The real reason, for firms from Google and Yahoo to Amazon, eBay, and Expedia, is that they are all in an endless struggle to entice more people to spend more time on their sites, so they can sell more advertising. This whole effort, they believe, depends crucially on their ability to “personalize” their services. “The information about you is gold, and it’s used for ever more perfect marketing to you,” Kevin Bankston told me. “Nothing will change that unless there is a law to force them to stop.”
For users, “the fear is Panopticon,” says Lawrence Lessig, of Stanford Law School, referring to the unseen but all-seeing observer in a prison watchtower once proposed by Jeremy Bentham. “The critical point to recognize is that there simply is no such thing as anonymity on the Internet. That is not because of its technical architecture. It is because of the business model of these companies, which depends on gathering and storing as much data about the customer as you possibly can.”
What’s the potential harm? Every person I spoke with gave an example. A few were political, but most concerned the drawbacks of life in which everyone is on the record, all the time. A spouse in a divorce case might ask for Web-browsing histories to show the other spouse’s peccadilloes or peculiar interests. Vetting applicants for jobs—or nominees for official positions—could become even more intrusive than it is already, and even less forgiving of adventure or eccentricity, in an extension of today’s “just Google him” effect.
No one suggests that an online firm will deliberately disgorge everything it knows about you. Technically, Google could list every IP address that has ever launched a search for “underaged hotties” or “how to make a bomb.” Commercially, that would be suicide. Since the Googles and Yahoos need users’ trust in order to keep getting data, they, like banks or credit-card companies, have a strong incentive to compete on trustworthiness. But the long-run fear is that as unprecedented amounts of personal information pile up, all of it linked by IP addresses, more will ultimately be used.
So what are we supposed to do about it? The answers I got covered a very wide range, with one area of consensus that made me think differently about how hard individual users should—or should not—try to protect their own secrets.
At one extreme is the approach that Richard Forno describes as “wearing tinfoil underwear.” Marvelous tools of disguise exist, starting with encryption software for e-mail. Perhaps the most powerful one, called Tor, can be found at the Electronic Frontier Foundation Web site, tor.eff.org. Originally funded by the Navy, the system effectively conceals a user’s IP address by bouncing every Web query among routers around the world, making it harder to trace back to its origin. Tor is free but somewhat tricky to install (I have succeeded, but it took time), and it slows Web response time noticeably. I would use it only if I were working on a project I really wanted to keep under cover.
There are other, more modest protective measures. Politicians and CEOs should think twice about doing anything they wouldn’t want to see on the front page of a newspaper. Everyone else should think twice before sending e-mail they would not want to see broadly forwarded. (I get and send more e-mail than ever for routine business, but stick to the phone or meetings for anything sensitive.) To keep your computer from piling up data you’d rather not have it store, you can configure your Web browser to reject all cookies, or to ask you before it accepts any. (In IE, you find this via Tools/Internet Settings/Privacy. In Firefox, via Tools/Options/Privacy/Cookies.) Doing without cookies means not being able to use some sites or services at all, for instance Gmail, plus manually logging into other sites every single time. A more moderate step is to have the browser accept cookies but purge them whenever you close the browser.
On the other extreme is the approach Lawrence Lessig takes. “I don’t do anything” about privacy, he says. “I think there is no way to hide. I just live life thinking everything is in the open.” Esther Dyson, of CNET, says something similar. “The short answer is: Nothing,” she replied by e-mail when I asked what concealing steps she takes. “For a while I tried flagging every cookie I got, just for fun, but I let them all go through anyway, so eventually I stopped.”
Mitchell Kapor, the founder of Lotus, who now directs the Open Source Applications Foundation, does take a few protective measures. When using an Internet café, he doesn’t log on to PayPal, his credit-card account, or any other site that involves his finances, just in case some keystroke-capture program has been installed. He wasn’t comfortable using Gmail as one of his personal e-mail accounts until he grilled Google officials and determined that they “took privacy and security seriously when they store mail.” Kapor said that what changed his mind was evidence that Google understands how important a reputation for guarding privacy is to the company’s prospects. “They do take steps,” he told me, “to make sure that Google employees don’t just satisfy their curiosity by looking at people’s e-mail, as well as making sure that if you delete the account, they clobber all copies everywhere, including the backups.”
Between these alternatives—the hypercautious approach of encoding all e-mail and the fatalistic belief that Big Brother will see everything anyway—lay the surprise in what I heard from these informants. This was the idea that legislation—the intrusion of the stodgy old pre-digital government—offers modern computer users their best hope.
“When your choices are the tinfoil or doing nothing, that’s not right,” Lessig says. “I would rather think about how we could actually increase privacy without giving up the versatility of the Internet.”
For instance, a future law might require Google and other companies to strip specific IP addresses from records of searching or browsing activity that they intended to store for more than a brief period. This would be a balancing act similar to the creation of the “do-not-call” list for telemarketers. It would preserve the legitimate commercial value of aggregate data about Internet use, while protecting individuals if the records were dredged up in legal proceedings—or simply lost, stolen, or exposed through negligence or incompetence. TiVo already applies such a policy. It keeps records of aggregate viewing patterns, which is how it knows that the Janet Jackson breast exposure, from the 2004 Super Bowl, is the most replayed event in TiVo history—but it removes all evidence of which specific customers have viewed or replayed which shows.
Nicole Wong unsurprisingly rejects the idea of controls on her own company. But she also suggests that the real privacy firewall, or at least wall, will be built through legislation, rather than ever warier behavior by individual users or more restraint by companies. “I don’t think that the fix for user privacy is companies providing less service,” she told me. “At the systemic level, the solution is to limit what personal data the government can ask for”—and by extension to limit what information banks, potential employers, divorcing spouses, and other potential snoops can find out.
“This is a big, macro public-policy issue about the design of our infrastructure,” Marc Rotenberg, of EPIC, says. “It involves payment systems, communications networks, identification, transportation toll design. It’s not something that will be solved by ‘privacy survivalism’—anonymizers, dark glasses, people paying for everything in cash. Collective problems require collective solutions.”
I feel worse than I did when I started this project, because I’ve realized how fully exposed my whole life is. I feel better when I think that companies could be required to purge data every so often, or to store data in a way that makes it hard to link one person’s name and IP address to the details of what he or she has done online. Then I remember that Congress would need to concentrate long enough to enact this change in a thoughtful, far-reaching way with minimal glitches, and I really start worrying.