Internet Privacy

At this very moment (January - February 1999) events are highlighting the Internet’s sensitivity to privacy. US privacy protection organisations (like http://www.epic.org) have declared a boycott on the giant Intel (http://www.intel.com), after it announced that its new processor, the Pentium III, will include an individual processor serial number (PSN). The number will make it possible to identify the user’s computer in electronic commerce and other on-line transactions. The privacy organisations fear that the PSN will enable on-line businesses to share information on the consumer habits and other practices of computer users and create a huge database containing the information (for details of the boycott and these fears, see http://www.privacy.org/bigbrotherinside).

Despite the might of Intel, which controls 85% of the world processor market, it has not been able to stop the declaration of the boycott. On 28th January, Intel met those behind the boycott and tried to persuade them that the solution lay in a software patch, which will only activate the PSN if the user gives the appropriate command. The privacy organisations were not convinced: the software does not yet exist; Intel is relying on the computer companies to install it; many sites and programs will require the PSN and cancel the patch; and computer hackers might disable it without the user’s knowledge. These are some of the reasons for rejecting Intel’s proposal. The organisations are now also trying to enlist the support of the US Federal Trade Commission (http://www.ftc.gov).

Shadowing The Individual In The Digital Era

Using digital media leaves clear footprints of the user. These enable an accurate personal profile of the user to be drawn, embracing his personal preferences and other information that on-line merchants are eager to collect in order to sell him products and services that suit his interests.

Set out below are several examples of information that is divulged in the course of completely routine Internet-related acts:

  • e-mail: several Internet service providers offer a service called “finger”. In Israel, it is offered by Netvision. By means of “finger” and appropriate software (e.g. Cyberkit, which can be downloaded from http://tucows.netvision.net.il) it is possible to identify the owner of the e-mail account who has sent you a message and even when he last received e-mail and downloaded it;

  • Internet browsing: even simply browsing the web reveals data about the user: the type of browser he is using, the operating system installed on his PC, its screen resolution and number of colours and the web site he last visited. This information is divulged by simple computer code, written in JavaScript, which is freely downloadable from many sites. The positive object of this is to match the page seen by the user to the configuration of his computer;

  • cookies: while browsing, the user’s computer invisibly accumulates data on sites he has visited, purchases he has made, advertisements he has seen and whether or not he has clicked on them. These details are accumulated by means of “cookies”. Depending on the programmer’s definition of the cookies, different sites can collect, and sometimes decipher, the information contained in them. The technology also enables server computers to identify themselves as different servers and thereby catalogue the cookies created in the user’s computer by other servers;

  • on-line purchases: when making an on-line purchase, the buyer has to leave full details of himself - his full name, address, telephone number, e-mail address, credit card details and more. The seller’s site will also leave a cookie on his computer, containing information about the purchase. When he visits the on-line shop again, he can be offered products which are tailor-made to his needs, while the seller can share the information with other shops, if he chooses...;

  • software installation: several computer programs are offered free of charge to surfers, the user being asked to complete a personal questionnaire when he installs them. For example, this is the case with the Israeli ICQ program. The company that developed the program was purchased in mid-1998 by the American AOL for a huge sum of money. There are many who believe that the database containing details of the program’s users underlies the enormous price that the purchaser was willing to pay;

  • personalisation: one of the Internet’s magic words at the end of 1998 and the beginning of 1999 - the creation of pages personally suited to the user. The service is offered by sites like Yahoo! (http://my.yahoo.com) and other Internet gateways. Someone wishing to personalise a page needs to give information on the areas of news that interest him, the stocks he wants to monitor, the sports teams whose results he wants to see, the cities whose weather forecasts interest him etc., etc...;

  • Internet use at work: employers have identified the Internet as a breach of their organisation, enabling both the use of business resources for personal ends (through the misappropriation of working time) and the transmission of information out of the organisation. Software systems enable them to control undesirable Internet use by their employees. These systems can, amongst other things, guard against e-mail being sent outside the organisation (for example by scanning key words appearing in mail), block access to sites unrelated to work and produce reports - at individual user level - of employees’ on-line activity. An example of such a program is Session-Wall 3, produced by the Israeli company, Abirnet (http://www.abirnet.com), which blocks the organisational network from unauthorised outside access and at the same time keeps watch over outgoing activity;

  • free programs: a new genre of freeware is developing - free programs which offer advertisements to the user. An example of this is the freeware version of the search program Copernic 98 (http://www.copernic98.com). Another program, the Go!Zilla download manager (http://www.gozilla.com), asks the user to complete a questionnaire to enable it to show him advertisements matching his preferences;

  • newsgroups: newsgroups were the first hunting ground of Internet advertisers. The US immigration attorneys, Lawrence & Segal, caused an uproar when they sent messages to newsgroups offering their services. E-mail addresses of those posting messages to newsgroups are now being taken from the groups, the addresses then being used for the circulation of junk mail (spamming).

The collection of personal particulars has been given momentum with the start of Internet-based commercial activity. The name of the game is now “personalisation” - the tailoring of pages and transactions separately for the individual user, so as to offer him the product most suited to his needs and increase the chance of making a deal.

The Israeli Protection Of Privacy Law In The Digital Age

In 1996, the Israeli Committee on Israel in the Information Era considered the infringement of privacy issue and wrote in its report as follows:

    “Computer networking technology necessarily embodies greater potential of privacy infringement. Information of a personal nature, which becomes publicly accessible through a computer networking system like the Internet, is uncontrollable and the infringement resulting from it will constantly grow. “Footsteps” which the individual leaves in the virtual world (where he has browsed, where he was, for how long, what he bought etc.) give rise to a risk of creating his personal profile. Attention should therefore be paid to ensuring that such information does not become publicly available on a computer networking system that is open to all, and the use which the State’s agencies make of such information should also be limited”.

Hence, the main concern evidenced by this paragraph was infringement of privacy by the State’s authorities. On-line commerce, as a possible source of infringement, was not mentioned then.

The Israeli Protection of Privacy Law, 5741-1981 was also drafted with an eye to a technological environment in which information can easily be collected and manipulated. The Explanatory Notes on the 1980 Draft Law therefore stated:

    “The expansion of the mass communications media, the development and availability of technological instruments enabling eavesdropping, shadowing and remote spying, the increasing collection and concentration of information by and in the hands of public and private entities and the rapid growth of population and housing density all lead to the aggravation of privacy infringements. The individual finds himself exposed in matters of a personal nature and feels that his intimate private affairs will unjustifiably fall into the public domain. This new situation has created the need to secure the protection of the individual’s right of privacy and to fill a lacuna in an area of ever increasing importance”.

The Protection of Privacy Law protects the individual against the collection and processing of personal information by laying down a duty to register databases in Israel (Chapter Two of the Law). There are those who note that this duty was appropriate in its time, since when the Law was enacted there were only a few computerised databases, but it is doubtful whether the Law is appropriate in the current age, when every PC can keep a computerised database, and data on the individual can be invisibly collected without his even knowing that he is leaving traces that are being recorded by someone.

Secret Monitoring

Personal information of Internet users is shadowed covertly by technologies like cookies. Sites monitor the pages that the user has viewed, the advertisements that he has seen and those on which he has clicked, the products he has bought, the questionnaires that he has completed and more. The object is to offer the user a program, product, advertisement or service that better suits his needs and thereby increase the chances that he will buy it. At the moment these sites essentially keep the information to themselves, although there are programs for commercial sites to share this very valuable information (e.g. http://www.befree.com).

The Protection of Privacy Law indicates the problems involved in adapting law to the virtual world. When the Law was enacted, global computer networks were not yet in existence. The Law did not and could not envisage the Internet. It provided that the performance of certain acts constitutes an infringement of privacy, but covertly shadowing personal habits is probably not one of those acts. Section 2(a) of the Law provides that “spying on or trailing a person in a manner likely to harass him, or other harassment” is an infringement of privacy.

“Harassment” is, per se, a vague term. What is trailing “in a manner likely to harass” or “other harassment”? Consideration of the Law and the relevant case law indicates that these terms have to date been analysed in relation to very tangible acts that occur in the physical world. Discreet and covert acts like those between computers - for example, transmitting a cookie to the user’s computer and then deciphering the information encoded by it - have not yet been considered by the courts. (Incidentally, a few months ago, an action was brought in the USA by someone seeking to obtain the cookies on the computers of public servants, in order to trace the use of the Internet made by them in their work...)

Harassment In Cyberspace

The Explanatory Notes on the Draft Protection of Privacy Law explain that section 2 prohibits harassment “in order to protect the individual against infringing conduct in the private and public domains, even when that conduct does not constitute damage to his person or amount to defamation”. Harassment must therefore amount to “infringing conduct in the private and public domains”.

In the report of the Protection of Privacy Committee (Jerusalem, 5737), that was published in October 1976, the Committee detailed all the types of privacy infringement. The term “harassment” is mentioned alongside “peeping” and is ascribed to pursuing an individual in order to obtain information; incessant, undesirable telephone calls; and maliciously causing mental damage or inconvenience.

The case law on harassment is in very physical contexts, for example, giving a prisoner saltwater to drink in order for him to vomit drugs (HCJ 249/82, Moshe Vaknin v. The Military Court of Appeal and FH 9/93, The Military Court of Appeal et al v. Moshe Vaknin, PD 42(3) 845/846). As an example of prohibited harassment, mention was made of following a person’s every move, amounting to overt monitoring and keeping a close watch on a person’s home - “such action might unsettle a person’s peace of mind, remove his feeling of personal security and his sense that he can keep his life to himself without his personal affairs becoming a show for others”.

Hence, it is doubtful whether a covert act of the type of which the computer user is unaware, would be deemed an infringement of privacy in the sense of the Law, since it is not prima facie harassment. This is an extraordinary result having regard to the fact that the Law did bear in mind the ease of collecting information in the computer era. The European Community Directive on the Protection of Privacy, which became effective on 25th October last year, inter alia prohibits the processing of personal information unless one of the alternative conditions specified in the Directive is fulfilled. The first condition is obtaining the express consent of the individual whose particulars have been collected. It is therefore not surprising that there are those who maintain that Internet cookie technology is a contravention of the Directive.

Since section 2(1) of the Protection of Privacy Law probably doesn’t apply in the context of Internet use, because it is doubtful whether the requirement of harassment is fulfilled (see above), might other provisions of the Law be of help?

Writing Not Intended For Publication

Section 2(5) of the Protection of Privacy Law prohibits “the copying or using, without permission from the addressee or writer, of the contents of a letter or any other writing not intended for publication”. One of the fears of the on-line community concerns the information accumulated through cookies. The technology enables one server to read the cookies created by another server, despite not originally being intended for that purpose. Servers can identify themselves as other computers and thereby read the cookies intended for those other computers, and certain cookie definitions enable any computer to read them (see the demonstration at Cookies Central - http://www.cookiecentral.com/bug/index.shtml).

Are cookies “other writing not intended for publication”? On the one hand, they have no purpose if not somehow published. On the other hand, it can be said that if one server uses cookies not meant for it by imitating another server, it is using the contents without the permission of the addressee or writer.
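The statement above that a cookie's definition decides which servers can read it can be checked mechanically. The following is an added example, not part of the original article: it classifies a Set-Cookie header by how widely the browser will return the cookie, using the standard domain-matching rule. The host names, cookie strings and the short suffix list are constructed for illustration.

```javascript
// Added example: host names and cookie strings are constructed for illustration.
// TINY_SUFFIXES is a small stand-in for a real public-suffix list (assumption).
const TINY_SUFFIXES = new Set(["com", "net", "org", "co.il", "co.uk"]);

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Work out the cookie's scope: host-only (no Domain attribute) or a whole domain tree.
function cookieScope(header, settingHost) {
  const c = parseSetCookie(header);
  const raw = c.attrs.domain;
  if (typeof raw !== "string" || raw === "") {
    return { name: c.name, hostOnly: true, domain: settingHost.toLowerCase() };
  }
  return { name: c.name, hostOnly: false, domain: raw.replace(/^\./, "").toLowerCase() };
}

// Domain matching: would a request to requestHost carry this cookie?
function wouldBeSentTo(scope, requestHost) {
  const host = requestHost.toLowerCase();
  if (scope.hostOnly) return host === scope.domain;
  return host === scope.domain || host.endsWith("." + scope.domain);
}

// Audit: classify how widely a cookie definition exposes its contents.
function auditCookie(header, settingHost) {
  const scope = cookieScope(header, settingHost);
  if (scope.hostOnly) return "host-only";
  if (TINY_SUFFIXES.has(scope.domain)) return "reject: domain is a public suffix";
  const host = settingHost.toLowerCase();
  if (host !== scope.domain && !host.endsWith("." + scope.domain)) {
    return "reject: domain does not cover setting host";
  }
  return "shared with all hosts under " + scope.domain;
}

// Constructed sample: the same shop sets a narrow cookie and a broad one.
const samples = ["basket=42; Path=/", "profile=laptops; Domain=.example.com; Path=/"];
for (const h of samples) {
  console.log(h, "->", auditCookie(h, "shop.example.com"));
}
```

A cookie without a Domain attribute goes back only to the host that set it; one scoped to the parent domain is also returned to every sibling host, which is how a profile written by one server becomes readable by another.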

Section 2(9) of the Protection of Privacy Law provides that “using, or passing on to another, information on a person’s private affairs otherwise than for the purpose for which it was given”, constitutes an infringement of privacy. The case law on this section has gone so far as to hold that even a person’s name, address, telephone number and like trivial particulars will be deemed a person’s private affairs (CA 439/88, The Registrar of Databases v. Ventura, PD 48(3) 805). On the Internet, the particulars sought about a person on one site could find their way to another site (for example the sharing of information between two on-line shops that have been set up through the same service provider). It appears that in such a case, where a person gives his details to a particular shop in order to obtain a product from it and the information is used to tailor advertisements to his needs at another site, section 2(9) of the Law would be applicable.

Intrusion On Computer Data Is Not An Infringement Of Privacy

Another solution might perhaps be found in the Israeli Computers Law, 5755-1995, which prohibits unlawful intrusion on computer data. A server sets a cookie and later commands the user’s computer to return the cookie to it with the data stored in it (the “get cookie” command). On the face of it, this command could be treated as a prohibited intrusion on the user’s computer, if only because it is done without the user’s knowledge. This is certainly the case when one computer sets the cookie and another gets it. However, the snag is that the Computers Law does not prescribe that intrusion on computer data is an infringement of privacy! This is a material flaw in the Law, which means that anyone seeking to rely on it will have to base his plea on the framework tort of breach of statutory duty.

Further provisions of law and their application to possible scenarios in the on-line world could be analysed. It might well be found that some situations do have an answer in existing law. However, the inevitable conclusion is that the existing law is not suitable for covert shadowing of the individual’s acts in the on-line world, with the object of drawing a personal profile of him and using the information for marketing purposes. This individual could be an adult or minor; he might have given the information about himself in good faith to a particular shop or it might have been collected completely without his knowledge. Whatever the circumstances, it is not at all certain that the Protection of Privacy Law protects him.

The report of the Committee on Israel in the Computer Networking Era stated a couple of years ago that the supervision of databases should be tightened. In order to ensure compliance by those responsible for databases with the duty of information security prescribed by the Protection of Privacy Law, the Committee recommended the establishment of a professional supervision unit by the Registrar of Databases and that it should be provided with the resources and modus operandi to enable the public to be given a feeling of supervision and create an incentive for the implementation of the relevant statutory provisions.

What Privacy Ought To Be Protected In The On-Line World?

It seems that none of this is enough. The on-line world largely necessitates a complete re-think of what privacy ought to be protected and whether the privacy of an individual, who is not identified by name or physical address, ought to be protected at all. In other words - what damage, if any, will be caused by the fact that an on-line business knows that a particular cookie holder is, for example, interested in laptop computers, and shows him advertisements or makes him special offers, which are specifically tailored to his tastes, as long as the business does not know the real person behind the cookie? It might be said that only benefit will ensue.

Translated by Word Power