CPSR President Coralee Whitcomb introduced the main event by going thru a variety of announcements. Dave Farber, the keynote speaker, could not come because of an ill family member.

Technology: The Problem or the Solution?

Coralee introduced the first panel. Dave Banisar, Ray Everett, and Beth Givens were here to get the first panel started. Others arrived later.

Dave Banisar was one of the founders of EPIC [ Electronic Privacy Information Center http://www.epic.org ]. He started by saying that he was with CPSR many years ago. Technology is the engine, but who is behind the wheel was an old CPSR saying. He then reminisced about the time when a few people used email and the main use of computers was support of government programs. There was some commercial interests from those with large data bases. However, in those days the government was behind the wheel.

Things have changed now that the drive for technology appears to be the advertisers and the one-to-one marketers. The world is more interesting now that there are things other than government behind the wheel.

Dave went on to talk about privacy. He reviewed the issue that the tools help but that they have great limitations. For instance, encryption can protect against unauthorized folks using information, but what about those with authorized access. Who limits what they do with the information? What about infomediaries, who say to you,: "In return for some free service we will give away your information." Why do we trust such services?

Dave discussed Microsoft's Passport [ http://memberservices.passport.com/HELP/MSRV_HELP_whatis.ASP ]. Why should we trust Microsoft to do the right thing with our personal information. Dave does not see the benefit of having Microsoft manage private information.

David said that he believes that law is what is needed to protect us from Passport. The law can set a base line of rules, such as restricting what happens to data that a company has about us. The law can say what happens if the company goes bankrupt, or otherwise disappears.

Dave noted that the law restricting pollution forced the development of the catalytic converter which reduces pollution but adds little to the cost of a car. He implied that the industry response to privacy laws might have a similar effect, i.e., the creation of tools that improve privacy without adding much cost.

Dave said that the law is sometimes not a very sharp tool, but it is nevertheless a tool. He described both the benefits and difficulty of law. He said tht there are limits to laws too. David concluded that there needs to be cooperation. A problem is that if the government is not ready to enforce the law then the rules can become meaningless.

Beth Givens [ Privacy Rights Clearinghouse http://www.privacyrights.org/ ] talked about the seven reasons to be skeptical of a "technology fix" to protect privacy.

She said that in the process of compiling surveys they have talked to tens of thousands of people. She showed a list of surveys with some results.

• Over 90% of people believe that privacy is a problem.
• 82% have privacy concerns
• About 94% feel that violators should be punished.

She summarized privacy-enhancing services and technologies Then gave seven reasons why she is skeptical about technology fixes. Then she went on to discuss four privacy enhancing products.

Privacy-Enhancing Products

• Cookies managers
• Cookie Crusher, Cookie Terminator
• Anonymous servers
• Anonymizer, Zero Knowledge Freedom
• Anonymous purchasing
• Iprivacy, Incogno SaveZone, ZixCharge, American Express
• Email security
• Disappearing Inc, PGP, Hushmail

• Consumer Confusion
• Legitimizing data collection in environment of minimal legal protection
• Uncertainty of "secondary use"
• Smith's Foods Club Card Data
• DMV data used for Weight Watchers

She mentioned a case of a supermarket having its data base subpoenaed as part of a drug enforcement effort. The police were not interested in fancy chemicals, but in whether or not the person had purchased volumes of plastic bags.

She gave several examples of secondary use.

She mentioned an advertising person saying that if you want to do direct marketing to fat people all you have to do is ask the DMV for a list of hights and weights.

She also talked about banks being able to affiliate with insurance companies and pool their data.

She continued that if we should ever have martial law, the data will be used for invasion of privacy.

The federal trade commission does not have the staff or the charter to protect our privacy.

She has some recommendations

• Codify the Fair info principles into law
• Conduct "privacy impact assessment" before cementing the design and launching products, e.g., Pentium III with built-in ID
• Social Admin online “personal earnings and benfit estimate statement
• Develop technologies using "Value Sensitive Design"
• Introduce VSD into education at all levels

Definition of Value Sensitive Design (VSD):

VSD refers to an approach to the design of the technology that accounts for human values in a principled and comprehensive manner. These values center on human well-being, dignity, justice, welfare and human rights. She concluded that we should Question Authority, Question Technology, and Question Design

Dr. Ray Everett-Church [ Chief Privacy Officer at AllAdvantage.com ] noted that the head of Proctor and Gamble once said that he had the largest list of people who wet their pants. Ray observed that people on the Proctor and Gamble list might not be happy to be on such lists.

The protection of privacy is not as profitable at the present as having and using the information. Until people believe that privacy is important, it will be difficult to get the commercial people interested. Ray said that he is going to talk about the business elements of Privacy. How can we create a marketplace for privacy.

Ray said that there are a few products to protect privacy, but there are many firms who are doing all they can to invade our privacy.

Ray quoted Negropante, founder of the Media Lab at MIT, saying that Data is most valuable when it is in motion.

Dr. Steven Lucas [ President and Chief Privacy officer of Privaseek Inc. http://www.Privaseek.com/privaseek.html ] reported that Justice Brandeis defined privacy as the "right to be left alone." However, today information is the way that people create wealth.

The question is "Why is the Internet Unique from a Privacy Perspective?" The Internet gives us:

• The ability to use advanced modeling technology
• The ability to network databases has led to information security risk and privacy invasion concerns
• The low cost of direct marketing has significantly increased its use

He mentioned a site called www.lostpeople.com He says that this is a site that should cause fear.

Steven notes that both consumers and legislators are becoming more savvy. Consumers are more willing to share personal info, but they are less likely to share sensitive info. Hobbies will be shared at 47% while name drops to 30%, and credit card number down to 1%. Identity theft is one of the fastest growing crimes of our times. One in five households will be affected by identity theft.

Steven related a story of interviewing people in a company. The people said that they did not collect personal information, and the story held until he talked to the database administrator, who was proud to show all the things that the data base had and could do, including the collection of private data on individuals.

He mentioned several cases in which privacy rulings have made a big impact on the bottom lined because of fines or drastic drops in market value. he mentioned Doubleclick and others.

Steven Lucas said we have to be very careful about what we do when the company goes bankrupt. The problem for consumer is that litigating to stop the release of private information may put the same information into the public record because of the court case.

(Insert by Steve Teicher: I had this experience. A company that sold bricks to the contractor who installed our Jacuzzi went out of business and in addition the contracting company ceased to exist. The result was that my wife and I were sued for $176 and a mechanics lien was placed on our home. We were never aware that the money was owed because we paid the contractor who was supposed to pay for the bricks. However, we did not receive a receipt from the brick company and we never dealt with them. It cost us over $1600 to clear up the lien because everyone dips into this, including the lawyers, court, and more. For almost a year after this incident we received offers from "legal loan sharks," lawyers, and more because of the recording of the lien for $176 on our house. The callers offering expensive money and other forms of help were obnoxious, sometimes calling every evening wondering why we did not want their help.)

He said we should look at www.privacyprotection.org

Austin Hill [ CEO of ZeroKnowledge http://www.ZeroKnowledge.com/ ] is an authority on privacy related issues.

Talked a bit about his facination with privacy and what ZeroKnowledge says about it. He was wondering when he started ZeroKnowledge: what can existing technologies do about privacy? He says, if you think about what is happening in the last four years, there is a parallel to what happened in 40 years in the environmental world. In the 1940s, if you built a plant, then you did not care. By the 1950s you were hearing about it. In the1960s, you were buying lobbyist time. Now you have to have the environmental impact study done first before you even consider building the plant.

A similar thing is happening at Internet speed. Four years ago one did not care about privacy. Now there is tremendous exposure that companies are feeling to privacy violations.

Privaseek is looking at what is the technological infrastructure that supports privacy. He noted last week that in the UK, health insurance companies just got approval to use DNA tests to decide on insurance premiums, etc.

The point that Austin is making that the new technologies are not being built with the thoughts of the consumer in mind. For instance, I should be able to decide how my information is going to be used.

Is privacy on the check list of designers? Now privacy is on the check list at Intel, after the PIII debacle.

He mentioned a case with an AOL data base. Who gets access to the data about who listens to what songs when?

Austin described the privacy law in Canada and also reported on the output of the Privacy Commissioner who reported on a government data base that collected info from various tax services. This database and the group that did it were laid off.

Privacy concern is now becoming main stream.

Questions:

Netiva Caftori: If privacy is the number two issue, why wasn't it mentioned in the Presidential debate. Austin Hill said that both candidates agree on the issue of privacy, so that there is no reason to mention it (In fact Bush mentioned it). Austin Hill said that privacy will be a big deal on the Hill in the next Congress. He also noted that Al Gore mentioned it in the first debate.

Ray mentioned in conversations he has with people and lawmakers, privacy comes up as number one or number two. The problem is that below the top level there is a lot of differenceof opinion. The folks in Congress see privacy as an issue, but they get as many different responses as there are people to ask. It is difficult for them to get the legislative issues right if they are hearing a discordant symphony.

David Banisar said that while we have not seen much in the Predidential debate, that there is a lot of conversation about privacy in lower-level races.

There was a question of protecting patron information in public libraries. For hard copy information many libraries purge thir data bases when the items get checked back in. But what is happening with the Internet?

There was a question of whether anyone has calculated the cost of all the ads in terms of bandwidth. Austin Hill noted that there are tools that do this. However, he also noted that ads to pay a lot of the cost of the content delivery.

Herb Kanner asked about the legitimacy of the laws requiring filters. He said that in most cases the laws that require something specify agencies that set the standards. Ray said that the law normally says that you have to make a good faith effort.

A question was posed to Ray about making privacy profitable. We seem to have an economy that make data gathering profitable.

What's inside...