Privacy Essay.doc


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Privacy Essay.doc

  1. 1. Diluting the Transparency of the New Media The inherent functionality and nature of the Internet as a multi-directional transactional information depository is at the heart of the issues related to privacy and how enterprises and the general public utilize and interact with the Internet. The Internet has been described as the ‘new media', a new way of communicating and interacting with people that has never existed in the past. Innovative business models have developed over the past decade that have solely relied on this new level of interaction and have developed lucrative value propositions, which has taken traditional media from a passive to an active experience. The excitement and value of the Internet as a medium has revolved around the ability of enterprises to actively develop relationships and provide a new level of interaction with customers that was never before possible. Traditional media publishers typically collected demographic information through mass surveys and telemarketing, however the usefulness of this information was limited considering that the majority of respondents of surveys are those who are not satisfied; the Internet has reduced the application of this rule. Enterprises have migrated or initiated their business models to the Internet, such as AOL Time Warner1 and MusicMatch2, in response to this medium’s ability to collect and analyse information that was difficult or even impossible to assemble. Traditional media has undergone a convergence with technology that is changing the shape of our social economic interface, more pervasively convergence is decisively altering our social interaction. describes digital convergence as the idea of seamlessly merging or integrating applications (not applications in the sense of software) and technologies.3 Carly Fiorina, CEO of Hewlett Packard, suggests that a “new wave of technology 1 AOL Time Warner is a traditional conglomerate of Internet and communication infrastructures, traditional print, television and motion picture media. 2 MusicMatch provides an Internet Radio service that monitors a user’s preferences and adjusts the content accordingly. 3 Ken Soohoo. Digital Convergence Means Keeping it Simple for the Consumer. October 22, 2001 <>.
  2. 2. will empower customers - transforming how we do business, transforming how we create value, and transforming entire industries.”4 Technology analysts have described the last quarter of the twentieth century as the “Age of Information”, an idea substantially supported by the ease of accessing and collecting data that has been created by the capabilities of the Internet and eCommerce. It is the intent of this paper to discuss the impact of the Internet as a transactional environment that can cultivate the relationships between consumers and enterprises, and how the Internet has facilitated the collection of personal information causing attentiveness to privacy issues. The goal of this paper is to discuss the issues at hand and examine how the legal arena and enterprises have responded to privacy concerns, and/or how they still need to respond. This discussion will include issues that primarily exist in Canada and the United States of America. However, there will be some discussion of other international initiatives. Succession of Transparency Since the inception of print, radio, and television these mediums have remained generally passive in nature, limited in their capacity to communicate and interact with consumers. Collecting market information traditionally is time consuming and, at best, produced a generalization of the target market. Consequently, consumers were ultimately in control of their personal information and their degree of interaction with advertisers and marketers. One may argue that there did not exist a transparency of the medium. Advertisers and marketers were passively interacting with consumers, more importantly consumers were aware of the medium’s influence. These mediums have remained relatively unchanged, in their delivery of information; however advertisers and marketers have matured in the way they interact with consumers. Naomi Klein, author of No Logo, describes maturity in the delivery of the advertising and the 4 Carly Fiorina, Technology, Business and our way of life: What’s Next. Minneapolis, Minnesota, September 26, 2001 <>.
  3. 3. ‘message’ during the 1970s, 80s and 90s giving support and longevity to the theories put forth by Marshall McLuhan; specifically that ‘the medium is the message.’ Klein identifies “branding” as a means of creatively enhancing a static and passive medium. Branding effectively increases the ability of advertisers and marketers to develop a method of interacting with consumers while creating a transparent interface. Two examples of enterprises that have effectively utilized this transparency of advertising and marketing are Starbucks and the producers of the television series “Dawson’s Creek.”5 Scott Bedbury, Vice President of Marketing for Starbucks suggests “consumers don’t truly believe there’s a huge difference between products, which is why brands must establish emotional ties with their customers through the Starbucks Experience.”6 The Starbucks experience was adapted and refined to respond to those individuals that participated in the Starbucks Experience.7 Essentially, Starbucks proactively observed and collected information while consumer participated in the Starbucks experience to discover information about their consumers thereby creating a transparent interface, which enhanced traditional mediums of advertising and marketing. Some may consider observation and surveillance as an invasion of privacy, yet many would argue that by simply participating in society one must expect a level of observation and surveillance. This issue will continue to develop during the discussion of this paper, particularly in response to data collection via new technology and the Internet, which will facilitate electronic observation and surveillance. Nonetheless, it is important at this stage of the discussion to recognize that personal privacy has been somewhat diminished due to the transparent interface of consumer experience oriented enterprises. The Gartner Group, a technology strategy and research firm, suggests that observation and surveillance should be 5 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 22 – 40. 6 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 22. 7 Naomi Klein, No Logo. (New York: Picador USA, 1999), pp 19 – 23.
  4. 4. considered as a positive contribution to the consumer experience. However, they are quick to recognize the invasive nature that observation and surveillance creates when considering consumer privacy.8 Another example, the television series Dawson’s Creek and its cooperation with clothing enterprise J. Crew, demonstrates how media and the practice of branding have become quietly, or transparently, integrated into our media enhanced culture. In the television series, “[n]ot only did the characters all wear J. Crew clothes, not only did the windswept, nautical set make them look as if they had stepped off the pages of a J. Crew catalog, and not only did the characters spout dialogue like “He looks like he stepped out of a J. Crew catalog,” but the cast was also featured on the cover of the January J. Crew catalog.”9 This example does lack a direct link to privacy issues, however it is important in that it clearly demonstrates how culture, media and advertising have become transparent. More importantly, this example illustrates how consumers are becoming subject to the power and control of the medium - a complementary notion to our discussion in the coming sections. Shrinking Private and Public Space The convergence of technology with media further enhances this transparent interface with consumers. Naomi Klein makes an assertion that through branding and the creativity of traditional media there is a perception that private and public space is shrinking.10 Moreover, this assertion can be extended to suggest that as media migrates to a more interactive medium, the Internet, there is an increasing encroachment on public space and privacy. For example, Jeff Bezos, CEO of, describes his organization and business model not as a bookstore (as was their initial product offering), but as an information broker. has openly articulated to their customers that they are capable of collecting and maintaining a database of 8 Gartner Group, Surveillance and Privacy: Technology and Opportunities. Jackie Fenn, 1 April 2002, p 1 9 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 42. 10 Naomi Klein, No Logo. (New York: Picador USA, 1999), pp 60 – 80.
  5. 5. interests and reading habits, thereby suggesting the ability to profile consumers. This is a major enhancement and an example of increasing the transparency of collecting and observing consumers via the Internet and ‘the experience’. Previously, consumers, if transacting through cash, only shared limited information while participating in traditional shopping malls. However, eCommerce requires information to deliver products and complete credit card transactions, thereby contributing to the ability to electronically collect, warehouse and analyze consumer information. More importantly, the Internet is capable of monitor and recording interests and buying habits. When considering a shrinking of private and public space, consider that describes its business model as maintaining two types of customers: consumers looking for books and publishers looking for consumers.11 This invasive environment is allowing enterprises to more efficiently target consumers thereby contributing to the contraction of personal space. As discussed previously, consumers have traditionally maintained a choice as to the degree that they participated in the public theater. However, the Internet has created an economic environment that places control and knowledge in the hands of the enterprise to which they can manipulate consumers via their personal information and actions. Consider the previous discussion regarding Starbucks and their ability to control and adapt the experience or the medium (advertising to pull consumers to their products), to respond and target certain types of consumers. Furthermore, consider the social control and influence that J. Crew communicates through television by persuading the cultural fabricate to value their products. The central concept is that much of this influential control and conditioning - resulting in observation and data collection - is performed with little knowledge by the consumers thereby violating what could be considered private. 11 EPIC, Request for Participation and Comment from the Electronic Privacy Information Center. Accessed March 2002 <>.
  6. 6. Enterprises are driven by the desire to target individuals likely to purchase items or respond to certain types of advertising. More importantly, enterprises are trying to reduce the costs associated with marketing and are increasingly becoming aware of how collecting personal information will effectively and efficiently predict and target consumers. AOL Time Warner Chairman, Steve Case, comments that he must deliver on promises made to Wall Street while balancing the privacy concerns of consumers with profits. Steve Case expressed concerns about how the United States Congress may ‘crack down’ on practices such as data mining, which was one of the primary reasons for the AOL merger with Time Warner.12 By bringing consumer information from both enterprises together, AOL Time Warner is capable of boosting revenues through cross-business collaboration or cross-selling.13 Digital Trails It is at this stage of the discussion that the real issues involving privacy and the Internet begin to take shape and can be easily identified with the convergence of technology and media, which contributes to the transparency of the medium with respect to user information. Practices such as Data Mining, Data Matching, Adware, and Spyware are all contributing to a new transparency of the Internet to which consumers are ultimately unaware of the abilities of enterprises to collect and make use of personal information. By simply posting a message to the Internet, it is possible to aggregate a message and all information attached, such as one’s name, IP address14, network name and interests. By simply participating and interacting with the Internet a user should expect that they are dynamically sharing and disseminating information.15 Can one then assume an expectation of privacy when participating in the public arena and be 12 The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002, p 1. 13 The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002, p 2 – 3. 14 An identifier for a computer or device on a network. Within an isolated network, you can assign IP addresses at random as long as each one is unique. However, connecting a private network to the Internet requires using registered IP addresses (called Internet addresses) to avoid duplicates. Source: 15 Steve Gibson of is an excellent resource to read about issues of security on the Internet and the information which one is potentially sharing and disseminating within a public network.
  7. 7. immune to observation and surveillance? In short, this would be a dangerous expectation, and one that many consumers made when they chose to purchase a coffee at Starbucks. Furthermore, the Internet (which is a public network) and the inherent technological abilities of an electronically supported transactional medium should suggest to the majority of consumers that there is a possibility that personal space will be encroached upon. The aforementioned practices of Data Mining, Spyware and others, utilize and/or capture a digital trail which advances and enhances an organization’s ability to observe and survey the general public. As our previous assertion suggested, there is a shrinking of public and private space due to these practices. Of interest are the comments by AOL Time Warner executive Vice President for global and strategic policy, who suggests that: [the United States] Congress should pass legislation requiring companies to provide consumers with notice of privacy policies and give them a choice about how their data can be used. Any further restrictions would inhibit ‘flexibility.’16 In effect, an enterprise is calling upon the government to put in place guidelines and laws which will inform consumers as to the collection and exploitation of their digital trail, yet it does not condemn the practice of this invasive technology. Through this statement AOL Time Warner is responding to the inherent transparency of advertising and marketing, and is charging government to reduce the transparency of the Internet in response to the invasive nature of the medium. It would be fair to suggest that AOL Time Warner is recognizing the vast complications involving privacy and are demonstrating a social responsibility to protect consumers. Moreover, AOL Time Warner is also suggesting that there is a strong possibility that consumers will remove themselves from the Internet and regard eCommerce as an insidious medium capable of profiling, classification, discrimination and dilution of personal space. 16 The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002, p 3.
  8. 8. Enhancing the Medium? Capturing Data/Information Previously, it was discussed that public and private institutions have or are planning to implement practices which will collect and make use of personal information. It is important to recognize that there are two phases to this issue. The first being the collection of data through technologies that either actively or passively monitor a user’s Internet activity. DoubleClick, the recognized leader in user data collection, whose goal is to make their clients ”marketing work better.” DoubleClick proposes to deliver a more complete understanding of consumers effectively reach and influence their consumers and measure the results of their client marketing efforts with a new level of accuracy.17 DoubleClick’s primary technology utilizes cookies18, which capture certain parts of the communication with DoubleClick clients or affiliates. Webopedia describes the purpose of a cookie as a means to: Identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages.19 This explanation provides the general function of cookie technology, however DoubleClick has adapted this technology to allow them to capture any information that a user gets or posts. As recorded by the court during a review of litigation involving the Web Users (Plaintiff), sought an injunction regarding monetary relief for injuries suffered as a result of actions on the part of DoubleClick by collecting information via a GET command: 17, accessed April 2002. 18 A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server. source: Webopedia. 19 <>, 13 May 2002 – search term: cookie.
  9. 9. “submitted as part of a Web site’s address or “URL,” in what is known as a “query string.” For example, a request for a hypothetical online record store’s selection of Bon Jovi albums might read: http://recordstore.hypothetical. com/serach?terms=bonjovi. The URL query string begins with the “?” character meaning the cookie would record that the user requested information about Bon Jovi.”20 A POST occurs when a user : “fill[s]-in multiple blank fields on a webpage. For example, if a user signed-up for an online discussion group, he might have to fill-in fields with his name, address, email address, phone number and discussion group alias. The cookie would capture this submitted post information.”21 Another technology, which DoubleClick utilizes, are tags imbedded in GIF images placed on their client’s websites. GIF tags are the size of a single pixel and are invisible to users. These tags record a user’s movements throughout a website allowing DoubleClick to capture the information a user sought and viewed.22 DoubleClick provides an example of how organizations can effectively and efficiently monitor and capture user information. The Internet is full of these services, which enhance the marketing power of enterprises, yet they argue that this in turn provides for an enhanced experience for the user. DoubleClick’s main business model attempts to read a user’s doubleclick_cookie.txt and then populates allocated advertising space on the affiliated/client website with targeted content. It would be careless to suggest that DoubleClick is not enhancing the experience of the Internet, however their means of providing this experience is somewhat questionable. Clearly, this example illustrates the increased transparency that the Internet yields to advertisers and marketers to enhance and effectively use this medium. Moreover, there is an increased transparency and decreased awareness of the user as to how they interact with enterprises and 20 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 10. 21 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 10. 22 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 10.
  10. 10. how they are targeted to effect their social economic behaviour. There are a number of issues related to this litigation, and it will be further investigated in subsequent sections. It is important to realize that DoubleClick is only one of the numerous organizations that have developed their entire business model on this elusive aggregation of data. Other enterprises of note that participate in this elusive aggregation of data are vx2 and Aureate/Radiate. Both of these enterprises share many of the same value propositions that DoubleClick proposes. However, these software offerings have created a new industry and are contributing to concerns of personal privacy. Spyware and Adware is “any software that covertly gathers user information through the user’s Internet connection without his or her knowledge, usually for advertising purposes.”23 These software applications create a new degree of transparency and are somewhat likened to a Trojan Horse virus.24 The insidious characteristics of these applications is that they are constantly monitoring and relaying clickstream25 information back to a remote database, are always on, and are imbedded in the operating system of your computer. This seamless integration allows for captured keystrokes (such as credit card numbers), scans files on the user’s hard drive and effectively ‘snoops’ about the computer.26 The potential impact of these devices in regards to privacy is tremendous, and the United States Congress has addressed this ‘breed’ of software in recent legislation (S.197 – Spyware Control and Privacy Protection Act of 2001), which will be discussed later. For our current purposes, Spyware and Adware do enhance the Internet experience, much like 23 <>, search term: Spyware. 24 A Trojan Horse is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive.The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy. Source: Webopedia. 25 A clickstream is a record of a user's activity on the Internet, including every Web site and every page of every Web site that the user visits, how long the user was on a page or site, in what order the pages were visited, any newsgroups that the user participates in and even the e-mail addresses of mail that the user sends and receives. Both ISPs and individual Web sites are capable of tracking a user's clickstream. Source: Webopedia. 26 <>, search term: spyware.
  11. 11. DoubleClick, by providing content that is more likely to be of interest and relevance to a particular user. However, there is a real concern regarding the method of providing this experience, which clearly has become intrusive in nature. Moreover, many of these applications purposely attempt to disrupt the experience of the user by providing pop-up ads27 that interrupt the user but provides scores of impressions for the advertiser. Business Intelligence Collecting data is one thing, putting the information to use is another issue. Richard Hunter, author of World Without Secrets, presents the principle that “when everything is known, no one knows everything.”28 Although many technology advances certainly make surveillance more effective, many obstacles remain which will allow enterprises to achieve a high level of effectiveness and analysis of the data. Sophisticated artificial intelligence software such as SAS Enterprise Miner ( has removed some of the obstacles involved with making use of data. Tools such as SAS allow for enormous sets of data to be analyzed, recognizing patterns and predicting the likelihood of future behaviour based on like-minded records. These abilities lend to the danger that individuals will be discriminated against based on potential and likelihood, rather than exhibited characteristics. Research performed by Garnter in February of 2002 observes that 60 percent of companies are using business intelligence, yet only 10 percent of this 60 percent are effectively using business intelligence data; obtaining quality data tends to be the biggest problem with implementing business intelligence. Most enterprises recognize the potential of these practices and techniques due to the potential for creating greater customer loyalty.29 Enterprises such as Yahoo! exploit these predictive models to provide personalization of services and targeted 27 Pop-up Ads are advertisements that open a separate instance of your web browser and display an advertisement. source: Webopedia 28 Gartner Group, Surveillance and Privacy: Technology and Opportunities. Jackie Fenn 1 April 2002, p 3. 29 Computing, Gathering Intelligence for a more efficient Business. 21 February 2002, p 2.
  12. 12. advertising, yet must implement a balance between personalization and privacy which demonstrates their awareness of the hazards of a transparent ability to market and target consumers. Data Matching The potential to pool data to employ data mining techniques creates a unique issue in the realm of privacy. Legislation has been responding to this issue by limiting enterprises to use data beyond that of the original purpose communicated to the user. However, privacy policies are known to be generic and vague, and allow for the enterprise to change their minds at any time. AOL Time Warner notes that data matching for the purpose of cross-selling their services and products was the main reason that drove the merger of these two organizations. DoubleClick acquired Abacus Direct Corporation for more than one billion dollars with the suspicious intention and potential to data match to improve third party marketing efforts, not their own. Abacus maintained a database of direct market records, which consisted of names, addresses, telephone numbers, retail purchasing habits and other personal information, for which they claim to have for 90 percent of United States households. A United States Federal Trade Commission investigation ensued shortly after DoubleClick amended its privacy policy removing the assurance that information gathered by DoubleClick would not be matched or associated with third party data that was personally identifiable.30 The Legal Response New Zealand, a leader in privacy legislation, was one of the first nations to respond to the threat of the above-mentioned technologies and practices. The New Zealand Act, enacted as early as 1993, addressed both public and private sectors and the potential to collect publicly available information. New Zealand defined publicly available information as “personal 30 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 12.
  13. 13. information that is contained in a publicly available publication,” such as a magazine, book, and newspaper which is generally available to members of the public. Of note to our discussion is the fact that public registers are considered publicly available information. Access to registry information becomes an issue when referring to data collection, mining and matching. The availability of public registers allows for the matching of personally identifiable information from sources such as electoral lists, drivers licenses and telephone registries. By simply obtaining a telephone number, it is possible to discover the location of a household, age of the residents, and their general income based on the type/age of car they drive. This information can then be mined to predict the household’s interests, political tendencies, buying patterns and brand loyalty propensity. New Zealand responded to this concern by applying four privacy principles to the use of public register: • Personal information shall be made available from a public register only by search references that are consistent with the manner in which the register is indexed or organized. • Personal information obtained from the public register shall not be re-sorted, or combined with personal information obtained from any other public register, for the purpose of making available for valuable consideration personal information assembled in a form in which that personal information could not be obtained directly from the register. • Personal information in a public register shall not be made available by means of electronic transmission, unless the purpose of the transmission is to make the information available to a member of the public who wishes to search the register. • Personal information shall be made available from a public register for no charge or for no more than a reasonable charge.31 In terms of data mining and matching, this legislation was a major step towards the protection of privacy although its intent was to put in place principles for using publicly available information. Nonetheless, it is a response to the mode in which technology is changing the private sector’s use of publicly available personal information. 31 McCarthy Tétrault, Publicly available personal information and Canada’s Personal Information Protection and Electronic Documents Act. Rick Shields, 12 October 2000, p 31 – 32.
  14. 14. Technology has fundamentally altered the mode of accessibility, delivery and speed of acquiring data. Therefore, “the central legal issue, not surprisingly, has involved determining the point at which personal information ceases to be private or confidential, and becomes public. The general rule that has emerged is that information, whether personal or otherwise, becomes publicly available and ceases to be private/confidential when it has become accessible by the public by any means.”32 This has become the standard for the Canadian Federal Courts and should present a number of concerns when considering the ability of technology to glean user information from a public network. Does this further support the assertion made earlier, that by simply participating within the online public world, one should expect to broadcast personal information for government and enterprises to capture and exploit? This remains to be challenged and applied, however it is necessary to recognize the potential dilemmas and confusion that previous legislation has created. The Personal Information Protection and Electronic Documents Act (PIPEDA) helps provide some clarity and further protection of privacy. This legislation puts in place guidelines and laws that both the public and private sectors must adhere to when collecting and working with personally identifiable information. Privacy Commissioner of Canada, George Radwanski, asserts that “ [p]rotecting our privacy helps protect our independence, our ability to control our own lives, and our freedom to make our own decisions.”33 In short, PIPEDA provides the public control over their personal information by requiring organizations to obtain consent to collect, use and disclose information about an individual. Furthermore, the Canadian Standards Association (CSA) Model Code lies at the heart of PIPEDA and is granted legal effect by virtue of its inclusion. The CSA Code puts forth ten principles that seem somewhat more like 32 McCarthy Tétrault, Publicly available personal information and Canada’s Personal Information Protection and Electronic Documents Act. Rick Shields, 12 October 2000, p 8. 33 Office of the Privacy Commissioner of Canada, A Guide for Canadians: Your Privacy Rights – Canada’s Personal Information Protection and Electronic Documents Act. February 2001, p 2.
  15. 15. corporate best practices. These principles are: Accountability, Identifying Purpose, Consent, Limiting Collection, Limiting Use, Disclosure, and Retention, Accuracy, Safeguards, Openness, Individual Access and Challenging Compliance. For our purposes, the principles of Identifying Purpose, Providing Consent, Limiting Collection and Limiting Use, Disclosure, and Retention encompass the relevant issues capable of diluting the transparency of the Internet, thereby transferring awareness and control of personal information back to the individual. Identifying Purpose requires organizations to identify and document the purpose for which information is being collected. As well, an organization should only collect information that is necessary to fulfill the purpose of collection. Furthermore, if the collected information is to be used for another purpose, this must be communicated to the individual and consent granted. Consider the practice of Spyware, this technology clearly violates these principles by collecting any and all information that is entered into the computer or may reside on a media storage device. Moreover, the principle of consent maintains that “an organization, shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.”34 Interesting are the practices of software developers that utilize solutions from the Gator Advertising and Information Network (GAIN) and other Adware/Spyware software. As a condition of using certain software a user must accept the installation of GAINware, additional software that collects information regarding a user. GAIN professes not to collect personally identifiable information, yet they do make reference to: • Which web pages your computer views and how much time is spent at those sites • Your response to the ads displayed • Standard web log information and system settings35 • What software is on your computer 34 Michael Geist, Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001), p 282. 35 Web logs and systems settings tend to maintain user logins, passwords and usually a personally identifiable user name.
  16. 16. • Your first name, country, and five digit ZIP code • Your GAINware usage characteristics and preferences36 In today’s age of Data Matching and Mining, there is a strong possibility that the information collected by GAIN is capable of collecting personally identifiable information. For example, by collecting the first name, country, zip code, and web log information it is possible to match a captured user login that is a unique and personally identifiable piece of information. McVeigh v. Cohen is an excellent example in American case law. McVeigh composed and submitted an email to an individual who then used his user name to find McVeigh’s member profile and was able to identify McVeigh who was enlisted with the United States Navy and was profiled as a homo-sexual and thereby in breach of United States military law.37 Clearly, these four CSA principles go hand in hand to protect the privacy of individuals. However, there remains the issue of jurisdiction and enforcing such laws. The examples provided were heard in the United States, yet the services and issues transcend borders. Implementing such principles on a public and uncontrolled medium is somewhat ineffective. However, the Government of Canada has fulfilled their obligation to provide Canadians with knowledge and awareness of the issues at hand. More importantly, ”the central obligation of the new privacy legislation is the need for data collectors to provide transparent privacy policies so that Canadians are accurately informed about who is collecting their data, why it is being collected, and how it will be used.”38 Unlike Canada, the United States has not implemented comprehensive legislation that sets forth principles similar to PIPEDA. A discussion with Brian Keith, Partner with the law firm Borden, Ladner, and Gervais in Toronto, suggests that the United States has responded to 36 Gator Privacy Statement included with the ad supported full version of the DIVX Playa. The DIVX Playa is a media player similar to Windows Media Player found at Gator can be found at 37 Michael Geist, Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001), p 270 – 272. 38 Michael Geist, Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001), p 273.
  17. 17. privacy issues in a manner that is abuse driven, rather than the Canadian principle driven approach. In this sense, one could argue that the United States has created an environment that is responding to the technical abuses and transparency provided to advertisers and marketers, which is an inherent component of the medium. The Spyware Control and Privacy Act of 2001 provides “for the disclosure of the collection of information through computer software, and for other purposes.”39 Furthermore this Act provides a response to the technical abilities of the Internet. The Act additionally states that: Any computer software made available to the public, whether by sale or without charge, that includes a capability to collect information about the user of such computer software, the hardware on which such computer software is used, or the manner in which such computer software is used, and to disclose to such information to any person other than the user of such computer software.40 A key concept within this Act is the response to the collection of any information that is about the user which is somewhat different than ‘personally identifiable information’. Yet the Act does share some similarities in that it requires a ”clear and conspicuous” written “description of the information subject to collection and the name and address of each person to whom such computer software will transmit,” in addition to, “…how to disable such capability…[and provide a user] of such computer software provides affirmative consent, in advance, to the enablement of the capability.”41 Certainly, this Act is a response to the abusive nature of the technology on the Internet and may prove more useful at diluting the transparent nature of the Internet. Brian Keith provides further insight by noting that George Radwanski, Federal Privacy Commissioner, has spoken out against the Canadian Government and its lack of guidance and leadership to Industry to create a list of acceptable software applications and practices such as data mining, matching 39 Spyware Control and Privacy Protection Act of 2001, S.197, p 1. 40 Spyware Control and Privacy Protection Act of 2001, S.197, p 2. 41 Spyware Control and Privacy Protection Act of 2001, S.197, p 2.
  18. 18. and collection technology that do not conflict with privacy legislation. This may be an inherent fault concerning the way in which privacy legislation in Canada was adopted. In short, some may argue that Canada’s hastily enacted privacy legislation was enacted in response to strict European Union Directives - while the United States has laboured providing basic voluntary Safe Harbour conventions and focusing on the pending issues and abuses. For example, the United States has enacted legislation to protect children on the Internet and has identified clear guidelines for financial institutions and the intrinsic concerns of financial privacy in an electronic age. Ontario has proposed legislation to replace PIPEDA (as is the province’s right to do so as outlined in PIPEDA), which attempts to create ‘comprehensive privacy legislation’ which conveys to the people on Ontario confidence that their personal information is protected when dealing with the private and public sector. The proposal suggests that the government believes that it is important to strike a balance between an individuals right to control their personal information, while at the same time meeting the needs of the private sector to encourage commerce in a digital economy.42 An initial review of the proposal suggests that the proposed legislation corresponds with the principles outlined in PIPEDA. Of interest is the expanded definition of personal information to include any information about an individual that can be manipulated and used to identify or contact an individual.43 This suggests a movement towards a discussion regarding the technical abilities of an enterprise to match and mine data. A further addition is an opt-out clause, whereby consumer and users are assumed to have opted-out of providing information, unless they explicitly provide consent or an action to allow for the collection of information. The Canadian Marketing Association (CMA) has addressed this issue 42 Ministry of Consumer and Business Services, A consultation on the Draft: Privacy of Personal Information Act, 2002. Ontario Proposed Privacy Legislation, p 2. 43 Ontario Proposes Disastrous Legislation, <>, p 3.
  19. 19. extensively since it dramatically affects the ability of advertisers and marketers to perform their purposeful functions. An assumed opt-out does remove a certain negative transparency of interactive mediums, yet obstructs many of the inherent functions of a digital economy and the ability to enhance and make use of the medium. Many users are unaware of their required action to opt-in, much like they are unaware of opting-out; an interesting conundrum. Brian Keith shared a comment made by George Radwanski whereby Radwanski stated that as Privacy Commissioner he would not support or enforce an assumed opt-out. Radwanski believes that this clause goes against the very nature of humanity and its social function to perform functions for others without their consent. In other words, one could never perform random acts of kindness without first asking for permission; clearly a balance needs to be realized. The proposed Ontario Legislation is taking a number of steps towards the protection of privacy and reducing the transparency of collecting information in an undisclosed fashion. One may argue that Ontario is beginning to respond by drafting legislation from the viewpoint of protecting the public from abusive practices, much like the United States. However, this proposed legislation is far from addressing the concerns of privacy and the convergence of technology. The United States appears to be ahead of Canada and other nations in its attempt to isolate the impact of technology on privacy, particularly addressing the process of collecting data such as the Spyware Control and Privacy Protection Act of 2001. Maturing Legislation and Litigation Privacy law is very much in its infancy and will continue to develop in response to technical abilities and the processes of collecting information. Currently there are few cases involving the convergence of privacy and technology, of those many have been settled out of Court and are cases heard in the United States. Throughout the available cases, it is interesting
  20. 20. to note that many were tried not on privacy pertaining to data collection issues, but rather the acts pertaining to computer fraud and abuse, electronic communication and privacy, and wiretapping. A common thread throughout this legislation pertains to authorized surveillance of communications which indirectly deals with data collection. However, as noted previously, the United States tends to deal with abusive actions than the deeper principles and consequences of electronic communication which may prove to limit the ability to take action on abuses of technology. DoubleClick tends to be the prominent figure and has been accused of misconduct on many occasions. Earlier, this paper discussed a class action case in which DoubleClick was accused of collecting information such as names, and email addresses. Within this case exists three main issues: intercepting communications, active participation and interaction with a web site and authorized access to a user’s computer. Under the Electronic Communications Privacy Act (ECPA), the Plaintiffs charged DoubleClick with the unauthorized interception of a private communication between two users. The ECPA defines a ‘user’ as “any person or entity who (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use.”44 This is an important definition in that it recognized that a Web Server is an entity of communication, and therefore capable of providing consent to a third party’s participation in the communication. However, the plaintiffs do attempt to argue that on the basic principle of property and privacy rights, they are the only users that are allowed to provide consent to access their personal computers. Yet the United States Congress was clear to note that those who are intended to receive a communication are capable of providing consent. Thus, DoubleClick’s clients have provided consent to incept the communication and collect any information that a user sends or requests from the website. The Plaintiffs subsequently attempt a 44 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 16.
  21. 21. similar charge by virtue of the United States Federal Wiretap Act. The act provides for criminal punishment and a private right of action against: any person who-- (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept wire, oral, or electronic communication [except as provided in the statute].45 However, this act also provides an exemption in that: It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or any State.46 Again, DoubleClick is afforded consent by their clients to intercept the communication of users who have actively participated with a website that is affiliated with DoubleClick. Finally, the third claim was charged under the Computer Fraud and Abuse Act (CFAA). This act addresses: “whoever…intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains…information from any protected computer if the conduct involved an interstate or foreign communication…shall be punished as provided in subsection (c) of this section.47 DoubleClick did not contests that the Plaintiffs’ computers were ‘protected’ under the CFAA and that accessing these computers was unauthorized. However, the Plaintiffs were required to demonstrate a loss or damage of which must exceed $5 000 per Plaintiff. This brings to question the value that one places on information and whether personal information should be considered and treated as a commodity. In terms of this case, the harvesting of ‘user’ information was not granted economic value, thus loss or damage was not demonstrated. The case was concluded with the defendant’s motion to dismiss granted, but the plaintiffs’ ‘Amended Complaint’ was 45 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 20. 46 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 20. 47 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 25.
  22. 22. dismissed with prejudice as the Judge noted that United States Congress was considering legislation that would specifically recognize and regulate the online harvesting of user information. Of note, the Judge also suggested that some of the considerations by Congress made “exceptions for conduct like DoubleClick’s.”48 The DoubleClick case demonstrates how enterprises are allowed to generate a transparency of the Internet and encourages harvesting of user information by allowing the convergence of surveillance technologies and practices intended to protect individuals from criminal misconduct resulting in loss or damage. Furthermore, this case demonstrates that there is a lack of perceived value towards personal/user information, more specifically economic value, within the current legal arena. Should there be a formula that denotes the economic value of user information? In response to avenues of litigation for users, this would provide a method of proving damages and thus allow for a successful charge under the CFAA. Accordingly, the legislation ignores the privacy issues of users in regards to electronic communications. This discussion begs the question: should the deceptive collection of personal information be deemed a criminal offence? Furthermore, should the definition of personal information be extended, beyond even that of the proposed Government of Ontario legislation which proposes any information about an individual that can be manipulated and used to identify or contact an individual, to include clickstream data that in effect observes and monitors individuals? Legislation has yet to adequately discuss these methods of surveillance, however enterprises must recognize that these techniques may negatively impact the potential to develop customer loyalty and confidence, while encouraging electronic commerce. DTM Research v. AT&T, indirectly related to this discussion, contains an interesting comment by AT&T. AT&T declined to award a contract to DTM Research to make use of their data mining techniques because 48 In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.), p 33.
  23. 23. AT&T believed that issues of customer confidentiality cautioned against awarding the contract to a third-part considering that this action may involve sharing confidential consumer information. Although these comments may have been made with prejudice to legitimize declining the contract, this comment does demonstrate that enterprises have a responsibility to themselves, but more importantly to the consumer, to maintain confidence. A final case provides depth to the argument that by making information generally available to the public, as suggested in Canadian legislation, does not necessarily mean that this information may be collected. EF Cultural v. Explorica involves two student discount travel agencies who were in direct competition and were partaking in an active price war. Explorica constantly undercut EF Cultural and was able to do this by querying and extracting information directly from the EF Cultural website. Explorica developed a software scraper, also called a robot49, that surgically submitted queries to the EF Cultural website which aggregated all the potential rates and schedules that EF Cultural offered to its clients. As this was only a request for a preliminary injunction, on appeal from the United States District Court for the District of Massachusetts, it can only be noted that the court found that EF Cultural “would likely prove that Explorica violated the CFAA when it used EF Cultural’s website in a manner outside the ‘reasonable expectations’ of both EF [Cultural] and its ordinary users.”50 Therefore, could one argue that accessing a personal computer, much like DoubleClick did for the purpose of collecting user information is outside ‘reasonable expectations’ of the user? Searching for cases proposing this argument did not yield success, however it seems fair to suggest that this is a 49 A Robot is a program that runs automatically without human intervention. Typically, as robot is endowed with some artificial intelligence to help accomplish its task and react to different situations it may encounter. source: Webopedia. 50 EF CULTURAL TRAVEL BV, EF CULTURAL TOURS BV, EF INSTITUTE FOR CULTURAL EXCHANGE, INC., EF CULTURAL SERVICES BV, AND GO AHEAD VACATIONS, INC., Plaintiffs, Appellees, v. EXPLORICA, INC., OLLE OLSSON, PETER NILSSON, PHILIP GORMLEY, ALEXANDRA BERNADOTTE, ANDERS ERIKSSON, DEBORAH JOHNSON, AND STEFAN NILSSON, Defendants, Appellants, 274 F.3d 577 (2001) (US Court of Appeals for the First Circuit), p 5.
  24. 24. conceivable argument when consider that users are generally unaware of such privacy concerns and that the transparency of the Internet and lack of appropriate controls continue to suppress these concerns. Conclusion Privacy concerns are real and government bodies are attempting to address the issues that have evolved due to the expansion and usability of the Internet. However, there is a considerable need for legislation to identify and put in place guidelines and law that will realize the technological capabilities of the Internet and the impact on privacy. Canada and other nations have identified the principles of protecting privacy while the United States has begun to address the specific technological capabilities. The Internet provides and facilitates for an almost unlimited means of communication that reaches into the social and cultural structure of our societal infrastructure. Additionally, advances in information technology and data management offer the promise of a new and prosperous knowledge-based economy. Naomi Klein suggests that Branding, and arguably Internet privacy issues, are “stripping the hosting culture [the Internet] of its inherent value and treating it as little more than a promotional tool.”51 The use of data mining, matching and collection techniques have clearly demonstrated that the Internet can and will be used as a promotion tool. However, at issue is the Internet’s capability to provide organizations to transparently integrate their marketing and advertising practices reducing user awareness and resulting in manipulation or an enhanced experience. Yet as this transparency increases, legislators are attempting to remove a degree of transparency while attempting to maintain transparent privacy policies and practices to encourage eCommerce and allow for the functionality of a knowledge-based economy. As in all societal structures, striking a balance is the key component to a successful integration of any 51 Naomi Klein, No Logo. (New York: Picador USA, 1999), p 39.
  25. 25. social, economic and political issue. However, in a technologically enhanced society, should the public expect a level of surveillance and observation? Many would argue that our digital economy is being disengaged from our social rights, namely privacy. Yet society continues to demand personalized, enhanced, and new services, which inherently demands personal/user information. Just as technology has the capability to abuse individual rights, it also has the ability to protect and secure these rights. In brief, enterprises should recognize the necessity to integrate privacy and security into their software and business practices52 allowing legislators and enforcement agencies to focus on those who abuse the power of the Internet. 52 Message delivered by Ann Couvoukian during a lecture delivered to Dalhousie Law students: February 2002.
  26. 26. Bibliography Fiorina, Carly. Technology, Business and our way of life: What’s Next. Minneapolis, Minnesota, September 26, 2001 <>. Geist, Michael. Internet Law in Canada. ed 2 (Ottawa: Captus Press, 2001). Klein, Naomi. No Logo. New York: Picador USA, 1999, p 22 – 40. Soohoo, Ken. Digital Convergence Means Keeping it Simple for the Consumer. October 22, 2001 <>. Articles Computing, Gathering Intelligence for a more efficient Business. 21 February 2002. EPIC, Request for Participation and Comment from the Electronic Privacy Information Center. Accessed March 2002 <>. Gartner Group, Surveillance and Privacy: Technology and Opportunities. Jackie Fenn, 1 April 2002. Ministry of Consumer and Business Services, A consultation on the Draft: Privacy of Personal Information Act, 2002. Ontario Proposed Privacy Legislation. Office of the Privacy Commissioner of Canada, A Guide for Canadians: Your Privacy Rights – Canada’s Personal Information Protection and Electronic Documents Act. February 2001. Ontario Proposes Disastrous Legislation, <>. Tétrault, McCarthy. Publicly available personal information and Canada’s Personal Information Protection and Electronic Documents Act. Rick Shields, 12 October 2000. The Atlanta Journal and Constitution, Public Anger growing over Net Privacy Issues. 4 March 2002., accessed April 2002. Legal Resources DTM RESEARCH, L.L.C., Plaintiff-Appellee, and UNITED STATES OF AMERICA, Intervenor- Appellee, v. AT&T CORPORATION, Defendant-Appellant, 245 F.3d 327 (2001) (U.S.Court of Appeals for the Fourth Circuit). In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (2001) (U.S. Dist. N.Y.). Spyware Control and Privacy Protection Act of 2001, S.197. EF CULTURAL TRAVEL BV, EF CULTURAL TOURS BV, EF INSTITUTE FOR CULTURAL EXCHANGE, INC., EF CULTURAL SERVICES BV, AND GO AHEAD VACATIONS, INC., Plaintiffs, Appellees, v. EXPLORICA, INC., OLLE OLSSON, PETER NILSSON, PHILIP GORMLEY, ALEXANDRA BERNADOTTE, ANDERS ERIKSSON, DEBORAH JOHNSON, AND STEFAN NILSSON, Defendants, Appellants, 274 F.3d 577 (2001) (US Court of Appeals for the First Circuit). Websites Definitions: <>.