
 

Anonymity on the Internet

 

A Collection of Letters between Daniel Fuentes and Victor Wong

December 6, 2004

 

 

 

 

 

            This collection of correspondences is a survey of how we are not anonymous on the internet and how businesses and governments can exploit this lack of anonymity.

 

 

 

 

Dear Daniel,

                In a country where privacy is such a big issue, there seems to be a disproportionate amount of ignorance and apathy toward the nonexistence of internet anonymity. Businesses routinely violate what is considered “privacy” by acquiring otherwise “private” information from users often without their knowledge because users are under the mistaken impression that they are anonymous.

                Users need not even go to a particular web site for their information to be accessed. For example, in computers with the Intel Pentium III processor, information about user registration, hardware, and internet habits can be easily acquired by online companies because the CPU was designed to release such information whenever an online source requested it to authenticate CPU purchases. However, this feature could easily be exploited by other companies to acquire information without user consent. Although users can turn off this feature*, the typical consumer is oblivious to this fact, happily (and incorrectly) assuming that they are anonymous on the internet because he or she does not explicitly provide any personal information upon request. Requests can even be unrelated to the information that companies seek to collect.

                Federally required controls such as “opt-in and opt-out”, which require companies to prompt users whether they want to subscribe to mailing lists or install software, colloquially referred to as “spyware” and “adware”, to access company material, are not entirely effective. Many prompts often appear repeatedly to the consumer’s chagrin, and out of frustration 90% of consumers click “Yes” (to whatever the companies want to do) just to get rid of the prompt. Aside from the commercial sites that exploit typical user habits, there are means to acquire personal data such as email and phone numbers which can be used for unsolicited correspondence, or “spam”, which can be harmful in several ways. The spam (which can waste many people’s time at best) might also be the cause for more spam; emails containing spam might contain not only viruses, but various hidden means of acquiring more personal information without permission.

                To the typical consumer, this sounds pretty disturbing. But how much of an impact, if any, does it have? Yes, all these real privacy issues which can lead to various problems are time-consuming, but many people feel that the solutions (such as repeatedly opting out* or installing anti-spyware programs) are just as time-consuming, if they know about them at all. If user apathy and ignorance continue, it seems as though there is no case against this violation of privacy (something that many businesses do not seem to mind). It seems appropriate to conclude that on the internet, where infractions of privacy are more subtle than their physical counterparts, no one is anonymous but almost no one cares.

 

Sincerely,

Victor Wong

 

*Later Intel disabled the feature by default due to the controversy.

*Usually sites that prompt the user to accept a condition (e.g. installing an innocent-looking program that is actually “spyware”) before he or she can continue stop prompting the user after he or she opts out 3 times.

http://www.computerhope.com/help/cpu.htm

Dear Victor,

 

I agree with your statement that anonymity is sometimes assumed when a user connects to the internet.  A good example of this is the fact that a lot of people connect to peer-to-peer (P2P) file sharing networks under the belief that their identity online is anonymous.  Although you say that there is no case against this violation of privacy, there is one clear example of just that.

                Recently the Recording Industry Association of America (RIAA) launched a campaign to catch potential file sharers.  The plan was to join the file sharing networks themselves, seeking out people who were actively sharing copyrighted material.  As soon as they establish a connection with the alleged file swapper, they obtain their Internet Protocol (IP) address, which is a unique address given to a user when they log onto the internet.  The RIAA’s plan was to then take the IP addresses and subpoena the Internet Service Providers (ISPs) to release personal information about the users in question.  This plan actually worked for a while and led to many lawsuits against file sharers by the RIAA.

                That was until December 18, 2003, when the court overturned its decision in RIAA v. Verizon Internet.  The original decision forced Verizon to turn over the personal information of over 200 Verizon Internet users who were classified as alleged file swappers.  The overturned decision meant that the courts deemed the RIAA’s strategy illegal because there is no provision in the Digital Millennium Copyright Act (DMCA) which would allow such a subpoena.  These same kinds of cases were also won by other colleges and ISPs (including MIT).

                However, this case is just a minor victory in the fight for internet privacy.  Corporations such as the RIAA are still allowed to subpoena individual IP addresses and serve “John Doe” lawsuits against them.  Even though these lawsuits come out of legitimate legal concern, the implications of companies having this kind of access to your online identity are indeed disturbing.

               

Sincerely,

Daniel Fuentes

 


Dear Daniel,

                No one disputes that deliberately and physically going onto someone’s property to obtain information is “wrong.” However, on the internet, where infractions of privacy may go unnoticed due to much stealthier and subtler methods (such as the RIAA getting IP addresses of very active file-sharers, as you have mentioned), it is clear that while many people find it disturbing, there needs to be much more awareness behind the motives for gathering information (often without explicit consent).

                Businesses claim that information gathering, also called “data mining,” and regardless of whether it is explicitly approved by the user, is actually helpful to both businesses and consumers because information collected on consumer habits can be used by various companies for research to produce “better products”, which will ultimately benefit consumers. However, this is not the only possible use of information collected. Furthermore, the type of information collected may be sensitive (i.e. credit card information and social security numbers which can be used by anyone for whatever purpose - identity theft).

                While most people believe that this is the work of rogue hackers, the companies themselves may ultimately be to blame. According to an article by Atlantic Monthly, many cases of identity theft stem from company-to-company interactions. Namely, almost every company sells the information they collected to other companies and groups to use for whatever purpose, and gain profit. In the process, this information can easily end up in the hands of individuals seeking to acquire people’s identities to access personal material, such as bank account assets. Companies generally deny that this occurs, saying that sharing consumers’ information “within bounds” is healthy [apparently, for profits] and that they have extensive security controls.

                Nevertheless, it seems that much of the argument from businesses for information-acquisition is profit driven. It seems the ulterior motive. Their view is, it’s a [lopsided] win-win situation and people who may be [adversely] affected don’t really care. This consumer mentality has only helped businesses in this end.

 

Sincerely,

Victor Wong

“Holes in Internet Security”, Atlantic Monthly, New York: February 2002


Dear Victor,

 

                In your last letter, you touched on the concern of individual privacy as it relates to company “data mining”.  There is another form of data mining that I feel may be an even bigger concern to the public, which is digital surveillance carried out by the government.  Many typical data mining techniques are actually approved for government use by the USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) Act, which you can find a copy of at EPIC (Electronic Privacy Information Center).  The act was put together rather hastily following the September 11th attacks in 2001 and was signed into law by President Bush on October 26, 2001.  Since there was a hurry to pass this act into law, it received less Congressional oversight and debate than a law this complex normally would.

The USA PATRIOT Act grants the government increased power to monitor not only “suspected terrorists”, but anyone who may be abusing the Computer Fraud and Abuse Act, which is anyone who uses a computer.  These powers include the right to scan e-mails, acquire personal information from your Internet Service Provider, and to digitally “wiretap” your system.  According to the Electronic Frontier Foundation, section 202 of PATRIOT allows government officials to more easily obtain what was formerly a sort of “super-warrant” that allowed them to intercept computer information.  These warrants were usually only given in the most severe of instances and were only valid pending approval by a judge, but now they are given without judicial approval.  Some see this as unnecessary seeing as how there has never been an instance where a computer-related crime investigation was hindered by lack of surveillance.

It is clear that when the government has these types of powers, no one is truly anonymous on the internet – regardless of whether they know or care.

 

Sincerely,

Daniel Fuentes


All works contained herein are copyright their respective owners.