1 IS TECHNOLOGY ADVANCING FASTER THAN OUR ABILITY CONTROL IT?

Is Technology Advancing Faster than Our Ability Control It? Gary C. Hunt Western Governors University March 20, 2011

Your privacy is safe on the Internet. It would be against the law for companies to collect personal information and then sell it. It would be wrong for them to do that, wouldn’t it? It is a basic law of economics that with great benefits there are great risks. Since its inception the Internet has been a free forum where diverse people can come together to share knowledge in an open environment. Now, however, research shows that technology is enabling the exploitation of personal data due to poor data center security, increased use of unsecure online business transactions, and access to private information on social networking sites.

As an entertainment, information, or business medium, the Web has forever altered the lives of people around the world. The web was born in 1990 in Geneva, Switzerland. Its inventor, Tim Berners-Lee, exhibited to the world that any one person could communicate and share data with any other person. The father of the World Wide Web (www) envisioned an open and free forum that treated all people equally and offered users an equal opportunity to utilize the web in any way (Berners-Lee, 2010). In an atmosphere of openness and cooperation the web has prospered, and to this day the internet is still open and unregulated. It is important to understand that there is a difference between the World Wide Web and the internet. According to Berners-Lee (2010), the web is an application that runs on the internet, and the internet is a network (albeit a very large network) that, while following certain protocols, is able to send packets of data to millions of computers (Berners-Lee, 2010, Keep The Web Separate From The Internet section, para. 2). If the web is the car, the internet is the gas that allows it to run. The differences are not within the scope of this paper and the two terms will be used interchangeably. The internet has steadily grown more efficient.
In Berman and Bruening's (2000) article, which asks whether privacy is still possible in the twenty-first century, they state that because of this steady growth the modern concept of privacy has become more complicated. It will continue to become more complicated as online businesses get more efficient at gathering and marketing private profiles. With this increase in efficiency more companies and consumers are using the web than ever before, and it is this very universality that is threatening individual privacy. Recently privacy issues have been showing up with regular frequency. Balz and Hance (1996) state that some of these issues of privacy, while not new to societies, are not yet addressed by conventional legal means. It is, however, the circumstances created by the internet that are creating challenges for the protectors of privacy (Balz and Hance, 1996, p. 219). For all organizations that are economically sustained by the internet, individual privacy has emerged as a central concern. If the internet is to function efficiently it needs to be a free and open exchange. It is this exchange, however, that has led to the privacy conundrum that exists today. In the process of understanding how to protect individual privacy there must first be an acknowledgement of what privacy is and then another acknowledgement as to whether or not society wishes to regulate it. To support this, Berman and Bruening (2001) define privacy extremely well when they state, "privacy entails an individual's right to control the collection and use of his or her personal information, even after he or she discloses it to others" (What Do We Talk about When We Talk about Privacy? section, para. 2).

Modern privacy issues are something of a paradox. Websites taking advantage of Web 2.0 technologies are inviting users to participate in their communities. To participate, you must agree to surrender some personal information. In an article that studies the relationship between your offline self and your online self, Hawkins and Mannix (2000) find that most internet browsers have no idea that websites are compiling data about them based on their internet usage. They go on to say that as far as the websites go, the individual is the virtual data.
They then conclude that even the experienced web user would be shocked at the sheer volume of data accumulated from their browsing (Hawkins and Mannix, 2000, p. 65). In March of 2009 Microsoft published the results of a Harris Poll that showed that 91% of those surveyed stated they were very concerned, concerned, or somewhat concerned about online identity theft (Microsoft News Center, 2009). This poll went on to show that 62% of those polled are more concerned now than two years earlier about web security as defined by not giving personal information online, shopping online, or giving credit card information (Microsoft News Center, 2009). These results would tend to give the impression of a population that is privacy and security aware and careful. But the facts state something different. According to eMarketer (2011), an internet market research firm, in 2010 134.6 million people used the internet in the United States at least once per month (eMarketer, 2011, p. 1). In a study of nationwide demographics during the third quarter of last year, Kiser (2010) explained that Facebook was used by nearly 57% of the population of the United States. Facebook, a Web 2.0 company, offers onsite applications that are immensely popular with the public. These applications, like Facebook, are data collectors. In separate research, eMarketer (2011) states that nearly 62 million people use these Facebook applications at least one time per month (eMarketer, 2011, p. 1). The owners of Facebook have not hesitated to state publicly that while their users' private data is of utmost importance to them, so is profit. Facebook users' personal data is but a commodity to be collected, stored and sold. In fact the paradox isn't that there are so many users of Facebook but that the users did willingly give up their personal data in order to participate in Facebook.

In 1896 Justice Brandeis set the standard for defining privacy in the United States by declaring privacy is "the right to be left alone" (as cited by Berman and Bruening, 2001). In times past it was enough for an individual to be able to live his or her life with an expectation of being left alone (Berman and Bruening, 2001, p. 4). There has been a transformation of this older view of privacy involving three technological trends.
These trends include the accumulation of enormous quantities of individual data into personal information files; the globalization of data compilation and scrutiny; and the absence of any control apparatus for the protection of these personal information files. These trends have influenced society's concept of privacy so that it is now thought of as informational privacy. This informational privacy goes beyond what Justice Brandeis defined as the right to be left alone (Berman and Bruening, 2001). That idealized version of individual privacy belonged to another time.

Technology has marched forward. Communications over networks are completed in microseconds, with more and more consumers, businesses and governmental institutions participating online every year. In this atmosphere of growth in number of users and technology, another party has crept into the equation and its name is online commerce. Online commerce requires a workforce to compile, maintain and market personal informational databases. These databases come in all shapes and sizes. Just in the arena of online commerce, massive databases exist in order to allow credit card transactions, to allow consumers access to their own credit bureaus, and to allow companies to carry on online marketing (purchasing and selling) of goods with sites like eBay and Amazon.com. In this light, Soma, Courson and Cadkin (2009) talk about the idea of a private and virtual self complicating the issue of privacy for the user. Not only does the physical consumer willingly bring the virtual self into an online exchange but now also expects to keep that self private (Soma, Courson, and Cadkin, 2009, Reconciling Privacy With Technology section, para. 2). From the evidence presented it must be assumed that while the majority of web users are aware of problems concerning privacy, many of those same users are deciding to relinquish a portion of their online privacy in order to reap online benefits. Web 2.0 websites and applications pose a problem for consumers. They offer services that are appealing to segments of society, but in order to interact with them an individual must give up a part of his or her personal privacy, all the while knowing that this information will more than likely be tracked and processed.
As with any advancement or invention, the legal system lags behind. In the case of the World Wide Web, born and maintained in a spirit of freedom and openness, the legal system to a point will acquiesce to the self-policing that the internet provides. With the current level of sophistication it is difficult for regulatory bodies to find enough common ground to limit their own surveillance abuses, let alone criminal abuses as well.

In America, the Federal Government is an intimate player in the privacy issue. With agencies like the Social Security Administration or the Internal Revenue Service, your personal information is available to any number of people including database workers, legislative bodies, regulatory agencies and law enforcement agencies. Bridis (2005) describes one such instance of a federal agency using web technology to run surveillance on the public: the FBI's internet wiretapping system with the unfortunate name of Carnivore. Carnivore was started in 1997 and was designed to monitor email and electronic communications inside the United States. It only lasted eight years before it was replaced by commercial products. All other levels of government have agencies that actively interact with online databases. The fact that they use these databases is not an issue. The issue is whether or not the information in the databases is safe with so many people coming in contact with it. The more people involved, the more potential for abuse. Many of these agencies engage in data mining and/or the selling of individual private data. Data mining in this context is defined by Rubinstein, Lee, and Schwartz (2010) as a process of extracting targeted personal information of an individual's activities from huge databases. Since 9/11 the American Government has been conducting extensive data mining operations on mostly day-to-day transactional data, gathering information on hundreds of millions of people in order to try to detect terrorist activity. There are two types of searches that fall under this category: subject based searches and pattern based searches.
These searches entail scouring databases for transactional and personal data, looking for matches between a model they have developed and actual patterns of activity found within the databases. A subject based search is the gathering of relevant information about an individual or individuals already suspected of wrongdoing. A pattern based search is profiling. The searchers develop a model of assumptions of activities and characteristics that they define as potentially terrorist activities (Rubinstein, Lee, and Schwartz, 2010, p. 261).

Data center dangers come in many guises. This paper has already covered the potentially dangerous act of data mining. Not all dangers involve questionable activities though. Some dangers are presented by the data centers themselves. Corporate executives are realizing the huge threat to online security that data centers have become. This realization has not come cheaply though, as illustrated by the steady rise of data center breaches that have occurred (Soma, Courson, and Cadkin, 2009). In the public sector, according to Miller (2011), the Social Security Administration recognized that their data center in Frederick County, MD was severely outdated. With the help of stimulus funding the SSA began to plan for a new data center. The thirty-year-old center, which supports delivery of $700 billion in payments annually to 56 million Americans, could potentially lead to a system-wide failure. Because of delays caused by auditors' concerns, the project is already over a year behind schedule (Miller, 2011, p. 1). Aside from infrastructure dangers, an individual's personal data becomes more vulnerable every time this data changes hands, according to Soma, Courson and Cadkin (2009), and this danger could potentially lead to a data breach. Data breaches can be caused by many things, like a lost backup tape, a lost laptop, stolen equipment, or malicious hacking into data centers and databases, and they happen to all types of companies. From January 2005 to September 2008 over two hundred American universities, CitiFinancial, Bank of America, Wells Fargo, MCI, Boeing, Kraft Foods, and Lloyds of London experienced substantial data breaches (Soma, Courson, and Cadkin, 2009, The Incidence Of Large Scale Data Breach section, para. 2).
The incidences of large scale data breaches are growing every year. Statistics are not easy to come by because many companies that have experienced data breaches do not want this information publicly reported. The reasons behind this practice are many. One such reason is fear that the information, when leaked out, will affect the stakeholders' confidence in the company and thus the stock price. Soma, Courson, and Cadkin (2009) tell of one such instance: in September 2007, the loss of a laptop at Gap, Inc. compromised the personal information of 800,000 job applicants (Soma, Courson, and Cadkin, 2009, Sources And Scope Of Data Breach section, para. 1). Without a doubt data breach security is a major danger for the U.S. economy. It is lucky then that most data breaches tend to be homegrown (inside jobs) and can be avoided by strict guidelines and the adherence to network protocols.

Organizations in the private sector have reasons all their own for accumulating as much data on individuals as possible. An individual's personal information is a wonderful asset that an organization can use for marketing purposes or to sell to another organization. This information, when combined with millions of other individuals' personal data, would benefit a company two ways: it increases the chance that their advertising will bring more sales, and the organization will be able to avoid aiming their advertising at people that are not interested in their products. With the proliferation of Web 2.0 services available online, organizations can track and accumulate a wide variety of consumers' online activities. Berners-Lee (2010) relates that in 2008 a company named Phorm devised a method that would allow an Internet Service Provider (ISP) to look inside the packets of the information it was sending. What this did was enable them to know every web site the end user visited. They could then construct a profile of the user's activity in order to compile targeted advertising (Berners-Lee, 2010, No Snooping section, para. 1). In their article on privacy in the twenty-first century, Berman and Bruening (2001) describe cookies as being a common method for businesses to track the online activities of consumers.
When a user visits a web site, a cookie is placed on their hard drive in the form of a text file, and this file will store information about the user and their preferences. Information may include searches, user names and passwords they may have used at a website, and finally the user's browsing history and behavior (Berman and Bruening, 2001, p. 310).

Companies have been accumulating data for marketing purposes for many years on the internet. Marketing, however, is not the only reason companies seek an individual's personal information. A trend that has been increasing online is that of companies snooping on their employees. Hawkins and Mannix (2000) talk about one such incident: in 1999 Consolidated Freightways Inc. installed hidden cameras in its women's and men's bathrooms. Even though one camera was pointed toward a urinal and another at the entrance to the women's bathroom, a Federal Appeals Panel ruled that this action did not violate any privacy law. The reason given was that the union agreement allowed for unspecified video surveillance. Another example of alleged employer abuse, described by Hawkins and Mannix (2000), is that of a former employee of the State Bar of Nevada. The employee states that he always received exemplary evaluations, until he was suddenly fired after submitting $6000 in medical claims for the treatment of his HIV infection (Hawkins and Mannix, 2000, p. 64).

A recent movement on the web is Web 2.0. Web 2.0 is user participation and it is the latest obstacle in the way of protected personal privacy. Web 2.0 goes beyond sharing of similar information; it consumes a person's privacy. Web 2.0 is participation, not publishing: wikis, blogs, tagging, BitTorrent and Delicious, with the user seen as a potential contributor. Companies that start up web sites no longer have sole control over the content on the site. An individual browses to a Web 2.0 website and decides to become a member. Of course, the website will tag, track, accumulate, process and then sell individual profiles. Web 2.0 features social networking sites that allow communities to form around a common characteristic such as heart disease. This could certainly be helpful, allowing people to hear from others with a like condition.
The website encourages would-be regular contributors to talk about their illness, the symptoms, their prognosis, their fears, and maybe even some information about their prescriptions and on and on. For their troubles they will get compassion in return for understanding and a sense of belonging to a community at a time when they thought the world must surely be out to get them.

Yet another area where Web 2.0 web sites provide a valuable service, as shown by Lo and Parham (2010), concerns sites that offer consumers access to advanced medical technology, such as personal genome sequencing. These websites allow users to participate (sometimes at great expense to the user) in a genetic sequencing program whose results will inform the consumer as to their vulnerability to illnesses ranging from diabetes to Alzheimer's to Huntington's Disease, and they may be able to do this without a request from their doctor (Lo and Parham, 2010, p. 19). Once again, these websites are indeed Web 2.0, so they allow the users to talk with each other and contribute to the website, possibly through the wiki. Lo and Parham (2010) state that among the offerings of companies that assist consumers with some sort of medical information, electronic medical records (EMRs) and personally controlled medical health records (PCHRs) at face value seem like a great thing. In order to persuade them to get rid of their paper files, hospitals are being bribed by the Federal Government to convert their paper records into EMRs and to set up PCHRs for the patients. The benefits are obvious: before, when a patient required their medical history, it may have taken days to find it and convert it into something the patient could use (Lo and Parham, 2010, p. 18). Now it can be summoned in seconds. It is possible that patients can, after a test, go online and find the test results without having to wait days for the doctor's office to get back to them. These are all very good things. The EMRs and PCHRs, state Lo and Parham (2010), are covered by the Health Insurance Portability and Accountability Act (HIPAA), a good law which in part works to protect patients' privacy.
Recently, who didn't at least silently cheer when medical workers in Tucson, Arizona were allegedly found to have looked at the medical files of the people killed in the "Tucson Massacre"? They were fired and arrested and will be tried for violating HIPAA laws. What then about the Web 2.0 services like the genome project or the social network for people with like illnesses? Unfortunately, HIPAA only covers what are considered "covered entities", which include health centers, health plans, and health clearinghouses. HIPAA does not apply to websites that are not involved in providing medical care but present themselves as social networking, informational sites or "recreational" genomic testing (Lo and Parham, 2010, p. 21). These Web 2.0 websites attract people, record their most private information (medical information) and sell that to whoever can afford it. Web 2.0 companies have been able to build profiles of individual consumers by the millions. Information garnered by these profiles can then be used against the same individuals when applying for employment or life insurance (Balz and Hance, 1996). Yes, major employers now research databases for possible information about prospective employees. That person who is a member of the genomic informational site may not be hired because of a possibility of being stricken by Huntington's disease, and the same thing can happen to people applying for health insurance or life insurance as well. What about somebody who has joined an online forum populated by fellow alcoholics? Their information can be noted by an auto insurance company and they could be denied coverage. This is all happening currently on a daily basis.

Since December 1990 when Tim Berners-Lee invented the World Wide Web, the internet has become a part of everyday life. The World Wide Web provides us with entertainment, education, advice, and the ability to socialize with our peers and those who are not our peers. While the internet may represent an extremely valuable tool to society, it also represents an extremely large peril to individual privacy. During the process of understanding how to protect individual privacy there must first be an acknowledgement of what privacy is. Society's concept of personal privacy has been challenged and redefined since 1990. What was acceptable previous to that year is no longer adequate.
As with any technological change, the laws of governments need to catch up. They walk a very fine line between protecting individual privacy and allowing a free and open internet. In the meantime a free market will prevail, with organizations coming and going in order to take advantage of the lack of adequate legislation. With the current level of sophistication it is difficult for regulatory bodies to find enough common ground to limit their own surveillance abuses, let alone criminal abuses as well. Governments generally distrust an open market of any kind. Even in a democracy, governments try to find a need and then step in and regulate if not control. There are many examples in current events to illustrate governments attempting to manipulate the internet, control it outright or dictate what should be considered free speech.

Consumers walk a fine line in terms of protecting personal privacy. In order to derive benefit from the internet, consumers must give up some of their privacy. Only individual users can say how much is too much. With privacy and the internet, the issue is not only protecting the user but also the user's virtual identity. This virtual identity includes all of the information they have ever submitted to web sites and all the information they have ever submitted when they installed and registered software. To think this information is not gathered into a profile is to be naive. It all starts with each and every individual user of the internet. Pressure must be applied to elected officials to redefine privacy laws in a way that will protect the individual's privacy. Stringent regulations and internet protocols are in place and are constantly evolving to compensate for changes in technology. These regulations and protocols must be adhered to. No government or organization has ever been able to protect themselves from the one individual that has decided to perpetrate a malicious act, but organizations that decide to ignore accepted ethics can be persuaded by the consequences of their unethical act.
Research shows that technology is enabling the exploitation of personal data due to poor data center security, increased use of unsecure online business transactions, and access to private information on social networking sites.

References

Balz, S.D. and Hance, O. (1996). Privacy and the internet: Intrusion, surveillance and personal data. International Review of Law, Computers and Technology, 10(2), 219-235.

Berman, J. and Bruening, P. (2001). Is privacy still possible in the twenty-first century? Social Research, 68(1), 306-318. Retrieved March 5, 2011 from the Academic Search Complete database.

Berners-Lee, T. (2010). Long live the web. Scientific American, 303(6). Retrieved March 5, 2011 from the Academic Search Complete database.

Bridis, T. (2005, January 19). FBI stops using Carnivore wiretap software. USA Today. Retrieved March 20, 2011 from: http://www.usatoday.com/tech/news/surveillance/2005-01-19-carnivoreobsolete_x.htm

eMarketer (2011). Social gaming market to surpass $1 billion. eMarketer. Retrieved March 18, 2011 from http://www.emarketer.com/Articles/Print.aspx?1008166.

Hawkins, D. and Mannix, M. (2000). Privacy is under siege at work, at home, and online. U.S. News and World Report, 129(13). Retrieved March 6, 2011 from http://www.usnews.com/usnews/culture/articles/001002/archive_011452.htm

Kiser, P. (2010). Social media 3Q update: Who uses Facebook, Twitter, LinkedIn, & MySpace? Social Media Today. Retrieved March 18, 2011 from: http://socialmediatoday.com/paulkiser/199133/social-media-3q-update-who-uses-facebooktwitter-linkedin-myspace

Lo, B. and Parham, L. (2010). The impact of web 2.0 on the doctor-patient relationship. Journal of Law, Medicine & Ethics, 38(1), 17-26. Retrieved March 6, 2011 from the Academic Search Complete database.

Microsoft News Center. (2009). Browser security and privacy fact sheet. Retrieved March 5, 2011 from: http://www.microsoft.com/presspass/newsroom/windows/factsheets/0318BrowserSecurityFS.mspx

Rubinstein, I., Lee, R.D., and Schwartz, P.M. (2008). Data mining and internet profiling: Emerging regulatory and technological approaches. UC Berkeley: Berkeley Center for Law and Technology. Retrieved from: http://escholarship.org/uc/item/2zn4z6q4

Soma, J.T., Courson, J.Z., and Cadkin, J. (2009). Corporate privacy trend: The "value" of personally identifiable information ("PII") equals the "value" of financial assets. Richmond Journal of Law and Technology (Online), 15(4 1). Retrieved on March 20, 2011 from: http://jolt.richmond.edu/v15i4/article11.pdf