Chris Larsen may seem like an unlikely privacy advocate. But then, as the CEO of online lending firm E-Loan (EELN), Larsen has seen the murky underworld of personal data collection. As a player in a business that thrives on information, Larsen knows how easy it would be to use a consumer's credit score to manipulate the auto insurance rate the person pays or to track a consumer's buying trends to concoct a risk profile that could be used to justify a less-favorable mortgage rate.
"Profiling is fast getting to the point where it crosses the line of efficiency in business to the dark side," says Larsen. "We're going to see a technology train wreck unless we can get it under control."
And so Larsen, in an atypical move for a business leader, is donating $1 million of his own money to help get a financial privacy initiative on the March, 2004, ballot in California. Not only that, the measure Larsen is backing is far stricter than the bills, introduced by Democratic state Senator Jackie Speier, that lobbyists have blocked in each of the past three years. Larsen's proposal would require financial institutions to get explicit consent from consumers before selling or sharing their personal information with another company or even a sister subsidiary (see BW Online, 7/11/02, "Will Voters Opt for Opting In?"). Since May, Larsen, Speier, and a coalition of consumer groups, privacy advocates, and senior citizens have collected in excess of 400,000 signatures -- more than the 373,000 required to put the measure on next year's ballot.
Since 1996, Congress has passed three major -- if imperfect -- privacy laws: The Health Insurance Portability & Accountability Act (HIPPA), which regulates health data; the Children's Online Privacy Protection Act (COPPA), which mandates how companies sell and represent themselves to children online; and Graham-Leach Bliley (GLB), which requires financial institutions to inform customers about their data-sharing policies.
California, Minnesota, and Hawaii have each established a state office of privacy protection. And in testimony this month, Federal Trade Commission Chairman Timothy Muris called for credit agencies to provide free credit reports to every consumer.
"THIS ISN'T RIGHT." Privacy advocates have raised alarms for years that the Big Brother of the George Orwell's novel 1984 was just around the corner -- and indeed, "the technology is there to do everything Orwell dreamed of," says Robert Gellman, a privacy-policy consultant and former general counsel to the House subcommittee on government information. "Industry is using it. The government is using it." But now, he adds, "there are voices that say, this isn't right. At long last, we're seeing the institutionalization of privacy" protection.
That's at least partly because more citizens understand more clearly how their personal information can be used. And once they do, they worry that the doomsday scenarios painted by privacy advocates aren't necessarily farfetched. As computers become more powerful and more data go digital, credit companies could track, say, whether you buy unhealthy foods or load up on liquor on weekends -- and sell such information to your health and auto insurers.
Beyond that, the U.S. Patriot Act, passed in the wake of the September 11 terrorist attacks on New York and Washington, would require companies to hand over such information to the federal government. Certainly, 100 years after Orwell's birth, the technology for doing surveillance and controlling individual communication equals anything in 1984. That fact was driven home by the Bush Administration's 2002 proposal, which was just squashed in Congress, to create a Total Information Awareness program. TIA would have empowered the government to comb through every American's bank records, tax filings, driver's-license information, credit-card purchases, medical data, and phone and e-mail records for evidence of suspicious activity.
PEOPLE'S CHOICE. The institutionalization of privacy protection is showing up most obviously in business marketing, as evidenced by the success of the Federal Trade Commission's Do Not Call list, which promises to slash dinner-time telemarketing solicitations for folks who join the list. Some 64,000 individuals filed comments about the Do Not Call proposal in 2002, says Katie Harrington McBride, an FTC staff attorney. Compare that to the 92 comments filed in response to telemarketing sales rules proposed in 2000.
Since the Do Not Call registry opened on July 1, more than 25 million Americans have signed up. That's one-quarter of the total who voted in the last Presidential election. "The era of targeted marketing is at an end," declares Columbia University professor emeritus and privacy expert Alan Westin, who has been studying attitudes toward privacy for more than 30 years. "A new era of permission, or consensual, marketing -- in which people will decide if they do or don't want to be marketed to -- is about to begin."
Nor is the revolt limited to phone solicitations. Case in point: Retailers often ask customers for a phone number or Zip code during checkout. And without thinking, most provide it. It seems harmless enough, but the purpose is potentially insidious. With a name and perhaps one other piece of information, retailers can find a customer's address, phone number, and e-mail address as well as uncover the person's purchasing patterns and credit histories. The retailer can then use that information to market to the customer -- or sell the information to someone else.
"GREAT ARROGANCE." That's the kind of practice that infuriates California Senator Speier. What right, she asks, do retailers have to even collect that information -- much less turn a profit on it? In California alone, financial-services companies collect $937 million
annual by selling and sharing personal information, according to an analysis of figures by the Direct Marketing Assn., an industry group.
And so Speier has introduced a bill that would prohibit retailers from asking customers for any information that isn't necessary to complete the transaction. The bill has passed California's senate and is headed for a vote in the state assembly. "Privacy must be institutionalized," says Speier. "There's still great arrogance out there, and the potential for abuse is huge."
The same observation could be made of new federal surveillance and data-collection initiatives that took effect after September 11. For example, the Justice Dept. applied for -- and received -- 1,228 wiretap orders under the Foreign Intelligence Surveillance Act in 2002, up from 934 in 2001. Under FISA, government officials don't have to show probable cause that a crime has been committed -- and their applications are made in secret.
GIVING GOVERNMENT LEEWAY. Plus, the newly formed Transportation Security Administration is building a database of travel info, dubbed the Computer-Assisted Passenger Prescreening System, or CAPPS-II, which would link passenger photos to the names, addresses, phone numbers, and dates of birth collected by credit-reporting agencies. It would then scan law-enforcement and intelligence files to determine whether the passenger is a security risk (see BW Online, 3/27/02, "Putting the Blinders Back On Big Brother").
While consumers get hopping mad at businesses that intrude on their privacy, they're generally less quick to condemn government agencies that want personal information in the name of fighting terrorism. A February Harris poll revealed that support for increased surveillance remains strong, though it has slipped slightly since September 11.
Some 84% of people favor stronger document and physical security for travelers, vs. 93% directly after the attacks, according to Harris. Some 44% of those polled still support expanded government monitoring of cell phones and e-mail, vs. 54% earlier.How to put a system in place to protect us from [both] terrorism and invasions of privacy is something we are just barely beginning to understand," says Columbia's Westin, who conducted the poll.
CREATING NEW LIMITS. Nevertheless, legislators and citizens are sketching lines in the sand. On July 8,the House of Representatives voted to bar government agencies from deploying or implementing any component of the TIA without congressional notification and authorization. The next day, the Senate Appropriations Committee also voted to deny funds to TIA. "In TIA, terrorism met privacy head on, and privacy won," says consultant Gellman.
Government officials are sometimes even moving proactively to protect privacy. That seems to be a lesson from a bizarre incident in May, when 50 Democratic state legislators in Texas fled the state to prevent a vote on a redistricting plan supported by Republican U.S. House of Representatives Majority Leader Tom DeLay. Texas law enforcement worked with the Homeland Security Dept. to track the Democrats to Ardmore, Okla. -- and used the Federal Aviation Administration to trace the path of the private plane they had flown there. According to a report from the Transportation Dept.'s inspector general, the search took eight hours and involved 13 FAA employees, a task that far overreached traditional FAA duties.
Washington Democrats led by Senator Joseph Lieberman (D-Conn.) objected. And on July 16, the FAA instituted new rules restricting access to information about an aircraft's whereabouts unless the request is for an official government purpose or for safety or efficiency reasons. The rules, announced at a House Transportation Committee hearing, also mandate that henceforth a law-enforcement agency can make such a request only as part of an official investigation.
THREE BIG THREATS. Of course, privacy is a battlefield where no side holds the high ground for long. The next conflict is likely to be over Internet privacy -- particularly, the efforts of cyber-libertarians to preserve the natural anonymity of Netizens from business and government tracking. Three major initiatives now put online privacy at risk: Digital rights management (DRM), which protects content from being copied and shared online; digital IDs, which ensure that you are who you say you are online; and so-called Trusted Computing, a Microsoft (MSFT) initiative that will give individual PCs a seal of approval before they can download music, movies, and software.
Individually, each initiative makes sense. But together, they'll put an end to the freewheeling Net, worries David Weinberger, an Internet expert and author of the book Small Pieces Loosely Joined: A Unified Theory of the Web. Here's why: For DRM to work, a PC has to be able to follow the rules embedded in a given piece of content, such as an MP3 file. If the rule requires that the song can't be copied, that condition will be enforced by the "trusted" computer, which enters into an electronic contract with the digital file.
Users who try to skirt the rules will find that their digital ID will tell the content's owner who they are -- and make it easy to track them down. Individuals lose control, even if they had no intent to steal but wanted only to use a few lines from the song to put on a family home video.
FAR FROM "HIPPIE HEAVEN." If all three initiatives become ubiquitous, online privacy would be drastically reduced. "Counter to expectations, the Net is becoming far more tagged, tracked, and identified than the real world," says Weinberger. "The one thing that looked like hippie heaven will end up micromanaged to the point where everything you do is known, every piece of content is tracked, and every transaction is noted and potentially available" to prying eyes.
In the end, though, it's looking increasingly likely that Americans will succeed in maintaining a balance between privacy and the desire of business and government to gather, parse, and distribute information about them. "There's no question America is wrestling with the future of privacy at the beginning of the 21st century," says Marc Rotenberg, executive director of privacy group EPIC. "As new architectures of control arise, so do strong assertions that protect Americans' concepts of freedom, mobility, and limited government."
Those assertions come from E-Loan's Chris Larsen, from California state Senator Jackie Speier, and from the millions of individuals who have flocked to register for the FTC's Do Not Call list. Their voices ensure that though privacy may be threatened, it most likely will never be lost. By Jane Black in New York