Privacy and Wireless Communication

 
Privacy and Wireless Communication
As we discuss in Chapter 4, e-Marketing and m-Marketing, wireless communication has
the advantage of location-based services. When Phase II of the E911 Act is initiated (it is
due to be implemented in October 2001), wireless phones will be located within a range of
125 meters, 67 percent of the time. The E911 (Enhanced 911) Act is discussed in detail in
Chapter 3, Location-Based Services. While providing benefits to wireless advertisers,
emergency services and consumers, location-based technology also raises privacy concerns.
In this section, we discuss an individual’s right to privacy and how this is affected
by the growth of the wireless Internet.
M-Fact 7.2
Nearly 60 percent of Americans feel that location-based advertising threatens their privacy.
[***”M-Commerce Users Feel Frustrated,” M-Commercetimes <www.mcommercetimes.
com/Marketing/44> 16 November 2000.***] 7.2
7.3.1 Right to Privacy
An individual’s right to privacy is not explicitly guaranteed by the Constitution, but protection
from government intrusion is implied through the First, Fourth, Ninth and Fourteenth
Amendments. The Fourth Amendment provides U.S. citizens with the greatest assurance
of privacy, protecting them from illegal search and seizure by the government:
The right of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated, and no Warrant shall issue, but
upon probable cause, supported by Oath or affirmation, and particularly describing the place
to be searched, and the person or things to be seized.
Government trespassing on private property was the greatest concern when the Fourth
Amendment was drafted. Problems applying the Fourth Amendment began to appear when
other instances, such as communication over telephone wires, required privacy protection. In
the landmark case Olmstead v. United States, which involved the discussion of illegal alcohol
sales over the telephone during the Prohibition era, the Supreme Court ruled that information
obtained through the tapping of telephone wires fell outside the protection of the Fourth
Amendment. This decision marked the need for a change in legislation.
This example demonstrates the need for translation, or interpretation of the Constitution
to protect the greater good. [***L. Lessig, Code and Other Laws of Cyberspace (New
York: Basic Books, 1999) 6.***] The invention of the telephone required the regulation
against trespassing to be reinterpreted so that it also included protection against wiretapping.
7.3.2 Wireless Internet and the Right to Privacy
Wireless location tracking will enable groups to identify people’s habits, including where
they go, when they go and their length of stay. Over time, a compilation of this information
can contribute to a substantial profile of a person’s habits. In addition, cell phone discussion
Wirelesshtp1_07.fm Page 172 Tuesday, May 8, 2001 4:04 PM
Chapter 7 Legal and Social Issues; Web Accessibility 173
© Copyright 2001. Deitel & Associates, Inc. All Rights Reserved.
often occurs outside the user’s home or office, leaving conversations open to persons within
hearing range. It is difficult to predict the effects of such precise personalization. However,
the ability to personalize information to a specific individual in wireline communications
created considerable controversy (Feature: DoubleClick: Marketing With Personal Information).
Currently, the accepted protocol for collecting user’s information is called an opt-in
policy—this requires the user to request targeted information. In some cases, a business
installs a double opt-in policy. Double opt-in policies require the user to request information
and then confirm that request by replying to a follow-up e-mail. In theory, this practice
provides a greater protection of privacy. An opt-out policy allows organizations to send
information to consumers until the user requests to be taken off the mailing list.
DoubleClick: Marketing with Personal Information
While privacy advocates argue that the Web will not survive without some form of regulation,
advertising organizations disagree. DoubleClick, an Internet advertising firm,
suggests that advertising must be effective to minimize Internet-related costs. As with
television and radio advertising, the money generated by Internet advertising can allow
people of all economic means to use the medium. [***“DoubleClick Advertisement:
Committed to Privacy,” The New York Times 14 February 2000: C19.***]
Web sites use a variety of tracking methods to record where visitors come from,
where they go and what catches their interest along the way. This information is tied to
a computer’s IP address (i.e., the numerical address of a computer on the Internet),
Web browser and operating system; it is used by marketers to target relevant advertisements
to specific computers. DoubleClick has an advertising network of more than
1,500 sites where banner advertisements for 11,000 of its clients appear. [***B.
Tedeschi, “In a Shift, Double Click Cuts Off Plan for Wider Use of Personal Data
of Internet Consumers,” The New York Times 3 March 2000: C5.***] This network
enables DoubleClick to combine data from many sites to target advertisements
for particular computers.
However, targeting a specific IP address, browser and operating system is less
effective than targeting a specific consumer. In 1999, DoubleClick acquired Abacus
Direct Corporation, a direct-marketing organization. Abacus stores names, addresses,
telephone numbers, age, gender, income levels and a history of purchases at retail, catalog
and online stores. This acquisition enabled DoubleClick to attach personal information
to the activities of what were once “nameless” personal computers.
One concern with this method of collecting and using data is termed digital
redlining. [***R. Tomkins, “Cookies Leave a Nasty Taste: Marketing Internet
Privacy,” Financial Times 3 March 2000: 16.***] Digital redlining suggests that
a company could skew an individual’s knowledge of available products by basing the
advertisements that user sees on past behavior. This practice could allow advertisers
to influence consumers’ habits by limiting the information they see to what the advertisers
determine the consumers want to see. [***R. Tomkins, 16.***]
Wirelesshtp1_07.fm Page 173 Tuesday, May 8, 2001 4:04 PM
174 Legal and Social Issues; Web Accessibility Chapter 7
© Copyright 2001. Deitel & Associates, Inc. All Rights Reserved.
Companies need to inform consumers of the information they will receive. In addition,
companies also need to inform consumers how their personal information will be managed.
This complicated legalese could be difficult to display effectively on smaller devices,
making wireless Internet more susceptible to privacy violations. For example, if the company
has partners or affiliates, location information can be sold and used to solicit consumers.
As a result, consumers could find themselves bombarded with unsolicited mail—
while they are in their cars, in a movie theater or enjoying an evening out. In addition, while
the Federal Communications Commission (FCC) has guidelines outlining a telecommunications
carrier’s responsibilities for protecting a user’s privacy, third-party vendors are not
subject to the same guidelines. [***C. Nobel and D. Callaghan, “Wireless Services Hit
Snags,” eWeek 18 December 2000: 15.***] Third-party vendors, in most cases, will
have their own privacy policies. Further, failed dot-coms filing for bankruptcy are able to
sell consumer information—a highly valuable commodity. Users may willingly give their
information to one organization, only to find that it can be legally transferred to others (Feature:
Going Out of Business: The Bankruptcy Reform Act). At the time of this writing, legislation
regulating sales of this type was under review. The proposed bill prevents
companies from selling consumers’ personal information if their privacy policies indicate
Direct marketing in the traditional sense affords a certain time lapse between an
individual’s purchases, the processing of that information and the use of that information
to target that particular customer. On the Internet, however, users can be instantly
targeted while they are browsing. [***“The DoubleClick Dilemma,” The Boston
Globe 2 March 2000: A16.***]
Perhaps of greater concern, is the recording of personal activities. The Internet is
valued as a medium in which users can search for information and express opinions
anonymously. Privacy advocates are concerned that browsing data could be used
against individuals attempting to obtain housing, get a loan, apply for insurance coverage
or even deal with spousal disagreements and divorce. [***J. Beauprez,
“Giant Online Database Dropped DoubleClick, Yields to Privacy Concerns,” The
Denver Post 6 March 2000: C1.***] For example, a user visiting a Web site to learn
more about an illness might not want that information to be made available to insurance
companies. DoubleClick promises to uphold its privacy policy, which assures users
that the company will not collect financial, sexually-oriented or medical information.
DoubleClick: Marketing with Personal Information (Cont.)
Wirelesshtp1_07.fm Page 174 Tuesday, May 8, 2001 4:04 PM
Chapter 7 Legal and Social Issues; Web Accessibility 175
© Copyright 2001. Deitel & Associates, Inc. All Rights Reserved.
that information would not be distributed. [***J. DiSabatino, “eBay Amends Its Privacy
Policy,” Computerworld 9 April 2001: 73.***]
While the negative consequences of location-based technology cannot be fully predicted,
there are some serious concerns. For example, opponents fear that the technology
could facilitate kidnappings and other illegal activities as easily as it can help rescue
workers and police locate injured parties and stolen vehicles. As long as individuals are carrying
a mobile phones, PDAs, pagers or laptop computers that host location-based technology,
their location can be identified.
To date, there is no legislation that monitors the use and misuse of location-based technology.
Industry leaders and many government agencies fear that legislation could slow the
development of wireless technology. In addition, there are many different ways to approach
privacy legislation and one "comprehensive" privacy law may target some issues, but miss
others. Personal information collected from wireless users, for example, can be of a different
nature from that collected from desktop users.
To address the privacy issue, the Cellular Telecommunications and Internet Association
(CTIA) has presented guidelines for protecting consumer privacy. These include 1)
Companies should alert consumers when their location is being identified, 2) Opt-in should
be the standard, informing users of the services they will receive and allow them to make
the decision, 3) Consumers should be able to access their own information, and 4) The same
protections should be offered to all consumers regardless of carrier or device. [***M.
Hamblen, “Ensuring Portable Privacy,” Computer World 11 December 2000: 50.***]
Going Out of Business: The Bankruptcy Reform Act [***H. Green,
“Your Right to Privacy: Going... Going...,” Business Week 23 April
2001: 48.***]
When businesses file for bankruptcy, they often sell assets to pay back creditors and
stakeholders. This can include customers’ contact information, such as names, addresses,
credit-card numbers, social-security numbers, purchasing histories and medical information.
The Bankruptcy Reform Act is intended to monitor the sale of consumer
information in cases of bankruptcy.
To protect privacy, Web sites need to abide by their privacy policies. For example,
if the privacy policy states that personal information is not shared with third parties, this
policy should be honored even if the privacy policy changes or if the company goes
bankrupt. In cases where the Web site clearly states that it intends to distribute consumer
information to third parties, other protections should exist. For example, users
should also be able to approve which companies receive their information.
eBay changed its privacy policy in April, 2001 to address this situation. The policy
now states that eBay has the right to share user’s personal information with subsidiaries
in joint ventures, mergers and acquisitions. Announcements of the adjustment to the
privacy policy were sent to registered users via e-mail and eBay maintains its Truste
membership based on its efforts to communicate with its users. Toysmart, Inc.
attempted to sell users’ personal information after the company declared bankrupcy.
However, due to public outcry, the sale was stopped.
Wirelesshtp1_07.fm Page 175 Tuesday, May 8, 2001 4:04 PM
176 Legal and Social Issues; Web Accessibility Chapter 7
© Copyright 2001. Deitel & Associates, Inc. All Rights Reserved.
Web-based efforts at protecting user privacy might also be used for wireless devices.
The World Wide Web Consortium introduced the Platform for Privacy Preferences Project
(P3P). The Consortium will release a questionnaire to users who have downloaded a newer
version of the more popular browsers (e.g., Netscape Navigator and Internet Explorer)
asking individual users about the level of privacy they desire. Then the browser will comply
in accordance with users’ answers by allowing them to interact in specific ways.
[***”The DoubleClick Dilemma,” The Boston Globe 2 March 2000.***] This
method has been endorsed by the federal government as a means of avoiding legislation.
The Web sites of many companies, including AOL, AT&T, Microsoft and IBM, already
employ the P3P protocol.[***“White House Backs Initiative For Net Privacy,” The
Boston Globe 22 June 2000.***]
The P3P privacy policies are XML-based applications that allow a user’s preferences
to be matched accurately to a site’s standardized privacy protocols. XML and related technologies
discussed in detail in Chapter 28, XML, XSL and XSLT. While P3P will prompt
users if the privacy policy of a particular Web site does not match the given preferences, it
does not force Web sites to abide by their own policies. Opponents fear that this method
will give Internet users a false sense of security that their privacy is being protected.
7.3.3 Employer and Employee: Privacy Issues
In Chapter 2, m-Business, we discuss business-to-employee (B2E) applications. We examine
how wireless technology, enhanced with location-based services, enables businesses to
monitor remote employees and manage shipping fleets. While this technology enables
businesses to allocate resources to specific projects or reroute shipments to avoid delays, it
can also infringe on employee privacy. For example, the number of times an employee
stops to use the restroom, where the employee chooses to eat and how fast or slow the employee
drives can be monitored.
Such monitoring is not limited to recording an employee’s physical location. One of
the newest surveillance technologies, keystroke cops, monitors employee activities on corporate
and communications equipment.[***M.J. McCarthy, “Thinking Out Loud:
You Assumed ’Erase’ Wiped Out That Rant Against the Boss? Nope,” The Wall Street
Journal 7 March 2000.***] Keystroke software provides an inexpensive, easy-to-use
method of monitoring productivity and the abuse of company equipment. [***M.J.
McCarthy, “Thinking Out Loud: You Assumed ’Erase’ Wiped Out That Rant
Against the Boss? Nope.”***]
The surveillance software is loaded onto the hard drive of an employee’s computer, or
it can be sent to an unsuspecting employee as an e-mail attachment. Once activated, the
software registers each keystroke before it appears on the screen. Many products also have
scanning capabilities that enable them to search through documents for keywords such as
“boss” and “union.” [***M.J. McCarthy, “Thinking Out Loud: You Assumed ’Erase’
Wiped Out That Rant Against the Boss? Nope.”***]
The issue is often one of company time and equipment versus the employee’s right to
self expression. Situations may involve employees who neglect responsibilities and instead
take company time to write personal e-mails, surf the Web or conduct online tirades against
management in chat rooms.
To determine the outcome of court cases on these issues, the courts propose two criteria:
(1) Did the employee have a reasonable expectation of privacy, and (2) Does the busi-
Wirelesshtp1_07.fm Page 176 Tuesday, May 8, 2001 4:04 PM
Chapter 7 Legal and Social Issues; Web Accessibility 177
© Copyright 2001. Deitel & Associates, Inc. All Rights Reserved.
ness have legitimate business interests that would reasonably justify violating an
employee’s privacy?
Companies do have legitimate reasons for monitoring employee activities on the
Internet. Employees that use company time for irrelevant Web surfing not only waste time,
but also attract unsolicited e-mail. Increased traffic to the server means slower access for
those employees using the Web for legitimate purposes. [***R. Beck, “Cyber Liability
Updates Old Risks,” Mass High Tech 31 January - 6 February 2000: 27.***]
E-mails can reach large groups of people quickly and easily, creating the possibility of
harassment suits. For example, an employee receiving e-mails containing offensive material
could use them to prove a hostile work environment. To understand the legal argument,
read the feature “Michael A. Smyth v. The Pillsbury Company: Viewing Expectations of
Privacy and Reasonable Business Interests.”
In an effort to regulate e-mail and Internet surveillance by employers, the Notice of
Electronic Monitoring Act was proposed in 2000. The bill would require employers to
notify employees of telephone, e-mail and Internet surveillance. Employees would be
updated annually or when policy changes were made. The frequency of surveillance, the
type of information collected and the method of collection would also be disclosed.
Proponents of notification argue that prevention would reduce the number of questionable
transactions made over the Internet. However, when a company takes the responsibility
of notifying employees of surveilance methods, they also assume the responsibility
of correspondence that is not blocked. In the event that an offensive e-mail is sent out and
not addressed by management, offended employees could argue the company allowed
Michael A. Smyth v. The Pillsbury Company: Viewing Expectations
of Privacy and Reasonable Business Interests
Based on a series of allegedly unprofessional e-mail messages transmitted to his supervisor
in October of 1994, Michael A. Smyth was dismissed as regional operations manager
at The Pillsbury Company in February of 1995. After receiving his notification of
termination, Mr. Smyth sued the company.
Mr. Smyth claimed that the Pillsbury Company had assured its employees that email
would not result in reprimand. However, under Pennsylvania law, “an employer
may discharge an employee with or without cause, at pleasure, unless restrained by
some contract.” [***Michael A. Smyth vs. The Pillsbury Company, C.A. No. 95-
5712 (1996).***]
Having to give up his claim of wrongful termination, Mr. Smyth then restructured
his argument. Mr. Smyth suggested that the use of his personal e-mail against him was
a violation of public policy. Examples of public-policy violations include reprimanding
an employee called for jury duty and denial of employment as a result of previous convictions.
However, the court did not find in favor of Mr. Smyth. It determined that there was
no reasonable expectation of privacy, nor was Mr. Smyth made to share personal information.
Rather, the court determined that The Pillsbury Company had legitimate business
purposes for its actions against Mr. Smyth.
Wirelesshtp1_07.fm Page 177 Tuesday, May 8, 2001 4:04 PM
178 Legal and Social Issues; Web Accessibility Chapter 7
© Copyright 2001. Deitel & Associates, Inc. All Rights Reserved.
these transactions to take place. [***P. Thibodeau, “Employer Snooping Measure
Nears Vote,” Computer World 11 September 2000: 1.***]