Online, privacy barely exists. Every page, email, and instant message can be intercepted, manipulated, and/or logged. The millions of Internet users browsing the web at this very moment may be surprised to find that their online information is not secure. The Internet’s greatest strength in accessibility is its greatest weakness in security. Web servers have the ability to store information about every visitor. In order to provide services to their customers, websites must store information on their customer’s machines as well as on their databases. Collecting data is an essential function of web applications; unfortunately, the majority of data collection practices used today is unethical because their users are not informed properly of what, how, and why their information is being gathered.
Digital data is virtual; ironically, the information does not exist anywhere other than through bits and bytes stored electronically. Unlike a letters that exist on a physical sheet of paper, digital media can be transmitted, duplicated, or modified in microseconds. Online data has the same characteristics. One analogy to explain how the web works with data is by a boy and his father playing catch with a baseball. The child, the client, throws a baseball to the father, the web server. The father (web server) catches the baseball. On the baseball there is writing that the client child wrote that the server child can read. The server child then erases the writings on the baseball and responds to the client’s writings with its own and throws the ball back. Unfortunately, the boy is very young and illiterate and must have his mother (the web browser) interpret what the father wrote. For example, the boy plays catch with CNN.com and throws a baseball that says “Give me CNN.com’s homepage file” (which his mother wrote) to CNN.com. CNN.com reads the message and writes the HTML file on the baseball and throws it back to the boy. The boy catches the baseball and asks his mother to read it for him. The mother (web browser) checks the file to make sure it does not have any malicious “writings” (code) and then reads it to the boy. The mother can also remember data (cookies) for the boy that the Dad wants the boy to write down on the next baseball.
This analogy may seem odd; however, it is a way of understanding how the Internet works. The baseball represents the data being passed back and forth. Unfortunately, that baseball can be “intercepted” on its way from one direction to another. If the writings on the baseball are not encrypted then that person reading the baseball will have access to that data. Additionally, there is nothing stopping the father (the web server) from transmitting the boy’s data to some other person.
Web servers need to use the pieces of data stored by “cookies” to deliver products; however, the way that web servers use cookies pose significant ethical concerns. Cookies are a form of invisible data gathering; most users have no idea that cookies are being stored on their machine. The use of web browser cookies by websites is ethical and essential to the web. The problem cookies pose is the ability for them to be misused and abused. Most websites store enough information to isolate individuals. That cookie data has the potential to be compromised if it is stored on users’ PC in unencrypted form. Any user of that PC can read that data. Websites should be designed to let users know what and how that information is being stored as well as use encryption to protect data. There is a standard currently released on the web called a Privacy Policy document. The Privacy Policy is a detailed description of what information a website is collecting. Currently in the U.S.A., only websites that target or knowingly collect information from children under the age of 13 must have a Privacy Policy document posted on their website. This law, known as Children’s Online Privacy Protection Act (COPPA), requires users under the age of 13 to obtain parent approval before registering with a website. While this act is well-intended, most websites (especially small ones) do not have the resources to verify parent signatures.
There are legitimate counter arguments to enforcing Privacy Policies documents. The simple enforcement of ensuring what Privacy Policies documents say and what the website actually collects is nearly impossible with the vast amounts of websites in operation. A second problem is that the actual regulation is impossible as the government does not have the resources to verify that the web server does not or does store information listed on a privacy policy. Lastly and most importantly, very few users actually read privacy policies on websites. A study done at Carnegie Mellon University [1] finds that privacy policies in U.S. sites are on average 2,500 words and takes on average 10 minutes to read (thus costing billions of dollars per year in opportunity cost). The study concludes that because Privacy Policies documents take so long to read, and are difficult to understand, most Internet users ignore them.
While cookies are stored on my machine, data I enter on web forms are stored on web servers. Since Privacy Policy documents are so rarely posted, followed, or read, how can I be assured that my credit card information I entered in a web form to purchase a product won’t be kept by the webmaster? There is no way for me to know how long it’s stored and who has access to view it. Credit card and social security numbers are examples of sensitive information that a criminals, rather than companies, seek. Identity theft is so rampant [2] in the United States that 221 billion dollars is lost by business every year. Identity theft crime has hurt the online economy according to a survey done of online shoppers by Harris Interactive for Privacy & American Business and Deloitte & Touche LLP [3]. 64% of respondents from their survey have decided not to purchase a product from an online company because they weren’t sure how their information would be used.
Currently, solutions are being offered via the use of noteworthy and famous third party vendors such as PayPal; however, many websites choose to store credit card information themselves. Unfortunately, these sites are often unprotected from hackers and criminals seeking to steal the identity of one of their customers. An ethical solution is to have a government regulated list of authorized transaction vendors (like PayPal or Google Checkout) that online transactions must use. The use of any private system should be illegal unless it is on the government’s list of approved transaction middlemen.
While cookies are an important part of online privacy, a report [4] concerning privacy in the European Union mentions that protecting personal data from intrusion is not the only part of protecting privacy. Legaresi reports that “Personal data protection has absorbed most of regulatory efforts devoted to privacy, on the wrong assumption either that it coincides with privacy protection or that it has the same dignity of privacy protection. The misunderstanding of the concept of privacy has determined a devaluation of its value and a lower level of protections of some of its relevant sides, like solitude, anonymity, intimacy and personality [4].”
Legaresi is correct in his analysis of data protection versus visibility protection. Social networking websites are an example of where data could be digitally protected yet not private. Many users list their phone numbers and addresses on these websites which, unless privacy options are available and applied the social networking site, could be accessed by anyone on the social network. In the work environment, this fact is especially important. Many employees post pictures on social networking websites that may be seen as inappropriate by their employers. Tiffany Shepherd was fired from her job as a high school biology teacher after pictures of her in a bikini were found [5] on her social networking site.
I don’t think Tiffany should have been fired from her job as her pictures were not crude or in bad taste; however, I do respect the right of the school to fire a teacher they believe is poorly representing the school. A New England Patriots cheerleader was fired after she posted to Facebook.com a photo of herself at a party next to a passed out man covered in offensive markings [6]. In this example, I think that the Patriots have every right to fire her, as not only is she poorly representing the football organization, but they are a private company and should be able to fire anyone for any reason other than race, gender, religion, disability, or sexual orientation. There are arguments against firing employees without direct cause. Many believe that what they do outside of the work place is their business. Additionally, company rules are not always transparent to employees. However, private companies need this right to determine who can work in their company. For example, if a male employee had an affair with his boss’s wife, would the boss not be able to fire the male employee because the affair happened outside of work? Of course not! The boss, like all company bosses, should have the right to fire people for events happening outside of work. So referring back to the Tiffany Shepherd incident, she along with anyone else can control what their employers see by simply not posting controversial media on their profile pages.
In current practice, Social networking privacy is almost an oxymoron. On the one hand, social networking websites offer services to connect users together by sharing information. On the other hand, users prefer to restrict the sharing of information to certain parties. One solution that some social networking sites such as Facebook have implemented is privacy controls. Users (employees, students) can select which data is viewable to other users (i.e. employers, teachers). But where does the line between personal responsibility and privacy fall? Concessions need to be made on both sides. I need to realize that what I post on a social networking site is no longer private and social networking sites should, but not be obligated to, offer privacy controls. The reason sites social networking sites should not be obligated to provide privacy controls is because regulation is nearly impossible. Many argue the opposite, that social networking sites should be obligated to have visible, explicit, and easy to use privacy controls. However, the only way regulatory agencies would be able to know if users’ information is not being shared with unwanted users is by either approving website code or by monitoring user accounts. Either is made increasingly difficult as new versions of social networking sites are consistently released.
I think this problem is solving itself. Social networking sites compete for users; ones that offer more services such as privacy controls are more attractive to customers. While this capitalistic perspective may seem speculative, the online statistics website Alexa.com backs up this claim by ranking MySpace and Facebook, two social networks that offer privacy controls, as the most popular social networking sites in the United States.
Sharing personal data with third parties is a logistical privacy problem for these social networking websites. In order to show relevant advertisements to a specific user, websites analyze specific user information to show ads corresponding to their data. For example, if a user’s marital status is listed as “single” on Facebook, that user may see a web advertisement for a dating website. Or if one of the user’s favorite bands is Coldplay they might see a banner ad for a Coldplay concert. As long as these websites do not share identifiable information to the companies serving the ads and also notify the users that they are sharing his or her data with other companies, then their practice is ethical. A counter argument is that these sites should ask permission from a user. Some applications do request from the user permission to send information anonymously to a statistics service. However, requesting permission could hinder the experience of using their product. I personally think as long as a service is sending my information anonymously, the service is ethically OK. Whether or not regulation or enforcement of anonymity is possible is a different question.
Another ethical dilemma is where or not companies can sell user or users’ data to marketing companies. For instance, TV networks would love to know trends in what users are listing as their favorite TV shows. Facebook and MySpace can and do provide empirical data to companies. While many dissent this practice as their information is technically being distributed to a third party without their permission, I don’t find it morally wrong as long as the data being sent to companies is sufficiently large to support individual anonymity.
The Internet was built to help share information rather than hide it. Since websites require information to deliver information, they are ethically bound to inform their users in an explicit, non-confusing way exactly how information is being kept. There is no one solution to enforcing websites to uphold this moral standard. Protecting privacy online is a multi-faceted problem that involves both regulation and lasses-faire policies. Nevertheless, the best weapon against privacy threats is the realization of online privacy vulnerability.
Bibliography
1. N. Anderson, “Study: Reading online privacy policies could cost $365 billion a year,” 2008; http://arstechnica.com/news.ars/post/20081008-study-reading-online-privacy-policies-could-cost-365-billion-a-year.html.
2. “Identity Theft Statistics,” http://www.spamlaws.com/id-theft-statistics.html.
3. “Vague online privacy polices are harming e-commerce, new survey reports,” http://www.internetretailer.com/internet/marketing-conference/578566856-vague-online-privacy-policies-are-harming-e-commerce-new-survey-reports.html.
4. N. Lugaresi, “Principles and Regulations About Online Privacy: “Implementation Divide” and Misunderstandings in the European Union ” Book Principles and Regulations About Online Privacy: “Implementation Divide” and Misunderstandings in the European Union Series Principles and Regulations About Online Privacy: “Implementation Divide” and Misunderstandings in the European Union ed., Editor ed.^eds., 2002, pp.
5. “Tiffany Shepherd fired for wearing Bikini?,” 2008; http://www.newspostonline.com/world-news/tiffany-shepherd-fired-for-wearing-bikini-2008103111672.
6. “Patriots Cheerleader Fired over Facebook Swastika Photo,” 2008; http://www.foxnews.com/story/0,2933,448044,00.html.