EYE IN THE KEYHOLE
Databases Start to Fuel Consumer Ire
By John Schwartz
and Robert O'Harrow Jr.
What finally sent Tom Meeks of Kensington over the top earlier this year was a birthday card inscribed "Happy Birthday from your friends at Radio Shack."
Meeks had no friends at Radio Shack. And it mystified him how the giant electronics chain even knew when his birthday was.
"I felt this was an invasion of my privacy," he said in an interview.
After a phone call to the company, Meeks discovered that Radio Shack bought his birth date and many others from an outside database and combined it with its mailing list of more than 147 million customers.
Meeks complained in a letter to company President Leonard Roberts that the birthday card, offering a 10 percent discount, "thoroughly shocked and appalled me." To reciprocate the feeling of invasion, Meeks included Roberts's home telephone number and his wife's first name in the letter.
Meeks is part of a growing army of angry consumers. "Just say no," once the battle cry of the war on drugs, could be the slogan for another emerging fight in American society over protecting personal information. As data become ever more easily amassed, stored and transferred electronically, many people view safeguarding it as a sort of "street smarts" for the 1990s.
On the simple end, people are delisting phone numbers and omitting their Social Security numbers from applications. On the complicated end, they sort trash to protect credit card numbers of discarded receipts and scramble their electronic mail with encryption technology.
In California, roughly 50 percent of telephone subscribers have contacted Pacific Bell to disable the Caller ID signal on their outgoing calls (in California, that's a right guaranteed by law). When they place a call, a Caller ID telephone flashes the words "private number" on the screen.
Some people simply want to avoid dinnertime calls from pesky marketers. Others have a deep distrust of government and business, a fear that information ultimately will make its way to insurers or employers and be used against them.
For privacy activist Janlori Goldman, fighting back against privacy erosion starts with chiding sales clerks who ask for personal information a common practice at retail chains such as the Gap and Toys R Us.
Her response? "You don't say 'hello,' you don't say 'how are you?' you just ask for my Zip code. I don't want that kind of relationship with you. I just want to buy my shirt," said Goldman, who is on leave from the Washington-based advocacy group Center for Democracy and Technology.
Leonard P. Levine, a computer science professor at the University of Wisconsin-Milwaukee, said consumers should be wary of "2 cents off on a can of beans cards" his name for supermarket savings club cards.
Today, the store that issues them tracks your buying habits in order to offer customized coupons and manage its own inventory. Tomorrow, there is nothing to prevent information that a customer is buying bacon and cigarettes from making its way to an insurance company, Levine said. His advice: Pay the extra pennies and preserve privacy.
Here and there, ordinary Americans are becoming privacy crusaders. Barbara Joyce of Montgomery County began a privacy campaign after telemarketers called her home one too many times.
"It is an intrusion of privacy," Joyce said. "These people are calling a phone I pay for, in my house, for my convenience. ... Everybody has a right to be left alone in your own home."
She fought back with a little-known weapon: a federal law called the Telephone Consumer Protection Act of 1991, which, among other things, allows people to demand that telemarketers remove them from call lists or pay them financial penalties.
Using detailed logs, she found the callers often did not properly identify themselves or their companies and routinely called back after she asked them to stop. Though the system is cumbersome and frustrating, Joyce said that so far, she has won more than $5,000 in settlements. The number of intrusive calls to her house has dropped from two each night to one each week.
"If everybody would ask to have their telephone numbers placed on the do-not-call list, it would choke the industry and lead to its demise," she said.
Donald Knox of Phoenix routinely blocks direct-market mailings by complaining that the material is sexually offensive. It doesn't matter to him what the solicitation actually says he fills out a form provided by the U.S. Postal Service to stop deliveries. For him, it is worth the effort "to kick them in the shins."
Even his telephone answering machine warns callers: "If you're calling me on a telemarketing thing, please hang up now. Right now!"
A Fear of 'Ghosts'
Whatever steps people take, a file is being built on them somewhere that may or may not be accurate.
"There really are ghosts every one of us is followed around by an invisible profile that purports to be who we are," said Don Goldhammer, a University of Chicago computer network administrator. He tries to limit dissemination of his particulars by stamping his checks with this message: "By cashing this you agree not to use any information contained on it."
Credit reports frequently contain errors, said privacy expert Goldman, who urges consumers to review their credit reports before an important transaction. "They should do it before their credit comes into play," so that they can dispute incorrect information, he said.
Psychiatrist Harold Burzstajn of Harvard is especially concerned about confidentiality breaches in medicine and mental health because patients have to be able to trust doctors to keep information private. "If you don't have privacy, you don't have psychoanalysis," he said.
Burzstajn said he worries about patients in managed care who often must sign release forms allowing anyone in the organization to read their records.
To preserve medical privacy, he said, patients should periodically demand a copy of their medical records and monitor new entries. Patients should try to get the managed-care company to purge anything that doesn't relate directly to health care, or might be misconstrued, he said.
As more people venture onto the Internet, protection of online privacy is a growing issue. People who take part in online discussions leave their e-mail addresses. Someone seeking sensitive information, such as treatment for AIDS, might not want the activity to be publicly known.
Many Web sites require people first to "register," or fill out a form about themselves. Sites also resell e-mail addresses of visitors, which can feed a glut of junk in the electronic mailbox.
Some Web surfers simply lie when asked for personal information at Web sites, according to an Internet survey conducted last year at Georgia Tech University. About 40 percent of the 19,000-plus Web users surveyed said they sometimes fib; almost 70 percent of those who decline to register on Web sites said the reason was worry over how the information would be used.
Internet users can ensure that the sites they visit do not hit them with targeted ads next time they visit. This is done by disarming the "cookie" file on a computer a sort of ID card that gives the site information about the user. (Instructions for doing so on most versions of popular browsers can be found at http://www.junkbusters.com/ht/en/cookies.html#disable) Cookies were designed into browsers to boost Internet business, allowing Web site publishers to track usage and market to visitors. But many users view them as a privacy invasion.
Those who are not comfortable reconfiguring their software instead sometimes visit such sites as the anonymizer (www.anonymizer .com). The site strips personal information, such as e-mail addresses, away as visitors pass through it to go to other locations. At least 7,000 people routinely use this service. That's a 75 percent increase since last spring, said Anonymizer Inc. President Lance Cottrell.
Other Internet users who simply do not want their messages read by others are turning increasingly to encryption, the technology that scrambles messages so that only the intended recipient can read them. In recent years, encryption has become a low-cost software add-on that is relatively easy to use a far cry from the cumbersome hardware-based systems of old.
For some people, protecting privacy has become an obsession.
One Maryland man receives mail only at a post office box and keeps his phone under an assumed name. He encrypts many of his online communications and pays for long-distance calls with phone cards, so that there is no central electronic record of his calls.
He recognizes, he said, that "these things are sort of paranoid for the average person. Part of my view of life is, it's a game how do you play the game? ... I'm no deadbeat dad or anything like that, but I object to it. I object to George Orwell's being in charge of the FBI."
Not surprisingly, he asked that his name not be used in this article.
A more moderate, but still time-consuming approach is offered by Robert Ellis Smith, publisher of Privacy Times. The guiding notion, said Smith, is: "Remember Noah's Ark. You have to have two of everything."
Keeping two trash cans isn't hard, he said, and it lets you tear in half sensitive things such as credit card numbers on receipts. "Half in one trash can and one in the other and empty them on alternate days," Smith said a simple system that makes paper shredding unnecessary.
He recommends two online accounts, one private, for sending and receiving e-mail and another for searching the World Wide Web. That way, the marketers who gather e-mail addresses from cookies will be sending their come-ons to a mailbox you never check.
Some people are discovering that when you say no to data gatherers, you do not necessarily miss out on what they are offering in return. Rich Brown, a consultant with a Lanham research firm, got a telemarketing call offering him a platinum credit card if he would answer a few questions. The caller proceeded from simple queries verifying his address and telephone numbers to complicated ones asking details of his salary, mortgage and other debts.
Irked, Brown cut off the caller. "I said I was uncomfortable giving out that kind of information," especially on the phone, he recalled. Brown thought the deal was scuttled until a short time later, when a new credit card appeared in the mail. Brown figures the company had all it needed to issue the card but was using a prying phone call to fish for more personal information.
Some privacy advocates want to simplify the process of getting off lists. Entrepreneur Steven Bearak publishes a book titled "Privacy PowerPak" that explains privacy issues and includes ready-to-mail forms and postcards to demand removal from mailing and call lists, to dispute credit reports and more.
Bearak knows, however, that his $34.95 "tool kit" doesn't fix the problems: "You're not pushing a button and erasing years of information that you have left behind. ... Protecting your privacy is a process, it's not an event."
A Call for Curbs
A number of privacy advocates say that it's just too much work for the individual and laws should be strengthened. "The only reason individuals have to do day-to-day approaches is because the policy is inadequate," said Richard Sobel, a researcher at Harvard Law School.
Hence campaigns such as the American Civil Liberties Union's "Take Back Your Data!" effort. The privacy initiative offers brochures and reports about the use of Social Security numbers, electronic monitoring at work, the Internet and other matters.
Activism can be local or company-specific. When Walt Disney Co. bought the ABC television network, the company issued new identification cards to employees that prominently displayed their Social Security numbers. Since many employees wear cards on the job, they objected and the cards were changed.
Levine got his university to stop using Social Security numbers on faculty and student ID cards.
In the case of the Radio Shack birthday card, the company responded quickly to Meeks's complaints. Company officials apologized and took Meeks off the birthday card list. They pledged to follow up with a consumer survey to find out just how many people the program irritates. Meeks said he was gratified by the response.
Radio Shack representatives said the campaign also has generated compliments from consumers, and noted that while the company has collected facts on customers, it has not sold the information to any other company even though it would be lucrative to do so.
"We have the absolutely highest respect for our customers' privacy that you could imagine," said David Edmondson, Radio Shack's senior vice president for marketing and sales. "I can only say that with everything that is within me, in terms of passion."
Meeks does not doubt that the company acted with good intentions he just wants businesses to think before they mine data and act on it. "The attitude of most of these companies seems to be, 'because it can be done, it should be done and if there's any value to the customer, it's perfectly okay.' They don't see it as a privacy issue.
"Maybe companies should pause a few moments and ask, 'Just because it can be done, should it be done?'‚"
Shifting responsibility away from individuals is the only sensible path, said Marc Rotenberg of the Electronic Privacy Information Center. "I feel people should feel free to act in the ways they want to act, and their privacy will be protected. Which means we need to change the world," he said.
© Copyright 1998 The Washington Post Company