7.26 Privacy suits: DoubleClick and Toysmart
Some examples should help to illustrate some of the problems associated with privacy and the internet. Privacy suits taken out against Doubleclick and Toysmart are important illustrative cases with respect to the influence of commerce on privacy. They raise questions about the kind of architecture we should be striving for, somewhere along the continuum from open-anonymous to closed-identifiable.
Late in 1999, the largest internet advertising company, DoubleClick, effectively changed its policy on tracking websurfers anonymously. In the summer of 1999 they bought out the direct marketing (junkmail and catalogue) company Abacus Direct, which reportedly had a database profiling the spending habits of 90 million US households. DoubleClick planned to cross-match the Abacus database with its own, building profiles of online and offline consumer habits. Privacy groups were angered by the move, as DoubleClick had maintained that their technology allowed internet users to remain anonymous. The company won Privacy International's ‘Big Brother Award’ in April 2000, in the Greatest Corporate Invader category ‘for monitoring the surfing of 50 million Net users.’ Some consumers and the State Attorneys General of New York and Michigan sued the company. ZDNet published a report in March 2000 on how the DoubleClick cases could change US law. It did not change the law – the New York Times reported in April 2001 on DoubleClick's victory in the case. (Note: the New York Times requires you to register and accept cookies to view their articles.)
They also said that the closing of the investigation:
… is not to be construed as a determination that a violation may not have occurred, just as the pendency of an investigation should not be construed as a determination that a violation has occurred. The Commission reserves the right to take such further action as the public interest may require.
By the summer of 2007 DoubleClick was in line to be taken over by Google. Since Google's chief executive, Eric Schmidt, had declared that one of the company's key goals was to collect as much personal information about individual users as possible, this proposed takeover became the object of much concern among civil right activists. The takeover was examined by US and EU regulators with the US Federal Trade Commission approving the deal in December 2007 and the European Commission following suit in March 2008.
What each of these cases and the preceding discussion again illustrate is the need to make policy choices – about how commerce is handled via the internet and how far the need to facilitate e-commerce can be allowed to erode traditional notions of personal privacy.
I have hardly scratched the surface of the issues related to privacy and the internet. There have been a huge number of developments in the area since Lessig published his book, the most important, arguably, being those developments arising out of the tragedies of September 11, 2001. These include a whole host of anti-terrorism legislation (such as the USA/PATRIOT Act and the Anti-Terrorism Crime and Security Act in the UK), the national identity card proposed by the UK government, and the ‘Secure Flight’ passenger screening system (which replaced the Computer Assisted Passenger Pre-screening System (CAPPSII)), which aims to improve airline security.
The cost of manufacturing microscopic radio frequency identification (RFID) tags has also come down to the extent that it now makes economic sense for commerce to deploy them on a large scale. The Guardian reported (Tesco tests spy chip technology) on a trial run with these chips at Tesco in Cambridge.
In a cnet news report a Californian senator worried, ‘How would you like it if, for instance, one day you realised your underwear was reporting on your whereabouts?’
Further reading: the debates in relation to privacy also tend to get quite polarised, but there are quite a few useful information websites and books in the area should you decide to look into the matter further. For example:
Center for Democracy and Technology
The Control Revolution, by Andrew Shapiro
The Internet, Law and Society, edited by Yaman Akdeniz, Clive Walker and David S. Wall
The Unwanted Gaze: The Destruction of Privacy in America, by Jeffrey Rosen
Database Nation, by Simson Garfinkel
Secrets and Lies, by Bruce Schneier
Beyond Fear: Thinking Sensibly About Security in an Uncertain World, by Bruce Schneier
Look out also for stories in the media about the handling and transfer of EU airline passenger data to US authorities and the use of the so-called CAPPS on CAPPSII database in the US. The CAPPSII program was declared dead by the US Secretary for Homeland Security in July 2004 but it is was replaced by a similar scheme operating under a different name, ‘Secure Flight’. By 2006 Secure Flight had been subjected to several government reviews (including reviews by the Department for Homeland Security and the General Accounting Office), all of which basically found it unfit for purpose. Though it was temporarily suspended in 2006, Secure Flight was re-introduced and, as of the autumn of 2007, the program was still being used, with budget plans to spend a further $38 million on it in the next financial year. US Customs have also for some years been operating an ‘Automated Targeting System’ which assigns a score to all travellers entering or leaving the US indicating what level of terrorist threat they pose. There is very little public information about how the programme operates, but the data collected can be shared with a range of federal or local authorities and even private organisations. It seems that the only people who can't get the information are those travellers to whom it relates. It is also subject to retention for 40 years.