacy Information Center and an adjunct professor at Georgetown
University Law Center. Our number, 1 (800) 989-8255.
Marc, I interrupted you. You were talking about how technology is sort of a
double-edged sword here.
Prof. ROTENBERG: Well, I thought you were making an interesting point, Ira, that
a lot of the solutions that consumers see today to protect their privacy
involves a lot of extra work. I think it's, you know, reasonable to ask people
to take some, you know, small steps to protect their privacy, but to ask them to
open up their cookies table, for example, and start sorting through domain names
and deleting cookie codes that they probably don't understand really isn't
reasonable. And that's, I think, simply stated, the reason that we do need some
legislation. We can't expect people left on their own in this very complex world
to sort through all these technical details to find the right ways to protect
their privacy.
FLATOW: And what might that legislation say?
Prof. ROTENBERG: Well, you know, it's interesting; for all the range of types of
technology that privacy law has tried to address over the years--I mean, there's
everything from photography in the 19th century, which was what interested
Brandeis and Warren, to the telephone network in the 1920s and computer
databases in the '60s, and now the Internet in the 21st century. The basic
theory of privacy protection is actually pretty straightforward. It's the
concept called fair information practices, and it says that when an organization
collects information about individuals it takes on some obligations, like
keeping the information accurate and not misusing it and protecting it, and that
individuals get some rights. They get to see how the information is being used
and to limit its use.
So when people talk about privacy legislation for the Internet or for some of
these other surveillance techniques, what they're typically saying is, 'We need
some way to apply fair information practices to give people control over the use
of the personal information that's being held by someone else.'
FLATOW: 1 (800) 989-8255 is our number. Let's go to Patrick in San Antonio,
Texas. Hi, Patrick.
PATRICK (Caller): Thank you for taking my call. I agree 100 percent with Marc
that when they gather information on you--corporations--they need to be
accountable. And just as--like Fair Credit Reporting Act, you can go look at
your credit rating and find out, you should be able to go find out what these
corporations are collecting and if they're using it for purposes that--and then
you should be able to take action legally if they're not. And, you know, some of
this stuff is worthwhile. Like, I like to get mail about, you know, guitars and
skateboards, and I don't like to get mail about other things, products I don't
use. So it's fine...
FLATOW: But wouldn't you like to know when they are collecting information on
you...
PATRICK: Exactly.
FLATOW: ...and have that option whether to give that to them or not, which you
don't have at this point?
PATRICK: No, we don't, and there needs to be some legislation. There needs to be
legislation for the greatest good, for the greatest number--the universal, you
know, ethics.
FLATOW: All right. Thanks.
PATRICK: Thank you for taking my call.
FLATOW: Thanks for calling. You're welcome.
1 (800) 989-8255. Let's go to Charles in Seattle. Hi, Charles.
CHARLES (Caller): Yes. Good evening, or actually, good afternoon, Ira. Let me
congratulate you on a great topic, and a great show, as always.
FLATOW: Thank you.
CHARLES: What I wanted to ask was, we've got the situation where we're talking
about rights in the United States. And wonderful as it is, the Internet's very
international, and we just had the Chinese announcing that, 'Oh, gee, you want
to do business in China? Give us your encryption codes.' What do we do about
foreign governments? What do we do about, you know, whether it's the home-grown
Mafia or Mafias outside the country who want to...
FLATOW: In other words, isn't...
CHARLES: ...do things with the information. What do we do...
FLATOW: Isn't there a legitimate reason for keeping some of this stuff...
CHARLES: Well, the thing is...
FLATOW: ...technology?
CHARLES: ...that I think the default mode has got to be, you know, for all of
the ISPs, that you're anonymous, that you can't be sold, and that everybody who
collects information on you needs to notify you that they're collecting it, and
that if we find, whether domestically or internationally, that people are, you
know, taking information on American citizens, then we need to, you know, make
that part of our willingness to do trade with them.
FLATOW: Marc Rotenberg?
Prof. ROTENBERG: Well, I agree with your caller. I mean, first of all, he
suggests trying to keep information anonymous where possible, and I think that's
an excellent proposal. It's one of those technology as a privacy that actually
avoids a lot of problems associated with legislation. But it's also true that we
have an international network. We're talking about, you know, different legal
systems and how to protect some basic values. I think the good news here is that
countries, over time, have shown a surprising level of an agreement about
privacy protection. In fact, this privacy law in Europe called the EU Data
Directive, which is causing some concern for US businesses, reflects the common
view of the European countries about protecting privacy going forward. So I
think we can do it again, you know, with some good technology like anonymity,
and also by pushing for some kind of basic understanding about protecting
privacy rights, even in other countries.
FLATOW: Thank you, Charles, for calling.
If--and I'm going to make this assumption--if the goal of the Internet is
e-commerce, in other words--it didn't start out that way, but the Internet is
rapidly heading toward--well, people will do business to business, business to
consumer. People are going to buy and sell stuff on the Internet. Doesn't
that--now I'm thinking as a businessperson. Doesn't that defeat the purpose, if
you have customers--basically turning them off to the Internet? If they come to
a Web site and they're informed, 'Do you want us to collect any information on
you, yes or no,' they're going to say--I would imagine they're going to say no.
Doesn't that defeat the businesspeople's desire to do business on the Internet
by...
Prof. ROTENBERG: Well...
FLATOW: Go ahead. I'm sorry.
Prof. ROTENBERG: I don't think so. I mean, you know, business is basically about
selling products; I mean, getting, you know...
FLATOW: Right.
Prof. ROTENBERG: ...money for what you have to offer. And I think that's a
perfectly fine thing, and I think the Internet is a wonderful way to do
business. But if you think about it, you know, over time, consumers have
generally experienced buying and selling by paying cash. I mean, you go out, you
know, for lunch or you buy a newspaper or you get on the subway or something
like that, there's a lot of, you know, cash-based transactions. Even credit card
purchases, interestingly, have a high degree of privacy, because credit card
companies aren't particularly interested in having merchants make use of that
data.
So, you see, the expectation that most people have, I think, in physical-world
transactions, is that there should be some privacy protection. And the problem
is that we haven't really solved the problem--we haven't really figured out how
on the Internet to recreate that level of privacy. How do we do anonymous
payment, for example, that works for merchants and works for customers? How do
we enable online transactions that allow businesses to prosper and still protect
consumer privacy interests? I think those are the big challenges, and those are
the ones that we need to focus in on.
Mr. GARFINKEL: If I could...
FLATOW: I think--yeah.
Mr. GARFINKEL: ...add something here.
FLATOW: Yeah.
Mr. GARFINKEL: Businesses in this country have a history of not acting in their
own rational long-term interests. In the 1950s the chemical industry was
tremendously polluting the country, and they still are, to an extent, but we
were told that if any sorts of environmental controls--in the '50s and the
'60s--would destroy the economy. And what we learned, in fact, was that without
environmental controls, the economy would be destroyed, because everybody would
be too sick to work. I believe that, moving forward, if we don't have strong
controls for privacy on the Internet, it's going to turn off the Internet.
Already there are surveys that say that fear of privacy--fear of having your
privacy destroyed is the number-one thing that's holding back more people from
engaging in e-commerce.
So if you think that the goal of the Internet is e-commerce--and I'd actually
say that the goal of the Internet is probably chat, but if you're...
FLATOW: To be realistic, you're saying that.
Mr. GARFINKEL: Chat and e-mail are always the most popular...
FLATOW: Yeah.
Mr. GARFINKEL: ...applications of electronic communities. But...
FLATOW: But you're paying for e-mail anyhow, so it's commerce.
Mr. GARFINKEL: Yeah. And--but I really do believe that if people believe that
there's going to be pervasive monitoring on the Internet, that the things they
buy is going to be recorded and available, they're going to turn off.
FLATOW: And you actually take some sort of guerrilla tactics--you suggest some
guerrilla tactics that people might use to protect their own privacy on the
Internet.
Mr. GARFINKEL: Well, you can always lie, you know? Lying or not filling out
forms--it's amazing. Many people, when they're confronted with a form, they feel
compelled to tell the truth. We don't like lying in this society. It's a bad
thing. But it is one of the ways you can protect your privacy online.
FLATOW: Lie about your Social Security number, or...
Mr. GARFINKEL: In some cases, that's illegal to do. In some cases, it's not
illegal. It depends on what it's being used for. But you could lie about your
age, about your name. You know, if you give somebody your name and your
birthday, they can figure out all the information about you, because that's
enough into the databases. So just give a different one.
FLATOW: Mm-hmm.
Mr. GARFINKEL: Other techniques that you can use to protect yourself using
multiple e-mail personalities. I believe that ultimately we're going to need
more guerrilla tactics to fight for the right to privacy but Marc and I differ
on that.
FLATOW: Marc?
Prof. ROTENBERG: Well, I certainly agree with Simson about the need to fight for
the right of privacy. And that's been a large part of the work of EPIC. But at
the same time I think it'd be unfortunate if people became, you know, privacy
survivalists, I mean, sort of hiding behind our computers, you know, constantly
concealing identities because we were so concerned about how information about
us would be used by others. And I think we need to create a social environment
that will respect basic rights and allow people to feel that there's confidence
in commercial relations and personal interactions.
FLATOW: Do you have a right not to be monitored where you go? I mean, you know,
we're talking about seeing surveillance cameras in places. There's a law about,
you know, where you can be seen, who can see you and things like--Simson you
were telling me before about different kinds of surveillance systems that are
found around cities that people are not even aware of.
Mr. GARFINKEL: We have pervasive surveillance right now. One of the things I've
tried to do in my focus is to give people an idea of just how much data is being
recorded upon us as we move through our days. And right now with very few
exceptions, when you're in public, people do have a right to record what you're
doing. What I believe is that the Codes of Fair Information Practices should be
applied to those recordings that are made. If people record me with a
surveillance camera, I want to know that that tape is not going to be resold for
like bloopers of the best security video cameras.
FLATOW: I hadn't thought of that show.
Mr. GARFINKEL: Well, those are being sold in England right now.
FLATOW: Is that right? Surveillance...
Mr. GARFINKEL: England has something like 300,000 videotape cameras throughout
the island and these tapes are now showing up on late-night television shows;
they're being sold; they're being used to harass people. And there's very, very
little regulation, even though England has a formal system for controlling
privacy. This is because the technology has moved faster than they can keep up.
FLATOW: You know, it's funny is that in 1984 Big Brother was government and now
it seems like Big Brother is a lot of other places but government, in terms of
surveillance. Everybody else is surveilling us: our banks, our security systems,
our stores.
Mr. GARFINKEL: Well, I think it's like a lot of little brothers that are
constantly trying to get your attention, get you to do something for them. You
know, asking you to take them along, asking you to stop what you're doing and
service them.
FLATOW: Uh-huh.
Mr. GARFINKEL: And that's what I see is our future.
FLATOW: Marc Rotenberg, let's talk about medical records 'cause this is one of
the hottest issues, the hot potato of all privacy. I think people are most
concerned what happens, who has legal access to your medical records? I guess we
all believe--I think we sort of lie to ourselves. We all believe that our
medical records are secret, but we really don't believe it. We believe that
some--a doctor, an HMO has some power whenever they want to to pass it around
and send it to people, other doctors, insurance companies back and forth. What's
the law on that?
Prof. ROTENBERG: Well, the problem, I think, is that we have a very quaint 19th
century notion about a relationship with a doctor who is collecting some very
intimate information about us and then keeping that information locked up in the
cabinet somewhere. And, of course, in our modern society and very elaborate
system for delivering medical care, that cabinet is connected with insurers,
HMOs, cost analysts, auditors, government regulators so that many people in the
end could get access to the contents of the file.
Now what has happened over the last few years in Washington is that there's been
a real effort to try and establish a basic framework, again, based on the fair
information practices to protect that information. But Congress failed with its
self-imposed deadline, didn't get legislation out last year and the secretary of
HHS was given the authority to issue some guidelines which were announced last
year with the support of the president, which are actually pretty good. I mean,
I would, you know, credit the White House here, you know, because I think they
did some good work to get those medical privacy regulations out.
But they're still incomplete. There's some critical areas that weren't covered
and they still lack the authority and the rights that would be provided in
legislation, so there's more to be done. I think that the big problem going
forward, and this was even in the president's speech last night, is that as we
learn more about ourselves genetically, and more of this information is not only
a record of what we've done but perhaps also a prediction of what may happen to
us in the future, we run a real risk with this medical information that it'll be
used in ways to discriminate against people based on genetic conditions that
they really can't control. And those--you know, those kinds of problems, I
think, are going to pose some of the most pressing, you know, ethical and social
issues we have.
FLATOW: Mm-hmm. We're talking about privacy this hour on TALK OF THE
NATION/SCIENCE FRIDAY from National Public Radio. I'm Ira Flatow with Simson
Garfinkel, Marc Rotenberg and your phone calls.
One other issue, I know that you joined a group of other privacy advocates who
have been trying to block an FBI effort to dictate the design of the nation's
communications infrastructure. Tell us a little bit about that.
Prof. ROTENBERG: Well, this actually goes back to a law that was passed back in
1994 by Congress, very unfortunate controversial law, called the Communications
Assistance for Law Enforcement Act. Essentially the FBI had said that they were
having difficulties in wiretapping the new digital network and they needed the
legal authority to tell the telephone companies how to design standards that
would make wiretapping easy. And the privacy and and civil liberties
organizations in '94 just said this is a crazy idea. I mean, you have a Fourth
Amendment right, the government does, to conduct a search when you have reason
to believe a crime is being committed, but you don't get to tell, you know, the
telephone companies or homeowners how to design their networks or build your
homes so that it's easy to conduct a search. That was, you know, completely new.
But the government succeeded in getting the legislation through. Part of it was
because they gave a very large sum of money to the telephone companies to get
reimbursed to do this work. So we continue to fight it and we're fighting it now
at the Federal Communications Commission. We're in a series of proceedings now
before the DC Court of Appeals basically arguing that even under the act, which
we didn't like--but even under the act, the FCC was supposed to stop the FBI
from going as far forward as they have with their recommendations.
FLATOW: But is there not a legitimate concern on the part of people who protect
us, law enforcement people, to be able to conduct their business?
Prof. ROTENBERG: Well, yes. And we've said that throughout this. We recognize
the law enforcement right to protect public safety, to investigate crime, to,
you know, arrest bad people. I don't think that's in dispute in this case. What
we're disputing here is whether there's also a right to design the nation's
telephone system or the industry's encryption standards to make surveillance
easy. And that's why I said at the outset that it really is not about whether or
not government should be involved. The reality is that government is involved.
So the question is: How do you develop the policies to make government more
responsive to privacy concerns? That really is today in this country, I think,
the critical challenge.
Mr. GARFINKEL: One of the things that I write about in the book is that the law
enforcement is using the ability to conduct surveillance as sort of its nuclear
bomb. It's ability to look inside criminal organizations, look inside the minds
of people conducting illegal activity and see what they're planning. And I don't
think that's going to work in the long run. In the long run I think we have to
rebuild our society so that we can be more resilient to the people who are
trying to wiretap ...(unintelligible) upon--we really haven't been moving in
that direction. We're not trying to protect ourselves from biological diseases.
We're trying to wiretap all the people who might conduct biological terrorism.
FLATOW: All right. We're going to come back and talk lots more about privacy and
take lots of your calls. So stay by the phones. We'll be back after this very
short break. Stay with us.
(Soundbite of music)
FLATOW: This is TALK OF THE NATION/SCIENCE FRIDAY from National Public Radio.
(Announcements)
FLATOW: Welcome back to TALK OF THE NATION/SCIENCE FRIDAY. I'm Ira Flatow. A
brief program note. This time on Monday, join Neal Conan and his guests for a
look at the Super Bowl as show business.
We're talking this hour about privacy with my guests Simson Garfinkel, a
columnist for the Boston Globe, author of a new book, "Database Nation: The
Death of Privacy in the 21st Century" published by O'Reilly. It's a pretty scary
book. It really is the death of privacy, if you believe that. Wow.
Marc Rotenberg is the director of the Electronic Privacy Information Center and
professor at Georgetown University Law Center. Our number, 1 (800) 989-8255.
Let's go to the phones and maybe we've got some folks who have a horror story.
Darcella in St. Louis. Hi, Darcella.
DARCELLA (Caller): Hi. How are you?
FLATOW: Fine. Go ahead.
DARCELLA: I want to agree with what one of your people said there--your speakers
said about being nervous about getting on the Internet and ordering.
FLATOW: Right.
DARCELLA: I had an issue that started about five or six years ago where I
had--it was actually an e-commerce deal--well, it was actually more like a debit
card.
FLATOW: Mm-hmm.
DARCELLA: And eventually what happened is I went to get a home this year and
found out through the credit report that someone had taken the information about
five or six years ago and just went crazy around the country, you know, buying
things and I was wondering why I was getting all this junk mail.
FLATOW: So your card number was stolen on the Internet.
DARCELLA: Right. It was taken. And that made me really nervous about buying
anything. Well, this year, I went to--or last year, actually, I went to purchase
some music off of the Internet and now I probably get if not one, 1,000 things
today telling me, 'We know you have a credit card. Buy us--you know, buy us this
thing and buy us...'
FLATOW: Right. And they know where you visited, Simson, right?
DARCELLA: And they do.
FLATOW: And they know on what Web site which she has visited, what her music
interests are and...
DARCELLA: Oh, my goodness. And it's horrible. And so I agree that...
FLATOW: Yeah.
DARCELLA: I don't think I'll ever go back to the Internet and purchase another
thing because I don't want to be bombarded every single day with not just new
products that they're sending me...
FLATOW: Can't--let me ask you, can't you turn it off somehow that they can't do
that?
Mr. GARFINKEL: Well, the irony is, Darcella, that some of the stuff you're
receiving may have nothing to do with the transaction that you engaged in.
DARCELLA: Yeah.
Mr. GARFINKEL: There's many, many people who receive what's called junk mailers,
spam mail...
DARCELLA: Right.
Mr. GARFINKEL: ...on the Internet. I receive 20 to 50 messages like that a day.
DARCELLA: It's horrible.
Mr. GARFINKEL: And I'm about to kill my e-mail address that I've had for the
past 15 years.
DARCELLA: Yeah.
Mr. GARFINKEL: And frequently people get your e-mail address through all sorts
of mechanisms that you might not suspect.
FLATOW: And there's nothing illegal about it?
DARCELLA: Well...
Mr. GARFINKEL: Well, there is something illegal in some states. But we need
federal legislation on this and so far the Direct Marketing Association has been
very good preventing federal spamming legislation like we have federal junk fax
legislation.
FLATOW: Mm-hmm.
DARCELLA: You know, it wouldn't be so bad if it was just the e-mail. But I'm
getting it at home now. I mean, things are coming to my house and...
FLATOW: Right. And it's interesting if you go on America Online and you have to
actually turn the things off yourself or else it's automatically turned on to
send you these things.
Mr. GARFINKEL: They turn it back on every year.
FLATOW: Right.
Mr. GARFINKEL: Darcella, one thing you can do is, you can go to a Web site
called junkbusters.com, that's...
DARCELLA: OK.
Mr. GARFINKEL: ...J-U-N-K-B-U-S-T-E-R-S. If you are getting mail, the people who
run JunkBusters will let you fill out a form with your name and address and then
it will print out for you--it will display Web pages that you can print, letters
that you can send to all the companies that sell your name...
DARCELLA: OK.
Mr. GARFINKEL: ...saying, 'Please take me off your list.' And most of them will
honor that request. They'll also print out things for the telephone preference
service so that you'll get less phone calls at home.
DARCELLA: Oh, goodness. OK.
Mr. GARFINKEL: It takes about three to six months for this to make a difference
and you need to redo it every two or three years.
DARCELLA: Mm-hmm.
Mr. GARFINKEL: But it really does make a difference.
FLATOW: OK, Darcella?
DARCELLA: OK. Thank you.
FLATOW: There's your hint for the weekend.
DARCELLA: Huh?
FLATOW: Got some work for the weekend for you.
DARCELLA: I know.
FLATOW: Thanks for calling.
DARCELLA: Thank you.
FLATOW: 1 (800) 989-8255. Shelley, Johnson County, Kansas. Hi, Shelley.
SHELLEY (Caller): Hi. I hope I don't have a horror story.
FLATOW: Oh, good.
SHELLEY: I heard...
FLATOW: Tell us what your story is.
SHELLEY: What?
FLATOW: The doctor is in. Tell us your story. Go ahead.
SHELLEY: OK. No, I don't even know if it's a story, and probably not something I
should be putting out on national radio. I'm very concerned about information
collected from kids, especially without parents' permission, surveys in schools,
things at juvenile assessment centers. I've been working on this issue for a
long time and when I became aware of how easily shareable this is, for example,
a questionnaire the kids fill out about very personal things, sexual habits, or
family things, attitudes, 14 different governmental entities can get this. And
all of a sudden when I saw this I thought, Oh, no. I remember when my now
18-year-old was 13 years old and he had to fill a survey to fill out in school.
FLATOW: Mm-hmm.
SHELLEY: And when they asked him what his mother did for a living, he thought it
was anonymous, he thought he'd be cute and he said, 'She's a hooker.' And when
they asked him about whether he had done drugs, he said, 'Sure. Crack.'
FLATOW: So you think somewhere in these giant databases, your name is mud as
they used to say.
SHELLEY: Oh, I hope not. I sure hope not.
FLATOW: Marc Rotenberg, have you heard anything like this?
SHELLEY: What?
FLATOW: Anonymous--Marc...
Prof. ROTENBERG: Well, that's a pretty good story, I have to admit, and I get a
lot of these calls.
FLATOW: Yeah.
Prof. ROTENBERG: It's certainly true. You know, privacy of kids' records are a
very important concern for a lot of people. It is one area where Congress did
act. They passed some privacy legislation last year, and the FTC's pushed
through regulations on that and I think it's helpful. But your caller points to
another interesting which the legislation doesn't really address and that is
what happens to information that's collected on kids by government. There's a
lot of survey data, a lot of medical information that is obtained through the
school system and a lot of that is used for various types of reporting and
analysis. I think it'd be perfectly appropriate for Congress to take a look at
that practice and see if there's enough privacy protection in place.
Mr. GARFINKEL: And this isn't new. Back in the '60s, there was many books on
privacy issues that came out. There was a sudden pique of interest back then and
there were databases being assembled on children back then and the government
was looking for ways of making that information available through the telephone
system. We need to understand that this is a long-term problem in our society
and the only way that we are going to do that is with more realization on the
part of our government that privacy matters.
FLATOW: Mm-hmm.
Mr. GARFINKEL: The way that I think we need to do that is by establishing an
office inside the federal government that is responsible for ensuring the
privacy of American citizens. Other nations have that. We don't.
FLATOW: You would think that in this political year, with the explosion of the
Internet, this would be a really great issue for some candidate to pick up on:
preserving privacy.
Mr. GARFINKEL: I--I...
FLATOW: Anybody listening?
SHELLEY: I want that candidate.
FLATOW: You'll vote. You'll vote for that candidate, huh?
SHELLEY: Did the Family Privacy Act ever pass?
Prof. ROTENBERG: Yes. It's...
SHELLEY: I'm looking at something here that was by Grassley, it was Family
Privacy Act. It was in 199--either '94 or '96.
Prof. ROTENBERG: Well, that's...
FLATOW: Marc?
SHELLEY: It had to do with the surveys at schools and those kinds of things and
that parents--recognizing that parents are the best advocates for their
children.
FLATOW: All right, Shelley. We've got an answer here, I think.
SHELLEY: Oh, I'm sorry.
Prof. ROTENBERG: OK. I think, in fact, the Grassley bill from '96 did not pass.
There was legislation adopted in '97--I'm sorry, 1974 which is the Family
Education and Right to Privacy Act, sometimes called FERPA, which protects
certain records that are held by public schools and state universities.
FLATOW: Mm-hmm.
Prof. ROTENBERG: But the problem that you were describing and I think Senator
Grassley has been interested in, I don't think we have legislation yet to
address that.
SHELLEY: Well, there was a recent article on a national publication that comes
from the right, but I don't see it as a right vs. a left issue. I see it as an
issue for all parents and that's in Eagle Forum. Schlafly has done a lot of
stuff on this and, again, I don't see it as a conservative or...
FLATOW: Well, it's a political year, Shelley, you can knock yourself out, you
know, asking this question of your candidate.
SHELLEY: Well, it's on--no, this isn't even about candidates. It's on
www.eagleforum.org.
FLATOW: All right.
SHELLEY: It's...
FLATOW: Thanks for calling.
SHELLEY: It...
Mr. GARFINKEL: Do you know about the anonymous medical testing that's being
done?
FLATOW: The anonymous medical test?
Mr. GARFINKEL: There are many medical studies where they take extra blood or
they take leftover blood from women maybe who've given birth at a hospital, send
it off for testing without the medical identifiers, and then use that for
statistics. And this is being used to, like, determine the percentage of crack
babies being born.
FLATOW: Mm-hmm.
Mr. GARFINKEL: They surreptitiously test mother's blood for drugs.
FLATOW: Well, in the few minutes we have left, let's talk about what your
recourse is. Marc Rotenberg, if you think your privacy has been violated, and
you've been taken advantage of on--in a way that you didn't like, maybe, to
getting your blood sent off and tested, do you have a recourse on this?
Prof. ROTENBERG: Well, it really depends. I mean, it depends on the type of
privacy problem it is, you know, whether you're in a state that has an agency or
dealing with an area where there is some privacy agency in place or consumer
agency to help you. I will say that our Web site for the Electronic Privacy
Information Center, that's epic.org, really does have an excellent collection of
resources for people who have concerns about privacy issues. One of our most
popular pages is called the Online Guide To Practical Privacy Tools, and we
provide all these techniques to bust cookies, surf anonymously, encrypt your
e-mail to protect your privacy online.
Beyond that, if you have a general consumer concern, I would recommend that you
contact the Federal Trade Commission in Washington. The FTC has taken some
responsibilities to try to address privacy issues and I think they should be in
a position to at least handle complaints on consumer matters.
FLATOW: Mm-hmm. Let me remind everybody that I'm Ira Flatow and this is TALK OF
THE NATION/SCIENCE FRIDAY from National Public Radio. Talking with Simson
Garfinkel and Marc Rotenberg, the last few minutes here, about privacy. Let's
see if we can get a phone call or two in.
Paul, in St. Louis. Hi, Paul.
PAUL (Caller): Hi there. My mom was telling me a story of when she was searching
some kind of database that was being sold to her company that they were able to
just type in her Social Security number and it came up with all the houses and
all the property that she lived at and, in fact, all of her kids had lived at
over the last, like, 20 years.
FLATOW: Hmm.
PAUL: It was unbelievable how much, you know, information's out there. And, you
know, they've always been very careful.
FLATOW: Right.
Mr. GARFINKEL: You can use that same database. It's 1 (800) USA-SEARCH.com.
PAUL: Oh.
Mr. GARFINKEL: And it's like $ 39.95 to type in somebody's name, their state. it
will tell you everywhere they've lived, all the public records on them. It will
tell you everybody else who lived in the houses where they lived and all the
public...
PAUL: Right.
Mr. GARFINKEL: ...records on them.
FLATOW: No kidding. For $ 39.95 you can get...
PAUL: One last point...
Mr. GARFINKEL: Great tool.
PAUL: Are there any laws about, you know, when companies cannot ask for your
Social Security number?
Mr. GARFINKEL: I don't think so.
FLATOW: Marc?
Prof. ROTENBERG: There are in the public sector. In other words, government
agencies are restricted about how they may use the SSN, but there are no
restrictions in the private sector. We've generally said that the best practice
would be for companies to only use the SSN for tax reporting purposes, which is
really the only legal reason that a company would need it. If they're collecting
SSN for other purposes, it's simply a decision that they've made to use the
Social Security numbers as an identifier and they really don't have to do it
that way.
FLATOW: Well, normally when people are asked their number, they just
automatically give it out. You don't have to give out the 800 number.
Mr. GARFINKEL: You don't have to give it out, but they don't have to give you
service.
PAUL: Right. Right.
Mr. GARFINKEL: They can say, 'Well, you know, we have a policy, we just...'
FLATOW: So it's extortion basically.
Mr. GARFINKEL: 'We just don't sell french fries to people who don't give us
their Social Security numbers.' But as I said earlier...
FLATOW: Make it up you said earlier.
Mr. GARFINKEL: Well, make it up. But we focus too much on that number because
with your name and your...
FLATOW: Yeah.
Mr. GARFINKEL: ...birth date, I can do exactly the same thing.
PAUL: OK. Thanks.
Mr. GARFINKEL: The problem isn't the number.
FLATOW: All right, Paul.
All right. Let's see if I can get a quick phone call in before we go. Richard in
Akron, Ohio. Hi, Richard.
RICHARD (Caller): Hi. I was calling about--well, some amplification of Ira
saying 'We promise we won't trace your number.' Most citizens don't know that
any business with an 800 number automatically gets delivered the number of the
caller. It's not Caller ID, it's called ANI, automatic number identification.
And it cannot be blocked. In spite of that, telephone companies market both
unlisted phone numbers without disclosing. They charge you money to unlist your
number...
FLATOW: Right.
RICHARD: ...and then they don't disclose to you that any time you call an 800
number it's going to be given out. They also market in some states, like mine,
per-line blocking for Caller ID. In my state it's not free. You have to pay for
it and they don't tell you that it doesn't work for 800 numbers.
FLATOW: All right, Richard. We've run...
Mr. GARFINKEL: These...
FLATOW: We've run out of time. Quick, Simson.
Mr. GARFINKEL: It doesn't work for 800 numbers because the people you call are
paying the bill.
FLATOW: That's the bottom line.
All right. Well, we're going to revisit this issue many times in the future
as--and we're going to see if we can turn this into a political issue, maybe
somebody will take this on as a political issue this year about privacy. I'd
like to thank my guests, Simson Garfinkel, columnist for the Boston Globe and
author of a new book, "Database Nation: The Death of Privacy in the 21st
Century" published by O'Reilly. A good read. I suggest it, really. It's a great
book. Marc Rotenberg is the director of the Electronic Privacy Information
Center and a professor at Georgetown University Law Center.
Thank you, both, for joining me this hour.
Mr. GARFINKEL: Thank you.
FLATOW: You're welcome.
(Credits given)
FLATOW: If you have comments or questions, write to us at TALK OF THE
NATION/SCIENCE FRIDAY, WNYC Radio, 1 Center Street, New York, New York 10007.
And if you missed any--we gave out a lot of Internet addresses today, so we're
going to have them all up on our Web site at sciencefriday.com. Easy to
remember, sciencefriday.com. We'll have Simson's addresses. We'll have Marc
Rotenberg's address up there, all those references we made. One stop shopping
right there, and we won't collect your name if you don't want to.
Have a good weekend. I'm Ira Flatow in New York.
LANGUAGE: English
LOAD-DATE: January 29, 2000