Got the funny feeling someone's watching?

You may be right to wonder who's keeping tabs

05/10/2001

By DOUG BEDELL / The Dallas Morning News

The Internet just can't keep a secret. Or so the nation thinks, according to a wide range of recent studies.

"The loss of privacy is the No. 1 fear of Americans," Charlene Thomas, the IRS deputy privacy advocate told a recent summit for government workers. "It outranks nuclear holocaust in surveys."

As outlandish as that might seem, an April survey by the Pew Internet & American Life Project (pewinternet.org) indicates a growing, seething distrust for the new electronic world of quick-merging databases, electronic surveillance and rapid-fire financial transactions zipping across an inherently insecure network.

• 87 percent of 2,096 American adults surveyed between Feb. 1 and March 1 said they are concerned about credit card theft online.

• 82 percent are concerned about how organized terrorists can wreak havoc with Internet tools.

• 78 percent fear crackers (individuals who attempt to access systems without authorization) will breach government computer networks, while 76 percent fear similar intrusions within business networks.

Those jitters have spawned a confusing patchwork of state and national regulatory efforts. State privacy commissions are springing up to deal with troubling issues emerging with vast pools of electronic driver's license, criminal background and voting record data. The FBI is hard at work on e-mail snooping software. And businesses are joining governments everywhere in grappling with how medical information and workplace e-mail should be handled when privacy can be stripped away with the push of a button.

A ranking of the Top Ten Privacy stories by the Privacy Foundation (www.privacyfoundation.org), a University of Denver-based advocacy group financed by Denver entrepreneur Peter Barton, listed employee-employer friction over Net activities at the top of the heap.

"The rise of the Internet has sent a flood tide of privacy concerns through business and society, and the waves are breaking big-time in the workplace," says Stephen Keating, executive director of the Privacy Foundation.

About 80 percent of major U.S. companies keep tabs on employees by checking their e-mail, Internet, or telephone connections or by videotaping them at work, according to the American Management Association's annual survey on workplace monitoring and surveillance. Active monitoring has skyrocketed in recent years, up from 35 percent in 1997.

And the rest of the Top Ten are no less unsettling.

Here's a look at the list and what's happening on each front.

Workplace surveillance

Inside the Privacy Foundation Web site, the Job Loss Monitor is filling with symptoms of friction in the new electronic workplace. The site attempts to keep up with a growing number of documented firings worldwide based on alleged improper use of corporate e-mail accounts and Web access.

"Getting this stuff together is daunting," says Mr. Keating.

According to the latest AMA numbers, 47 percent of surveyed companies store and review employee e-mail, an increase from 38 percent in 2000. Forty percent block Internet connections to unauthorized or inappropriate sites, up from 29 percent last year.

More than a quarter of surveyed companies (27 percent) say that they've fired employees for misuse of office e-mail or Internet connections, and nearly two-thirds (65 percent) report some disciplinary measure for those offenses.

Three years of documented cases by the Privacy Foundation reveal a helter-skelter picture of corporations and government agencies using a wide range of disciplinary methods, policies and surveillance.

In many cases, as with a recent dismissal of at least 10 workers at Computer Associates International in Herndon, Va., employees profess shock over their terminations, and their supervisors have reportedly refused to produce specific posts involved.

"Employees are toast," the Privacy Foundation says it was told by one corporate privacy officer.

Many of these cases will undoubtedly wind up in state courts, creating new, local requirements for handling Internet-related terminations, experts say.

"There's a clear increase in disciplinary actions," says Mr. Keating. "To some degree I think it's going to be like drug testing was 15 years ago, which is that it's a brand new thing and becomes embedded in the business culture."

Legally, nothing has changed. Under current laws, employees have no recognized right to expect privacy of their communications over company Internet connections, experts say.

"The rights are definitely with the employer," says Mr. Keating. "It's their equipment and they're paying the salary of the worker. But I think a question of what surveillance is reasonable and what's the point?" In many cases, it is alleged, questionable violations of company Net policies are simply being used as a new tool to reduce payrolls.

Gary Clayton – a Dallas attorney and founder of the Privacy Council, a for-profit firm that helps corporations deal with sticky problems presented by new forms of communication – says employees will gradually understand that their bosses have a duty to patrol company pipes.

"Businesses are going to become more and more liable for how their employees use e-mail, the network and communication assets," Mr. Clayton says. "People are using e-mail more and more often, and we're very informal the way we use it. We attach and send documents and info that, quite truthfully, customers and patients consider private and privileged."

Worker fears about corporate monitoring have fostered the growth of software and Web sites – including ZeroKnowledge Freedom (www.zeroknowledge.com), SafeWeb (www.safeweb.com) and Anonymizer.com (www.anonymizer.com) – that attempt to wipe away digital footprints of Internet activities. But, like an escalating arms race, employers bent on monitoring have helped develop even more sophisticated methods that render such services useless. The market for employee monitoring software, in fact, is booming at an annual growth rate of 55 percent, according to International Data Corporation research, and is expected to be a $562 million industry by 2004.

Using simple, cheap software with names like Checkpoint, Web Marshal, Telemate, and WinWhatWhere, even individual key strokes can be recorded and stored for analysis.

And, with virus infections on the rise, companies are increasingly restricting loading of any software on work terminals.

"Privacy in today's workplace is largely illusory," said Ellen Bayer, the AMA's human resources practice leader. "In this era of open space cubicles, shared desk space, networked computers and teleworkers, it is hard to realistically hold onto a belief in private space."

Managers who would never permit monitoring phone use in their offices often feel no angst about e-mail and Web monitoring, the experts say.

"You're going to start seeing more and more companies held liable for damages for leaks and mistakes or embarrassment," says Mr. Clayton. "As that happens, you're going to see increased pressure on businesses to regulate and manage how their employees use e-mail."

Looking ahead, the Privacy Foundation expects that some companies, particularly those in need of highly skilled, high-tech workers, will tout "spy-free workplaces" as a fringe benefit.

"Employers may be rightly concerned about security and productivity issues, or legal liability arising from e-mailed sexual banter," says Mr. Keating. "But pervasive or spot-check surveillance conducted through keystroke monitoring software, reviewing voice-mail messages, and using mini-video cameras will undoubtedly affect morale and labor law, as well as employee recruitment and retention practices."

Patient privacy

Widespread public concerns about disclosing personal medical information to doctors and hospitals – for fear the records will end up in the hands of databanks, insurance companies and prospective employers – have led to new federal rules.

A sweeping set of medical privacy rules initially drafted by the Clinton administration was adopted in April by Health and Human Services Secretary Tommy Thompson. Six years in the making, the revisions to the Health Insurance Portability and Accountability Act (www.hhs.gov/news/press/2001pres/20010412.html) will force doctors to seek patient consent to use medical records in routine matters, and give patients greater access to their own records. The 1,553 pages of new patient privacy rules, proposed by HHS, will take two years and billions of dollars in private sector costs to implement.

"The question remains: 'Are these things workable and are they going to have any effect?'" says Mr. Keating. "There are rules to the degree that if you are taking someone to hospital, whether the doctor can come out in the waiting room and tell you how they're doing.

"It's very detailed."

E-mail surveillance

Public attention paid to the FBI's e-mail sniffing software has had at least one impact since the technology became public last year. Government creators have now chosen the less Orwellian moniker, DCS1000, for their new law enforcement tool.

"It's not quite as memorable," says Mr. Keating.

Law enforcement officials insist they need Carnivore and similar tools to zero in on terrorists, drug traffickers and child pornographers.

But the Pew survey indicates the public may not fully trust its government to make decisions on whose e-mail should be scanned. The project showed only 31 percent of Americans trust the government to "do the right thing most of the time or all of the time." That figure is down from 41 percent in 1988.

Americans express a willingness to let law enforcement agencies intercept suspects' e-mail, but they also support the general idea that new laws should be written to cover how law enforcement agencies monitor it. Just 14 percent of Americans say the laws that relate to intercepting telephone calls are good enough to cover Internet communications. More than 60 percent of Americans say new laws should be written to make sure that ordinary citizens' privacy is protected from government agencies.

Privacy and civil libertarian groups, including the Electronic Privacy Information Center (EPIC.org), want independent reviews of the program's capabilities.

"Much of the controversy concerning Carnivore grows out of the fact that the system accesses and processes a great deal of ISP traffic, the vast majority of which contains the communications of Internet users not targeted for surveillance and not named in any court authorization," EPIC general counsel David L. Sobel wrote House of Representatives leader Dick Armey, R-Texas.

EPIC and others want wiretap statutes updated to make law enforcement agencies at least seek approval before attaching Carnivore to an ISP or other network. They also want an examination of the Justice Department and other agencies who may circumvent the letter of U.S. laws permitting allies to run e-mail sniffers for them.

"Standing alone, Carnivore's inherent ability to "over-collect" communications renders it legally and constitutionally suspect," Mr. Sobel argues.

EPIC and the Electronic Frontier Foundation (www.eff.org/) have already begun pressing for more disclosure of the government's plans. "The broad fear is that the FBI could use Carnivore to tap the data pipes of Internet Service Providers and cast a wide net for e-mails, not just those sent and received by the targets of specific investigations," the Privacy Foundation says.

Meanwhile, courts across the country have begun handling cases arising from e-mail surveillance by police. The U.S. 9th Circuit Court of Appeals ruled in January that unauthorized access to stored electronic communications could violate the federal Wiretap Act.

The Justice Department, in court papers, warns that the ruling could be "substantially impairing the ability of federal and state investigators and prosecutors to pursue and prosecute Internet crime of every kind."

Data mining

Early this year, a court settled one of the first major cases that questioned Internet advertisers' rights to use "cookies" – small text files of information stored in the Web browser directory of a user's hard drive.

A federal judge has ruled the use of "cookies" and other technology for the purpose of targeting online ads does not violate federal laws.

The Manhattan-based U.S. District Court judge dismissed at an early stage a consolidated class-action lawsuit against DoubleClick, Inc., a New York-based company that is the largest provider of Internet advertising products and services in the world.

Lawyers say the decision is significant because it represents an important victory for the Internet advertising industry and some Web publishers, whose data-collection practices have been denounced by privacy advocates as an intrusive monitoring of consumer behavior online.

In addition, the case represents the first time a federal court has addressed the applicability of federal laws to Internet advertising.

Lawyers representing a potentially huge class of consumers had alleged that DoubleClick's online advertising practices violated three federal laws: the Electronic Communications Privacy Act, which seeks to prohibit destructive hacking; the Wiretap Act, which generally prevents wiretapping for criminal or other wrongful purposes; and the Computer Fraud and Abuse Act, which prohibits unauthorized access to computers.

The judge found on March 28 that plaintiffs had failed to show that DoubleClick's purported conduct violated any of the three federal laws.

Chief privacy officers

In a nod toward the Internet as an emerging business utility, Microsoft, IBM, American Express and dozens of other firms, ranging from the Fortune 500 to start-up e-commerce firms, have begun creating a new executive position called Chief Privacy Officer.

"Businesses don't have a skill set yet for managing data the way it's going to have to be managed in the future," says Mr. Clayton, whose firm has begun training programs for CPO at Southern Methodist University and several other venues across the globe.

"Data is a valuable asset," he says. "It's going to have to be managed almost like money."

Switching policies

Last September, Amazon.com – the 20 million-customer Internet retailing giant – shocked consumers by announcing it was changing its privacy policy, which previously pledged to protect sales and customer data even if it were eventually sold or acquired.

The move, made as Amazon faced scrutiny from Wall Street about its financial prospects, underscored criticisms about the way that dot-com companies revise privacy policies to capitalize on customer data.

And the uproar evidently produced a backlash. When Toysmart.com went bankrupt and decided to put its customer database up for auction, the Federal Trade Commission blocked the deal.

The Privacy Foundation said it believes continued efforts like this will draw more and more lawsuits to the dot-coms for alleged violations of privacy policies. Meanwhile, the Federal Trade Commission recommended that Congress legislate privacy standards for Web sites.

However, Congressional action is no longer likely on this front. Mr. Armey has even written Congress with a warning that privacy bills introduced this session will face lukewarm response from the White House and House leadership.

"I don't want strangers poking around in my business any more than they want me poking around in theirs," Mr. Armey wrote, but "in the fast-paced world of the Internet, we must avoid silver-bullet solutions that will quickly become obsolete or leave ourselves vulnerable to criticism that the government is not meeting the standards it requires from others."

Says Mr. Keating: "It looks like Congress is losing its appetite for Internet regulation this year. It could be because the economy's softening and the Republican Congress doesn't want to be seen as restrictive on business.

"Or maybe they just think all the companies doing the tracking are going to go out of business, anyway."

Financial data merging

The Gramm-Leach-Bliley Act (www.sia.com/gramm_leach_bliley) went into effect in November, permitting banks, brokerages and insurance companies under the same roof to share customer information – and potentially share it with third parties – provided that they notify customers how confidential information will be used and allow them to opt out. An extension passed earlier in the year gives financial institutions until July 2001 to comply with the new rules. Privacy advocates complain that the act has loopholes and does little to protect online transfer of information.

The Privacy Foundation predicts these developments will give rise to a flood of consumer complaints about misuse of personal data by financial institutions.

Cell phone privacy

New mandates for cell phone Emergency 911 service raised a host of questions about wireless privacy – and appear poised to create a new wireless advertising industry (www.fcc.gov/e911).

With tens of millions of cell phones in use, the U.S. government is mandating the deployment of location-sensing E911 service for cell phones in 2001. Just as telemarketers exploited the ubiquity of wireline phone service, there is a wide range of data-service providers and marketers eager to piggyback on the new wireless technology to send text ads and discount offers to cell phone users, the Privacy Foundation says.

The foundation's chief technical officer, noted Internet security expert Richard Smith, says he has already found business plans calling for:

• Electronic ad services that send text ads to cell phones based on a person's location. Example: "Save big at McDonald's. Get 50 cents off a Big Mac meal. You're only blocks away! Hurry, this offer is good for only the next 20 minutes!"

• A tracking system for airlines that checks to see if late-arriving passengers are close enough to an airport to make a flight vs. being "no shows." The "no show" seats can then be given to other passengers if a flight has been overbooked.

• A system for parents to track their kids via cell phone location.

Wireless spam will face increasing calls to create an "opt-in" or "opt-out" system that allows consumers to regulate text and voice messages sent to their cell phones by marketers, the foundation says.

Cookie-blocking

Last summer, Microsoft released a software patch for Internet Explorer that would allow a computer user to automatically block third-party cookies from Internet advertisers. Facing grumbles from the online advertising community, Microsoft backed off the patch, and instead will support the P3P (Platform for Privacy Preferences) standard in the upcoming Internet Explorer 6.0.

P3P is a privacy dial that will allow users to set privacy preferences for sites while Web surfing. Earlier this year, revelations that the National Drug Control Policy Office's Anti-Drug Web site placed "cookies" on users' computers led to an executive order banning cookies on federal Web sites.

A new public record

Earlier this year, President George W. Bush announced he would no longer use e-mail for correspondence out of fear that his e-notes to acquaintances would fall under open records laws.

The president had already watched as the press and political activists had used open record laws to gain copies of e-mails to and from his brother, Florida Gov. Jeb Bush, during the 2000 presidential election controversy.

More and more, computer server logs of government agencies and schools are being sought by the media and individuals as public records.

Among the incidents: a county prosecutor's secretary, fired in Washington state, had her e-mail traffic disclosed to the media. And, in suburban Indianapolis, a school superintendent who resigned had his alleged Web-surfing activities published in the local newspaper.

This trend is likely to continue until there is some change in the way open records laws apply to computers and data storage.