Toolkit: State of Online Privacy
Table of Contents
- Internet Technology Isn't (Usually) Built for Privacy
- Current Laws and Regulations
- Companies Profit by Sharing Information
- Build Your Toolkit
Internet Technology Isn't (Usually) Built for Privacy
The Internet was not designed with privacy in mind. Because data passes through many intermediaries—for example, your wireless router, your local Internet service provider, the web-hosting service for the website you're visiting—there are many points where someone could listen in. While designers usually try to incorporate basic security measures to keep thieves from outright stealing data, there are still many holes in most systems—and more subtle considerations like privacy are often left up to the user to deal with. As an analogy, while you might put a lock on the door, the walls are still so thin it’s easy to hear through them.
Even now, the information technology industry doesn’t have consistent best practices about privacy. Most college information technology and computer science programs don’t have specific courses for it. However, there are some efforts underway to develop industry-wide standards, both for individuals and for organizations as a whole.
One reason it is difficult to develop or effective industry standards—or comprehensive privacy laws—is that technology is continually and rapidly changing. For example, because people want to find information more easily, search technology is constantly improving. The most sophisticated types of data mining methods don’t just find information; they make important connections between different pieces of information—which can in turn be used to figure out further pieces of information. For example, the electric company could probably figure out when you go to work or whether you're on vacation by looking at your electricity usage.
Current Laws and Regulations
The United States Constitution does not specifically state that you have a right to privacy. The Bill of Rights covers some aspects of privacy, for example by forbidding unreasonable search and seizure. The application of these rights to information technology is currently under debate. As it stands, some types of stored digital data—such as the data in our cell phones—can't be reviewed by law enforcement without a search warrant. However, the government may collect many types of digital data, especially if the communication is routed outside the U.S., even if they don't have a warrant to review it. And of course, if a court issues a warrant or subpoena, your online information can be seized, searched, and potentially used against you.
Moreover, the protections in the Bill of Rights apply only to governments, not companies and other organizations. Laws about about nongovernment organizations and businesses collecting customer information online have not kept up with new technology. Some states have more strict and updated privacy laws, but these vary considerably, both in the information they protect and how consistently they are enforced. With a few exceptions, such as medical records or data that could cause financial damage, your personal information is not legally protected.
Companies Profit by Sharing Information
In RadioShack’s recent bankruptcy auction, millions of customer names, email addresses, and phone records were one of the auction items. Your information can be sold, and it’s valuable. Knowing about your interests and location means that advertisers can target you with products you’re more likely to buy. For example, if you search online for "dog treats", companies that sell pet products would be willing to pay more to advertise to you than to someone doing an unrelated search. Companies and online services are unlikely to share your data in a way they know will lead directly to financial or material harm. But for the most part, there is little that prevents them from sharing your data with marketing "affiliates", with data aggregators (specialized companies that buy and sell large amounts of consumer data), or with the government.
Most online companies and organizations have detailed privacy policies, but these policies are not necessarily designed to protect your privacy. Indeed, some companies' terms of service state that the company, not you, owns the information you share using their services. This allows them to legally use the data as they see fit. However, privacy policies vary a great deal depending on the provider and the situation. For example, companies vary in how much they limit what customer data their employees can see, and whether they limit it through technical security measures or whether they rely on rules and privacy trainings. Privacy policies are also subject to change without notice. In general, it’s safest to assume that privacy policies are written to protect the companies from lawsuits, and not to protect you.