Markkula Center of Applied Ethics

Privacy: Electronic Information and the Individual

By Joseph Westfall

In addition to a diverse body of information, the Internet makes available to the average user various forms of global communication. E-mail, World Wide Web pages, online shopping, and virtual chat rooms are all ways in which the Internet user can not only interact with machines, but communicate with other persons online. The benefits of rapid and global electronic communication are many, but there are severe drawbacks. Each of these communications has the potential to reveal personal information about the user. Every time someone communicates via electronic media, the chance exists that someone else is compiling or recording personal information-often for later, unrelated use. Many critics of Internet privacy standards are furious that personal information is as unsafe as it is. The lack of information safeguards can fall into one of two areas: security or confidentiality.

Security
Roughly speaking, security issues deal with personal information that is not voluntarily given, such as items stored on one's computer hard drive. Furthermore, it includes information contained in e-mail messages or other electronic transactions that are intercepted between their source and destination. Credit card numbers intercepted by hackers during online business transactions are an example of a security breach. Another popular security concern is the result of the practice of World Wide Web sites depositing information called "cookies" on the hard drives of computers visiting those sites. This information includes the URL of the site visited, as well as some information pertaining to that site-such as site usernames and passwords (which keeps users from having to enter them multiple times as they traverse the site). When a site reads the cookie file in one's computer, however, it might also have access to a list of other sites the user has visited. Some fear this information could be used for ill, or to compile marketing databases.

Although breaches of security are very rare, when information security is violated a great deal of damage can be done. Most solutions to security issues are technological, and many of the technological solutions work. Data encryption-encoding information stored in and sent from a computer-is a security wonder, but a legal nightmare. Two sets of values are presently clashing in Washington: the value the government (especially the FBI) places on access to personal information for law enforcement and national security reasons, and the value individuals place on the privacy of their information.

Some federal officials note that, in recent years, encrypted electronic media have been the communication of choice for those bringing illegal drugs into the United States, as well as many involved in the purchase and sale of illegal substances within national borders. A number of bills have been presented in Congress that would require the electronic 'keys,' the strings of numbers that decode encrypted information, for all codes used in the United States. They argue that the common good of the nation is ethically primary to an individual's desire to keep personal information personal. If communications between drug dealers and the like can be intercepted, read, and acted upon by federal law enforcement, each individual in the nation is better served.

Those in favor of data encryption have concerns on two levels: first, they argue that no code whose key is available to anyone but the party for whom the data was intended is a secure code; second, they maintain the rights of the individual. Positing a right to the privacy of personal information, they fear a government circumvention of basic human rights in the electronic age-to be treated as individuals, they must not lose the security of their information in the pursuit of law enforcement ends. In their eyes, it is unethical to violate an individual's rights in this way. Some border on a paranoiac fear of a 'Big Brother'-style totalitarian government, others have a more legitimate concern for the security of their personal information. Both understand the privacy of personal information as primary to law enforcement concerns.

Confidentiality
The situation is more complicated when an individual volunteers his or her personal information. Much is culled from Internet registration forms, for example, that might be compiled and sold. Because the information is given voluntarily, however, the "owner" of that information is difficult to determine. Does an individual maintain the ability to oversee the dissemination and use of his or her personal information at all times? Or does the organization that is given the information by the individual have some claim to its use? Confidentiality, as a privacy issue, is the extent to which an organization makes personal information available to other organizations and individuals.

Few information-collecting organizations have clear confidentiality policies, leaving individuals to choose between sacrificing the benefits of dealing with an organization to insure the confidentiality of their information, or sacrificing their privacy for those benefits. Understanding that there is a decision that must be made is the first step in overcoming issues of confidentiality, but few other things can be done by the individual. Refraining from giving any information but that absolutely required helps, but the kinds of information that one would want to protect are often also "absolutely required." Without statements of information confidentiality policy, it is unclear whether an organization is truly trying to provide a better product or service, or is attempting to gather information to be distributed, or both.

President Bill Clinton, in his recent document addressing the development of Internet commerce (Clinton), called for explicit statements from online organizations, detailing how personal information is to be used and to whom it will be distributed, if at all. He maintains that electronic business will not thrive until people can feel that the information they provide on the Internet is not only secure, but confidential. Although Clinton's statement lacks the authority of law, such a move in favor of electronic privacy and confidentiality of information-whether voluntary on the part of Internet business, or enforced by new legislation-is, perhaps, the only clear means of maintaining information confidentiality.

The situation is further complicated by information-finding services electronically available to individuals and corporations. Data warehouses collect addresses and telephone numbers, social security numbers, tax records, driving records, criminal and civil records, vital statistics, marketing preferences and more. As detailed in the report of an experiment conducted in the summer of 1997 (see "The Privacy Experiment"), many important pieces of personal information are readily available to the novice seeker for a small fee. These search services buy information from government agencies, private businesses, and other data warehouses. Cross-referencing the material allows information brokers to compile stunningly complete dossiers on many individuals. Organizations that provide such services, such as Lexis-Nexis or the American Information Network, Inc., epitomize what critics fear of current lax confidentiality laws and often non-existent corporate confidentiality policies.

Safety Online
Many of the consequences of confidentiality breaches are of limited consequence, usually resulting in unsolicited mailings from the organizations to which personal information was sold. Unfortunately, junk mail is not the only potential consequence of the availability of information. Just as the Internet brings schoolchildren, universities, and governments into the global network of electronic communication, so does it bring predators-child molesters, hate groups, and stalkers-into contact with their prey. Cyberstalkers use false identities to come into contact with unwary individuals in electronic chat rooms or through e-mail. Child predators often frequent sites designed for children, even identifying themselves as other children in order to gain a child's trust and arrange meetings in the "real world." Neo-Nazis, Skinheads, and other hatemongers establish sites that attempt to lure others into their groups, as do some religious cults. Although this last method is not itself a breach of privacy, these groups can then use any influence they have over unsuspecting site visitors-especially children-to acquire personal information ("Dark Side...").

As in the actual world, it is not entirely clear what one should do about the potential breaches of privacy the virtual world makes possible. The techniques outlined for security and confidentiality breaches would certainly assist in diminishing electronic losses of privacy. Yet, to insure a level of safety, one needn't wait for better encryption or new legislation. Perhaps the best precaution an individual can take for his or her privacy online is to recognize that there are people who would like to use their personal information to further their own malicious ends. It is too easy to forget that revealing any amount of information online is too much, unless the individual or organization to which the information is given has (a) good reason to request that information, and (b) a policy of not providing other individuals or organizations with information they have collected. Considering the state of confidentiality in the United States, seemingly innocuous bits of information can become keys to unlocking a full personal dossier.

For those with some responsibility for children-parents and teachers especially-learning about Internet privacy risks is not enough. Children are especially susceptible to requests for information, as they often do not understand the motives that may lie behind requests for information (Furger). Short of keeping children offline, there is no way to guarantee that their Internet experiences are not also breaches of privacy. Ideally, children would always communicate online in the presence of an adult, who would serve more as a guide than a supervisor. Yet this is not always possible, and concerned parents and teachers must therefore rely upon the education they have given their children and students in matters of privacy. What not to tell strangers is one of the most important Internet lessons a child can learn-more important than how to navigate the World Wide Web or use e-mail-and explaining to them that they should tell their parents or teachers when they are asked to submit information online serves to protect both the child and his or her family's privacy. Such a family or classroom environment would hopefully encourage the trust necessary for this method to work.

Fortunately for concerned adults, lawmakers have paid much attention to children and Internet privacy in recent months, mandating that anyone requesting personal information from children online receive a parent's approval before releasing that information to other parties, which helps to eliminate confidentiality problems that would further complicate the matter ("Feds caution..."). Technological advances are also aiding adults in securing privacy for children. One of the most recent advances in privacy technology is the Open Profiling Standard (OPS). OPS allows the parent or other computer administrator to set their browser to accept sites matching a predetermined level of privacy. Sites that fall below the user's privacy criteria cause a warning message to appear, and the user then has the option of lowering privacy standards for this site, or refusing the site altogether (Weise). This does not resolve all privacy problems, but it does afford users a minimum level of justified confidence online.

The Individual and Electronic Information
Information is not merely something other people have; it is, often, something individuals want to have. The flip-side of the electronic privacy issue is a consideration of the tools individuals and organizations might use to gain others' personal information. There is a variety of software available for the information-seeking individual or organization in addition to those already mentioned, the bulk of which allows businesses to compile their information into databases, or to register and access a data warehouse. Law enforcement agencies in some states make available CD-ROMs cataloguing sex criminals' photos, crimes and addresses (Chavez). Yet the most interesting developments, from a privacy perspective, are software that enable computer administrators to monitor users' Internet use. Two different products, one developed for business and the other for the home, have recently become available to assist administrators toward this end. These are not the only products in their line, but they are exemplary of their type.

"Assentor," by SRA International, Inc., checks e-mail messages sent by company employees for "unacceptable" language, such as racist or sexist jokes, foul language, and so forth. The software also rates messages as to "the degree of possible offensiveness" (Kaplan). If a message trips Assentor's sensors, that message is detained until a manager or other appointed person can read the text for potential offense. Businesses that wish to use Assentor claim that they do so in order to comply with trade regulations and to maintain good business relations. In the past, however, persons have also lost their jobs on the basis of e-mail message content. In one case, an employee who made a disparaging remark about his employers soon found himself employer-less (Spinello). Judges have ruled that, in e-mail communications, there is "no expectation of privacy" (Kaplan), and thus e-mail messages sent by employees are fair game for employers. At least at the office, there is no such thing as e-mail privacy. This may better serve external corporate relations, but it may also serve to weaken an employee's relationship with the employer, potentially diminishing morale, productivity, and loyalty.

"NetSnitch," an innovation for the home computer, comes in response to the outcry against the accessibility of Internet pornography. Rather than use standard forms of Internet blocking software, such as NetNanny or SurfWatch, the developers of NetSnitch wish not to block, but to observe the sites their children visit during their cyberforays online. NetSnitch, as its name might suggest, maintains a record of the sites a user visits and the amount of time the user spends at each site. Parents are thus made aware of the sites their children visit without actually blocking access to those sites ("New parental..."). Although this type of World Wide Web monitoring has been available through such Internet blocking software as NetNanny, NetSnitch is the first product to market itself for this purpose. While some parents are heralding the arrival of a software that enables them to know where their children have been online, privacy advocates are upset by what Marc Rotenberg, director of the Electronic Privacy Information Center, has called "Orwellian parenting" ("New parental..."). If Assentor reduces the trust between employees and employers, then it is likely that NetSnitch does the same within the family. Children can believe in their parents' lack of trust, regardless of the actual level of trust a parent has in his or her child, and it is the child's belief that does much of the relationship weakening.

Privacy and Trust
There is much discussion in America today of the "right to privacy." Although the right is not constitutionally guaranteed, there is some basis for it in federal law. The legislation, however, has little bearing on the ethical value of privacy. Although privacy itself may be something as simple as "the right to be left alone," the consequences of privacy (or a lack thereof) go far beyond independence and solitude. The expected level of privacy in relationships with other persons-be they business or personal-shapes the ways in which we interact in those relationships. Whenever information is given or received, privacy is a concern. It would seem that in any information exchange, there is an expected level of privacy-how private the parties involved believe the information to be-and an actual level of privacy-how private the information actually is.

When the expected and actual privacy levels are the same, few problems arise. If I send my friend a letter, and I expect the contents of that letter to go no further than that friend, I have established an expected level of privacy. If she, in turn, does not disseminate the information in the letter, the actual level of privacy matches the expected level. But if she gives the letter to her brother, and he shares the information with his friends, the actual level of privacy is far below what was expected. In this instance, problems begin to arise. If she is truly not aware of such expectations or the legitimacy of such expectations, the issue probably ceases to be an ethical one, and becomes something along the lines of a misunderstanding. If, however, I had a legitimate expectation of privacy in my relationship with my friend, and the legitimacy of this expectation is known to her, then it would seem that she has ignored my "right to privacy." If privacy truly is a right, then my friend has committed a moral wrong. But perhaps more important to my friendship than the transgression of rights is the loss of trust in my friend. If I feel that I cannot trust my friend with personal information, I am likely to tell my friend little of importance with regards to my life. Without this depth, my friendship would most likely become shallow and eventually dissolve. My friend has, presumably, done both of us harm.

This pattern is loosely followed in breaches of security in the electronic realm, although the stakes may be much higher for society. Were employees to lose confidence in the state of information security, electronic communication might cease to be an effective tool in the corporate or consumer world. As it is, many individuals refuse to make credit card purchases online, for fear that their credit card numbers might be intercepted by others with criminal intentions. Individuals communicating within an organization might find, were software like Assentor a workplace reality, that little of corporate importance should be discussed on e-mail, for example. The great benefits that electronic communication provides the business world could be lost to concerns for the privacy of information. Trust in the technology itself might dwindle, not to mention the change in the employee-employer relationship discussed earlier. In this scenario, society loses both consumer ease and corporate productivity.

Trust also weakens when the level of information confidentiality is not high. Much of the information collected is used for what it was intended, be that for marketing, registration, or other purposes. The fact that many information collectors do sell their data, however, is beginning to make some persons wary of revealing personal information. Considering confidentiality today, their wariness is justified-and important to protecting their privacy. This wariness, however, denies the benefits of information databases. The compilation of information makes for more efficient business, aids law enforcement, and even lets individuals keep in touch with old friends. None of this is possible, however, without trust in the information collecting agents. And trust will not come unless confidentiality is secured; unless organizations and individuals collecting information for whatever purpose make their intentions known, and do not make that information available to other individuals and organizations.

Trust is not necessarily lost in a breach of privacy; it is not the retention of private information that makes for a trust relationship. Rather, there are ethical considerations that lead one to trust or not to trust. The first has to do with rights; the second, deceit. If an individual transgresses another's rights, especially one's right to privacy, it becomes difficult to place that individual in situations in which one expects one's rights to be upheld. Thus, if my friend lets her brother read my letter, it will be difficult for me to include sensitive information in my letters to my friend again. Furthermore, it is incredibly difficult to place one's faith in someone who has been deceitful in the past. If, in the personal letter example, my friend knew that I expected a certain level of privacy, and if she led me to believe that privacy would be maintained, and yet she still made light of my desires, she could be seen as having deceived me. In some significant sense, she was using me merely to gain my personal information for dissemination. This union of deceit and a lack of respect for human rights leads directly to the weakening of trust. On the Internet, for both business and personal reasons, trust is essential-without it, many of the benefits of the Internet run the risk of disappearing.

Bibliography

Security
Berg, Al. "Is your Web site secure?" Lantimes Online.
http://www.lantimes.com/lantimes/97/97jul/707b028a.html

Braun, David. "Victory for Crypto Exporters as Panel Clears Bill." TechWeb homepage.
http://www.techweb.com/wire/news/jul/0723crypt.html

"Computer group unites to break computer code." CNN Interactive. 19 June 1997.
http://www.cnn.com/TECH/9706/19/crypto.challenge.ap/

"Encryption export battle to resume." MSNBC.
http://www.msnbc.com/news/87969.asp

"FBI Wants Computer 'Keys'." New York Times. 10 July 1997.

"FBI wants method to decode computer messages." CNN Interactive. 9 July 1997.
http://www.cnn.com/TECH/9707/09/data.scrambling.ap/index.html

"For the Record." Washington Post. 10 July 1997.

Pacheco, Dan and Michael Whitney. "Digital Security." Technologypost.
http://www.washingtonpost.com/wp-srv/tech/analysis/encryption/encrypt.htm

"Security lapse allows Web access to credit card numbers." CNN Interactive. 10 July 1997.
http://www.cnn.com/TECH/9707/10/web.security.ap/index.html

Spinello, Richard A. "The Case for E-mail Privacy."
http://www.math.luc.edu/ethics97/papers/Spinello.txt

"Surfer Beware: Personal Privacy and the Internet." Electronic Privacy Information Center homepage.
http://www.epic.org/reports/surfer-beware.html

"Who's watching you?" CNET homepage.
http://www.cnet.com/Content/Features/Dlife/Privacy/ss01.html

Confidentiality

Bernstein, Nina. "Lives on File: Privacy Devalued in Information Economy." New York Times. 12 June 1997.

Brier, Steven. "There's No Guarantee of Privacy on the Internet." New York Times. 13 January 1997.

Broder, John M. "Making America Safe for Electronic Commerce." New York Times. 21 June 1997.

Caruso, Denise. "FTC to Study Internet Privacy." New York Times. 3 June 1996.

Chartrand, Sabra. "What Your Employer Knows About You." New York Times. 19 May 1996.

"Cyberspace Chat." Washington Post. 11 July 1997.

"Lexis-Nexis agrees to let people see personal data." CNN Interactive. 24 June 1997.
http://www.cnn.com

Mannix, Margaret and Susan Gregory Thomas. "Exposed online." U.S. News & World Report. 23 June 1997. 59-61.

Weaver, Jane. "Violations of virtual privacy." MSNBC.
http://www.msnbc.com/news/89370.asp

Safety
Culnan, Mary J. "A LOOK AT...Cyber Privacy." Washington Post homepage.
http://www.washingtonpost.com/wp-srv/WPlate/1997-07/13/088L-071397-idx.html

Dyrli, Odvard Egil. "Online Privacy and the Cookies Controversy." Technology & Learning. March 1997. 20.

"Feds caution Internet sites on seeking data from kids." CNN Interactive. 16 July 1997.
http://www.cnn.com/TECH/9707/16/internet.kids.ap/index.html

Ferrell, Keith. "Dark Side of the Web." CNET homepage.
http://www.cnet.com/Content/Features/Dlife/Dark/index.html

Freed, John C. "Internet Q & A." New York Times. 23 February 1996.

Furger, Roberta. "Your Children Are Talking to Strangers." PC World. June 1997. 35-9.

"FTC Staff Sets Forth Principles for Online Information Collection from Children." Center for Media Education homepage.
http://www.ftc.gov/opa/9707/kidscom.htm

Kalish, David E. "White House Presses for Net Controls for Children." New York Times. 14 June 1997.

"Keeping Secrets." People Magazine. 28 July 1997. 107-8.

Lane, Carole A. "A LOOK AT...Cyber Privacy." Washington Post homepage. http://www.washingtonpost.com/wp-srv/Wplate/1997-07/13/089L-071397-idx.html

"Net privacy at issue." San Jose Mercury News. 3 June 1997.

"Privacy & the Internet." National Public Radio homepage.
http://www.npr.org

Snell, Jason. "Big Brother meets the Cookie Monster." MacUser 13:7. July 1997. 96.

Trott, Bob. "Privacy issue unites rivals." Infoworld. 16 June 1997. 10.

Wasserman, Elizabeth. "Net privacy rule for kids ordered." San Jose Mercury News - Mercury Center. 17 July 1997.
http://www.sjmercury.com/business/ftc071697.htm

Weise, Elizabeth. "Small Company Plays Large Role in Net Privacy." New York Times. 14 June 1997.

"Whatever happened to that guy in French class?" CNN Interactive. 17 July 1997.
http://www.cnn.com/TECH/9707/17/site.seer.people/index.html

Monitoring Software
Chavez, Paul. "Sex offenders on CD-ROM and Internet." MSNBC.
http://www.msnbc.com/news/83825.asp

Kaplan, Carl S. "Big Brother as a Workplace Robot." New York Times. 24 July 1997.

"New parental software tracks kids on Internet." CNN Interactive. 3 August 1997.
http://www.cnn.com/TECH/9708/03/cybersnitch.ap/

Oakes, Chris. "Email Spy Lurks in Corporate Future." Wired homepage.
http://www.wired.com/news/news/technology/story/5315.html

Willett, Shawn. "An E-mail Spy is Coming." TechWeb homepage.
http://192.215.107.71/wire/news/jul/0714email.html

Click here for more ethics related articles.


New Materials

Center News