Anonymity on the Internet
A Collection of Letters between Daniel Fuentes and Victor Wong
December 6, 2004
This
collection of correspondences is a survey of how we are not anonymous on the
internet and how businesses and governments can exploit this lack of anonymity.
In a
country where privacy is such a big issue, there seems to be a disproportionate
amount of ignorance and apathy toward the nonexistence of internet anonymity.
Businesses routinely violate what is considered “privacy” by acquiring
otherwise “private” information from users often without their knowledge because
users are under the mistaken impression that they are anonymous.
Users
need not even go to a particular web site for their information to be accessed.
For example, in computers with the Intel Pentium III processor, information
about user registration, hardware, and internet habits can be easily acquired
by online companies because the CPU was designed to release such information
whenever an online source requested it to authenticate CPU purchases. However,
this feature could easily be exploited by other companies to acquire
information without user consent. Although users can turn off this feature*,
the typical consumer is oblivious to this fact, happily (and incorrectly)
assuming that they are anonymous on the internet because he or she does not
explicitly provide any personal information upon request. Requests can even be unrelated
to the information that companies seek to collect.
Federally
required controls such as “opt-in and opt-out”, which require companies to
prompt users whether they want to subscribe to mailing lists or install
software, colloquially referred to as “spyware” and “adware” to access company
material, are not entirely effective. Many prompts often appear repeatedly to
the consumer’s chagrin and out of frustration, 90% of consumers click “Yes” (to
whatever the companies want to do) just to get rid of the prompt. Aside from the
commercial sites that exploit typical user habits, there are means to acquire
personal data such as email and phone numbers which can be used for unsolicited
correspondence, or “spam” which can be harmful in several ways. The spam (which
can waste many people’s time at best) might also be the cause for more spam;
Emails containing spam might not only contain viruses, but various hidden means
of acquiring more personal information without permission.
To the typical consumer,
this sounds pretty disturbing. But how much of an impact, if any, does it have?
Yes, all these real privacy issues which can lead to various problems are
time-consuming, but many people feel that the solutions (such as repeatedly
opting out* or installing anti-spyware programs) are just as time-consuming, if
they know about them at all. If user apathy and ignorance continue, it seems as
though there is no case against this violation of privacy (something that many
businesses do not seem to mind). It seems appropriate to conclude that on the
internet, where infractions of privacy are more subtle than their physical
counterparts, no one is anonymous but almost no one cares.
Sincerely,
Victor Wong
*Later Intel disabled the feature by default due to the
controversy.
*Usually sites that prompt the user to accept a condition
(e.g. installing an innocent looking program that is actually “spyware”) before
he or she can continue, stops prompting the user after he or she opts out 3
times.
http://www.computerhope.com/help/cpu.htm
Dear Victor,
I agree to your statement that anonymity is sometimes
assumed when a user connects to the internet.
A good example of this is the fact that a lot of people connect to Peer
to Peer (p2p) file sharing networks under the belief that their identity online
is anonymous. Although you say that
there is no case against this violation of privacy, there is one clear example
of just that.
Recently the Recording Industry
Association of America (RIAA) launched a campaign to catch potential file
sharers. The plan was to join the file
sharing networks themselves, seeking out people who were actively sharing
copyrighted material. As soon as they
establish a connection with the alleged file swapper, they obtain their
Internet Protocol (IP) address which is a unique address given to a user when
they log onto the internet. The RIAA’s
plan was to then take the IP addresses and subpoena the Internet Service
Providers (ISP’s) to release personal information about the users in
question. This plan actually worked for
a while and led to many law suits against file sharers by the RIAA.
That was until December 18,
2003, when the court overturned its decision in RIAA v. Verizon Internet. The original decision forced Verizon to turn
over the personal information of over 200 Verizon Internet users who were
classified as alleged file swappers.
The overturned decision meant that the courts deemed the RIAA’s strategy
illegal because there is no provision in the Digital Millennium Copyright Act
(DMCA) which would allow such a subpoena.
These same kind of cases were won by other colleges and ISP's also
(including MIT).
However, this case is just a
minor victory in the fight for internet privacy. Corporations such as the RIAA are still allowed to subpoena individual
IP addresses and serve “John Doe” lawsuits against them. Even though these lawsuits come out of
legitimate legal concern, the implications of companies having this kind of
access to your online identity are indeed disturbing.
Sincerely,
Daniel
Fuentes
Dear Daniel,
No one
disputes that deliberately and physically going onto someone’s property to
obtain information is “wrong.” However, on the internet where infractions of
privacy may go unnoticed due to much more stealthier and subtle methods (such
as the RIAA getting IP addresses of very active file-sharers, as you have
mentioned), it is clear that while many people find it disturbing, there needs
to be much more awareness behind the motives for gathering information (often
without explicit consent).
Businesses claim that
information gathering, also called
“data mining,” and regardless of whether it is explicitly approved by
the user, is actually helpful to both businesses and consumers because
information collected on consumer habits can be used by various companies for
research to produce “better products”, which will ultimately benefit consumers.
However, this is not the only possible use of information collected.
Furthermore, the type of information collected may be sensitive (i.e. Credit
card information and social security numbers which can be used by anyone for
whatever purpose - identity theft).
While most people believe
that this is the work of rogue hackers, the companies themselves may ultimately
be to blame. According to an article by Atlantic Monthly, many cases of identity
theft stem from company to company interactions. Namely, almost every company
sells the information they collected to other companies and groups to use for
whatever purpose, and gain profit. In the process, this information can easily end
up in the hands of individuals seeking to acquire people’s identities to access
personal material, such as bank account assets. Companies generally deny that
this occurs, saying that sharing consumer’s information “within bounds” is
healthy [apparently, for profits] and that they have extensive security
controls.
Nevertheless, it seems
that much of the argument from businesses for information-acquisition
is profit driven. It seems the ulterior motive. Their view is, it’s a
[lopsided] win-win situation and people who may be [adversely] affected don’t
really care. This consumer mentality has only helped businesses in this end.
Sincerely,
Victor Wong
“Holes in Internet Security”, Atlantic Monthly, New York:
February 2002
Dear Victor,
In your
last letter, you touched on the concern of individual privacy as it relates to
company “data mining”. There is another
form of data mining that I feel may even be a bigger concern to the public,
which is digital surveillance carried out by the government. Many typical data mining techniques are
actually approved for government use by the USA PATRIOT (Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism) Act, which you can find a copy of at EPIC (electronic
privacy information center). The act
was put together rather hastily following the September 11th attacks
in 2001 and was signed into law by President Bush on October 26, 2001. Since there was a hurry to pass this act
into law, it received less Congressional oversight and debate than a law this
complex normally would.
The USA PATRIOT Act grants the
government increased power to monitor not only “suspected terrorists”, but
anyone who may be abusing the Computer Fraud and Abuse Act, which is anyone who
uses a computer. These powers include
the right to scan e-mails, acquire personal information from your Internet
Service Provider, and to digitally “wiretap” your system. According to the Electronic Frontier
Foundation, section 202 of PATRIOT allows government officials to more easily
obtain what was formerly a sort of “super-warrant” that allowed them to
intercept computer information. These
warrants were usually only given in the most severe of instances and were only
valid pending approval by a judge, but now they are given without judicial
approval. Some see this as unnecessary
seeing as how there has never been an instance where a computer related crime
investigation was hindered by lack of surveillance.
It is clear that when the government
has these types of powers, no one is truly anonymous on the internet –
regardless of whether they know or care.
Sincerely,
Daniel Fuentes
All works contained herein are copyright their respective owners.