Internet privacy

From Wikipedia, the free encyclopedia


Internet privacy consists of privacy over the media of the Internet: the ability to control what information one reveals about oneself over the Internet, and to control who can access that information. Many people use the term to mean universal Internet privacy: every user of the Internet possessing Internet privacy.

Internet privacy forms a subset of computer privacy. A number of experts within the field of Internet security and privacy believe that security doesn't exist: "Privacy is dead - get over it"[1], according to Steve Rambam, a private investigator specialising in Internet privacy cases. Privacy advocates believe that it should exist.

Levels of privacy

People with only a casual concern for Internet privacy need not achieve total anonymity. Internet users may achieve an adequate level of privacy through controlled disclosure of personal information. The revelation of IP addresses, non-personally-identifiable profiling, and similar information might become acceptable trade-offs for the convenience that users could otherwise lose using the workarounds needed to suppress such details rigorously. On the other hand, some people desire much stronger privacy. In that case, they may try to achieve Internet anonymity to ensure privacy — use of the Internet without giving any third parties the ability to link the Internet activities to personally-identifiable information of the Internet user.

Risks to Internet privacy

Those concerned about Internet privacy often cite a number of privacy risks — events that can compromise privacy — which may be encountered through Internet use. These methods of compromise can range from the gathering of statistics on users, to more malicious acts such as the spreading of spyware and various forms of bug exploitation.

Several social networking sites provide privacy measures intended to protect their users' personal information. On Facebook, for example, privacy settings are available to all registered users. These settings include the ability to block certain individuals from seeing your profile, the ability to choose your "friends," and the ability to limit who has access to your pictures and videos. Privacy settings are also available on other social networking sites such as E-harmony and MySpace. It is the user's prerogative to apply such settings when providing personal information on the Internet.

Cookies

See main article, HTTP cookie

Cookies are tools which are sometimes used for user-tracking, a common concern in the field of privacy. As a result, some types of cookies are classified as tracking cookies. Although HTML-writers most commonly use cookies for legitimate purposes, cases of abuse can and do occur.

An HTTP cookie consists of a piece of information stored on a user's computer to add statefulness to web-browsing. Systems do not generally make the user explicitly aware of the storing of a cookie. (Although some users object to that, it does not properly relate to Internet privacy. It does however have implications for computer privacy, and specifically for computer forensics).

The original developers of cookies intended that only the website that originally distributed cookies to users could retrieve them, therefore returning only data already possessed by the website. However, in practice programmers can circumvent this restriction. Possible consequences include:

Some users choose to disable cookies in their web browsers - as of 2000 a Pew survey estimated the proportion of users at 4%[2]. Such an action eliminates the potential privacy risks, but may severely limit or prevent the functionality of many websites. All significant web browsers have this disabling ability built-in, with no external program required. As an alternative, users may frequently delete any stored cookies. Some browsers (such as Mozilla Firefox and Opera) offer the option to clear cookies automatically whenever the user closes the browser. A third option involves allowing cookies in general, but preventing their abuse. There are also a host of wrapper applications that will redirect cookies and cache data to some other location.
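The three user-side options in the paragraph above (disable cookies, clear them when the browser closes, or accept cookies in general but refuse third-party ones), sketched with the policy engine in Python's standard `http.cookiejar`. This is an added example, not part of the original article; the hostnames `news.example` and `ads.tracker.example`, the cookie values and the `SampleResponse` helper are constructed for illustration.

```python
import email.message
import http.cookiejar as cookiejar
import urllib.request


class SampleResponse:
    """Stand-in for an HTTP response carrying constructed Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def browse(policy):
    """Replay one constructed page visit under `policy` and return the jar."""
    jar = cookiejar.CookieJar(policy)
    # First-party page load: a session cookie and a one-year persistent cookie.
    page = urllib.request.Request("http://news.example/")
    jar.extract_cookies(
        SampleResponse(["sid=s1; Path=/", "prefs=dark; Path=/; Max-Age=31536000"]),
        page,
    )
    # Embedded resource from another site, fetched without user action
    # (an "unverifiable" request in RFC 2965 terms): the tracking case.
    pixel = urllib.request.Request(
        "http://ads.tracker.example/pixel.gif",
        origin_req_host="news.example",
        unverifiable=True,
    )
    jar.extract_cookies(SampleResponse(["uid=u42; Path=/; Max-Age=31536000"]), pixel)
    return jar


def names(jar):
    """Sorted cookie names currently stored in the jar."""
    return sorted(cookie.name for cookie in jar)


# Baseline: accept everything the default policy accepts.
PERMISSIVE = cookiejar.DefaultCookiePolicy()
# Option 1: cookies disabled (an empty allow-list lets no domain set one).
DISABLED = cookiejar.DefaultCookiePolicy(allowed_domains=[])
# Option 3: cookies allowed in general, third-party setting refused.
NO_THIRD_PARTY = cookiejar.DefaultCookiePolicy(strict_ns_unverifiable=True)


def close_browser(jar, clear_all=False):
    """Option 2: on exit drop session cookies, or every cookie if clear_all."""
    if clear_all:
        jar.clear()
    else:
        jar.clear_session_cookies()
    return names(jar)
```

Under `NO_THIRD_PARTY` the site's own `sid` and `prefs` cookies survive while the tracker's `uid` is never stored, which is why this option keeps sites working where `DISABLED` does not.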

The process of profiling (also known as "tracking") assembles and analyzes several events, each attributable to a single originating entity, in order to gain information (especially patterns of activity) relating to the originating entity. Some organizations engage in the profiling of people's web browsing, collecting the URLs of sites visited. The resulting profiles can potentially link with information that personally identifies the individual who did the browsing.

Some web-oriented marketing-research organizations may use this practice legitimately, for example: in order to construct profiles of 'typical Internet users'. Such profiles, which describe average trends of large groups of Internet users rather than of actual individuals, can then prove useful for market analysis. Although the aggregate data does not constitute a privacy violation, some people believe that the initial profiling does.

Profiling becomes a more contentious privacy issue when data-matching associates the profile of an individual with personally-identifiable information of the individual.

Governments and organizations may set up honeypot websites - featuring controversial topics - with the purpose of attracting and tracking unwary people. This constitutes a potential danger for individuals.

ISPs

Consumers obtain Internet access through an Internet Service Provider (ISP). All Internet data to and from the consumer must pass through the consumer's ISP. Given this, any ISP has the capability to observe everything about the consumer's (unencrypted) Internet activity.

However, ISPs are usually prevented from participating in such activities due to legal, ethical, business, or technical issues.

Despite these legal and ethical issues, some ISPs, such as British Telecom (BT), are planning to use deep packet inspection technology provided by companies such as Phorm in order to examine the contents of the pages which people visit. By doing so, they can build up a profile of a person's web surfing habits, which can then be sold on to advertisers in order to provide targeted advertising. BT's attempt at doing this will be marketed under the name 'Webwise'.

Normally ISPs do collect at least some information about the consumers using their services. From a privacy standpoint, ISPs would ideally collect only as much information as they require in order to provide Internet connectivity (IP address, billing information if applicable, etc).

What information an ISP collects, what it does with that information, and whether it informs its consumers, pose significant privacy issues. Beyond the usage of collected information typical of third parties, ISPs sometimes state that they will make their information available to government authorities upon request. In the US and other countries, such a request does not necessarily require a warrant.

An ISP cannot know the contents of properly-encrypted data passing between its consumers and the Internet. For encrypting web traffic, HTTPS has become the most popular and best-supported standard. Note, however, that even if users encrypt the data, the ISP still knows the IP addresses of the sender and of the recipient. (However, see the IP addresses section for workarounds.)

Concerns regarding Internet user privacy have become significant enough for a UN agency to issue a report on the dangers of identity fraud[3].

Data logging

Many programs and operating systems are set up to perform data logging of usage. This may include recording times when the computer is in use, or which web sites are visited. If a third party has sufficient access to the computer, legitimately or not, the user's privacy may be compromised. This could be avoided by disabling logging, or by clearing logs regularly.

Legal threats

Use by government agencies of an array of technologies designed to track and gather Internet users' information is the topic of much debate between privacy advocates, civil libertarians and those who believe such measures are necessary for law enforcement to keep pace with rapidly changing communications technology.

Specific examples

  • Following a decision by the European Union’s council of ministers in Brussels, in January, 2009, the UK's Home Office adopted a plan to allow police to access the contents of individuals' computers without a warrant. The process, called "remote searching", allows one party, at a remote location, to examine another's hard drive and Internet traffic, including email, browsing history and websites visited. Police across the EU are now permitted to request that the British police conduct a remote search on their behalf. The search can be granted, and the material gleaned turned over and used as evidence, on the basis of a senior officer believing it necessary to prevent a serious crime. Opposition MPs and civil libertarians are concerned about this move toward widening surveillance and its possible impact on personal privacy. Says Shami Chakrabarti, director of the human rights group Liberty, “The public will want this to be controlled by new legislation and judicial authorisation. Without those safeguards it’s a devastating blow to any notion of personal privacy.”[4]
  • The FBI's Magic Lantern software program was the topic of much debate when it was publicized in November, 2001. Magic Lantern is a Trojan Horse program that logs users' keystrokes, rendering encryption useless.[5]

Other potential Internet privacy risks

Anonymous Internet usage

For anonymous browsing of websites, see anonymizer. For anonymous email, see anonymous remailer. For anonymous speech online, see anonymous post.

Specific cases

Jason Fortuny and Craigslist

In early September 2006, Jason Fortuny, a Seattle-area freelance graphic designer and network administrator, posed as a woman and posted an ad to Craigslist Seattle seeking a casual sexual encounter with men in that area. On September 4, he posted to the wiki website Encyclopædia Dramatica all 178 of the responses, complete with photographs and personal contact details, describing this as the Craigslist Experiment and encouraging others to further identify the respondents.[6]

Although some online exposures of personal information have been seen as justified for exposing malfeasance, many commentators on the Fortuny case saw no such justification here. "The men who replied to Fortuny's posting did not appear to be doing anything illegal, so the outing has no social value other than to prove that someone could ruin lives online," said law professor Jonathan Zittrain[7], while Wired writer Ryan Singel described Fortuny as "sociopathic".[8]

The Electronic Frontier Foundation indicated that it thought Fortuny might be liable under Washington state law, and that this would depend on whether the information he disclosed was of legitimate public concern. Kurt Opsahl, the EFF's staff attorney, said "As far as I know, they (the respondents) are not public figures, so it would be challenging to show that this was something of public concern."[7]

According to Fortuny, two people lost their jobs as a result of his Craigslist Experiment and another "has filed an invasion-of-privacy lawsuit against Fortuny in an Illinois court." [9]

Fortuny did not enter an appearance in the Illinois suit, secure counsel, or answer the complaint after an early amendment. Mr. Fortuny had filed a motion to dismiss, but he filed it with the Circuit Court of Cook County, Illinois, and he did not file proof that he had served the plaintiff.[10] As a result, the court entered a default judgment against Mr. Fortuny and ordered a damages hearing for January 7, 2009.[11] After failing to show up at multiple hearings on damages,[12][13] Fortuny was ordered to pay $74,252.56 for violation of the Copyright Act, compensation for Public Disclosure of Private Facts, Intrusion Upon Seclusion, attorneys' fees and costs.[14]

Search engine data and law enforcement

Data from major Internet companies, including Yahoo! and MSN (Microsoft), have already been subpoenaed by the United States[15] and China[16]. AOL even provided a chunk of its own search data online[17], allowing reporters to track the online behaviour of private individuals[18].

In 2006, a wireless hacker pled guilty when his Google searches were used as evidence against him. The defendant ran a Google search over the network using the following search terms: "how to broadcast interference over wifi 2.4 GHZ," "interference over wifi 2.4 Ghz," "wireless networks 2.4 interference," and "make device interfere wireless network." While court papers did not describe how the FBI obtained his searches (e.g. through a seized hard-drive or directly from the search-engine), Google has indicated that it can provide search terms to law enforcement if given an Internet address or Web cookie. [19]

US v. Ziegler

Many cases discuss whether a private employee (i.e., not a government employee) who stores incriminating evidence in workplace computers is protected by the Fourth Amendment's reasonable expectation of privacy standard in a criminal proceeding.

Most case law holds that employees do not have a reasonable expectation of privacy when it comes to their work-related electronic communications. See, e.g. US v. Simons, 206 F.3d 392, 398 (4th Cir., Feb. 28, 2000).

However, one federal court held that employees can assert the attorney-client privilege with respect to certain communications on company laptops. See Curto v. Medical World Comm., No. 03CV6327, 2006 U.S. Dist. LEXIS 29387 (E.D.N.Y. May 15, 2006).

Another recent federal case discussed this topic. On January 30, 2007, the Ninth Circuit court in US v. Ziegler, reversed its earlier August 2006 decision upon a petition for rehearing. In contrast to the earlier decision, the Court acknowledged that an employee has a right to privacy in his workplace computer. However, the Court also found that an employer can consent to any illegal searches and seizures. See US v. Ziegler, ___F.3d 1077 (9th Cir. Jan. 30, 2007, No. 05-30177). [1] Cf. US v. Ziegler, 456 F.3d 1138 (9th Cir. 2006).

In Ziegler, an employee had accessed child pornography websites from his workplace. His employer noticed his activities, made copies of the hard drive, and gave the FBI the employee's computer. At his criminal trial, Ziegler filed a motion to suppress the evidence because he argued that the government violated his Fourth Amendment rights.

The Ninth Circuit allowed the lower court to admit the child pornography as evidence. After reviewing relevant Supreme Court opinions on a reasonable expectation of privacy, the Court acknowledged that Ziegler had a reasonable expectation of privacy at his office and on his computer. That Court also found that his employer could consent to a government search of the computer and that, therefore, the search did not violate Ziegler's Fourth Amendment rights.

State v. Reid

The New Jersey Supreme Court has also issued an opinion on the privacy rights of computer users, holding in State v. Reid that computer users have a reasonable expectation of privacy concerning the personal information they give to their ISPs.[3][20]

In that case, Shirley Reid was indicted for computer theft for changing her employer's password and shipping address on its online account with a supplier. The police discovered her identity after serving the ISP, Comcast, with a municipal subpoena not tied to any judicial proceeding.[21]

The lower court suppressed the information from Comcast that linked Reid with the crime on grounds that the disclosure violated Reid's constitutional right to be protected from unreasonable search and seizure.[22] The appellate court affirmed, as did the New Jersey Supreme Court, which ruled that ISP subscriber records can only be disclosed to law enforcement upon the issuance of a grand jury subpoena.[23] As a result, New Jersey offers greater privacy rights to computer users than most federal courts.[24] This case also serves as an illustration of how case law on privacy regarding workplace computers is still evolving.

Teachers and MySpace

Teachers’ privacy on MySpace has created controversy across the world. They are forewarned by The Ohio News Association [25] that if they have a MySpace account, it should be deleted. Eschool News warns, “Teachers watch what you post online.” [26] The ONA also posted a memo advising teachers not to join these sites. Teachers can face consequences of license revocations, suspensions, and written reprimands.

The Chronicle of Higher Education wrote an article on April 27, 2007 entitled "A MySpace Photo Costs a Student a Teaching Certificate" about Stacy Snyder[27]. She was a student of Millersville University of Pennsylvania who was denied her teaching degree because of an unprofessional photo posted on MySpace, which involved her drinking with a pirates’ hat on and a caption of “Drunken Pirate”. As a substitute, she was given an English degree.

References

  1. ^ http://video.google.com/videoplay?docid=-383709537384528624
  2. ^ Trust and Privacy Online: Why Americans Want to Rewrite the Rules. Pew Internet & American Life Project. Released Aug. 20, 2000
  3. ^ UN warns on password 'explosion'
  4. ^ Police set to step up hacking of home PCs
  5. ^ FBI 'Lantern' Software Does Log Keystrokes
  6. ^ Neva Chonin (2006-09-17). "Sex and the City". San Francisco Chronicle. http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/09/17/PKG6BKQQA41.DTL. Retrieved on 2007-06-17. 
  7. ^ a b Anick Jesdanun (12 September 2006). "Prankster posts sex ad replies online". AP. http://www.msnbc.msn.com/id/14791788/. Retrieved on 2007-06-27. 
  8. ^ Ryan Singel (2006-09-08). "Craigslist". Wired Blogs. http://blog.wired.com/27BStroke6/index.blog?entry_id=1553329. Retrieved on 2006-09-12. 
  9. ^ Schwartz, Mattathias. "Malwebolence". New York Times. http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?ex=1375329600&en=b5085d50ee5c65e5&ei=5124&partner=permalink&exprod=permalink. Retrieved on 2008-08-01. "After receiving death threats, Fortuny meticulously scrubbed his real address and phone number from the Internet. “Anyone who knows who and where you are is a security hole,” he told me. “I own a gun. I have an escape route. If someone comes, I’m ready.”" 
  10. ^ Doe v. Fortuny, 1:08-cv-1050 (D. Ill. 2008-12-15).
  11. ^ Doe v. Fortuny, 1:08-cv-1050 (D. Ill. 11/12/2008).
  12. ^ Doe v. Fortuny, 1:08-cv-1050 (D. Ill. 01/07/2009).
  13. ^ Doe v. Fortuny, [1] (D. Ill. 04/09/2009).
  14. ^ Doe v. Fortuny, 1:08-cv-1050 (D. Ill. 04/09/2009).
  15. ^ Bush Administration Demands Search Data; Google Says No; AOL, MSN & Yahoo Said Yes
  16. ^ Yahoo Knew More About China Journalist Subpoena Than It Told Congress It Did
  17. ^ Forget The Government, AOL Exposes Search Queries To Everyone
  18. ^ They know all about you
  19. ^ Tim Wafa (January 2008). "Internet Privacy Rights - A Pragmatic Legal Perspective". Berkeley Electronic Press. http://works.bepress.com/tim_wafa/. Retrieved on 2008-08-17. 
  20. ^ State v. Reid, 194 N.J. 386, 954 A.2d 503 (N.J. 2008).[2]
  21. ^ Id. at 393.
  22. ^ Id. at 393.
  23. ^ Id. at 402.
  24. ^ Id. at 396-97.
  25. ^ Learning Curve
  26. ^ Related Top News - Teachers warned about MySpace profiles
  27. ^ Wired Campus: A MySpace Photo Costs a Student a Teaching Certificate - Chronicle.com
