All Eyes Are on You
Tollbooths, ATMs, doctors' offices, online chat: You leave critical personal data behind wherever you go. Let's follow one American as he scatters his digital DNA.
Meet Mark, a graphic designer in Chicago. Like most of us, Mark knows his boss can read his e-mail and insurers can access his medical data, but he’s blind to the bigger truth: personal data is collected, and sometimes shared, at a fantastic rate.
7:20 am: ATM
Mark withdraws $100 at his bank’s ATM machine.
Who’s watching: An ATM is a data terminal that’s connected to a central computer, or hub, at a bank networking company such as NYCE Network or MAC. The ATM sends Mark’s request to the hub; it, in turn, contacts Mark’s bank. Once the bank’s computers approve the transaction, the hub gives the ATM machine the go-ahead to spit out the bills. Though the three computer networks involved may be hundreds or more miles apart, the transaction takes just 2.5 seconds.
The NYCE Network alone logs 68.4 million transactions per month; each is stored on tape for seven years, as required by law. ATMs have become a vital, if secretive, way for authorities to track people who are either on the run or just raising suspicions. In May of this year, for example, an 18-year-old Miami girl was kidnapped and murdered on a Saturday night. By working with her bank to track transactions on her ATM card, the police were able to follow her abductors as they traveled from one location to another. The men were arrested Monday morning, soon after making yet another ATM withdrawal.
Financial information isn’t the only data an ATM stores. It also holds photos of every customer-as we were vividly reminded by the haunting pictures of September 11 hijackers Mohamed Atta and Abdulaziz Alomari, taken at two Portland, Maine, ATMs the night before the attacks.
7:49 am: Surveillance
Mark enters his office building and takes the elevator to 5.
Who’s watching: Virtually every large U.S. company employs video surveillance-mounting cameras on buildings (to monitor people’s movements from as far away as one city block), on elevator ceilings, and in some cases even focusing them on workers’ offices. There are at least 2,400 outdoor surveillance cameras in Manhattan alone, many of them installed by corporations, according to the New York Civil Liberties Union. Municipal governments have also embraced the technology: More than a dozen cities, including Memphis, Tennessee, and Hollywood, California, have placed video cameras on street corners, hoping to catch criminal activities such as drug deals or robberies.
Most companies say they keep videotapes for 30 days, and the Washington, D.C., police department-which hopes to expand its surveillance capabilities from 12 cameras to 1,000-has tried to placate privacy advocates by saying it might destroy footage after 72 hours. But no laws limit how the cameras must be used or the tapes archived. Researchers at the University of Hull in England have found that when a human operator is controlling surveillance cameras-whether at a police station or behind a security desk-they are often used improperly: to spy on women, monitor political protesters, or for racial profiling. And the tapes can get into the wrong hands. A British video called “Caught in the Act,” available on the Internet, consists of a compilation of sex acts and illegal activities captured by surveillance cameras; the “filmmaker” created it from tapes he’d purchased from private companies and police departments.
Some surveillance technology goes well beyond mere videotape. Several airports across the country, including Logan Airport in Boston and Oakland International Airport in California, are testing software that scans people’s faces as they pass through checkpoints and compares those digital photos to a database of mug shots that includes suspected criminals and people on watch lists supplied by the CIA, FBI, and other agencies. Visionics’ FaceIt system can scan as many as 15 faces a second. For now, though, the technology is far from foolproof: Sunglasses, smiles, and hats can confuse it.
10:31 am: E-mail
Mark writes a friend: “No raise. My boss is a liar.”
Who’s watching: When Mark sends an e-mail, it’s routed through an exchange server on the company’s network that places a copy in Mark’s Sent folder. If Mark tries to purge this message by pressing “Delete,” he creates yet another copy, which pops up in his Delete folder. A third copy of the e-mail will be stored in the daily backup of Mark’s mail folders that’s automatically made by his employer’s network at the end of each day and archived on tape. These tapes, which at many companies are never erased, can be examined by supervisors at any time, subpoenaed as evidence in lawsuits, or viewed by law enforcement authorities with a warrant. In addition, some corporations have e-mail filtering systems that set off an alarm when an employee sends a message that is clearly non-company-related. Many of these programs also monitor employee Web usage, providing supervisors with real-time logs of Internet activity for each individual at the company. These detailed readouts include which Web sites employees visit, how long they stay there, which chat groups they access, and what they say during those chat sessions.
Because Mark’s e-mails travel across the Web, copies of them may also reside in the computers of the various service providers that carry Internet traffic. These files, and all of Mark’s other Internet activity, are accessible to the government. Last October, in reaction to the September 11 terrorist attacks, Congress passed the USA Patriot Act, which requires Internet service providers (ISPs) to release individuals’ Web browsing records to law enforcement officials armed with merely a subpoena, not a harder-to-obtain warrant. Such a blanket order can snare a variety of information: terms entered into search engines, pages surfed, session times and durations, and the source of e-commerce payments, including credit card or bank account numbers. The targeted person does not have to be notified of the investigation, and the government does not have to report any findings back to the court that issued the subpoena.
Private companies also have access to sensitive ISP information. Raytheon Corp. recently sued 21 employees who had criticized the company anonymously on a Yahoo message board, for breach of contract and disclosure of proprietary information. Raytheon’s lawyers didn’t know the workers’ names when they filed the suit, but a court-approved subpoena to Yahoo yielded them. Once the employees’ identities were revealed, the suit was dropped, but several exposed workers resigned.
9:14 am: Instant messaging
Mark IMs his girlfriend: “Don’t worry about last night. I’ll get tested. Love you.”
Who’s watching: Though often thought to be untraceable, instant messages can be monitored using software like FaceTime Communications’ IM Auditor 2.0, which maps an employee’s screen name to his corporate network ID and then stores every instant message that is sent. The software can be programmed to automatically notify supervisors when, for example, an employee sends an instant message to someone who works for a competitor. The program can also put out an alert to management whenever an instant message contains suspicious-or non-business-related-words or phrases, including endearments, profanity, or proprietary information.
11:23 am: Hard drive
Mark deletes a file containing freelance work he did for a competitor.
Who’s watching: Mark thinks he erased the file, but what he actually deleted was the computer’s pointer to it. The file is still on the hard drive, though it has disappeared from his directory and now has no identifier. After a few weeks (sooner if the computer is used intensively), new data will be stored over the old file and it will truly disappear. Several programs-Guidance Software’s EnCase and Panara Soft’s PC Smart Cleaner among them-can restore deleted data before it’s overwritten (afterward, nothing can bring it back). These utilities produce a snapshot of the hard drive at an earlier period, including a directory of now-pointerless files, listed by the last name they had before they were deleted. The ability to recover so-called orphaned files has been at the heart of the Enron case. Almost as soon as it was learned that auditor Arthur Andersen had deleted potentially incriminating computer data in the months leading up to the energy company’s bankruptcy last year, high-tech forensic experts were called in by prosecutors to scour Andersen’s network. In many cases, the computer sleuths were able to successfully unearth the missing files, according to lawyers involved in the case. To stymie recovery of deleted data, government agencies that handle top-secret information, such as the CIA, FBI, and the National Security Agency, use proprietary programs that constantly overwrite free space on hard drives.
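The deletion mechanics described above, as an added illustration that is not code from the article or from any of the tools it names: a toy block-device model in which "delete" only drops the directory pointer, a forensic scan can still carve the bytes back until the blocks are reused, and an overwrite-before-release routine leaves nothing to recover. All file names, block sizes and contents are constructed for the demo.

```python
# Added example (not from the article): toy block device showing why a
# "deleted" file only loses its directory pointer and can be carved back
# until its blocks are reused. Names, sizes and contents are constructed.
from dataclasses import dataclass, field

BLOCK = 16  # bytes per block (toy size)

@dataclass
class ToyDisk:
    nblocks: int = 8
    blocks: list = field(init=False)
    directory: dict = field(default_factory=dict)  # name -> block indexes
    free: list = field(init=False)

    def __post_init__(self):
        self.blocks = [bytes(BLOCK)] * self.nblocks
        self.free = list(range(self.nblocks))

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        if len(chunks) > len(self.free):
            raise OSError("disk full")
        idxs = [self.free.pop(0) for _ in chunks]  # lowest free block first
        for i, chunk in zip(idxs, chunks):
            self.blocks[i] = chunk.ljust(BLOCK, b"\0")
        self.directory[name] = idxs

    def delete(self, name):  # ordinary delete: drop pointer, release blocks, keep bytes
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name):  # overwrite before release, so nothing is left to carve
        for i in self.directory[name]:
            self.blocks[i] = bytes(BLOCK)
        self.delete(name)

    def carve(self, marker):  # forensic scan of every block, allocated or not
        return [i for i, b in enumerate(self.blocks) if marker in b]

    def orphaned_blocks(self):  # free blocks still holding data ("pointerless" files)
        return [i for i in sorted(self.free) if any(self.blocks[i])]

def demo():
    d = ToyDisk()
    d.write("freelance.doc", b"Logo drafts for CompetitorCo, invoice #123")
    d.delete("freelance.doc")
    after_delete = d.carve(b"CompetitorCo")   # [1]: data still on disk
    d.write("notes.txt", b"x" * (6 * BLOCK))  # reuses 5 untouched + 1 freed block
    after_partial = d.carve(b"CompetitorCo")  # still [1]: block 1 not yet reused
    d.write("more.txt", b"y" * (2 * BLOCK))   # disk now full; old blocks overwritten
    return after_delete, after_partial, d.carve(b"CompetitorCo")  # ([1], [1], [])
```

Running `demo()` shows the window in which recovery works; `orphaned_blocks()` after the delete lists the same blocks a recovery tool's snapshot would show, and `secure_delete()` closes the window entirely.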
12:36 pm: Cellphone
Mark calls a friend from the street at his lunch break. “Dude, she wants me to get an AIDS test,” he confides.
Who’s watching: A cellphone operates like a radio transmitter and receiver: The phone sends signals to the cell tower and the tower sends signals back. Analog phones like Mark’s older model broadcast calls via FM waves, which are easily intercepted by police scanners, baby monitors, and cordless phones. Digital phones are harder to monitor, because calls are encrypted. But newly mandated emergency locator services known as E911 (see page 56) may make it impossible for anyone to hide their whereabouts, whether from law enforcement authorities or marketers.
12:42 pm: Medical data
Mark gets tested.
Who’s watching: In a few days, Mark will learn from his doctor that he is HIV-free. But had the result been positive, it would have set in motion a cascade of data sharing. A network of databases would have given thousands of people access to Mark’s HIV-positive diagnosis before he knew it himself.
Because HIV must be reported-like syphilis, Lyme disease, rabies, and tuberculosis-the lab would have sent a positive result to the Illinois Board of Health. All test results, meanwhile, are distributed to the patient’s insurer, the clearinghouse that sends doctors’ bills to his health plan, the company that handles the lab’s insurance claims, the patient’s employer-and the Medical Information Bureau. MIB, a consortium of 600 health insurers, was created to give underwriters access to medical data, but employers may check its records before making hiring decisions. In addition, some insurance plans call for pharmacies to inform companies about the drugs workers are taking.
No federal laws protect the privacy of medical records. Moreover, a black market has developed: Tennis star Arthur Ashe’s AIDS diagnosis became public when a health care worker disclosed it for a price. And a few years ago, a Colorado medical student was found selling patient records to lawyers looking for malpractice cases.
5:47 pm: Discount card
Almost home, Mark stops to buy deodorant and toilet paper; the card saves him 36 cents.
Who’s watching: Supermarkets can link a customer’s discount card to his name, address, e-mail address, phone number, social security number, and state ID (likely a driver’s license) in a database that also includes a list of the products he’s purchased. Grocery chains claim this data is used only to ensure that the most popular products are always on the shelves and to target discounts effectively; they say they do not sell, rent, or lease customer information. A former Food Lion employee, however, has said that during two separate periods between 1994 and 1999, he was instructed by his superiors to send the detailed purchasing preferences of customers, along with their names and addresses, to database marketing companies and major product manufacturers. Food Lion, which is based in Salisbury, North Carolina, has denied the allegation.
Meanwhile, Larry Ponemon, the CEO of Privacy Council, says that since September 11 he’s been hired by at least one major supermarket chain to oversee the handing over to law enforcement agencies of the buying records of customers with specific ethnic backgrounds. The authorities requested the data, Ponemon says, because they were trying to compile a profile of “terrorist eating habits.”
6:15 pm: Identity scanning
Mark shows his driver’s license to enter his favorite bar.
Who’s watching: Before letting Mark in, the bouncer runs the license through a scanner that captures its magnetic strip data-which, depending on the state, could include age, date of birth, address, social security number, fingerprint, and photo. Some scanners can hold as many as 64,000 records, providing a database of potentially embarrassing information-depending on the type of establishment-such as who has been in the bar, how frequently, and when. Mark has a beer with friends.
7:03 pm: Tollbooths
Mark drives through a toll plaza.
Who’s watching: Mark’s car has an I-Pass tag above the rearview mirror that lets him prepay tolls. The tag-a transponder that’s activated by a signal from an antenna at the tollgate-sends the I-Pass ID number and the price of the toll to the system’s central database. If there’s enough money in the driver’s account to cover the toll, an OK is transmitted back and the car is allowed to proceed. At the same time, a record of the time the vehicle arrived and left the tollbooth is logged into the I-Pass database.
Because the system uses the standard 802.11 wireless transmission protocol, it’s dangerously easy to hack, potentially allowing snoops to keep track of the movements of specific cars. What’s more, law enforcement authorities regularly subpoena records from I-Pass and similar systems to monitor individuals suspected of illicit activity.
Toll lanes may also be routinely monitored by video surveillance to nab scofflaws. In general, three cameras monitor each booth: One is aimed at the vehicle, the coin machine, and the fare display; the second camera is focused on the car’s rear license plate and the stoplight at the front of the booth; and the third camera watches for vandalism and other incidents by recording from above.
7:11 pm: GPS
On his way to reassure his girlfriend at a new bistro, Mark gets lost.
Who’s watching: Many new cars employ GPS-based navigation systems, which use a network of 24 satellites to help drivers find their way. The newest equipment also enables individuals to trace their own cars from a distance. For instance, parents can monitor the speed of teenage drivers; if they exceed a limit, the GPS system in the car will notify the parent, who can-via the Internet, cellphone, or a pager-honk the horn to tell the teenager to slow down. This technology also opens the way for government agencies to monitor the movement of people suspected of illegal activity. Car rental companies have already adopted these systems aggressively. Two years ago, James Turner of New Haven, Connecticut, discovered that Acme Rent-A-Car had taken $450 from his bank account as a penalty for speeding-based on information the company obtained by watching Turner’s driving habits remotely. The company utilized a software program, AirIQ, that makes it possible to continuously monitor the location, speed, and direction of a fleet on digitized maps. Turner sued and won, because the state’s Department of Consumer Protection ruled that Acme had not adequately notified him of the purpose of the GPS/AirIQ system. Still, more such cases seem inevitable.
Mark falls into bed feeling secure and anonymous. Just one thing’s on his mind: how did that blood test turn out?