Roger Clarke's Web-Site

 

© Xamax Consultancy Pty Ltd,  1995-2017


Roger Clarke's 'Privacy Threats on the Internet'

Privacy On the Internet - Threats

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 19 October 1997; addition of FTC Report on 8 February 1998

© Xamax Consultancy Pty Ltd, 1997

Invited Address to the IBC 1997 Australian Privacy Forum, Gazebo Hotel, Sydney, 21-22 October 1997

Substantially revised version of a paper for a Seminar on 'Consumer Protection on the Internet', run by The Policy Network, Mitchell Library, Sydney, 1 May 1997

This paper is at http://www.rogerclarke.com/DV/InternetThreats.html


Abstract

This paper is one of a set of documents that consider privacy in the context of the Internet. It identifies specific threats, and specific countermeasures that are available for each of them.


Contents

Introduction

Identity Matters

Personal Data Matters

Conclusions

Resources


Introduction

This paper assumes that the reader is familiar with privacy generally. An introduction is available. This paper is designed to be read as a subsidiary document to its parent-paper, 'Privacy on the Internet: Threats, Measures and Policy'.

Privacy intrusions can be viewed as being particular classes of dysfunctional behaviour on the Internet. For a compendium of these, see this author's Netethiquettecases.

The thinking in this paper also draws on the author's substantial previous work on electronic commerce, and electronic communities and cyberculture.

The following sections examine a series of ways in which the privacy of Internet users may be intruded upon. Within each section, approaches are suggested as to how individuals can combat the intrusions.


Appropriation of One's Identity

Email contains a From: address. This is intended to identify the person who sent the message. In general, the software that despatches the message performs no checks as to whether the person sending it has any 'right' to use the From: name it bears.

It is therefore open to anyone to send a message purporting to come from someone else. This may be done:

The phenomenon can catch new users of Internet email by surprise, and causes some people serious concern.

There is a current fad/'beat-up' in the United States, which involves bewailing the phenomenon of 'identity theft' (particularly in the context of credit-card fraud), and using it as a counterargument against privacy protections and anonymity. If it lasts for very long, the idea may influence discussions about appropriation of Internet identity.

Countermeasures

There is remarkably little that individuals can do about appropriation of their identity in the context of the Internet.

On the other hand, the situation is much the same in real life. In the business world, for example, financial institutions depend on such devices as hand-written signatures and the keying of a PIN to reduce the likelihood of a misrepresentation; and newspaper editors commonly seek confirmation that the person who is represented as having written a 'Letter to the Editor' did in fact write it.

The concept of human identity and human identification are complex, and ill-understood. See Clarke (1995).


Appropriation of One's Mailbox

Unsolicited mail is a well-known phenomenon, appreciated by a proportion of the population, regarded ambivalently by many, and despised by others. Unsolicited telephone calls are increasingly common, and intrisically more intrusive into people's homes.

Unsolicited emails, commonly referred to as 'Spam', are at epidemic proportions. There is ample evidence that many 'entrepreneurs' are pleased to invoke the U.S. First Amendment (a strong form of freedom of speech) to justify their abuse of people's email-boxes. These range from virile startups, most vividly 'Spamford' Wallace, to large corporations like AOL.

A related issue is the sending of irrelevant unsolicited messages to emailing lists. A separate document addresses privacy issues arising in the context of e-lists.

Countermeasures

No simple means is available to restrict access to one's mailbox to persons with whom one would like to communicate. A number of suggestions are offered as an addendum to this author's page on Spam.

These include hoping that organisations will actually take you off lists if you ask them to; and implementing filters in front of one's own mailbox, or at the ISP level, which recognise senders that generate spam, or recognise spam based on the contents of the message.


Email-Transaction Identification

When an email message is despatched, it carries with it a form of identification of the sender, and of the sender's net-location. The sender's id is disclosed in the form of the From: and Reply-To: addresses, and the net-location in the form of the workstation's IP address.

In some circumstances (e.g. where the sender anticipates physical risk to themselves if their identity or location becomes apparent), this may represent a privacy risk.

Countermeasures

One approach is to ensure that the mailer includes in the message a false From: address. To be effective, however, the approach needs to be considerably more subtle, because email packages generally also disclose the actual account-name from which the message is sent, in the variable X-Sender. There is a moral argument to the effect that such measures ought not to be undertaken lightly, because interests additional to privacy are involved; but this paper restricts itself to the question of privacy threats and protections.

A more thorough approach is to use an anonymous remailer (most of which are actually pseudonymous rather than anonymous). Such software acts as an intermediary, and prevents the recipient from knowing from what person and net-location the message was sent. Many anonymous remailers are available. A deeper analysis is in Goldberg, Wagner & Brewer (1996).


Web-Transaction Identification

When a web-browser requests a page from a web-server, it provides some data with the request; for example, it has to advise the server which IP-address to send the page to. The data generally also includes data about the configuration of hardware and software that the person is using. Demonstrators are provided on a variety of sites, including CDT. It may also include personal information, such as the user's email address.

Additional information about the sender may be disclosed (in most cases, without the person being aware of it) through the application of cookies.

Depending on the context (especially the person's awareness of and consent to the practice, the relevance of the data to the purpose, and the uses to which the data is put), this is more or less privacy-invasive. Visits to service-counters, and telephone calls to enquiries numbers, have hitherto generally been anonymous; but the corresponding electronic transactions are at risk of losing that quality.

Countermeasures

An increasing number of services are being offered whereby a person can 'surf the web' anonymously (or at least pseudonymously), by sending the request via an intermediary. Examples of such services are Community Connexion's Anonymizer and AT&T/Lucent's Crowds.


Location Extraction

The Internet has been harnessed as a means of finding people. The first step was the conversion of conventional services into Internet-accessible form. See, for example, Telstra's Australian White-Pages. The next was the consolidation of what were previously separate directories into national form. After that, meta-services were built, to exploit multiple sources.

This has dramatic power, because it combines a vast array of pre-existing data-sources (such as telephone books), together with new sources (such as e-list and newsgroup archives), and renders them all available to search engines. Examples of such services are BigBook, Populus, and Find-A-Friend.

Countermeasures

The most straightforward approach to avoiding making information widely available is to use pseudonyms / aliases / aka's.


The Possibility of Routinised Self-Identification

The possibility exists that every individual, in the not-too-distant future, may be required to carry a chip that assists in the authentication of their identity, and identify themselves on a routine basis. This would represent a dramatic change in the patterns of life, because such a large proportion of transactions that people engage in have always been anonymous or pseudonymous.

At present the carrier being talked about is a plastic card; but already cattle and dogs are carrying them embedded in their shoulders and ears, and institutionalised people (prisoners, and people suffering senile dementia) are carrying them in wrist-bands and anklets.

For treatment of the complex privacy issues arising in relation to chip-borne authentication and digital signatures, see Greenleaf & Clarke (1997).

For an assessment of the broader area of chip-based IS, see Clarke (1997).

Countermeasures

This is one of the most substantial challenges confronting society. The key elements of resistance against the reduction of people to the level of animals or goods, include denial of central storage of identification details, denial of multiple use of a single identifier, and downright subterfuge by people in general, to ensure that most people have multiple official identities.

The author has proposed design criteria for chip-based ID.


Transmission Insecurity

Data transmitted over the Internet (using any of the many services and protocols, such as HTTP, SMTP and FTP) is subject to a number of risks, including:

For a discussion of these risks, see Clarke (1996).

Countermeasures

Means are available to address each of these risks. They depend on the use of cryptographic techniques, whereby the data is manipulated before it is sent, and re-manipulated on receipt, in ways that only the sender and the intended recipient can do. For an overview of security techniques for data transmissions, see Clarke (1996).

However ... the most powerful government in the world continues to seek to deny people the freedom to use the more powerful variants of these cryptographic techniques, on the grounds that people's communications should be able to be intercepted by that government's national security agency. The U.S. Administration's cold-war-warrior stance has now become isolated from the more pragmatic stances of most of the relevant nations. For a discussion of the confusions this is causing, see Clarke (1996).


More Transaction Trails, of Greater Intensity

We already leave behind us a considerable number of data trails. Because of corporate practices and the capabilities of information technology, even more are emerging.

New trails that Internet users are leaving behind them include:

These logs may be accumulated variously on the individual's own workstation, at their ISP (which is in some cases the person's employer), on other participant's workstations, and at the ISPs supporting other participants.

There is a current attempt to produce an additional, more sophisticated trail-generation mechanism, at the bidding of the web-servers that people visit. This mechanism is referred to as Cookies. A cookie is a record that is written onto the local drive of the web-browser, as a result of a command issued by a web-server. Each record has a long key, which is likely to be unique to a given application. When the user accesses a relevant page at a later date, the web-server causes the web-browser to read the record and transmit it to the web-server.

If they were designed carefully, cookies could become a welcome means of collaboration between browsers and servers. The false start that has been made is strongly biassed towards the interests of web-server operators, and against web-browser users. That bias may be in the process of being corrected; alternatively, the new standard that is being prepared may consolidate the attempt by would-be privacy-invaders to arm themselves with a powerful new weapon.

A further, imminent development is effective payment mechanisms on the net. Depending on how they are designed, these may be privacy-invasive, balanced, or privacy-intrusive.

Countermeasures

In general, transaction trials can be prevented or subverted through the denial of information, and the denial of identity.

A variety of counter-Cookie measures are available, the most basic of which is the denial of cookie-writing approval (which, at present, can involve an inordinate amount of effort on the part of the user ...).

People who value their privacy are demanding that net-based payment mechanisms, especially where they involve relatively low-value payments (e.g. under, say, $100), be anonymous, and hence deny the possibility of betraying the consumer's behaviour patterns.


Personal Profile Extraction

Beyond the accumulation of individual data-trails lies the probability of multiple trails being consolidated. This may occur in a variety of ways.

In the public sector, the motivations are social control and protection of the public purse, and the mechanisms include:

In the private sector, the motivations include:

There are, moreover, many attractions to corporations and agencies in collaborating among themselves in order to gain access to additional data-streams, with the insights into personal behaviour traits and proclivities that the consolidated database can generate.

The inexpensiveness of profile extraction makes the technique very attractive to organisations. But it also makes it widely available to individuals. The roles people play when they exploit the possibilities range from the fan, via the competitor, to the malevolent.

Brutally clear documentation of the ease with which information about an identified individual can be gathered is provided by the Stalkers' Home Page, and Lane's 'Naked in Cyberspace: How To Find Personal Information Online', and the associated Directory of Internet Resources.

One application of the power of search engines is that a persons's utterances on such forums as newsgroups, e-lists and web-chat may be turned up through searches in the future (Greenleaf 1996).

The U.S. Federal Trade Commission reported on 17 December 1997 on what it referred to as 'individual reference services' or look-up services'. The news release said that "The Report gives an overview of the types and sources of personal identifying information available. It explains that information about a person comes from public sources, such as real property records; marriage and divorce records; birth certificates; driving records; court records; postal records; and government applications, as well as from non-public sources, including survey data and credit and marketing information. Other sources of information about a person also can now be found using the Internet to access published materials, phone numbers and addresses, and information from Web sites where people publish their own identifying information.

"Convenient access to so much information about individuals through individual reference services confers myriad benefits on users of these services and on society. The look-up services enable law enforcement agencies to carry out their missions, public interest groups to find missing children, banks and corporations to prevent fraud, journalists to report the news, lawyers to locate witnesses, and consumers to find lost relatives," the Report states.

At the same time, the Report acknowledges that the increasing availability of this information poses various risks, including a potential threat to individual privacy and harm from unlawful uses of personal identifying information, such as identity theft and credit card fraud. In addition, "[g]iven the ease with which information can be gathered, aggregated, and shared, errors could be widely replicated and the harm long-lasting."

Countermeasures

Individuals often plead powerlessness against the economic incentives that drive large corporations, and the bureaucratic and political motivations of government agencies. In fact, there are many ways in which little people can do significant harm to the interests of large organisations, and force them to change their behaviour. An example of an organisation that provides guidance in such matters is NetAction.

One significant step that individuals can take is to adopt multiple identities. Many people may regard such a measure as being beneath their dignity, or more suitable to a crook than an honest person. In fact, there are many different kinds of people who adopt different identities to go with their different roles.

Moreover, multiple identities need not be blatant. A subtle approach is to vary the spelling of one's name and address. Among other outcomes, this can assist in tracking the ways in which one's details migrate from one data-repository to another.

A related approach is the provision of misinformation, preferably consistently inconsistently, i.e. using a different variant each time. This is most effective when used in relation to data that is only vaguely relevant to the purpose at hand, and can be applied to data as diverse as birthdates, incomes and family structure. The purpose of misinformation is to ensure that all data-holders come to accept data as being fundamentally inaccurate, rather than letting them subscribe to the myth that the digital persona is an adequate substitute for the actual person.

There is some degree of recognition within industry and government that the technology and its use embody serious privacy threats. The FTC Report of December 1997 brought pressure to bear on providers of such services, and reported in glowing terms about the industry self-regulatory arrangements. On the other hand, the 'voluntary industry principles' around which they revolve reveal that the protections afforded are very limited: distribution of only a few data items is restricted (Social Security number, mother's maiden name, birth date, credit history, financial history, medical records, or similar information, or any information about children); and "Look-up services may not allow the general public to run searches using a Social Security number as a search term".


Push-Marketing

An emergent concept that draws many of these privacy-invasive practices together is being referred to as 'push-marketing'.

The web was originally driven from the user's workstation, in a 'demand-pull' manner. The web-browser is now the dominant user-interface model, and there is a real risk that people trained to be complacent consumers may develop into thinking, demanding initiators. Unsurprisingly, this makes old-fashioned marketers and advertisers uncomfortable, and they are longing for a return to the simple-minded broadcast-mode, which in modern terms is the server-driven, supply-push approach.

Attempts are being made, on the one hand, to subvert the web-browser by turning the impetus around, and, on the other, to replace it with new tools that provide marketers with greater ability to manipulate the consumer's behaviour.

Countermeasures

If people wish to resist the subversion of pull technologies into push-media, and the replacement of pull technologies by push-media, teed to vote with their feet, and decline to use the new forms, despite the blandishments that will accompany them. Pre-Internet consumers have not shown a great deal of ability to act in concert, and in their own interests, but have followed the line of least resistance. Time will tell whether Internet-era consumers will behave differently.

Related to this issue is the question of 'relative bandwidth symmetry'. By this term, I mean that down-channels and up-channels to and from the home should be comparable in capacity (as befits a two-way medium), rather than heavily biased in favour of corporate marketers (which would subvert the Internet into something resembling a mere broadcast medium). See (Clarke 1994).


Dataveillance

I use the term 'dataveillance' to refer to the monitoring of individuals and groups through the transactions recorded about them, rather than through physical or electronic means. See Clarke (1988).

There are many potential, though not necessarily yet actual, privacy threats. An example is the mooted use of the [old] Telecommunications Act s.88(3) powers to "request" information from ISPs that amounts to a trace of the traffic passing through a particular user's workstation.

Countermeasures

This is a macro-issue, compared to the specifics discussed in the remainder of the paper. There can be little doubt that the enormous impacts of the many changes documented above demand a re-think of the entire concept of data surveillance. I'm in the process of preparing a paper which argues for very substantial enhancement to the limited 'fair information practices' of conventional information privacy protections.


Conclusions

This paper has provided an analysis of privacy threats, and laid the foundation for successor papers on 'Privacy on the Internet: Countermeasures', and 'Privacy on the Internet: Policy'.


Resources

A comprehensive set of resources is provided in the main paper.



xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.

Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 29 April 1997 - Last Amended: 8 February 1998 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/DV/InternetThreats.html
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2017   -    Privacy Policy