High-tech snoops get real personal

0 Comments | Insight on the News, August 19, 1996 | by David Wagner

The evolution of data collection is outpacing the legal system's ability to protect your privacy.

As more than 700 former Republican White House staffers have discovered, the Privacy Act no longer means much in today's highly partisan atmosphere. Given that this atmosphere not only is partisan but computerized as well, it may take laws far more sophisticated to protect the privacy of those about whom the federal government collects information. And that is a very disturbing aspect of the Filegate scandals currently haunting the Clinton administration.

The fact is, technological developments in collecting personal information on Americans are fast outstripping the legal system's ability to account for them. Granted, law traditionally has developed in response to real-world circumstances. Commercial law was preceded by commerce; tort law was preceded by people trespassing on each others' land, hitting each other with sticks and defaming the tavernkeeper's beer. With computers, too, the law will catch up.

But it had better hurry. Here are some questions the US. legal system will face:

* How are personal-privacy rights to be protected when data collection that formerly would have taken months of a private detective's time now can be accomplished with a few keystrokes?

* What happens to the notion of limited personal jurisdiction -- for example, the fact that courts of Kentucky can't force a citizen of Oregon to serve as a defendant in Kentucky unless that Oregonian has had some sort of meaningful contact with Kentucky -- in a world in which one can send data to, and receive data from, computers anywhere in the world?

* How can the Internet become a viable marketplace when any information sent over it, including copyrighted works, credit-card numbers and other sensitive material, can be imperceptibly intercepted?

* Should encryption technology that could solve many of these problems be banned because of the possibility that it could end up in the hands of terrorists and gangsters? And does it matter that the terrorists and the gangsters are going to get it anyway?

"Encryption" is a fancy word meaning translating information into code to keep it safe from snoops. Encryption technology is software that can restrict data access to those who have a special software "key." The "strength" of encryption technology is measured in "bit-lengths." Encryption technology with a bit-length of 40 or higher is considered "strong." Solveig Bernstein, telecommunications-policy analyst at the Cato Institute, says this threshold is too low. "Netscape uses 40 bit-length encryption," she says, "and hackers break it all the time."

The United States forbids the export of strong encryption technology. The rationale: Such technology might be used by terrorists. True, say opponents of the ban, but given the realities of electronic communication the technology will fall into those hands anyway. Streams of 1s and 0s, transmitted electronically, don't know from border guards or customs officials.

A consortium of Japanese companies already has developed a strong encryption system and intends to market it globally California-based RSA Corp. also is on the cutting edge of encryption. And, legislation is moving forward to relax the export controls (see cover story, pp. 8-11).

For commercial marketers the new possibilities for data collection are a bonanza. Mail-order companies are adept at pinpointing the interests of prospective customers, as demonstrated by the distribution of sales materials or catalogues targeted at -- or at least within spitting distance of -- their specific interests. Sophisticated list brokers break out lists by 130 qualities of name profile. And that's a lot of snooping.

The fact is, every time someone uses a credit card, even in a store, an electronic trace remains. If a customer buys a book with a credit card, the clerk sweeps the card through the verification machine with its little keypad, then sweeps the purchase with its bar codes over the electronic reader. That credit card now can be matched to specific titles. Over time, a detailed portrait of the customer's book-buying habits can be compiled.

The only way to prevent this is to use cash. In that light, the current talk about "E-cash" and the impending extinction of currency may be ominous.

It is possible to create anonymous cash-cards, says Cato's Bernstein, which would have a specific value imprinted on them electronically, and users could spend them down without revealing personal identity. However, the cash-cards would require encryption far stronger than 40 bit-lengths: "Otherwise," says Bernstein, "they can be fiddled so that they never run out. A few of these were made for the Olympics, with $20 on them. They were taken off the market, but they could be out there somewhere. If you have one, you can rig them so that you can buy an unlimited amount of stuff with them -- as long as no individual purchase is for more than $20."

Furthermore, every time someone visits a World Wide Web site on-line, he or she leaves an electronic fingerprint. Web sites sometimes brag about how many "hits" they've had or they may tell a user that he or she is the 51,924th hit since last Monday. What people may not know, says Bernstein, is that it is relatively easy for Web-site operators to recover not only the total number of hits but also the source of each. To visit a Web site is to sign its guest book and announce the visit to the world.