Article Banner
Navigation Bar
Navigation Bar

Partners:
 On Our Site
  • Fast Forward
  • E-mail
    rob@twp.com
  •  
    Rob Pegoraro's Fast Forward Live
    Privacy Discussion With David Banisar

    Wednesday, April 14, 1999 at 2 p.m.

    Rob Pegoraro Welcome to Fast Forward Live. I'm your host, Rob Pegoraro, editor of the weekly Fast Forward section of The Washington Post. My guest on Wednesday is David Banisar, policy director of the Electronic Privacy Information Center.

    From credit ratings to government records, the easy accessibility of personal data today has many consumers concerned about the erosion of privacy. For a review of some of the issues at stake, read The Post's 1998 series on privacy, "Eye in the Keyhole" and recent stories by Post privacy reporter Robert O'Harrow.

    Discussion Transcript



    Rob Pegoraro: Hello again--welcome back to Fast Forward's semi-sort-of-weekly rap session. Today we're talking about privacy issues online; who's got your data, how did they get it, what can they do with it, and how much should you worry about it? David Banisar of the Electronic Privacy Information Center is here and knows a heck of a lot more about this than me... so let's get started.


    Rob Pegoraro: David,

    There's been a handful of stories in the papers lately about computing gear that contains some sort of identifying tag--specifically, the Pentium III, with its processor ID number, and the ID tag Microsoft Word 97 embeds in documents (it was used to track down the author of the Melissa virus). Why do you think companies seem so interested in putting these sorts of permanent IDs into their products, when customers always seem to freak out when they discover these "features"?

    David Banisar: Well companies seem to think that quite a bit of the future of online commerce involves collecting huge amounts of data on their customers so that they can do "1 to 1" marketing. And for some reason , consumers seem to find the idea of some guy walking around you in a shopping mall following you into stores writing down what you are doing pretty creepy..



    St. Louis, MO: As a resident of Missouri, I'm very concerned about the fact that my social security number appears on my driver's license. How many other states require this and what can I do to get it off?

    Rob Pegoraro: My understanding is that pretty much all states put the SSN on a driver's license by default, although I think you can request that another, random number be used instead. Your comments?

    David Banisar: It really varies. Most states give people the option of taking their SSN off the license which is why the recent proposal by the US Department of Transportation to require SSns on the card got so much opposition and was eventually stopped by congress


    Arlington, VA: Everything I've read to date says there have been no cases of credit card fraud via the Internet -where the information was obtained from an online transaction-, which makes e-commerce much safer that using a credit in a store for consumers. Does that claim still hold true?

    Rob Pegoraro: I've written a couple of those stories, actually. However, the bigger risk seems to not getting ripped off by random interlopers, but by the allegedly reputable store you're doing business with. What have you heard on that score, David?

    David Banisar: there have been a couple of cases where someone has broken in an online system after the fact and obtained credit card info but I haven't heard of any interception of card info resulting in fraud. I'd say the odds are about the same. Database security is still pretty poor generally but then again, so is the gas station.


    Rob Pegoraro: Something I was just reminded of... in Bill Gates's new book, there's an extended discussion of how some sort of uniform "smart card," packed with personal data, could make all of our lives a lot easier. Nowhere in that chapter did I find any kind of sense of how much people seem to dislike the concept of a national ID card (well, notwithstanding the role that driver's licenses already play). It's often said that the people developing these technologies in the laboratory "just don't get it." Do you agree with the idea that there's some sort of cultural disconnect between how these things are seen in Silicon Valley (or along the Dulles Toll Road) and how they're viewed elsewhere?

    David Banisar: I think its more a geek thing that "hey. Lets build a new c00l toy" without thinking through any of the implications of the device on everyone else. Oh in Bill agates case, its more likely that he just wants that MS Wetware (tm) implanted into our brains (grin). Seriously, the opinion polls show a very high opposition to the national id card here. A few years ago, we were involved in taking down the australian govt when they tried something similar. The govt actually fell because of the mass street protests.


    Arlington, VA: So, how worried should the average person with a checking account and a social security number be about their privacy?

    David Banisar: well, banks are trading information all around, and merging with insurance companies. All sorts on commercial uses of your info right there.


    Rob Pegoraro: One of the most frequently asked questions I see in e-mail from readers is the whole issue of "cookies," the little bits of text data that Web sites store in your browser's preferences. Most of the time, they simply make clicking through a site a little more efficient--usually by storing a password or user ID for you so you don't have to retype those each time you visit the site. But lots of people find the whole concept a little sketchy. What kind of mischief has been accomplished with cookies in the past? How much should I worry about this?

    David Banisar: The new interesting thing in cookies is the development of what I call "supercookies" where you have a marketing company with central site such as imgis or doubleclick which can serve the same cookie to thousands of sites (including the w. post site I see). This will allow marketers to not just see what you do on one site but watch your activities over thousands of different sites including search engines and portals. They can develop very detailed profiles for advertising etc.


    Tampa,FL: What do you think of the company who bought all the driver's license information from several states to use for "credit card security"? The idea was that when you use your credit card, the picture from your driver's license would pop up on the vendor's monitor so they could instantly verify that someone else was not trying to use your card. I know it made me a bit nervous to think that all my data would be in the hands of a private corporation, even if they are working with the government. What are your thoughts? Any need for worry or concern?

    Rob Pegoraro: Yes, I think it was a company called Image Data. The idea, if I recall correctly, was that the company would buy the pictures and names off a state's driver-license database, then correlate that info with some sort of bounced-check database. After the resulting uproar, that company's own public image seems to be in the toilet, though... any other ventures like this going on that you're aware of?

    David Banisar: They were not actually working for the govt. There were a completely private concern like TeleCheck. That said the Secret Service was also secretly funding them. We think that it was a completely inappropriate use of digital photos for the states to be disclosing them to anyone outside the DMV. As for PR image, its funny you should mention that, the spokesperson for the company used to work for the Direct Marketing Association.


    Boston,MA: They say you shouldn't give your SSN to anybody these days. However, it seems impossible to get a credit card, bank account, apartment, house, and a lot of other necessities without giving out your SSN. Do we have any other options?

    Rob Pegoraro: Not that I've ever heard. Let me two of my own questions to Boston's query: How much damage could I do if I obtained somebody else's SSN? What other commonly requested, but potentially compromising info--mother's maiden name or whatever--*can* I practically avoid giving out?

    David Banisar: Under current federal law, if you refuse to give your SSN to various non-govt entities, they can deny you service. We support various bills in congress that would prohibit this.

    With someone's ssn, you can take their identity and steal a pretty good amount of money from them etc. It also makes it easier to track them and since many entities use the SSN as a password, to obtain bank info etc.

    As for other info, I usually use a different name for my mother's maiden name for various entities. Nothing wrong with that if you are not planning to commit fraud.


    Rob Pegoraro: A follow-up question about cookies: How directly can your own identity--name, e-mail address, street address, phone #--be tracked via use of these ad-network cookies? I.e., do they know that it's Rob Pegoraro clicking on the ad for Honda, or do they just know it's one particular Web browser, coming in from a certain Internet protocol address?

    David Banisar: It depends if you ever registered at any of the sites anywhere that cookie is being served to. If you didn't, then at best they know it's the same browser but they know a hell of a lot about the browser.


    New York, NY: I know web sites can see where I'm from, what ISP I'm using, the time I entered the site, for how long I was there, etc. Is there software out there to block this information, thus making surfing much more anonymous?

    Rob Pegoraro: I know there are a couple of sites that completely block that info--for instance, anonymizer.com--but it also slows down browsing a little bit. Any others? Do they really work?

    David Banisar: www.anonymizer.com is the best of the group. There is also a new one from Zero Knowledge Systems that's also encrypted. However, I just saw a message today on comp.security.misc that there are a number of ways that servers can bypass the anonymity.


    Rob Pegoraro: The single biggest privacy annoyance I have to deal with on a day-to-day basis is telemarketers. But I'd rather not have an unlisted phone number, just in case some could-have-been significant other from college comes into town (hey, it could happen... ). I always tell these folks to put me on their "do not call" list, but it doesn't seem to have much effect; AT&T took a year or so to take the hint. How can I keep my number out of these databases? I actually don't mind junk snail-mail that much, but I can't stand to have some marketing droid yammering in my ear when I'm eating dinner.

    David Banisar: There is a federal "do not call" list and you can sue if they call you but I'm pretty skeptical of any system that creates a new database to keep you out of other databases. We gave a privacy award this year to a woman who took on Sears when they kept calling her and finally recorded their calls. They then threatened to sue her and charge her with violating a wiretap law which didn't even apply. She is now suing them for $100k for harrassment.


    New York, NY: The question was asked before about cookies: How much should I worry about this? Well?

    Rob Pegoraro: I trust David will let me know if I'm mangling his words, but, basically, if you don't give your name to a site that issues you a cookie, then you're only identified as Joe Browser User; they can track where and when you stop by, but they can't send the encyclopedia salesman to your door. (Apologies to any Funk & Wagnalls reps in the audience.) The potentially insidious cookies come from ad networks, which put up ad banners on multiple sites, including this one. Now my own question: So will not clicking on those ad banners mean I have fewer eyeballs following me through the Web?

    David Banisar: Not clicking on ad banners does not lower the number of sites that have the ad banners.

    Perhaps the best way at the moment to deal with cookies is to use software that edit cookie files such as Cookie Cutter so that after the fact, you can get rid of all the ones from sites that you do not want.


    Rob Pegoraro: In Europe, we see a great deal of laws that mandate what companies have to disclose about their privacy policies, who they can share data they've collected with, and what individuals can do to control the use of their own info. There's no real equivalent to that legal infrastructure here. Why is that so?

    David Banisar: its not just Europe - all over the world, countries are adopting comprehensive privacy laws. I did a survey late last year that found that 40 major countries including all of Europe, Canada, Australia, Argentina, Brazil, NZ etc. have either passed laws or are in the process of adopting laws on privacy (http://www.privacyinternational.org/survey/)

    The problem is that here in the US, both the govt and the industry oppose these laws because it would prevent them from using the information for just about any reason they want. Polls show that there is about 80% support for comprehensive privacy laws but there is very serious $$$ lobbying against it. It is one of the reason the Director Marketing Association was a runner up for Privacy Internationals' Owell Award in the "lifetime menace" category (the FBI won).


    Rob Pegoraro: EPIC's Web site includes a short list of privacy-promoting software, such as the Cookie Cutter utility David just mentioned: http://www.epic.org/privacy/tools.html


    Washington, DC: What about getting off of lists for offers of credit cards or other credit based services? I have called an 800 number provided by the credit agencies and mailed in a request to be removed, but they keep coming as much as ever? I'm concerned that each of these companies is reviewing my credit when they send these out.

    David Banisar: Under the 1996 revisions of the Fair Credit Reporting Act, the banks and credit reporting agencies are supposed to take you off the lists if you request. The problem is there are so many entities that have the info that it's difficult to track them all down. If you ask a company to take you off and they do not, you can ask the Federal Trade Commission (http://www.ftc.gov) to step in and smack them around.


    Rob Pegoraro: I've heard that privacy activists have set up dummy user IDs at popular Web sites, so that visitors who want to maintain their privacy can log in under that made-up identity. That so? I haven't tried this myself, but of course I have nothing to hide (yeah, right... :)

    David Banisar: At many sites, you can use the username/pw of "cypherpunks" works just fine.


    shepherdstown, wv: I recently registered for ancestry.com to do genealogical research and needless to say i was amazed that i was able to find deceased relatives. But the problem with finding that information was that the social security #'s of my relatives were also supplied. It worries me that anyone can get access to such information alive or dead. Is the social security administration aware of that this is whats happening?

    David Banisar: The SSN's of dead people are freely provided by the SSA and are available at some site on the web.

    As for the other uses of the SSN, the SSA has frequently testified against expanding its use at the same time that its parent organization, HHS, was proposing its use for the national medical id number.


    Rob Pegoraro: Well, we're out of time for this week. (As I type this, my art director and one or more of bosses are looking at me over the cubicle walls and tapping their watches...) Thanks to all y'all for stopping by, and thanks to David Banisar for his time and insight. You can read up on EPIC at http://www.epic.org, logically enough, and we're at http://www.washingtonpost.com/ffwd. Come back soon...


    © Copyright 1999 The Washington Post Company

    Back to the top

    Navigation Bar
    Navigation Bar
     
    yellow pages