New Privacy Threats
As you guard your privacy against standard threats like spyware and phishing, your data is leaking out via legit firms you do business with.Erik Larkin
Illustration by Stuart Bradford
The records can persist for decades, and no comprehensive federal law protects them. Even if you believe the firms you do business with wouldn't sell your records to an unscrupulous marketer, you're not safe. As long as it exists, your data can be sold in bankruptcy proceedings, or snagged by hackers, con artists, and anyone with a court order, says Ari Schwartz, deputy director of the Center for Democracy and Technology, a consumer advocacy organization.
All these personal records about us are growing. And a number of recent cases have demonstrated just how vulnerable the records can be.
Beyond the Limit
GPS devices can be a godsend for intrepid explorers and the easily lost alike. But as one court case shows, the intensely personal details of your physical location and driving behavior can be gathered and used against you.
Connecticut-based American Car Rental installed GPS devices in its cars to track speed and location, according to state supreme court documents. The devices wirelessly phoned home to American every time a client drove faster than 79 mph for at least 2 minutes; American then tried to charge its customers $150 for each instance. American was sued, and the court ruled that the company could not charge a speeding fee--but the court didn't prevent the firm from using GPS devices to track driver speed and location.
Government may get into the GPS act as well. To make up for a projected gas tax shortfall (ironically due to successful fuel efficiency programs), Oregon's Department of Transportation is considering a tax based on mileage driven rather than gas purchased. A GPS unit in every car would track the mileage.
The department's Web site assures state residents that "no privacy issue exists" with the plan, because the devices would send in only number of miles driven and not location info. But while Oregon has opted not to record locations, there is little to indicate that, like American Rental Car, it could not do so if it chose.
Rules Roulette
Chris Hoofnagle, West Coast office director for the Electronic Privacy Information Center, a consumer advocacy organization.
Because no comprehensive national privacy laws exist, figuring out what a business (or government) can do with your data depends on your state, the industry, and the type of information involved. "One company could be covered by seven or eight different types of privacy laws," says the CDT's Schwartz.
Advocates have pushed for a national standard for years, but acknowledge that we're nowhere near getting one.
Consider something as private as what you watch on television. Cable companies are governed by specific laws that spell out what they can and can't do with the details of your viewing habits; for instance, they are generally prohibited from sharing your information with third parties. But digital video recorders like TiVo fall outside those laws, says Schwartz.
"TiVo has a pretty strong privacy policy for what they do with the information" they collect, and the company is bound by it, he says. But coming up with that policy was a business decision, not a legal mandate, and the company could choose to change its policy at any time.
"The consumer dilemma is, similar products or services can have very different privacy implications," says Chris Hoofnagle, West Coast office director for the Electronic Privacy Information Center, a privacy advocacy group. Users shouldn't be expected to know that, he says, "but they are."
Searched and Seized
Users who are concerned about privacy also need to know details about what every business actually does with their information. Take Internet searches, for example.
Once you get your search results, you forget about the search and move on. Search companies don't forget. They store those searches, often along with an identifier showing who ran the search; how well the firm safeguards your data varies by search engine.
The important questions, Hoofnagle says, are: "How long will the data be kept, for what purposes will it be used, and what do [the companies] do when the police come knocking on the door?"
A case in point: The U.S. Department of Justice recently sought "a massive amount of information from Google's search index, and [ordered Google] to turn over a significant number of search queries entered by Google users," according to court documents. The Justice Department subpoenaed several search engines for information in defense against a lawsuit brought against the U.S. Attorney General's office over the Child Online Protection Act. According to the Justice Department and the judge's ruling, AOL, Microsoft, and Yahoo all complied with the request at least in part. In fact, many companies' privacy policies state that they will give the government data if asked.
Google fought, and won. Sort of. The judge ruled that the government could have a list of some site addresses found in Google's index, but denied the demand for search terms. The government had not asked for information that might have specified who conducted each search, but U.S. District Judge James Ware noted several potential privacy risks related to search strings, such as in the case of a "vanity search" where someone might look for data about themselves. And he highlighted a potentially serious privacy concern with searches run by a third party about another party, such as "[name] third trimester abortion san jose."
Google doesn't disclose its data retention policies, and it didn't respond to our questions about those policies. But Hoofnagle says that data older than 180 days can be subpoenaed more easily than newer info. Google cookies last over three decades on your PC.
Like Google's searches, Yahoo's use a cookie with a unique code; each search is tied to that identifier. The code isn't linked to personal data, like your age or location, but if you search while logged in to Yahoo, that search is tied to your Yahoo profile.
Yahoo stores those search details "for as long as it's useful," says spokesperson Nissa Anklesaria. And they're useful indeed. Yahoo's successful finance site came about in part because the firm saw many people running searches for financial information. However, Yahoo keeps your personal details to itself: Even when Yahoo works with third parties on ad campaigns and special offers aimed at users, it never gives user data to its partner, Anklesaria says.
Cellular Sieve
Even if a company does not willingly share your information with third parties, you may not be safe. Until the beginning of this year, your cell phone call list, for example, was easy pickings for unscrupulous agents. So-called pretexters were making a thriving business of calling cell phone firms, masquerading as a client, and getting a copy of that person's last bill--with a list of all phone numbers for calls both made and received. A slew of sites then offered those records to anyone willing to shell out $150 or so.
The good news is that these sites are shutting down due to an "incredible amount of enforcement scrutiny," says Hoofnagle, whose organization has testified before Congress on the matter. But since the demand for your data isn't going away, "my fear is that they'll simply move it underground," Hoofnagle says.
Government, he says, treats privacy issues like isolated fires: Scandals erupt when thieves steal loads of information from data brokers or pretexters run amok, then Congress crafts specific laws in response. A law setting national standards for data privacy would prevent many of those fires, but none is likely anytime soon. Until Congress changes its crisis approach to privacy issues, users who want to take control of their private data are on their own.
Four Ways to Take Back Your Privacy
Illustration by Stuart Bradford
Opt out: Companies can share a lot of your data--unless you tell them to stop. The Center for Democracy and Technology offers an excellent free service that links to online opt-out forms for numerous businesses, and that can generate opt-out letters for you to mail to firms that lack online options. Also, when signing up for any new service, look for the check box that refers to sending you special offers and be sure you're not automatically signed up.
Protect your call records: Contact your cell provider and set up a password on your account. You can also ask the provider to remove call details from your bill to keep others from seeing them (though you'll lose them, too). To check if you've been compromised, ask if the firm has released your records or if anyone has activated an online account in your name.
Read the policy: Reading privacy policies or End-User License Agreements (EULAs) is like flossing--we know we should, but we usually don't bother. The free EULAlyzer from Javacool Software makes the task much easier by examining the policy or EULA for you and searching for keywords (such as "Third Party"). The software then rates what it finds to let you know which ones to beware of.
Surf and search anonymously: One quick-and-dirty Google cookie anonymizer removes your unique identifier from the Google cookie. Know that using it will clear any Google preferences you've set, like how many search results display per page. Also, you can consult a guide to many resources for anonymously surfing the Internet.