Your Electronic Self
The phone rings. It's evening. You might be watching television, or reading, or having a bite; in any case, you take a few seconds from your leisure time to get up and answer the phone. You hear a click, then nothing.If you're a relatively unparanoid sort, you probably assume it was a wrong number, and that the caller realized with the sound of your voice that he or she had made a mistake. These days, however, it's more likely it wasn't a person at all, but rather a machine engaging in a practice known as "predictive dialing." It might have been one of the big three long-distance companies, or some telemarketing firm.Once, salespeople making telephone solicitations dialed numbers themselves. It was a time- and money-wasting procedure, especially since the employees were paid by the hour. So a computer program was developed to dial numbers automatically -- to make more calls, in fact, than the operators can handle, using a statistical model to predict how many of those people called will not answer the phone. The Direct Marketing Association works with its members to try to eliminate excess calls, but industry insiders say the rate of "abandoned calls" (the click-then-nothing ones during which the machine hangs up because no operator is available) is between 1.5 and 3 percent of the 18 million telemarketing calls made daily. Every day, then, a quarter- to a half-million people or so might have to answer dead calls.It's a minor inconvenience, to be sure, but a needlessly annoying one to some people. Others might find it a bit eerie. Consider this mechanized nuisance a phone call from the future.Have you noticed how many times lately you've had to fill out cards with your name, address, and phone number -- for subscriptions, warranties, supermarket savings-club cards? Or how often government agencies or your employer use your Social Security number for identification? Have you noticed how many cameras there are in stores, in automated teller machines, and on street corners?You probably haven't thought of these things because, well, you have a life. They might seem unconnected and trivial. And you might not associate them with the idea of "privacy." But more people are, and are raising questions about what privacy actually is in this day and age.Perhaps the best definition of privacy, legally anyway, was formulated by Boston law professors Louis Brandeis and Samuel Warren in 1890. They said privacy is, very simply, "the right to be let alone," to be allowed to keep your affairs to yourself.What does this mean in the digital age, when everything from the cameras on Park Avenue to the cash-register scanners at the Charles Village Safeway have caught some aspect of your day-to-day activity? When cellular-telephone calls can be picked up by old scanners and even old television sets? When disgruntled employees can take your Social Security or credit-card number and start a new life?Everyone leaves a trail of electronic bytes, like so many M & M's, that hungry marketers, nosy employers, government agencies, and the just-plain curious can gobble up when they get an appetite to find out more about you. Companies are amassing huge databases of information, dossiers of individuals' spending habits, credit histories, driving records -- information they don't even know what to do with yet but are confident they will find a buyer for.So what? Perhaps the fact that strangers at data-warehousing companies know what kind of yeast-infection medication you prefer is no big deal. In the old days of small-town and city-neighborhood life, the local tobacconist knew his customers' favorite brands and always kept some on hand, and everyone knew everyone else's business.But then, at least, we could see who was gossiping about us and keeping track of what we liked to buy. Increasingly, in an anonymous society, the nosy information mongers are large consumer-product companies. They have a bead on you -- your tastes, your likes and dislikes, your ability to pay off a bill on time. You can't see what they know about you, and they'd very much like to keep that information under wraps, thank you very much.Oh, and you know what? The government agrees with them. By now just about everyone has heard the cliche that this is the Information Age, but few pay attention to the data streams silently flowing in the background. Only occasionally, when something goes wrong, does it make itself noticed. It's like in the new movie "The Truman Show" -- only when a light accidentally crashes down out of the sky does Jim Carrey's character realize an entire world exists beyond his own.Southern Maryland resident Kim Little had an epiphany like that. Little is not Kim's real last name; she chooses to remain anonymous for the purposes of this article. Which is not surprising. Kim describes herself and her husband as "meticulous" about protecting their privacy. They have only one credit card, and they don't order merchandise by mail -- just to keep their names off of junk-mail and telemarketing lists.But even as a privacy nut, Kim was surprised by the amount of information on her that gets out, and how fast. It started last fall, when she bought a toy log cabin for her young son at a local Wal-Mart. The toy house had a defective door, and when she returned to the store for a replacement, the item was sold out.So Kim did the logical thing -- she called the manufacturer, a company called Little Tikes. The woman who answered gave Kim the first glimpse of the entanglements to come. Kim was told she could get a list of nearby stores that carry the product. She was also asked for her name and address. Kim balked. She asked why that information is needed. "The computer won't let me give you any information without a name and address," was the response."Why don't you use yours?" Kim politely but firmly countered -- the company wouldn't know the difference. Eventually the receptionist relented, and Kim got the list of stores.The Little Tikes log cabin must have been popular with little tykes last summer -- all of the stores Kim visited were sold out. She again called the manufacturer, which agreed to send her a replacement. She sought and received assurances from two company officials that her name and address would not be distributed to anyone. "I felt comfortable that they would keep my name confidential," she says.Almost comfortable, anyway. She gave her correct address but provided a phony last name -- Little -- the better to spot any junk mail emanating from a Little Tikes list. Sure enough, a few months later "Kim Little" received a piece of advertising mail from a Pennsylvania-based company called Baby's First Book Club. She called the company's president, who swore her name would be removed from the book club's records. A month later a book came in the mail from Baby's First Book Club, addressed to "Baby Little.""I called the company to let them know how appalled I was," Kim says. Once again she extracted a promise that she would be removed from its list and that the membership she never signed up for would be canceled.By then, however, the damage had been done. Mail addressed to Kim Little started coming in from other companies. Buster Brown tried to sell her clothing. Gerber's, Kim says, offered a $5,000 life-insurance policy for her child. She got invitations to apply for credit cards with baby pictures on them. By her count at least eight companies she'd had no contact with now knew she was a new mother.And she still didn't know how Baby's First Book Club obtained her name. The company insisted she must have sent in a membership card, but she says she didn't. (Company president Maurice Sandvik guesses that when Kim called to complain about the first mailing, a customer-service rep may have accidentally checked off a box on a computer screen indicating she wanted a membership.) She repeatedly called Little Tikes too; after being transferred from one department to another and hearing endless denials that the company sold her information, she reached the firm's head of customer service, who Kim says acknowledged that a Tikes list could have been shared with Baby's First Book Club. That was supposed to be a one-time use, Kim says she was told-an agreement Baby's First Book Club violated by renting Little's name and others out to other companies.No doubt the people at both companies thought this Kim person was a pain. According to Kim, one asked her what the big deal was -- why couldn't she just throw the mail away? Only when she threatened legal action did they take her seriously, she says; Baby's First Book Club provided a partial list of companies that have her name.But what legal action could Kim take? "There are no laws whatsoever" that prevent companies from sharing information they have gathered about their customers, says Bob Bulmash, founder and president of Private Citizen, a privacy-advocacy group that, for a small yearly fee, advises consumers how to take on pesky marketing firms."There is no way to protect your privacy, outside the trust you build up with the company itself," says Kim, who says she is still receiving mail for the fictitious Ms. Little. "There is nothing legally you can do, there is no recourse." To her, the most annoying aspect of the whole business isn't the junk mail but the utter indifference she says she encountered from Little Tikes, from low-level staffers on up to the company's president."If they had integrity they would have acted differently. It's not that they made a mistake but that they did nothing to rectify it," she says. "Little Tikes refused to counter the problem at all."While not commenting on the details of Kim's experience, Lorrie Krum, a spokesperson for Rubbermaid, Little Tikes' parent company, says Tikes had followed "common practices of the industry" in compiling customers' names and addresses.Since Kim's complaints, Krum says, anyone requesting replacement parts from Little Tikes by phone is asked whether they want their name placed on the toy maker's mailing list. "This is an issue that has been under discussion for some time," she says, adding that the company has been seeking a balance to satisfy customers such as Kim Little and those who do want to hear about new products.Sandvik, while noting that Baby's First Book Club does routinely sell members lists to other companies, is also sympathetic. "We're not in the business of pestering people," he says. "It's not what we want to do." In many ways it is easy to see Kim Little as a zealot. After all, what harm did she and her child really come to? None that can be seen. And if she had looked through her junk mail she might have found bargains she'd have missed otherwise. Kim's experience notwithstanding, most companies claim the utmost sensitivity regarding protection of customers' privacy.Chet Dalzell, spokesperson for the Direct Marketing Association, an industry trade group, estimates that about 20 percent of the population is actively worried about how companies use information about them. His estimate might be a bit conservative -- a 1996 Equifax/Harris survey on privacy issues found that 65 percent of the public agrees that "protecting the privacy of consumer information" is "very" important. (For comparison's sake, 87 percent say "controlling the cost of medical insurance" and "staying out of excessive debt" are "very" important, according to the same survey.)Whatever the numbers, the point is, as Dalzell notes, that a sizable number of people don't want to hear from direct marketers, and that direct-marketing companies -- the ones that send fliers to your home and hire telemarketers to call you-must recognize them if they want to stay in business. The trade group has set up voluntary guidelines for members with this goal in mind. "It's to our financial benefit to know who the people are who don't want to be bothered," Dalzell says, "because they're not likely to purchase much anyway."Indeed businesses are very much aware of the privacy issue.Take Superfresh, which, like most large supermarket chains, offers regular customers "club cards" that provide check-cashing privileges and discounts when scanned by a cashier. According to Michael Rourke, a senior vice president for A&P, Superfresh's parent company, the card gives the company something valuable as well-a record of the customer's spending habits. With this information, he says, Superfresh can target people who like certain products. Rourke points to a Michigan supermarket that established a "baby club," giving $20 to young parents who buy $200 or more of baby-related items.There is virtually no limit to the ways the club-card database can be divvied up. "We could start a pet club or a frozen-food club," Rourke says. The motivation behind the card, he says, is "to bring our customers closer to us." The similarity that runs through Superfresh and other information-collecting bodies is that people can opt out -- they can check a box or in some other way indicate they don't want their information to be shared. But the burden is on you to opt out rather than on the company or agency to opt you in.This isn't the norm elsewhere in the world. Many countries in Europe, particularly Germany, enforce tough privacy laws that bar businesses from collecting information on people unless those people give explicit approval.Come fall the European Union (EU) will require all countries it trades with to implement similar laws. It's called the European Data Protection Directive; each country will be required to have a privacy commissioner or agency oversee compliance with the laws. Under this directive, people will have the right to access data about them, to have it corrected if it is wrong, and to allow information to be traded only with approval.The United States, it appears, has no interest in complying, and quiet murmurs about a trade war are being heard. "Administrative people from the Federal Trade Commission and State Department are spending more time in Brussels trying to persuade [EU officials] to back down than they are in Washington," says Simon Davies, head of the London-based advocacy group Privacy International.A recent U.S.-Japan pact under which Japanese companies will regulate themselves on privacy issues, as U.S. industry does, in effect forms a powerful bloc opposing the EU directive. In a recent talk at University of Maryland-Baltimore County, Michael Nelson, director of technology policy for the Federal Communications Commission, predicted a U.S.-EU split over data privacy.According to Nelson, it's not that the United States won't comply, it's that it can't -- the advance of information technology is outpacing the government's ability to enforce any privacy regulations. "The old way [was that] laws, licenses, rules were written in the 1970s when there were few computers," he said at UMBC. Today the number of computing devices has outstripped any agency's attempt to understand how they work.The solution, according to the feds, is pushing the data collectors to police themselves. As stated in a 1997 U.S. Commerce Department report on "The Emerging Digital Technology," "In order to empower consumers to have control of their own personal information, the U.S. government is encouraging the private sector to establish codes of conduct and self-regulation."Privacy advocates don't buy either this reasoning or this response. "There are numerous technologies that government regulates in the public interest, weapons technology for instance which advance constantly," Privacy International's Davies says. "We consider the government has a responsibility to keep that in mind, monitor it, and control it." Many view the we-can't-keep-up argument as an excuse to serve the interests of the deep-pockets telecommunications and direct-mail industries. There's little political reason to do otherwise; in these anti-bureaucracy times, there isn't likely to be any public hue and cry for a new agency to regulate data privacy.As for self-regulation, privacy advocates generally agree on the private sector's performance. "I think they've done pretty poorly," says Jason Catlett, who runs Junkbusters, a service that helps consumers get off of junk-mail lists. "There have been some shining exceptions of companies that have implemented strong, sound privacy practices, [but] a large fraction of direct-marketing companies don't even have a do-not-mail list, let alone the opportunity for humans to see what information is being held about them. Really, self-regulation has failed."Apparently EU agrees. Wired magazine reported last month that "Germany's Spiros Simitis, the world's first data-protection commissioner, told an audience in Washington [D.C.], 'Don't imagine for a moment that you can get away with paying lip service to privacy. Europe requires a regime of real protection. That is the new global position.'"I have been in the database field and computer networks for 17 years and I have seen stuff that will scare you to death," Robert Biggerstaff says. Last year the South Carolina resident testified before the Federal Trade Commission on his experiences of working with databases for the military and for commercial firms.During a conference call, Biggerstaff and Private Citizen's Bob Bulmash try to explain the danger of something as seemingly innocuous as junk mail and telemarketing."The danger is [as much] the infrastructure set up to feed the junk-mail and junk-phone-call industry as the industry itself," Bulmash says. "It takes our personal and private information, information that we would not even give to a close personal friend, and publishes it. Would you give your friends the exact cost of your home? Not necessarily. Would you tell every person that you knew what your religious affiliation was? Whether or not you are homosexual? Not necessarily, but the direct-marketing industry will collect that information without your knowledge and permission and publish it for their own financial benefit."What can a company do with information about a consumer? It can, Biggerstaff says, "take [motor-vehicle] records, property records, public records, overlay that with credit reports, magazine subscriptions, club memberships, vehicle registration, salary information, bank information," and derive a surprisingly detailed portrait of a person.Such data harvesting is largely the point of supermarket club cards. "When I first saw the frequent-shopper cards, I knew the reason," Biggerstaff says. "With a database like that, I could say I want to see who has bought birth control or condoms in a certain zip code, and take that list and compare it to a list of single female employees and decide to fire those because [I] feel they have an immoral lifestyle." An insurance company with access to supermarket records, he says, could deny someone coverage for purchasing too many fatty foods over the years."It's perfectly legal to" buy that type of information, Biggerstaff says. "As these databases get more and more data in them," he predicts, "the database will become the major asset of the corporation."Evidence can already be seen of such operations at work. The Privacy Rights Clearinghouse, a California privacy-advocacy group, keeps on its Web site a list of complaints it has received. One story is of a woman who received promotional mail from a drug company that included the name of the pharmacy she used. Then there's the story of a 10-year-old who received a preapproved offer of credit in the mail -- his name was obtained from a national athletic organization that oversees a swimming program he participated in. Individually these instances might not mean much, but taken together they show a disturbing trend.And these are just some of the legal uses. Already a cottage industry is forming of renegade information brokers who claim that, for a small fee, they dig up information that is illegal for private citizens to obtain, such as records of long-distance phone calls and Social Security numbers. I called one such service. The woman who answered said she could provide the complete bank records for any individual for $325-$275 if I already had the person's Social Security number. She accepted most major credit cards. Other brokers offer criminal-record checks-just the thing, as one such service touts on its World Wide Web site, if you're "planning to hire or date someone." But even solutions such as the European Data Protection Directive might be of limited value. History shows that most attacks against the march of progress turn out to be futile, such as that of the 19th-century Luddites, weavers who went around surreptitiously in the night breaking up weaving machines as a protest against the encroaching industrial age. They might have had a point, but their effort was fruitless.The futility of trying to block technology is the theme of The Transparent Society (Addison and Wesley), a new book by David Brin. Normally a science-fiction writer, Brin has stepped out of his field with a genuinely new way of looking at what seems an intractable problem."In the information age to come," he writes, "cameras and databases will sprout like poppies-or weeds-whether we like it or not." The solution is not to ban the cameras and erase the databases-that will never happen. The only answer, Brin posits, is what he calls "transparency": "We may not be able to eliminate the intrusive glare shining on citizens of the next century, but the glare might be rendered harmless through the application of more light aimed in the other direction." In other words, people should demand as much visibility as is asked of them. If the police can watch the streets through surveillance cameras, Brin says, there should be cameras in police stations for citizens to monitor what goes on there. Dossiers kept on consumers should be freely available for inspection by those consumers.Reciprocity might take some getting used to. Where it currently exists, it is limited. The Board of Physician Quality Assurance of Maryland, via its Web site and through e-mail, provides information on Maryland doctors, including addresses of record, medical school attended and year of graduation, medical specialty, and the status of the physician's license to practice, including expiration date and information on sanctions -- useful stuff for finding the right doctor. What the board does not offer, according to its Web page, is "information on malpractice claims and other unadjudicated information." Such information, board chairperson Dr. Suresh Gupta told The Sun last December, might cause misconceptions about a doctor over a suit that might later be dismissed.The assumption behind that argument, of course, is that the benefit of the doubt should be given to the doctor, not the consumer. It mirrors the self-regulation argument-that decisions about what information is appropriate to distribute should be left to those doing the distributing.In general, the holders of that information don't seem too keen on revealing what they know and how it gets around, if Kim Little's case is any indication. Myriad businesses and agencies are more than willing to sell what they know about you to third parties, but they seem loath to tell you who those third parties are.Can we see the people watching us as clearly as they can see us? Is it possible for us to opt in instead of opting out? These are the questions that might help frame the ongoing debates over privacy. At least they should be, lest we end up like the hapless person on the wrong end of an abandoned call-annoyed, confused, and helpless to do anything about it.