In 2006, David Holtzman decided to do an experiment. Holtzman, a security consultant and former intelligence analyst, was working on a book about privacy, and he wanted to see how much he could find out about himself from sources available to any tenacious stalker. So he did background checks. He pulled his credit file. He looked at Amazon.com transactions and his credit-card and telephone bills. He got his DNA analyzed and kept a log of all the people he called and e-mailed, along with the Web sites he visited. When he put the information together, he was able to discover so much about himself—from detailed financial information to the fact that he was circumcised—that his publisher, concerned about his privacy, didn’t let him include it all in the book.
I’m no intelligence analyst, but stories like Holtzman’s freak me out. So do statistics like this one: Last year, 127 million sensitive electronic and paper records (those containing Social Security numbers and the like) were hacked or lost—a nearly 650 percent increase in data breaches from the previous year. Also last year, news broke that hackers had stolen somewhere between 45 million and 94 million credit- and debit-card numbers from the databases of the retail company TJX, in one of the biggest data breaches in history. Last November, the British government admitted losing computer discs containing personal data for 25 million people, which is almost half the country’s population. Meanwhile, some privacy advocates worry that the looming merger between Google and the Internet ad company DoubleClick presages an era in which corporations regularly eavesdrop on our e-mail and phone calls so they can personalize ads with creepy precision. Facebook’s ill-fated Beacon feature, which notifies users when their friends buy things from Facebook affiliates, shows that in the information age, even our shopping habits are fit for public broadcast. Facebook made Beacon an opt-in service after outraged users demanded it do so, but the company didn’t drop it completely.
Then we have Donald Kerr, the principal deputy director of National Intelligence, who proclaimed in a speech last October that “protecting anonymity isn’t a fight that can be won.” Privacy-minded people have long warned of a world in which an individual’s every action leaves a trace, in which corporations and governments can peer at will into your life with a few keystrokes on a computer. Now one of the people in charge of information-gathering for the U.S. government says, essentially, that such a world has arrived.
So when this magazine suggested I try my own privacy experiment, I eagerly agreed. We decided that I would spend a week trying to be as anonymous as possible while still living a normal life. I would attempt what many believe is now impossible: to hide in plain sight.
A Gallup poll of approximately 1,000 Americans taken in February 1999 found that 70 percent of them believed that the Constitution “guarantees citizens the right to privacy.” Wrong. The Constitution doesn’t even contain the word. And in a fully wired world, that’s an unnerving fact.
A number of amendments protect privacy implicitly, as do certain state and federal laws, the most significant of which is the Privacy Act of 1974, which prohibits disclosure of some federal records that contain information about individuals (1). Unfortunately, the law is full of exceptions. As Beth Givens, founder and director of the nonprofit Privacy Rights Clearinghouse, put it, the Privacy Act has “so many limitations that it can barely be called a privacy act with a straight face.”
1. California, where I live, leads the nation in privacy protection. If I’d conducted my experiment elsewhere in the U.S., it would have been even more difficult.
In the U.S., privacy law is sectoral, which means that we don’t have broad, generally applicable laws to protect our personal information. We’ve got federal laws that safeguard very specific types of data, like student records, credit reports and DVD rentals. But those have loopholes too (2).
In addition, technological advances are quickly rendering many of these laws useless. What good is strong protection for cable records when a technology like TiVo comes along that is not, technically, a “cable service provider” (3)? Or a statute about postal mail in a world where most communication now takes place online? “We’re way behind the curve,” says Richard Purcell, CEO of the Corporate Privacy Group and former chief privacy officer for Microsoft. “Technology is way ahead of our ability as a society to think about the consequences.”
Navigating this technological and legal maze wouldn’t be easy; I needed professional help, a privacy guru who could guide me through my week. That man was Chris Jay Hoofnagle, a privacy expert and lawyer who used to run the West Coast office of the Electronic Privacy Information Center (EPIC), a public-interest research center in Washington, D.C., that focuses on privacy and civil-liberties issues.
Hoofnagle had tried his own version of the same thing, partly for fun and partly because of fears of retribution from private investigators he had irritated in his previous job at EPIC. “When moving to San Francisco two years ago, I deliberately gave my new address to no business or government entity,” he told me. “As a result, no one really knows where I live.” His bills are in aliases, and despite setbacks—like having his power turned off because the company didn’t know where to send the statement—he’s been successful at concealing his home address.
Now that he’s a senior fellow at the University of California at Berkeley’s Boalt Hall School of Law, Hoofnagle doesn’t keep his office location a secret, so on a sunny afternoon, I set off to meet him there.
Tall and friendly, Hoofnagle has an enthusiastic way of talking about privacy violations that could best be described as “cheerful outrage.” He laid out my basic tasks: Pay for everything in cash. Don’t use my regular cellphone, landline or e-mail account. Use an anonymizing service to mask my Web surfing. Stay away from government buildings and airports (too many surveillance cameras), and wear a hat and sunglasses to foil cameras I can’t avoid. Don’t use automatic toll lanes. Get a confetti-cut paper shredder for sensitive documents and junk mail. Sign up for the national do-not-call registry (ignoring, if you can, the irony of revealing your phone number and e-mail address to prevent people from contacting you), and opt out of prescreened credit offers. Don’t buy a plane ticket, rent a car, get married, have a baby, purchase land, start a business, go to a casino, use a supermarket loyalty card, or buy nasal decongestant (4). By the time I left Hoofnagle’s office, a week was beginning to sound like a very long time.
2. One oft-cited loophole is in the Driver’s Privacy Protection Act of 1994. It was created after a series of crimes linked to Department of Motor Vehicles records, the most notorious of which occurred in 1989: An obsessed fan hired a private investigator to get actress Rebecca Schaeffer’s home address from her DMV record and then tracked her down and killed her. Now DMV employees aren’t allowed to release personal information. The only problem is that the law has 14 exemptions, including one that allows the release of information to licensed private investigators if they say they’re using it for purposes listed in the other 13 exemptions.
4. Pseudoephedrine can be used to make methamphetamine, and thanks to a federal law passed in 2006, your name goes into a log when you buy products that contain it.
Wearing a baseball cap and sunglasses, I walked into an AT&T store and immediately noticed several black half-globes suspended from the ceiling: surveillance cameras. I needed to keep my head down. When I tried to pay for my new phone, the cashier swiped its bar code, looked up at me with her fingers poised above her keyboard, and asked me for identification. “I don’t have any on me,” I lied.
She seemed mildly annoyed and asked for my name and address.
“I’m sorry,” I said, “but I don’t really want my information in the system.”
“We need your information.”
“For billing purposes.”
“But it’s a prepaid card. You don’t need to bill me.”
This, apparently, was irrelevant. “We need to put your information into the system,” she said again. “Otherwise you can’t buy the phone.”
I didn’t buy the phone. Instead I walked across the street to a generic cellphone store where a young clerk with pink hair and black-framed glasses was sitting behind the cash register, text messaging. “So do you want me to, like, just put in some random name?” she asked. Before I knew it, she’d christened me Mike Smith, born October 18, 2007 (6). As she charged minutes to my phone, I overheard a young man next to me tell a different clerk that he wanted to activate a cellphone that was registered under his mother’s name. “That’s no problem at all,” said the clerk. “We just need her Social Security number.” Unfazed, the man called his mom. He was dictating the number to the clerk as Mike Smith walked out the door.
5. These services are voluntary, but they vividly illustrate the privacy-killing potential of cellphone GPS.
6. She’d asked for my birth date to use as an activation code, but it turned out she really just needed any eight-digit series of numbers.
My new phone was anonymous, but I still needed to be careful. If I didn’t want it to be traceable back to me, I had to disguise my outgoing calls and minimize the number of calls that I received; records of both could be used to identify me. I changed the phone’s settings so that its number wouldn’t show up when I placed calls (7) and bought a prepaid calling card to use on top of my cellphone. That way, if anyone were to pull a record of my outgoing calls, they would just see the calling-card number.
If masking your cellphone number is difficult, hiding your online activity is nearly impossible. Anytime you access the Internet, your Internet service provider (ISP) knows you’re online, and it might soon keep track of more. In 2005, the European Parliament passed legislation requiring phone and Internet providers to retain records of calls and online activity for between six months and two years. In 2006, then–U.S. attorney general Alberto Gonzales and FBI director Robert Mueller met privately with America’s major ISPs to request that they, too, hold on to these records for two years. Search engines already keep records of queries, a practice that’s become enough of a concern among users that in December, Ask.com launched AskEraser, a service that deletes your searches within hours. When you send an unencrypted e-mail, it can be intercepted and read and may be stored indefinitely on a server, even if you’ve deleted it. And Web sites routinely retain such information as how you got there, how long you lingered on each page, and your scrolling, clicks and mouse-overs.
Anonymizer has two potential weaknesses, though. First, Anonymizer itself knows what sites you’re visiting, although the company claims not to retain this information. And then there’s the conspiracy theory. “There are reports that the government has sneakily had people volunteer to run Anonymizer server nodes who are actually ‘quislings’—traitors,” Holtzman told me. “I don’t know if it’s true,” he said. “But if it were my job to spy on people, I’d be doing it.”
There are Anonymizer alternatives (the freeware Tor is probably the best-known), but according to Holtzman, if you want to be sure of anonymity, “you just cannot use your own computer. The only way to do so is if it’s brand-new and you never put it online.” Unfortunately, I didn’t have a brand-new computer, and I needed to use the Internet. I decided to avoid using my own ISP whenever possible. Instead I needed to either piggyback on neighbors’ open connections or use public Wi-Fi hotspots (8).
Lastly, there was the question of e-mail. I set my usual address to forward to a Hotmail account I’d created with fake user information and signed up for a free account through Hushmail, a service that allows you to send encrypted, anonymous e-mail. I figured that if I monitored my messages through Hotmail but responded using only Hushmail, no one would be able to connect the two accounts—or know definitively that the person checking the Hotmail was me. Only later did I discover that even Hushmail has occasionally spilled information to the feds.
7. Because of something called “automatic number identification,” there’s no way to stop your information from showing up when you call toll-free or 900 numbers.
8. Even then, I still wouldn’t be entirely anonymous. Every networking device in every computer is assigned a media access control (MAC) address, a unique identifying number picked up by your router when you go online.
I started marking items off Hoofnagle’s to-do list. I signed up for the do-not-call registry to avoid telemarketers and sent a letter opting out of all prescreened offers of credit. I called my bank and opted out of its information sharing (9). Then I called my phone company and told them I didn’t want them to share my CPNI—customer proprietary network information.
Your CPNI includes records of what services you use, what types of calls you make, when you place them, and a log of the numbers you’ve called. Before 1996, phone companies were allowed to freely sell this information to third parties for marketing purposes. Today, thanks to legislation limiting what they can do without your permission, CPNI is mainly used to sell you other services offered by your phone company, such as a new long-distance plan.
When my phone company’s automated system picked up, a voice announced that my call might be monitored or recorded but that I could ask to be on an unrecorded line. So I did. “Uh, OK,” the representative said. “But all the lines are recorded automatically. If you don’t want to be recorded, I’m going to have to call you back.”
“How long will that take?” I asked, having already spent 10 minutes on hold.
“We’ll call you as soon as we have a chance,” he said. “Probably within an hour.” In other words, the cost of privacy would be an hour of my time.
I told him that a recorded line was fine and then asked him to stop using my CPNI to market things to me. He agreed. Then he asked if I had a few minutes to talk about my phone service and proceeded to use my CPNI to try to sell me a unified messaging system.
This was getting exhausting. I’d thought a yoga class would be a nice break, but I’d forgotten one thing: The yoga studio I go to has a computer system that keeps track of all its students’ names. I scrawled “CPrice” illegibly on the sign-in sheet and paid in cash. I thought I’d gotten away with my ploy until the end of class when, just after our final “om,” the teacher picked up a piece of paper that the front desk had slipped under the door. “Would whomever signed in as number 19 please stop by the front on the way out?” he asked. “They couldn’t read your signature.”
I doubt the young Buddhists behind the yoga-studio desk are profit-minded enough to sell my personal information, but many other businesses are. Data-broker Web sites sell lists of information you never thought would be for sale—records of 750,000 people who signed up for medical alert services, for example, or a list of 11,418 people, mostly men over the age of 55, who bought a particular herbal sexual-potency product in September or October. Private investigators buy phone records from pizza-delivery places, and a few years ago, data aggregator LexisNexis advertised that it, too, used pizza-delivery records to get hard-to-find phone numbers. If you want to invalidate some of the information on the lists, you could move, but you’d have to carry your own boxes—moving companies sell lists of new addresses to marketers.
More disturbing is the fact that this relatively disparate information is frequently rounded up by other data-aggregator companies such as ChoicePoint and Acxiom. Acxiom’s databases contain records on 96 percent of American households. Its newest customer intelligence database, InfoBase-X, includes 199 million names and can draw on 1,500 “data elements” to help companies market to potential customers, including “Life Event, Buying Activity, Travel, Behavior, Ethnicity, Lifestyle/Interests, Real Property, Automotive and more.”
9. Banks sell lists of information that you’d think would be kept private—transaction histories, bank balances, where you’ve sent payments—and can continue to do so even if your account is closed. But banks are better than they used to be: Until the Gramm-Leach-Bliley Act in 1999, banks could even sell account and credit-card numbers to unaffiliated third parties.
These companies are only minimally regulated, in part because the government itself is one of their largest clients. Contracting data-collection projects to outside companies allows the government to purchase data that would be illegal for it to collect itself. Take, for example, what happened in 2002 when a now-defunct information-mining company and Department of Defense contractor called Torch Concepts got five million itinerary records for JetBlue passengers—records that included names, addresses and phone numbers—for a project whose goal was ostensibly to identify high-risk airline passengers. Torch Concepts then bought demographic data from Acxiom on about 40 percent of the passengers whose records JetBlue had released.
This demographic data included passengers’ genders, home-ownership status, occupations, length of time spent at their residence, income level, vehicle information, Social Security numbers and how many kids they had. The company used the information to create detailed profiles of the passengers, including one (with the name stripped off but all other information still intact) that it used as part of a presentation to pitch potential clients.
Transportation was tricky. I’d been wearing my hat and sunglasses so I couldn’t be recognized on cameras, but to take buses or the train would be to willingly subject myself to heavy surveillance, and that was against my rules. I couldn’t drive my car through toll plazas—they’re covered in cameras, and if you have an automatic toll-payment system that uses a prepaid account, like E-ZPass or, in the Bay Area, FasTrak, you leave behind a record (10).
I’d also learned about EDRs, or event data recorders, small devices installed in most new passenger vehicles that monitor things like speed, steering-wheel angle, acceleration, braking and seatbelt use. EDRs were first developed in the 1970s and began to be installed as part of airbag systems in the 1990s (11). If safety sensors in your car detect a sudden deceleration, they trigger the airbag, and the EDR retains a record of what happened in the seconds preceding and following the collision.
But today, EDRs are part of sophisticated systems that do much more. If you subscribe to GM’s OnStar service, for example, and get in a wreck, your car will notify OnStar so a representative can contact you through the speaker system in your car and medics can respond to the scene more quickly.
It’s hard to complain about a voluntary service that could save your life, but other features are more intrusive. Starting in 2009, OnStar will be able to remotely deactivate a car’s accelerator, forcing it to drive at a top speed of five miles an hour—which is great if your car is stolen but not so good if someone were to hack into OnStar’s computers. Plus, systems like these include a two-way microphone and speakers that the company can activate remotely, which means they can be used for eavesdropping.
The FBI took advantage of this capability a few years ago, when it got court authority to compel a company (which was unnamed in court documents) to turn on the microphone in a suspect’s car to monitor conversations. The FBI eventually lost the case on appeal, but only when a court decided that the agency had forced the company to breach its contract with the suspect, because using the car’s microphone for surveillance rendered it useless in case of emergency.
Fortunately, my car is old enough that it doesn’t have an EDR. If I were to just drive around my neighborhood, I’d only have to worry about traffic and red-light cameras, whose images generally aren’t archived unless something noteworthy happens. But I needed to go to San Francisco—the International Association of Privacy Professionals was having a conference. The problem was that attending it would require getting across the Bay Bridge.
10. Some states have sensors along the road that use toll passes to identify cars as they pass through two points. This information is used to make calculations about traffic speed and feed electronic billboards that provide up-to-the-minute estimated driving times to various locations. This information could also be used, hypothetically, to automatically issue speeding tickets.
11. If you want to see whether your car has an EDR, check your owner’s manual—it’s usually disclosed in the section about airbags. But EDRs aren’t the only thing to be aware of. Car-rental companies have used GPS to tell when customers violated the terms of their contracts by speeding or crossing state lines.
At first I thought this might be impossible. Then I remembered Casual Carpool, an informal system in which drivers can use toll-free lanes by picking up passengers throughout the East Bay and dropping them off in San Francisco.
Up to that point, I’d been wearing a cap and sunglasses every time I went outside (12). I liked my camouflage. It made me feel like I could be mistaken for J. Lo. But I thought that for my grand trip into surveillance-camera-dense San Francisco, I should try something different. I decided to wear my visor.
Let me be clear: This was no ordinary face visor. Designed to provide complete sun protection, it was more of a mask, with a wraparound piece of dark plastic that extended from my forehead all the way down to my chin. It made me look like a welder. It also made it difficult to see. But I still managed to find a car, and surprisingly, no one commented on the visor. In fact, they didn’t talk to me at all.
And then there are RFID (radio-frequency identification) chips, small devices that consist of a microchip and an antenna that use radio waves to identify objects and people (13). About five years ago, these chips (often called tags) were the obsession of conspiracy theorists everywhere. But the time to really worry about RFID may be near. Experts like Holtzman predict that soon the price of the tags will drop enough that they will be attached to almost everything we buy and will become so small as to basically be invisible. “You couldn’t get away with this experiment in a couple years because of the RFID chips,” Holtzman told me later. “You’d literally have to get rid of everything you own and start over, since every artifact you’d bought from a major manufacturer would probably have a chip embedded in it that could identify you as the buyer.”
Just before the conference ended, I tracked down Richard Purcell, the former CPO of Microsoft. After dodging security cameras in the hallway, we ducked into an empty ballroom to talk. He was not encouraging. “The thing is, surveillance is a fact of our electronic society,” he said. “You are going to be tracked. One has to be thoughtful about that.” He’s right. No one knows exactly how many surveillance cameras are being used in the U.S. right now, but consider that the much-smaller U.K. has three to four million.
And more cameras arrive all the time. The New York City Police Department, for instance, aims to install an additional 3,000 public and private security cameras below Canal Street, with video feeds that could broadcast directly to the Department of Homeland Security and the FBI. That’s understandable—once the Freedom Tower goes up at the World Trade Center site, lower Manhattan will once again be home to one of the most conspicuous terrorist targets in the world. But the surveillance-camera craze has begun to veer into absurdity: The British government recently approved funding to pay for cameras in the hats of more than 2,000 police officers.
12. The quality of the images taken by most surveillance cameras—at least the surveillance cameras of today—is unrefined enough that you don’t need too much of a disguise.
13. Starting last year, all new U.S. passports are embedded with RFID chips that contain the person’s identifying information and a photo, and research is under way on how to embed the chips in paper currency. RFID tags are already used to “microchip” pets. One company, VeriChip, has implanted 500 people in the U.S. with RFID chips and it has proposed replacing military dog tags by implanting the chips into American soldiers. It sounds far-fetched, but this is a real enough possibility that last October, California governor Arnold Schwarzenegger signed a bill forbidding employers to force employees to have RFID chips implanted under their skin.
The problem with Casual Carpool is that it primarily runs into the city, which left me without a way to get home. I decided to take a cab but then noticed a plastic decal that read “Smile, you’re on camera!” Whatever. By that point, one more camera was the least of my worries. Instead, I spent the cab ride mulling the most common counterargument to concerns over lost privacy: So what? If giving up personal information makes it easier for me to shop online, so be it. If total surveillance can prevent terrorist attacks, bring on Big Brother.
Here’s the thing, though: We don’t know what information is being collected about us, whom it’s being shared with, what it’s being used for, or where it’s being held. As companies and the government collect more and more data on us, some of it will inevitably be incorrect, and the effect of those errors could range from trivial to severe. It’s not a big deal to get coupons for products you don’t want, but if a mistake in your file or an identity theft caused by a data breach drives down your credit score, you could find yourself knocked into the subprime-mortgage market. And privacy-invading safeguards don’t just catch bad guys. Anyone could end up like Senator Ted Kennedy, who was erroneously placed on a do-not-fly list because a terrorist had once used the alias “T. Kennedy.”
For now, few systems are in place to help us understand what data is being gathered or correct the inevitable mistakes, and in the absence of laws that define punishments for data breaches—and judges who enforce them—companies can walk away from serious privacy violations with nothing more than a slap on the wrist.
Case in point: When EPIC filed a complaint with the FTC against JetBlue for disclosing passenger information to Torch Concepts, the agency never publicly opened an investigation; in response to a separate suit filed by JetBlue passengers, a federal judge agreed that the company had violated its privacy policies but dismissed the lawsuit because passengers weren’t able to prove that anything had happened to them as a result of the profiling, and that JetBlue hadn’t “unjustly enriched” itself by sharing the information. And because this kind of news is so often met with no more than a collective shrug, such privacy violations are likely to keep happening.
At the end of my week of paranoia, I met Hoofnagle at the Yerba Buena Center of the Arts in San Francisco so he could grade me on my performance.
His verdict: I did a pretty good job. But his approval seemed less satisfying when I considered all the aspects of my life that made it easier to minimize my digital trail. I don’t use pay-per-view or FasTrak. I don’t work in an office, which would require an ID card and logging on to and e-mailing from company computers. I don’t use Instant Messenger, play online games, visit chatrooms, or sell things on eBay. I’ve never been married or arrested, or owned property or a business, so few public records are associated with my name.
Also, spending one week undercover doesn’t do anything about information that’s already out there—information that, for the most part, I volunteered. Countless Web sites have records on me. UPS, FedEx and the Department of Motor Vehicles know where I live. My bank, credit-card company, gym and phone company all have me in their records, and my information is in alumni databases. Both my college and graduate school have lost laptops containing my Social Security number.
I was reminded of something Holtzman had told me earlier that week. “No matter what you do, you’ll never really know if you’re successful at keeping private,” he said. “There are all sorts of trails you leave that you’ll never even know about.”
Once Hoofnagle had left, I walked through an exhibit, “Dark Matters,” that happened to feature—no kidding—pieces about surveillance. One installation in particular captivated me. Called Listening Post, it was a darkened room with gray walls, empty except for a large lattice hanging from the ceiling made from 231 small screens, each the shape and size of a dollar bill. The screens displayed scrolling blue-green sentence fragments that were being culled, in real time, from Internet chatrooms. Occasionally the program would search for sentences that began with key words—“I am,” “I like,” “I love”—and the results would roll across the screens. “I love my new cellphone.” “I love you and your sexy hair.” “I love Quark.”
It was strangely calming, standing in this dim room, watching the words and thoughts of strangers reveal themselves to me. I still had my hat on, but for once there were no surveillance cameras, so I sat down on a bench in the room and pulled out my notebook, grateful to finally be the observer rather than the observed. And then, out of the corner of my eye, I saw her: a security guard standing in the room’s darkened corner—silent, motionless, watching.
Writer Catherine Price lives in an undisclosed location in Oakland, California.