On Ethics and Identity

CYBER IMPOSTORS STEAL DIAMONDS, ROLEXES: Two Memphis men used the Internet to engineer an identity-theft scam that allowed them to use the credit cards of half a dozen top business executives and order more than $700,000 worth of expensive watches and jewelry. The two men, James R. Jackson and Derek Cunningham, face millions of dollars in fines and several decades worth of prison time if convicted on conspiracy and fraud charges. The case is being held in New York. Manhattan U.S. Attorney Mary Jo White says communications tools offered by the Internet are allowing criminals to engage in new schemes and strategies. Experts say identity theft can be carried out easily over the Internet. All scam artists need to do is pay a fee to an information broker to get an individual's Social Security number. Online databases also contain address information, while an individual's mother's maiden name can be found in obituaries or other public documents. (USA Today, 8 May 2000)[1]

The title refers to the 1971 Frazier-Ali boxing match that some writers called the best bout of the last century. As I see it, information ethics is taking a hammering from e-commerce, and unless we all become involved, the fight is a first round knockout, over before it begins. Before tacking the coming century, we will focus on a few aspects of the past in order to highlight some of the current issues. 

In the 19^th and 20^th centuries, lynchings occurred so commonly in the United States that people bought and sent “lynching post cards.” Today, we are offended that people mailed post cards showing a dead person hanging from a tree with a message saying, “I was here.” Nevertheless, people did. They mailed the cards until 1908, when the U.S. Postal Service decided that such material ought not be carried in the mail. After embarrassing racial incidents, several states were shamed into outlawing the sale of these postcards.[2] Note how these battles rage today, with discussions of community standards, online censorship, and cultural pollution. 
 

Who could have foretold in 1900 that would unleash the atomic bomb, put a man on the moon, or own a PalmPilot? Women in the United States could vote at the start of the century; by the end of the 1900’s only a small fraction of the people vote at all. We cannot predict what is going to happen. However, some trends leap out at us, and we would have to be blind to miss them. We can foretell in 2000 that what happens with privacy and data mining and national ID cards and biometrics will change our sense of who we are as people. The big players in this revolution are the same people forming start-ups and dealing in e-commerce all over the globe. Our future is in their hands.
 

The Main Areas of Concern about Information

The following example contains critical information issues: privacy, accuracy, security/access, and ownership[3]

If I speed down the highway, and the police stop me, the resulting traffic ticket contains true but potentially harmful information about me, for my driver's insurance policy premium may increase, and other friends and relatives may lose confidence in my driving judgment. 

What would happen if I was also behind on child support payments, and the computer puts my name together with this infraction? Government officials might track me down and make me start paying my monthly contribution. If I were drinking alcohol, matters get worse, for I might not be hired for certain jobs due to this evidence of drunk driving. 

Now, what if I were not going too fast and did not get a ticket, but someone mistyped the information, and my name is in the records for speeding or driving under the influence of alcohol? Moreover, what if a prospective employer uses computers to learn everything it can about me and finds out about the phantom ticket? Although I did not do anything wrong, I could forfeit a prospective job. 

This scenario brings up key questions: What aspects of traffic tickets or any other piece of information should be private? How can we ensure the accuracy of information stored about us? Who can and should have access to that information? Who owns information about us? 
 

Ethics

We are, in essence, our moral and ethical selves. My ethical self should not vary from one situation to another. When I change my surroundings, I always bring me with me. Thus, if I am not consistent--if I behave one way at work and a different way elsewhere--then I am in danger of losing “me.” My values are the integral part of me, and through my values I know myself. 

This thought brings us to ethics. Ethics is moral decision making. When a mother grabs her child and flees a burning building, she does not have a spare second to contemplate her choice; she acts on instinct. That is not an ethical choice; it is a reaction.

Given time to think about what we are doing (provided that we do not have a gun pointing at our head), we usually try to select the most moral option among many. We may choose to ignore the niggling voices of our conscience, and perhaps do something we are not proud of. When I see what is happening online, I worry that some programmers and businesspeople appear to have no “niggling voice” in their ear, that their choices are not based on any ethical standard that I can recognize.

If ethics is about moral decision-making, then what ethical guidelines do people have? Where did they learn them and how widespread are they? What laws are best to deal with information? Will we obey these laws? Who can enforce the laws? If an offshore gambling site breaks the mores of Minnesota, how does Minnesota preserve its mores?

A young Amherst graduate now living in New York spoke to me about his new job. He works in Silicon Alley, creating the banner ads that rake in personal information about web surfers. I asked him if he worried about ethics, and he said “No.” He added, “We need that advertising money to finance the Internet.” In this fellow’s mind, his work supported my use of the Internet, as though the Internet never existed until the browser came along. History began in 1995. 

Shared values are the mortar of a society. Society has to have its mores and trust among its members. Part of our current problem is that traditional ethical values are situated in the physical world, where the ultimate measure of an action is how that action affects the people we live with. One constraint on physical behavior is that others can observe what we do, and the results of our moral decisions are “out there” for all to judge. 

In the online world, we sit in front of a computer, away from the public eye, and we write flaming email messages, creep into other people’s servers, and do all sorts of things we would not do in a face-to-face situation. 

My specialization is computer and information ethics, a field that deals with a more difficult ethical concept to grasp, that is, the sacredness of information itself. In the Information Age, one of our duties ought to be preserving the privacy, security, and integrity of information. We have to ensure access to it and maintain ownership of it, and the battle is constant and unrelenting. 

Check the course offerings in computer science departments around the country. Is ethics mentioned anywhere? Is it required as a single course? Is it supposedly integrated into all courses? Both the Association of Computing Machinery’s Curriculum 91 and the Computer Science Accreditation Board's Standards recommend the inclusion of ethical issues in the computer science curriculum. Why? If they did not demand that ethics is taught, it might not be. 

The other day as I searched the web for materials on programming, I clicked a link and suddenly a pornographic page popped up. I immediately hit the close button, only to have a new pornography site appear. Every time I clicked the window shut, another page popped up. I felt like Mickey Mouse in Fantasia, with the broomsticks proliferating. The entrepreneurs who ran the porn sites had literally hijacked me. What if I had been using a browser at work, and my boss monitored my web usage? I could be fired for accessing pornography on the job. Hijacking destroys that most important element in information ethics, trust in the reliability and accuracy of information. If you want to learn more about this practice, read the FTC complaint at http://techlawjournal.com/courts/ftcvpereira/19990914com.htm.

Pornography and gambling are leading the way in online commerce, and I cannot tell how soon others will follow. Do not imagine that page hijacking is something that only pornographers do. One example of “hijacking” involves trademarks. Trademarks such as Pepsi and Playboy are very highly valued by their owners. Companies spend years developing brand recognition and the good faith of the customer. A questionable practice of some companies is to embed in their web pages, invisible to the visitor, the names of very popular products and sites. Calvin Designer Label Company incorporated the words "Playboy" and "Playmate" into the invisible coding on its adult-oriented websites. Likewise, National Envirotech Group, a pipeline-reconstruction company, embedded the names of a larger competitor, Insituform Technologies Inc. 

This trick diverted traffic from Playboy and Insituform to their competitors. Such practices also diminish the value of search engines as a way for people to find accurate information about companies. Diverting people on the Internet is like slapping a sign on a freeway that says “Shell,” and when you pull up in front, you are at Exxon.

To maintain trust and a common morality, we protect information, as we would guard jewels. The danger with counterfeit money is a devaluing of all currency; the same concept applies to the integrity of information. 

E-Commerce

Silicon Valleys exist across our country, from New York to Austin to Palo Alto. What is happening? Who are these business people? What are their values? Do they use moral reasoning to arrive at decisions? What are their priorities? 

Recently, an author said that he was struck, while doing a recent series of interviews with e-commerce CEOs, on the "low quality of the Dot Com CEOs when compared with the traditionalists." He characterized the Dot Com CEOs as “lacking in depth, experience and common business sense, driven primarily by jealously and greed in a race to go public as quickly as possible and rake in those stock options. ‘Hey, why get rich slowly with a lot of work when I can get rich quickly with not much work?’ is the general thinking.”[4]
 

That author predicted a stock market “shake out,” one that we are witnessing today. He wrote that the Dot.Coms will fail, and take with them “a sinful amount of venture and day trader capital.” The toll on human capital will be even worse: “An entire generation of business leaders will be corrupted. They will have great skills in designing obtuse ad campaigns, doing barter deals, negotiating with investment banks and venture capitalists, and doing secondary road shows. But this generation will have no skills in marshaling sales forces, hiring executive teams, working out fair business contracts with customers, and building employee morale and culture that is sustainable beyond a two-year period.”[5]

Not long ago, a company called RealNetworks released software called RealJukebox that let people listen to CDs and digital music while working on a computer. People simply downloaded the software from the Internet and installed it on their hard drives. RealJukebox sent back the unique ID number generated by each installation of the RealNetworks software on each PC, together with the names of all the CDs played, the number of songs recorded on the hard disk, the brand of MP3 player owned, and the music genre listened to most. The unique ID number could be mapped to a person’s e-mail address via the registration database.[6]

Information stored on my hard disk in cookies is hard to control as well. Either I go to the inconvenience of approving all cookies, install cookie cutter software, or live with ongoing monitoring. In sum, I am a deer in the woods, trying to hide from hunters, yet wearing a GPS chip clipped onto my ear.

The Internet is making identity theft one of the signature crimes of the digital era. Identity theft is the pilfering of people's personal information for use in obtaining credit cards, loans and other goods. Any visitor to cyberspace can find websites selling all kinds of personal information and, with that information in hand, thieves can acquire credit, make purchases, and even secure residences in someone else's name. 
 

The Social Security Administration reported that it received more than 30,000 complaints about the misuse of Social Security numbers in 1999, most of which had to do with identity theft. That was up from about 11,000 complaints in 1998 and 7,868 complaints in 1997.[7]

How is identity theft tied to the Internet? The evidence is clear. For example, GeoCities, a Web portal that claims nearly 20 million visitors a month, sold information solicited during its registration process, despite an explicit online assurance it would not do so. The data included income, education, marital status, occupation, and personal interests. In January, 2000, the Federal Trade Commission charged eight California businesses with billing consumers for unordered and fictitious Internet services, using their credit-card account numbers.[8]

Identity theft, as any victim can attest, can destroy a personal credit rating and potentially lead to very expensive litigation that may take years or perhaps decades to fully correct. The victim cannot rent an apartment, obtain credit, or even hook up to phone service. Identity theft and related computer crimes supported over to the Internet may become an unparalleled destabilizing force for 21st century.[9]

Practices of E-Commerce Companies

I can buy Viagra online because regulators cannot keep up with the proliferating websites. As soon as one site closes down, another takes its place. Who are the doctors prescribing drugs online? Who facilitates their work? 

Recently, Amazon.com entered the spotlight for featuring books posing as editorial picks. In fact, publishers paid for books to be featured on Amazon.com's home page. While product placements are commonplace, the issue is one of ethics. The readers thought that Amazon selected the books on merit.

The Better Business Bureau is a useful source of information about e-commerce practices, http://www.bbb.org/. 

People need to be aware of exactly what they are revealing and to whom when giving out information, however inadvertently. Online services know not only their members' social security and credit card numbers, but may also hold entire profiles on people, including what bulletin boards they join--discussion groups for cancer survivors, for instance, a potential danger for a job applicant. On that thought, here is an email message that I recently received:

Date: Sat, 29 Jan 2000 23:30:00 PDT 

From: "Customer Service at itn.net" <amex-efares@itn.net> 

Subject: An important announcement from Internet Travel Network 

Sender: "Customer Service at itn.net" <amex-efares@itn.net> 

To: Internet.Travel.Network.Subscribers@ml-sc-0.itn.net

Reply-To: "Customer Service at itn.net" <amex-efares-reply@itn.net>

This is a special post only email. Please do not reply.

Dear Internet Travel Network subscriber:

We are pleased to announce that ITN.net has combined forces with American ExpressÆ Travel and Entertainment to bring you a new and enhanced online travel site. The creation of this powerful site provides new capabilities and benefits for all of your travel needs. By typing in the URL, www.itn.net, you'll be able to continue to make all of your travel plans online. 

What you gain with our new relationship with American Express is continued access to ITN's airline booking system which provides competitive airfares and schedule information…

To make this transition as easy as possible, your profile and password information will be transferred to the new reservation system. Past booking information will continue to be available. Now you'll get to explore these travel services from one of the world's largest travel agencies, American Express. 

We look forward to welcoming you to the new American Express Travel Home Page.

Sincerely,

Gadi Maier President & CEO, GetThere.com

The email message above told of a recent merger of two travel firms, ITN and American Express. My files automatically went to American Express, and I had no power to stop it. ITN evidently owned my information and used it as an asset in the business merger. 

A few years ago, such an occurrence would seem less threatening. After all, banks and stockbrokerages merge all the time and transfer personal records. However, today, with massive and easily searchable databases, the transfer of data about us without our consent is frightening. Yet that was the company's main asset, its customer database, with my name and travel preferences.

Some companies also gather data merely for the purpose of selling it. Few protections against these practices have been established, though some have been proposed in Congress. I attended a Washington hearing between the top administrators and business representatives, and the overwhelming message from the capitol is that self-regulation is going to be the only choice we have of the ethical handling of our information by e-commerce businesses. 

Privacy of Information

Scott McNealy, chairman and chief executive of Sun Microsystems[11]

One of the worst aspects of credit cards and computers and digital information is that I cannot even hide from myself, let alone from the rest of the world. The Visa card readout tells me more than I want to know. Formerly, when we dealt in cash and checks, we had little idea how we spent our money. With credit cards and electronic money, the bank not so kindly itemizes my expenses for me so I can see where I spend it—hotels, travel, meals, and entertainment—not a pretty sight. 

Privacy is not mentioned in the United States Constitution. Justice Louis Brandeis argued in a1890 Harvard law review article that people have the right to keep parts of themselves private. Later, in a famous dissent to privacy case, he wrote, "Subtler and more far-reaching means of invading privacy have become available . . . Ways may some day be developed by which Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.[12]

In Europe, privacy protection laws are much stricter than in the United States. It is illegal to combine the health care database with the tax database, for example. In the United States, such strictures do not apply as firmly. 

In my textbook on computer and information ethics, I use the following scenario to make students think about privacy:

Today there are websites that provide roadmaps of most cities. These sites assist in finding particular addresses and provide zooming capabilities for viewing the layout of small neighborhoods. Starting with this reality, consider the following fictitious sequence. Suppose these map sites were enhanced with satellite photographs with similar zooming capabilities. Suppose these zooming capabilities were increased to give a more detailed image of individual buildings and surrounding landscape. Suppose these images were enhanced to include real-time video. Suppose these video images were enhanced with infrared technology. At your own home 24-hours-a-day. At what point in this progression were your privacy rights first violated?[13]

Marketers say that consumers give out their information "willingly" in exchange for services, but cookies from banner ads are invasive. A friend of mine wrote this email message:
 

I was looking at www.cnn.com this morning when I got a cookie alert. It said something like, "To increase your viewing experience we would like to install a small file 'cookie' on your system."

Upon clicking on "more info," the cookie was from a banner ad, for Nicorette[a product to help you stop smoking]. Seems like the phrase should have said, "To provide info to the advertiser..."[14]

Likewise, when we open up email containing a web page, another cookie could be left on our drive, and this time, because it arrived through email, our exact email address can be linked to data about sites that we previously visited. 

Prominent companies are associated with privacy invasion. After a lawsuit, the Chase Manhattan Bank and the Internet company InfoBeat will no longer be sharing customer data with telemarketers. Chase had violated its own privacy policy when it divulged personal and financial information about as many as 18 million credit card and mortgage holders across the country, while InfoBeat inadvertently provided customer email addresses to advertisers because of a software problem that has since been corrected.[15]
 

For years, people in many countries have worried about national databases and national identity (ID) cards. In one very public case, a New Hampshire company began planning to create a national identity database for the United State federal government. The company would have begun by putting driver's license and other personal data into one giant database.[16] The company officials believed their system could be used to combat terrorism, immigration abuses, and other identity crimes, and the company received $1.5 million in federal funding and technical assistance from the Secret Service. This piqued the interest of foreign governments who inquired about whether technology could be used to verify the identities of voters.[17]

Privacy advocates complained loudly about the plans to scan in license photos, and states stopped their plans to sell the information. However, the company intends to offer a revamped version of its system that will gather photos and personal information from one customer at a time at retailers, banks, and other participating companies. By collecting photographs individually, the company hopes to head off complaints that it is violating drivers' privacy by gathering the images without their consent.[18] Just as supermarkets gather data about our shopping habits, slowly this company will compile data linked to a picture, eventually building a huge database capable of identifying all of us.

As for government information, recall that government agencies are publicly owned, and they are required by law to give open access to the information they hold. The government cannot copyright information. With the data produced by global positioning systems, GIS, businesses can create entirely new data out of old information, and that may then indirectly reveal information that is supposed to be private. 

The Future

 

In this age of information, we, the professionals who are entrusted with this data, are increasingly being looked at as people who are no better than a drug dealer who stalks out an elementary school looking for future clients. We possess something much more powerful than drugs, though, we have at our control the information stores that control the world and most of the people who inhabit it.[19]

Recently, I discovered classmates.com. This website allows me to locate old friends from the Ukiah High School class of 1964. If I want to email them, I pay $25 for that privilege for the coming two years. I did not hesitate to join, to give them my email address, Visa card number, and all the information that anyone needs to track me down. The site owners will be instantly rich, even though the site could disappear in three months. I have no guarantee, no assurance whatsoever. What they sold me was irresistible, the chance to find old friends. Compare $25 with the effort it would take to locate these people—it is a bargain. Or is it?

After several million of us have suffered identity theft, people will call for a technological fix. We can imagine being forced to accept national IDs, implanted chips, and retinal scans. How else can we trust that people are who they say they are? Yet, does a match on a retinal scan really tell us anything? Someone could switch the master database, so the scan is linked to another identity. Information is only as good as the integrity of the database underneath it.

As far as the national identity card issue goes, the government will not lead the way, but business will. The brave new world envisioned by the Hewlett-Packard Company gives me pause. They predicted that in the future, a doctor will pick up a context-aware badge when entering a hospital. The badge will recognize the doctor through biometrics (fingerprint, iris, face or voice recognition). A global positioning system device in the badge will physically locate the doctor. The badge will know what is going on around the physician because of the servers embedded throughout the facility, and everyone else will be wearing context-aware badges. 

When the doctor enters a room, the system will recognize the doctor, confirm that he or she is seeing the right patient and the relevant charts will automatically come up on a computer screen. If an unauthorized person approaches the screen, the screen will go blank. 

Is that so far away from where we are now? The technology is in the hands of people acquiring instant wealth, and whose children expect to be rich by the age of 25. Reports from Silicon Valley are worrisome.

Is privacy going to be lost to technology? What can we do about it? Here are some self-help suggestions:

oBe informed. Push hard for open access to information that is stored about you. 

oUse encryption. 

oSupport legislation to protect privacy. Right now, the money in government is bolstering up enforcement of copyright and patent protections while leaving e-commerce privacy abuse to "self-regulation." 

oUse an anonymous server to send email or access Internet sites when you want privacy. 

oPrevent widespread distribution of Usenet, private listserv postings, and chat group discussions by using passwords, domain name filtering, Internet address filtering, or a firewall to prevent access by unauthorized users.[20]

oUse cookie cutter software to select the cookies you want stored on your hard drive.

The activists today work for a better future, one in which information is treated with respect. A century ago, we had radicals fighting for equal rights for women. After public protest, the government stepped in and stopped the mailing of lynching post cards. Today we have organizations like CPSR (Computer Professionals for Social Responsibility) and EPIC (Electronic Privacy Information Center) and the ALA (American Library Association) espousing information ethics. 

Most Internet activists realize that key technologies and policies affecting our future will come from the field of telecommunications. Nevertheless, this sensitivity is relatively recent. When Congress passed the Telecommunications Act of 1996, few computer and information professional knew about little more than the Communications Decency Act. However, after realizing the key decisions that will determine the future of the Internet, e-commerce, and information ethics, these same programmers and librarians are arguing Section 251(b) with telecommunication carriers and discussing what is intrastate versus what is interstate with the FCC.

The Internet is both dependent on traditional telecommunications and in some ways a competitor to them. Those interested in Internet policy can follow telecommunications debates, both national and international. We can keep an eye on who has the right to regulate e-commerce and telecommunications issues, and we can make our voices heard.[21]

Until that time comes, fasten your seatbelts. We are in for quite a ride.