Two weeks, two arrests. By any measure, law enforcement has been doing well in their pursuit of cyber criminals -- first nabbing the alleged writer of the Melissa virus and then, on Thursday, catching the man thought to be responsible for writing a false Bloomberg news story to boost his company's stock.
Great success, but at what price, ask privacy advocates. In both cases, law enforcement subpoenaed the Internet service providers involved, collecting personal information that led to the arrests. America Online gave New Jersey State Police enough information to connect a user's login to a single telephone number. Mindspring and Yahoo! handed over information that linked a Raleigh, North Carolina man to a fake news story posted on the Web. "There is sort of a dark synergy going on," said Lance Cottrell, president of anonymous remailer software maker, Anonymizer Inc. "The company collects the data and the government gets that data from the company. The fact that it is collected by the company voids your privacy rights." In short, the Internet -- long the symbol of anonymous free speech -- is quickly becoming an Orwellian nightmare.
Even congressmen have voiced their concern. "I believe in our society we are very concerned about privacy and anonymity and giving people space in which to act," said Rep. David Wu, at a hearing on Thursday discussing lessons learned from the Melissa virus. Instead of receiving plaudits for their success, the FBI and other agencies became the target of a privacy debate, focusing on how much information was caught up in the dragnet search for a suspect and why Internet service providers got so involved.
AOL spokeswoman Kim McCreery defended the company's collection of information. "We don't ask for information that is not relevant. We don't track what sites they stop at in their service," she said. "We are not going to sell data to marketers; we are not going to sell it to anyone." The company does release it, however. Over a year ago, AOL improperly released user information about Navy Senior Chief Petty Officer Timothy McVeigh (no relation to the convicted Oklahoma City bomber) to Navy officials without a subpoena. The information connected McVeigh with several postings where he allegedly admitted that he was gay. "People need to be made aware of what is going on behind the scenes," said David Sobel, general counsel for the online privacy watcher Electronic Privacy Information Centre. "Ultimately, they will realise that something they thought was an anonymous form of communication -- the Internet -- is potentially the most well documented form of communication."
In some cases, being on the Internet can be like being under surveillance the moment you leave your home, said Sobel. "Most people using these systems believe they have anonymity," he said. "Anyone who reads the terms of service for an ISP (know otherwise)." In some cases, companies collect the information to protect themselves from lawsuits. In others, the information collected helps to target marketing campaigns.
However, privacy concerns may cause confusion with corporate plans for the Internet, said Sobel. Instead of reducing the number of lawsuits, companies with large databases may find themselves the target of suit aimed at opening their databases to search for evidence in civil and criminal suits. "The more stuff that they collect about subscribers for commercial interests, the more interest they will generate from law enforcement who want to get a hold of that information," said EPIC's Sobel.
Being wary about privacy may cause users to step carefully amongst online sites, where information may or may not be collected. An AT&T Labs study released this week showed that customers are 40 percent less likely to give out information online, when they believe that information can identify them. Overall, the AT&T study found that users are confused about how much privacy they have online. "Most people don't know how much information is out there," said Lorrie Cranor, a researcher at AT&T Labs. "Our respondents are very confused about the ability of companies to link information to people."
That confusion could hurt e-business -- customers nervous with being identified means fewer companies will get the information that they want -- a lesson learned by the banking industry earlier this year. A proposed "Know Your Customer" program called for banks to identify their customers for each transaction and create profiles on each user. The proposal caused such a public outcry that the Federal Deposit Insurance Corp. withdrew it on March 23. "We need to be more sensitive to privacy in every context. We need to take privacy concerns into account in any regulatory proposal," said Donna Tanoue, chairman of the FDIC at the meeting announcing that the program was being dropped.
"The people have spoken," she said. "They have said, 'No.'" Can companies on the Internet learn the same lesson?