How do you keep personal information private amid ever-increasing
information-gathering capabilities of new technologies?
Every day, with a phone call, a click
of a mouse, or a beep of an automatic teller machine, Americans give
away more personal details about themselves than ever before. From our
buying habits and financial status to our children's names and the books
we read, information once considered private has become part of a
digital data mecca for businesses and government.
Increasingly, corporations use personal information databases to target
marketing activities, calculate insurance risks, manage employees and
make loans. Government agencies that traditionally collect data to
ensure that we keep licenses current, obey the law and pay our taxes are
now under pressure to expand their information-gathering activities in
the wake of 9/11. Controversial examples include an airline passenger
database, face recognition software, and the Pentagon's Total
Information Awareness project.
Just how much private information is really available? Today, for a fee,
Web sites will search databases that include real estate records, voter
registration, phone records, magazine subscriptions and changes of
address. Sites promise to find cell and unlisted phone numbers, peruse
military records or "find the dirt" in criminal files.
Wait a minute. Is this really legal? Can't individuals control the
accumulated details of their own lives?
Although the United States has a tradition of protecting many individual
freedoms, says lawyer Harlan Onsrud, there is no broadly encompassing
right to control or limit personal electronic information collected by
others. The playing field is thus tilted in favor of those who collect
and sell such information as though it were a commodity like grain or
The issue is complicated by a tradition of openness in American society.
Access to information, some of it personal, is a hallmark of the court
system, media and local government. Even in our public libraries, people
have free use of the books, CDs and videos; it's also in these hallowed
halls of information access that many librarians have taken a stance
against opening their lending databases to scrutiny in the name of
With the latest advances in information technology, the question, says
Onsrud, is how to keep the control of one's "private" information in the
hands of that individual. (Just where the line is between information
traditionally considered private and intimate knowledge for the sake of
national security is a whole other discussion.)
Onsrud, a professor in the Department of Spatial Information Science and
Engineering at the University of Maine, focuses on legal issues related
to information systems. With fellow faculty member Silvia Nittel, he
hosted a recent research workshop on location privacy to investigate
technological, legal and institutional approaches that would give users
greater control over the collection, use and storage of information from
the electronic devices they use and sensors to which they may be
Simultaneously, the researchers want to preserve the open information
marketplace of American society. Their goal is to restore a balance in
social policies to the benefit of both privacy and the marketplace.
"We really do want the marketplace to be effective and efficient," says
Onsrud. "We also want to protect privacy. The assumption here is that by
protecting privacy, you can make the market grow. My argument has been
that information industries can offer more services and make far more
money by advancing technological approaches that give consumers direct
control over information about them."
In essence, he says, personal information security can give consumers
confidence to use new technologies without fearing an invasion of their
Onsrud and others have proposed that information technologies be
designed to automatically include a standard licensing agreement,
allowing individuals to define when, where and under what circumstances
their personal information is used. As an example, he cites GPS (global
positioning system) chips now built into cell phones, which provide
location information for emergency responders. Marketers could use the
same information to send advertisements for retail stores in a user's
"Say you're in the market for a certain brand or style of pants. You
request your ‘communicator' to notify you when you pass a store meeting
your criteria. Or perhaps you request it to notify you when your friends
are near. You're in control. However, you don't want it to tell you
about other sales and services you haven't
requested," he says.
Users also need the option of controlling when and exactly what
information will be collected on them, and how long — or if — it will be
stored, Onsrud says. They need to be able to change these options
easily, continuously, automatically. It's important, he adds, that
information technologies be designed to give people choices.
"One promising way you might enforce this is through a contractual
relationship — a standard contract that makes preference choices legally
enforceable. The preference settings of a ‘communicator' might initially
be set to provide maximum privacy protection. In time, as users desire
more services, they may be asked by their ‘communicator' if they want to
change a setting in order to receive a specific service.
"The choices made are automatically enforced through the technology and
are made legally enforceable through the contract that might be with the
ISPs (Internet service providers) or through an intermediary. If you
discover later that you're getting communications that you're not
supposed to be getting, or that information about you has been sold
without your permission, then they've breached a contract with you." At
that point, he says, an individual can bring a private enforcement
action, just as one would with any other contract breach, perhaps
resorting to damage amounts pre-specified in the consumer contract.
Nevertheless, the very nature of information makes it difficult to
control. Former ambassador, public policy expert and author Harlan
Cleveland noted that information is inherently different from other
possessions. It travels at the speed of light, expands as it's used and
has a tendency to diffuse. Owning information is thus problematic, as
copyright holders can attest, but some privacy advocates would still
like to rely on the concept of ownership to restore individual control
over personal data.
However, the ownership rules that control electronic information are
different, Onsrud explains. "Problem is, we're moving into this age
where you can no longer give your book away. Now it's in electronic
form, controlled by a license rather than by the social bargain struck
through traditional copyright law. In day-to-day practical living,
you've lost some of the ownership rights that you previously had under
In the future, new technologies are only likely to increase privacy
concerns. The remote access RFID (radio frequency identification) tag, a
replacement for the product bar code, is already used to track business
inventories. "Potentially, they'll be embedded in virtually everything
you buy — from magazines to underwear," says Onsrud.
Segments of the grocery industry have already embraced RFID technology
with the goals of reducing overhead and increasing efficiency. In the
grocery store of the future, shoppers will not have to wait in checkout
lines. They will load up their carts and walk past an RFID scanner that
identifies their purchases and sends data to computers that tally the
bill and charge a customer's account.
"Once you start looking five to 10 years down the road with these
pervasive identification technologies, it gets to be more of a
challenge. The way to address it is probably through a combination of
legal and technological methods. Quick legal or technological fixes in
isolation from each other won't work," Onsrud says.
Such efforts will need to take homeland security into account. The
government's ability to spy on individuals has long been constrained by
measures to protect privacy. But in a post-9/11 world, those policies
are shifting toward greater surveillance.
In a paper delivered at the location privacy workshop earlier this year,
Onsrud noted that "privacy is sometimes confused with security." An
invasion of privacy arises when personal data is used without an
individual's awareness or consent. On the other hand, security breaches
involve information access by unauthorized third parties. To guard
against the latter, he wrote, technological security measures are
One speaker at the location privacy workshop suggested hypothetically
that security may ultimately stem from fostering a small-town culture.
"His point was, if you want to protect against terrorism, put the power
in the hands of everybody to observe everybody else, because we are a
mutually supportive society. We don't need to depend on some overseer.
It becomes more of an equity issue that we should all have access to
everyone else's business rather than have a corporate or government
elite in control," Onsrud says.
Such an approach may face limits in large communities, not to mention an
absence of personal privacy, but it harkens back to the nation's roots
when most Americans lived in small rural towns. That period also saw an
emphasis on the importance of freedom and self-determination, values at
the core of what it means to be an American.
Today, availability of personal data raises questions about how we
protect such values — what it means to be a free person with the power
to exercise self-determination.
A key to being a person, Onsrud has written, is the ability to be
autonomous, or self-defining. That's why misuse of personal information
can be viewed as a violation of an important human right. "We haven't
developed a cohesive body of human rights law in the U.S. such that an
individual has a right to the pursuit of happiness versus a corporation
that does not," says Onsrud, referencing a treatise by Charles L. Black
Jr., of Columbia and Yale law schools.
As a result, legal scholars and technology analysts continue to
reconsider the balance between ownership, access to government
information and commercial interest, Onsrud says. "The problem is that
it is so complex. It's dealing with the whole range of human-computer
interaction — how you actually interact with the device. And there are
the institutional issues. What are the appropriate institutions, if any,
for control and protection of privacy?"
by Nick Houtman
for more stories from this issue of UMaine Today Magazine.