Rules of the Road for Navigating the Information Superhighway - Human Rights Magazine, Winter 1999


Human Rights

Rules of the Road for Navigating the Information Superhighway

By Barry Fraser

This article was adapted from Fact Sheet #18, entitled "Privacy in Cyberspace" written by Barry Fraser for the Privacy Rights Clearinghouse and is reprinted here with permission.

If you have access to a computer and a modem, then you are licensed to drive on the information superhighway. And you are one of a growing number of online participants. According to one study, one-third of the nation’s households now have a personal computer. Another study found that one-third of Americans over 18 years of age use the Internet. This is over 70 million adults. (Nielsen Survey, August 1998.)

The information superhighway can bring many benefits. However, it may create many new threats to our personal privacy as well. Unless you know the privacy "rules of the road," your online activity may lead to significant privacy problems.

What Are "Online Communications?"

Glossary of Online Terms

BBS - Stands for Bulletin Board System. A local computer that can be called directly with a modem. Usually they are privately operated, and offer various services depending on the owner and the users. Often a BBS is not connected to a network of other computers, but increasingly BBSs are offering Internet access.

Browser - Software that enables you to navigate the Internet and visit Websites. The major browsers are Netscape Navigator and Microsoft Internet Explorer.

Commercial Online Service - A service in which users pay a certain fee to dial into what is essentially a very large BBS. These services provide a wide range of conferences, forums, software files, news and information, as well as e-mail service. Examples include Prodigy, Compuserve, America Online, the Microsoft Network, and others. Many of these services offer access to the Internet.

Cookies - A feature of many Web browsers defined as client-side persistent information. Cookies allow Websites to store information about your visit to that site on your hard drive. Then, when you return, the site reads the cookies it stored to find out if you have been there before.

Cyberspace - The "place" where online activities occur. Commentators have noted that many of the activities that take place online are analogous to activities that occur in physical space. These online activities are said to take place in cyberspace.

FTP - Stands for File Transfer Protocol. A system of file storage on the Internet that allows users to upload or download entire files.

Internet - An immense global network of computers. The Internet is not owned by any one entity, but rather owners of individual computer systems agree to participate in it. Users with an account with one of these computers generally may connect with any other computer on the network.

ISP - Stands for Internet Service Provider. A service that provides subscribers with direct access to the Internet. Some of the larger ISPs include Netcom, Pipeline, and Panix. Many small, local ISPs exist.

Junk E-mail - Unsolicited commercial electronic mail, also known as "spam."

Modem - Acronym for modulator/demodulator. Equipment that converts the digital signals of your computer (the ‘1s’ and ‘0s’) into analog signals that can be transmitted over the telephone network, and vice-versa.

Newsgroups - Newsgroups are lists of messages from users grouped by specific topics. Usenet is a network of thousands of these electronic conferences that may be accessed on the Internet. Most commercial services and BBSs have similar public forums.

Online - Refers to a connection to a computer network.

URL - Stands for Uniform Resource Locator. URLs are unique addresses assigned to every location on the Internet. URLs for Webpages begin with the letters "http."

Website - A location on the World Wide Web that can be visited by Internet users employing software called a Web browser. Every Website is identified by a unique address, called a URL.

WWW - Stands for World Wide Web. This powerful tool for accessing the Internet combines graphics, "point and click" navigation commands, and a method of linking many different sites to allow users to quickly and easily search for information on the Internet.

"Online communications" are communications over telephone or cable networks using computers. Examples of online communications include connecting to the Internet through an Internet Service Provider (ISP); connecting to a commercial online service such as America Online, Compuserve, the Microsoft Network, or Prodigy; or dialing into a computer bulletin board service (BBS). Increasingly, the differences between ISPs, the commercial services, and BBSs are blurring. The larger commercial services and many BBSs now provide Internet access.

The Internet raises some unique privacy concerns. Information sent over this vast network may pass through dozens of different computer systems on the way to its destination. Each of these systems may be managed by a different system operator (sysop), and each system may be capable of capturing and storing online communications. Furthermore, the online activities of Internet users can potentially be monitored, both by their own service provider and by the sysops of any sites on the Internet that they visit.

ISPs, commercial services, and BBSs are managed by sysops who may have different attitudes toward online privacy. Additionally, there are a tremendous variety of activities provided by all types of online services, each of which may raise specific privacy concerns.

What Level of Privacy Can I Expect in My Online Activity?

Often the level of privacy you can expect from an online activity will be clear from the nature of that activity. Sometimes, however, an activity that appears to be private may not be. There are virtually no online activities or services that guarantee an absolute right of privacy.

Public activities. Many online activities are open to public inspection. Engaging in these activities does not normally create an expectation of privacy. In fact, according to federal law, it is not illegal for anyone to view or disclose an electronic communication if the communication is "readily accessible" to the public (Electronic Communications Privacy Act, 18 U.S.C. § 2511(2)(g)(i)).

For example, a message you post to a public newsgroup or forum is available for anyone to view, copy, and store. In addition, your name, electronic mail (e-mail) address, and information about your service provider are usually available for inspection as part of the message itself. Most public postings made on the Internet are archived in searchable databases. Thus, on the Internet, your public messages can be accessed by anyone at any time—even years after the message was originally written.

Other public activities may allow your message to be sent to multiple recipients. Online newsletters, for example, are usually sent to a mailing list of subscribers. If you wish to privately reply to a message posted in an online newsletter, be sure you address it specifically to that person’s address, not to the newsletter address. Otherwise, you might find that your message has been sent to everyone on the newsletter mailing list.

You should not expect that your service account information will be kept private. Most services provide online "member directories" which publicly list all subscribers to the service. Some of these directories may list additional personal information. Even individuals with direct Internet accounts may be identified with commands such as "finger," which let anyone with Internet access find out who else is online. Most service providers will allow users to have their information removed from these directories upon request. Be aware that some service providers may sell their membership lists to direct marketers.

"Semi-private" activities. Often the presence of security or access safeguards on certain forums or services can lead users to believe that communications made within these services are private. For example, some bulletin board services maintain forums that are restricted to users who have a password. While communications made in these forums may initially be read only by the members with access, there is nothing preventing those members from recording the communications and later transmitting them elsewhere.

One example of this kind of activity is the real-time "chat" conference, in which participants type live messages directly to the computer screens of other participants. Often these activities are described as private by the service provider. However, chatline users may capture, store, and transmit these communications to others outside the chat service. Additionally, these activities are subject to the same monitoring exceptions that apply to "private" e-mail (see next section).

"Private" services. Virtually all online services offer some sort of "private" activity that allows subscribers to send personal e-mail messages to others. The federal Electronic Communications Privacy Act (ECPA) makes it unlawful for anyone to read or disclose the contents of an electronic communication (18 U.S.C. § 2511). This law applies to e-mail messages.

However, there are three important exceptions to the ECPA:

• The online service may view private e-mail if it suspects the sender is attempting to damage the system or harm another user. However, random monitoring of e-mail is prohibited.

• The service may legally view and disclose private e-mail if either the sender or the recipient of the message consents to the inspection or disclosure. Many commercial services require a consent agreement from new members when signing up for the service.

• If the e-mail system is owned by an employer, the employer may inspect the contents of employee e-mail on the system. Therefore, any e-mail sent from a business location is probably not private. Several court cases have determined that employers have a right to monitor the e-mail messages of their employees.

Once a sysop has intercepted e-mail for any of these lawful reasons, the sysop generally may not disclose the contents to anyone other than the addressee. Certain exceptions to this disclosure prohibition exist, however. These exceptions include when any party to the message consents to disclosure, when disclosure is ordered by a court, or when the message appears to involve the commission of a crime (in which case disclosure is limited to the appropriate law enforcement officials).

A sysop does not violate the ECPA if the message is accidentally sent to the wrong person. (However, the sysop may be responsible for damages caused by negligence in operating the service.)

Law enforcement officials may access or disclose electronic communications only after receiving a court-ordered search warrant. Only certain officials may apply for this order, and a detailed procedure is set forth in the ECPA for granting the order (18 U.S.C. §§ 2516-2518). These provisions are relaxed for messages that have been stored in a system for over 180 days (18 U.S.C. § 2703).

Remember, your e-mail message may be handled by several different online services during delivery. The sysop of each of these systems may view e-mail under the above exceptions to the ECPA. Additionally, the message may be intercepted if either the sender or recipient consents. So, even if you do not consent yourself, the person you sent the e-mail to may have consented to the disclosure of the message.

Can Online Services Track and Record My Activity?

In a word, "yes." Many types of online activities do not involve sending e-mail messages between parties. Internet users may retrieve information or documents from sites on the World Wide Web (WWW), or from "ftp" (file transfer protocol) sites. Or users may simply browse these services without any other interaction. Many users expect that such activities are anonymous. They are not. It is possible to record many online activities, including the newsgroups or files a subscriber has accessed and the Websites a subscriber has visited. This information can be collected both by a subscriber’s own service provider and by the sysops of remote sites that a subscriber visits.

When you are "surfing the Web," many Websites deposit data about your visit, called "cookies," on your hard drive. When you return to that site, the cookies' data will reveal that you've been there before. The Website might offer you products or ads tailored to your interests, based on the contents of the cookies. (See sidebar on p. 19 for more information about cookies.)

Records of subscriber browsing patterns, also known as "transaction-generated information," are a potentially valuable source of revenue for online services. This information is useful to direct marketers as a basis for developing highly targeted lists of online users with similar likes and behaviors. It may also create the potential for "junk e-mail" and other marketing uses. Additionally, this information may be embarrassing for users who have accessed sensitive or controversial materials online.

The practice of collecting browsing patterns is increasing. Online users should educate themselves about what information is transmitted to remote computers by the software that they use to browse remote sites. Most WWW browsers invisibly provide Website operators with information about a user’s service provider, and with information about the location of other Websites a user has visited. Some Web browsers are programmed to transmit a user’s e-mail address to each Website a user contacts.
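The footprints described in the two preceding passages (cookies, and the information a browser sends with every page request) can be seen in a small added example, which is not part of the original article: it reads three constructed requests the way a site operator's logging code could and then links visits by cookie value. The header names are standard HTTP; the hosts, addresses, cookie name, and the mapping of the article's items onto particular headers are assumptions of the example.

```python
# Added example, not from the article. All hosts, addresses and cookie
# values are constructed (example domains, documentation IP ranges).
from http.cookies import SimpleCookie

# A request as a late-1990s browser might send it after following a
# link from a search results page.
FIRST_VISIT = (
    "GET /catalog/index.html HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.5 [en] (Win98; I)\r\n"
    "Referer: http://search.example/find?q=medical+condition\r\n"
    "From: reader@isp.example\r\n"
    "Cookie: visitor_id=7f3a91\r\n"
    "\r\n"
)
# A later visit from a different dial-up address, carrying the same cookie.
RETURN_VISIT = (
    "GET /catalog/order.html HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.5 [en] (Win98; I)\r\n"
    "Cookie: visitor_id=7f3a91\r\n"
    "\r\n"
)
# The same page fetched by a browser configured to send less.
MINIMAL_VISIT = "GET /catalog/index.html HTTP/1.0\r\n\r\n"


def footprints(raw_request, client_address):
    """Return what the site operator can record from one request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = SimpleCookie(headers.get("cookie", ""))
    return {
        "client_address": client_address,  # known from the connection itself
        "page": path,
        "browser": headers.get("user-agent"),
        "came_from": headers.get("referer"),  # the page visited just before
        "email": headers.get("from"),
        "cookies": {name: morsel.value for name, morsel in cookies.items()},
    }


def link_visits(records, cookie_name="visitor_id"):
    """Group recorded pages by cookie value: one profile per browser."""
    profiles = {}
    for rec in records:
        visitor = rec["cookies"].get(cookie_name)
        if visitor is not None:
            profiles.setdefault(visitor, []).append(
                (rec["client_address"], rec["page"]))
    return profiles


def site_log():
    """The three constructed visits as the site would have recorded them."""
    return [
        footprints(FIRST_VISIT, "198.51.100.23"),
        footprints(RETURN_VISIT, "203.0.113.80"),
        footprints(MINIMAL_VISIT, "192.0.2.14"),
    ]


if __name__ == "__main__":
    for record in site_log():
        print(record)
    print(link_visits(site_log()))
```

The cookie ties the two visits together even though the network address changed between them, while the minimal request leaves only the address and the page requested.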

The Federal Trade Commission is urging commercial Website operators to spell out their information collection practices in privacy policies posted on Websites. Many Websites now post information about their information-collection practices. You can look for a privacy "seal of approval," such as TRUSTe (http://www.truste.org), on the first page of the Website. TRUSTe participants agree to post their privacy policies and submit to audits of their privacy practices in order to display the logo. Other seals of approval are offered by the Council of Better Business Bureaus (http://www.bbbonline.org), and the American Institute of Certified Public Accountants, Webtrust (http://www.aicpa.org/webtrust/index.htm).

Users who access the Internet from work should know that employers are increasingly monitoring the Internet sites that an employee visits. Be sure to inquire about your employer’s online privacy policy. If there is none, recommend that such a policy be developed.

Also be aware that law enforcement officials may be able to access records of your online transactions. However, in order for law enforcement officials to gain access to subscriber transactional records, they must obtain a court order demonstrating that the records are relevant to an ongoing criminal investigation (Communications Assistance for Law Enforcement Act, 18 U.S.C. § 2703(d)). This provision prevents "fishing expeditions" by government officials, hoping to find evidence of crimes by accident.

Can An Online Service Access Information Stored in My Computer Without My Knowledge?

Unfortunately, the answer to this question is also "yes." Many of the commercial online services will automatically download graphics and program upgrades to the user’s home computer. News reports have documented the fact that certain online services have admitted to both accidental and intentional prying into the memory of home computers signing on to the service. In some cases, personal files have been copied and collected by the online services.

It is difficult to detect these types of intrusions. The online user should be aware of this potential privacy abuse, and investigate new services thoroughly before signing on. Always ask for the privacy policy of any online service you intend to use.

What Can I Do to Protect My Privacy in Cyberspace?

When you are sitting alone at your computer, "surfing" the Internet, sending electronic mail messages, and participating in online forums, it’s easy to be lulled into thinking that your activities are private. Be aware that at any step along the way, your online messages could be intercepted, and your activities monitored, in the vast untamed world of cyberspace.

The following are tips for protecting your privacy in cyberspace:

Protect your password. Create passwords with nonsensical combinations of upper and lower case letters, numbers, and symbols, for example tY8%uX. Change your password frequently. Never write it down or give it to anyone else. Don’t let others watch you log in. Never leave your computer logged in unattended.

Contact the sysop. Contact the sysop of any online service you intend to use and ask for its privacy policy. Most of the commercial services have written privacy policies that are provided to new subscribers. Also, carefully read all messages that appear on initial login. Many sysops notify online users in login messages that e-mail is subject to inspection. Services often require new subscribers to allow e-mail to be monitored as part of the sign-up process. All sysops should have a well-defined, written policy concerning privacy. Those that do not should be avoided. Likewise, when you are "surfing the Web," look for privacy policies posted on the Websites that you visit. If you are not satisfied with the policy, do not spend time on that site.

Shop around. Investigate new services before using them. A good way to do this is to post a question about a new service in a dependable forum or newsgroup. Bad reputations get around quickly in cyberspace, so if others have had negative experiences with a service, you should get the message.

Assume that your online communications are not private. Unless you use powerful encryption (see below), do not send sensitive personal information (e.g., phone number, password, address, credit card number, vacation dates) by chat lines, forum postings, e-mail, or in your online biography.

Be cautious of "start-up" software. Be cautious of start-up software that makes an initial connection to the service for you. Often these programs require you to provide credit card numbers, checking account numbers, social security numbers, or other personal information, and then upload this information automatically to the service. Also, these programs may be able to access records in your computer without your knowledge. Contact the service for alternative subscription methods.

Note that public postings made on the Internet are often archived and saved for posterity. For example, it is possible to search and discover the postings an individual has made to Usenet newsgroups. (See information about the search tools DejaNews and Alta Vista below.) This information can be used to create profiles of individuals for a variety of purposes, such as employment background checks and direct marketing.

Be aware of electronic footprints. Online activities leave electronic footprints for others to see, both at your own service provider and at any remote sites you visit. Your own service provider can determine the commands that you execute and track the sites you visit. Website operators can often track the activities you engage in on their site, particularly at sites that ask you to "register" or otherwise provide personal information. Some Web browsing software transmits less information to remote sites than others. You can avoid leaving tracks when you send e-mail messages by using anonymous remailers. (See below for information about remailers.)

Be aware that your sysop can monitor your newsgroups. If your online service allows you to compile a list of favorite newsgroups, or lets you arrange newsgroups by priority, be aware that your sysop can monitor that list. Do not place controversial or sensitive newsgroups in this list if you want to avoid being connected to particular issues.

Remember that the "delete" command does not make your messages disappear. They can still be retrieved from back-up systems.

Be aware that others’ online identities are not always what they seem. Network users often adopt one or more online aliases.

Your online biography, if you create one, may be searched. Your online bio may be searched system-wide or remotely "fingered" by anyone. If for any reason you need to safeguard your identity, don’t create an online bio. Ask the sysop of your service to remove you from its online directory.

Direct marketers may collect your personal information. If you publish information on a personal Webpage, note that direct marketers and others may collect your address, phone number, and any other information that you provide.

Beware of potential online dangers. Be aware of the possible social dangers of being online such as harassment, stalking, being "flamed" (emotional verbal attacks), or "spamming" (being sent frequent unsolicited messages). Women can be particularly vulnerable if their e-mail addresses are recognizable as women’s names. Consider using gender-neutral online IDs.

Teach children to use appropriate online behavior. If your children are online users, teach them about appropriate online privacy behavior. Caution them against revealing information about themselves or your family. (See sidebar on p. 16.)

Take advantage of privacy protection tools. There are several technologies that help online users protect their privacy. Discussed here are encryption, anonymous remailers, and memory protection software.

Encryption. Encryption is a method of scrambling an e-mail message or file so that it is gibberish to anyone who does not know how to unscramble it. The privacy advantage of encryption is that anything encrypted is virtually inaccessible to anyone other than the designated recipient.

An encrypted e-mail message cannot be read by the online service sysop, or anyone else who has obtained the message legally or illegally. Therefore, any message containing private or sensitive information should be encrypted prior to communicating it online. Various strong encryption programs, such as PGP (Pretty Good Privacy) are available online. (See sidebar on this page for details.)

Because encryption prevents unauthorized access, law enforcement agencies have expressed concerns over the use of this technology, and Congress has considered legislation to create a "back door" to allow law enforcement officials to decipher encrypted messages. The legal status of this technology is still unsettled. Moreover, exporting certain types of encryption code or descriptive information to other countries is limited by federal law (International Traffic in Arms Regulations, 22 CFR § 121.1 et seq.). However, its use within the United States is not currently restricted.

Anonymous remailers. Because it is relatively easy to determine the name and e-mail address of anyone who posts messages or sends e-mail, the practice of using anonymous remailing programs has become more common. These programs receive e-mail, strip off all identifying information, then forward the mail to the appropriate address. There are several anonymous servers available on the Internet. (See sidebar on this page for more information.)
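The "strip off all identifying information" step can be sketched as follows. This is an added example, not code from the article or from any actual remailer, and it compares two ways of doing the stripping on a constructed message: removing a list of known identifying headers, and copying only the headers needed for delivery. The message, the remailer address, and the function names are hypothetical.

```python
# Added example, not from the article. The message, addresses and
# remailer name are constructed.
from email import message_from_string
from email.message import EmailMessage

INCOMING = """\
Received: from dialup-42.isp.example ([198.51.100.23]) by mail.isp.example; Mon, 4 Jan 1999 09:15:02 -0800
From: Pat Reader <pat@isp.example>
Reply-To: pat@isp.example
Organization: Example Widgets Inc.
Message-ID: <19990104091502.A1234@dialup-42.isp.example>
X-Mailer: ExampleMail 2.0
X-Originating-IP: 198.51.100.23
To: forum@lists.example
Subject: Question about a sensitive topic
Date: Mon, 4 Jan 1999 09:15:00 -0800

Has anyone dealt with this before?
"""

REMAILER_FROM = "nobody@remailer.example"
# Strings that would tie the forwarded message back to the sender.
IDENTIFIERS = ("isp.example", "198.51.100.23", "Example Widgets")
# Headers a deny-list author is likely to think of.
KNOWN_IDENTIFYING = {"from", "reply-to", "received", "message-id"}
# Headers the recipient actually needs.
NEEDED = ("To", "Subject")


def forward_with_deny_list(raw):
    """Remove the headers on a fixed list and keep everything else."""
    msg = message_from_string(raw)
    for name in set(msg.keys()):
        if name.lower() in KNOWN_IDENTIFYING:
            del msg[name]  # deletes every occurrence of that header
    msg["From"] = REMAILER_FROM
    return msg


def forward_with_allow_list(raw):
    """Build a fresh message and copy across only what delivery needs."""
    original = message_from_string(raw)
    out = EmailMessage()
    out["From"] = REMAILER_FROM
    for name in NEEDED:
        if original[name] is not None:
            out[name] = original[name]
    # Assumes a single-part plain-text body. The body is copied unchanged,
    # so a signature block typed by the sender would still identify them.
    out.set_content(original.get_payload())
    return out


def residual_identifiers(msg):
    """Names of headers in a forwarded message that still identify the sender."""
    return sorted(name for name, value in msg.items()
                  if any(token in str(value) for token in IDENTIFIERS))


if __name__ == "__main__":
    print(residual_identifiers(forward_with_deny_list(INCOMING)))
    print(residual_identifiers(forward_with_allow_list(INCOMING)))
```

The deny-list version still forwards the sender's organization and originating address because nobody listed those headers; the allow-list version forwards nothing it was not told to keep.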

Memory protection software. Software security programs are now available that help prevent unauthorized access to files on the home computer. For example, one program encrypts every directory with a different password so that to access any directory you must log in first. Then, if an online service provider tries to read any private files, it will be denied access. These programs may include an "audit trail" that records all activity on the computer’s drives.

Barry Fraser is Cable Television Franchise Administrator for the County of San Diego, California. He is a former staff attorney for the Privacy Rights Clearinghouse and Staff Counsel and Director of the CyberCop Project for the Utility Consumers’ Action Network (UCAN). His published works include articles on Internet consumer and privacy issues, and telephone universal service. He can be reached at bfrasech@co.san-diego.ca.us.

For More Information

Several public interest groups advocate on behalf of online users and provide extensive information about privacy issues via their online archives.

• Center for Democracy and Technology

1634 I St. N.W., #1100

Washington, D.C. 20006

Voice: 202-637-9800

Fax: 202-637-0968

E-mail: info@cdt.org

URL: http://www.cdt.org

• Computer Professionals for Social Responsibility

P.O. Box 717

Palo Alto, CA 94302

Voice: 415-322-3778

Fax: 415-322-4748

E-mail: cpsr@cpsr.org

URL: http://www.cpsr.org

• Electronic Frontier Foundation

1550 Bryant Street, #725

San Francisco, CA 94103

Voice: 415-436-9333

Fax: 415-436-9993

E-mail: eff@eff.org

URL: http://www.eff.org

• Electronic Privacy Information Center

666 Pennsylvania Ave. SE, #301

Washington, D.C. 20003

Voice: 202-544-9240

E-mail: info@epic.org

URL: http://www.epic.org

• Privacy Rights Clearinghouse

1717 Kettner Blvd., #105

San Diego, CA 92101

Voice: 619-298-3396

E-mail: prc@privacyrights.org

URL: http://www.privacyrights.org

Several online newsletters discuss cyberspace privacy issues:

Computer Privacy Digest (CPD): CPD can be read as a Usenet newsgroup, comp.society.privacy. Alternatively, to receive CPD via e-mail, send a request to the newsletter's moderator at: comp-privacy-request@uwm.edu.

Privacy Forum: For subscription information, send an e-mail message consisting of the word "help" (without quotes) in the body of the message to: privacy-request@vortex.com.

To see a demonstration of the kind of information that can be compiled about you when you surf the Web, visit the site of the Center for Democracy and Technology: http://www.cdt.org. This site also has information about "cookies." And it lists the privacy policies of the major online service providers: AOL, Compuserve, Microsoft Network, and Prodigy.

To learn more about "cookies," blockers, and other types of online filters, visit these Websites: http://www.junkbusters.com and http://www.cdt.org.

To learn more about anonymous Web browsing, visit the Website: http://www.anonymizer.com.

For some examples of the powerful search tools available to find public postings made on the Internet, visit the following Websites: Alta Vista at http://www.altavista.com; DejaNews at http://www.dejanews.com; Excite at http://www.excite.com.

To learn more about the encryption program PGP, contact these online sources: The "Official PGP FAQ" (Frequently Asked Questions) can be found at http://www.pgp.net/pgpnet/pgp-faq/; MIT distribution for PGP is located at http://web.mit.edu/network/pgp.html.

For information about anonymous remailers, the following online resource is helpful: "Anonymous Remailers FAQ," compiled by Andre Bacard (http://www.well.com/user/abacard/remail.html).

If your children are online users, request the free brochure, Child Safety on the Information Highway, from the National Center for Missing and Exploited Children. Telephone: 800/843-5678. A copy is available at http://www.safekids.com, the Website of technology columnist Lawrence Magid.