
Supplement to Intel Complaint: Potential Harm to Individuals

 

Submitted to:

Donald Clark
Office of the Secretary
Federal Trade Commission
6th Street & Pennsylvania Ave NW
Washington, DC 20580

 
April 8, 1999

Before the

Federal Trade Commission

Washington, DC 20580


In the Matter of

Intel Pentium III Processor Serial Number
__________________________________________

)
)
)
)


On February 26, 1999, the Center for Democracy and Technology (CDT), the Privacy Rights Clearinghouse, and Consumer Action filed a Complaint and Request for relief with the Federal Trade Commission (FTC) seeking immediate action to prevent harm to consumer privacy as a result of the deployment of the Intel Pentium III Processor Serial Number (PSN). Specifically, the Complaint requested that the Commission enjoin the shipment of Intel Pentium III Processors equipped with a unique PSN and enjoin computer manufacturers from shipping Pentium III PSN-equipped computers unless the PSN was turned "Off" in a secure manner. In addition to this specific and immediate relief, the complaint also requested that the Commission commence an investigation into the privacy issues posed by the Intel Pentium III PSN, because we believe that a broader examination of the privacy implications of the PSN and other computer and Internet-based identifiers is critically needed to ensure that a privacy framework guides the development and deployment of online authentication tools.

Our complaint argued that the introduction of the PSN was a violation of individual privacy and, therefore, an unfair and deceptive trade practice under Section 5 of the FTC Act. The complaint charged that the impending release of Intel Corp.'s Pentium III chip with an identifying serial number would harm consumers' privacy. At its core, the Pentium III PSN establishes a system that supports the widespread tracking and monitoring of individuals' online behavior. It stands to undermine consumers' efforts to control the use of their information. Our experience warns that unique identifiers without real consumer control and policies limiting their use threaten privacy. The Complaint stated that as the largest chip manufacturer in the consumer marketplace, Intel's product design decisions will have far-reaching impacts on consumers' online privacy. The combination of Intel's market dominance, the lack of accurate information about the privacy implications of the PSN, and the inability of individuals to control the use of the PSN means that the PSN places consumer privacy at risk.

This supplemental filing addresses two points identified during our subsequent discussions with the Commission’s staff.

I. How is the Processor Serial Number different from existing identifiers on the Internet and what risks does this pose?

It is true that there are numerous identifiers and numbers on the Internet. From the outset our complaint was grounded on the belief that the PSN highlights the need for a broader examination of identification, authentication, and security on the Internet. But the PSN threatens privacy in ways that set it apart from other identifiers. Unlike existing identifiers and numbers, the Intel PSN is bound for the consumer market and has been promoted by Intel as a unique identifier specifically for tracking users in electronic commerce. Unlike existing software registration numbers, Internet protocol addresses, and other identifiers, the PSN could come to reside in a majority of consumers' computers.

Moreover, Intel encouraged other companies in the consumer marketplace to develop applications that collect the PSN. For example, Intel is working with several Australian content providers to establish Web sites that are not only optimized for PCs based on the Pentium III processor but restricted to Pentium III machines. The program intends for each Web site to probe the PC and use the PSN to identify a Pentium III client. http://www.it.fairfax.com.au/hardware/index.html

Intel’s unique position in the consumer-computing marketplace suggests that the PSN will have a market reach that other identifiers currently do not. Because of the possible wide adoption and Intel's plans for broad uses for the PSN, we believe it raises a greater potential for privacy erosion than other existing identifiers. [ 1 ]

II. The Potential Harm to Consumers Posed by the Processor Serial Number

The ability to surreptitiously track the movements of individuals on the Web through the PSN raises a number of risks to individuals. The PSN has the potential to expose users to specific harms, which are enabled by tracking devices and the availability of personally identifying information.

A. Harms to Privacy

There are several core "privacy expectations" [ 2 ] that individuals have long held, and which should carry over to their interactions on the Internet, that are at risk due to the PSN.

1. The Expectation of Anonymity

Imagine walking through a mall where every store, unbeknownst to you, placed a sign on your back. The signs tell every other store you visit exactly where you have been, what you looked at, and what you purchased. Something very close to this is possible on the Internet.

When individuals surf the World Wide Web, they have a general expectation of anonymity. More so than in the physical world, if an individual has not actively disclosed information about herself, she believes that no one knows who she is or what she is doing.

The introduction of the PSN threatens this expectation by providing a means of surreptitiously tracking and monitoring individuals’ behavior. The PSN will increase the ease with which information revealing every stop a person makes on the Web can be aggregated. This transactional or click stream data can provide an extremely detailed "profile" of an individual's online life.

For some populations, such as children and teenagers, tracking technologies may increase the ability of predators to identify and harass them. Witnesses at the Commission’s 1997 Privacy Workshop identified several links between child safety and privacy protection. Representatives from the Federal Bureau of Investigation, Consumers Union, and other participants stated that the posting or revelation of personal information that identifies a child raises particularly serious safety concerns. With such information a predator can identify and contact a child. While the PSN may not provide the email address or name of a child, it may provide an additional method for the wily and sophisticated predator to track and potentially communicate with a child, defeating parents’ and policy-makers’ efforts to limit access to information about a child.

2. The Expectation of Fairness and Control over Personal Information

When individuals provide information to a doctor, a merchant, or a bank, they expect that those professionals and companies will collect only the information needed to render the service and will use it for the sole purpose of providing the service requested. The PSN has the potential to further the surreptitious collection and use of data without an individual’s consent. In today’s environment, where many entities are collecting and using personal information without adhering to the principles of Fair Information Practice, the introduction of devices designed to serve as tracking devices for use in e-commerce presents a risk to privacy. Unlike a real-world identifier such as the Social Security Number, which an individual reveals knowingly (albeit often reluctantly), the PSN is capable of being collected without the individual’s knowledge and consent. The PSN does not provide individuals with direct control over its disclosure. While software controls may provide such functionality, we know that this software is not being preinstalled, or even directly provided, with all Pentium III equipped computers.

The use of a single identifier across various online interactions will enable unscrupulous individuals and those seeking to profit from information about individuals to more efficiently correlate detailed profiles. The collection of PSNs by Web sites that offer products and services that may reveal sensitive information about individuals such as health conditions raises particularly troubling privacy concerns.

B. Chilling the use of the Internet and the search for information

Surveys indicate that the fear of privacy intrusions is keeping individuals off the Internet. [ 3 ] The introduction of an additional tool that can be used to surreptitiously track individual behavior is likely to erode consumer confidence and trust. Just as the use of cookies spurred consumer angst, it is likely that the PSN will increase consumer angst about privacy.

Tracking and monitoring of Internet usage can have a negative effect on individuals’ access to information. The anonymity that the Internet affords individuals has made it an incredible resource for those seeking out information. Particularly where the information sought is on controversial topics such as sex, sexuality, or health issues such as HIV, depression, and abortion, the ability to access information without risking identification has been critical. This is not a new revelation. Protecting privacy and anonymity has consistently been recognized as an important component of ensuring full exercise of the First Amendment freedom to seek out information. But privacy is not just theoretically related to free expression. Our public policies, including laws that protect the confidentiality of library patrons’ records and the confidentiality of video store patrons’ records, exist because they are critical to ensuring the public’s right to read and view information.

Studies in both the online and offline world reveal that an actual or perceived lack of privacy chills individuals’ access to information. A 1989 study found that teenagers who used computer assisted games to gain information about pregnancy prevention sought out more information than those who were enrolled in health education classes. [ 4 ] Among the reasons for pursuing computer assisted health education, the authors stated that "Patients have indicated that they prefer computer to human interviewing or advice regarding sensitive topics such as sexuality. Computer-assisted instruction has been shown to enhance interactive skills with regard to sexuality without the sensitive personal exposure of class or groups sessions." [ 5 ] The privacy and confidentiality provided by computer-assisted education was critical to ensuring that students sought out desired information. Similarly, a more recent study found that online access was critical to gay youths’ ability to come to terms with their sexual orientation. The ability to gain information without risking exposure of their identity was pivotal. [ 6 ]

C. Risk of impersonation — or "online identity" theft

The widespread use of a single identifier to track individuals’ interactions across various online interactions raises concerns similar to the widespread use of the SSN. The ability of an unscrupulous individual to masquerade as an individual, and potentially unlock information about the individual held by third parties, can be facilitated by the use of a single identifier that serves as the key to all the files. This problem is exacerbated when the "key" at issue is easily copied, or "spoofed," as several computer security experts have suggested the PSN can be. [ 7 ]

The experience with the digital ESN, or electronic serial number, in cellular phones illustrates the risks to consumers posed by authenticators that are easily replicable. Thieves were able to capture ESNs using radio scanners. Because the numbers were easily replicable, the thieves would then code the ESNs into other chips and clone cellular phones. Consumers by the thousands were alarmed to find bogus charges on their cell phone bills. The cellular phone industry has made significant strides in reducing cell phone fraud involving ESNs, but the experience is an important warning to those who develop easily spoofed identifiers. A similar problem could occur with the PSN integrated into the Pentium III chip.

Identity theft is a growing public concern. While identity theft in the offline world is often accomplished through low-tech means — digging through mailboxes and dumpsters for personal information — in the online environment it will take new forms. The introduction of weak authenticators — ones that are easily spoofed, and by design turned over to many entities (of varying levels of trustworthiness) — has the potential to facilitate online impersonation.

Today’s victims of identity theft routinely find that reestablishing one’s identity can be time consuming and frustrating. The introduction of an easily spoofed identifier may unintentionally create a catch-22 by making it more difficult for the individual to prove that they were not the person engaged in a specific behavior associated with a given PSN.

Associating the correct information with the correct individual is a core privacy principle. Associating inaccurate information can seriously damage an individual. Weak authenticators raise the likelihood of impersonation and the concurrent damage of inappropriately associating information or activities with the wrong individual. Because computers are often used by multiple individuals and, when sold, change hands completely, the risk of the PSN associating inaccurate information with an individual increases.

III. Conclusion: The PSN raises a significant risk of concrete harm to consumers' privacy and other interests.

The PSN, whether the default is on or off, has the potential to transform the World Wide Web from a largely anonymous environment into one where individuals are expected, or even required, to identify themselves in order to participate in online activities, communicate, and make purchases. This is a far cry from the world we live in today -- either offline or online -- and would represent a grave erosion of consumers' online privacy. Many of the activities that individuals engage in on the Web do not require the collection of identifiers or personal information of any type.

The PSN will needlessly erode anonymity and facilitate the practice of collecting personal information from Web site visitors without proper notice to them and without their consent. The introduction of the all-purpose PSN threatens anonymity and undermines ongoing efforts to promote responsible and fair information practices in the online environment. It will result in increased pressure on individuals to permit the collection of the PSN, and other information that can be tied to it, as a quid pro quo of engaging in transactions and interactions online, placing a burden on individuals who choose to protect their privacy.

The ability to track and monitor individuals presents related risks from those seeking to cause harm -- such as the stalker, harasser, or identity-thief -- and from those seeking to collect information about individuals without their consent. In addition, studies have found that the collection of information and the tracking of individuals makes individuals reluctant to participate in online life. Such tracking may have a particularly negative impact on those seeking out sensitive information.

Consumers desire stronger security for commerce and communication. However, the PSN would have consumers sacrifice their privacy in order to gain dubious security. Technical and policy solutions must be developed that provide strong security, offer robust and varied authentication tools to support electronic commerce, and protect individual privacy and anonymity. The Pentium III PSN does not meet this standard. The privacy risks inherent in this unique ID feature outweigh the security gains Intel has stated it is intended to provide.

There are no technical or legal limits on the collection, use, or disclosure of the PSN. Currently, there are no United States laws that would regulate, generally, the collection or use of the PSN. [ 8 ] Technically, the Pentium III does not limit who can request the PSN, how it is used or disclosed, under what conditions, or for what purposes. We know from our experience with both the Social Security Number and more recently with "cookies" that identifiers can be used for a variety of purposes. The PSN stands to further the collection of personal information in ways that undermine consumers' control. By providing an easy mechanism to track behavior across the Internet, Intel has created the blueprint for a de facto online identification system.

We once again respectfully request the Commission to exercise its powers to protect consumers’ privacy interests in the online environment.

Sincerely,

Deirdre K. Mulligan, Staff Counsel
Center for Democracy and Technology
1634 I Street NW
Washington, DC 20006
(202) 637-9800
http://www.cdt.org

Ken McEldowney, Executive Director
Consumer Action
717 Market Street Suite 310
San Francisco, CA 94103

Joan M. Garry, Executive Director
Gay & Lesbian Alliance Against Defamation (GLAAD)
150 West 26th Street, Suite 503
New York, NY 10001

Beth Givens
Director
Privacy Rights Clearinghouse
1717 Kettner Suite 105
San Diego, CA 92101




FOOTNOTES

1. If other identifiers share these same characteristics we would have similar concerns with their impact on individual privacy.

2. The phrase "expectations of privacy" is used here with intent. Despite case law suggesting that the legal protections afforded to our expectations of privacy are limited by the technical and social possibilities for surveillance, we believe that, as a society, we do share some basic expectations of privacy. Privacy legislation enacted by Congress in response to some of the Court's decisions lends credence to this notion.

3. See CDT's privacy survey page: http://www.cdt.org/privacy/survey

4. Adolescent Pregnancy Prevention by Health Education Computer Games: Computer-Assisted Instruction of Knowledge and Attitudes, David M. Paperny et al., Pediatrics Vol. 83 No. 5, May 1989.

5. Id.

6. A 1997 survey conducted by Oasis Magazine and !OutProud!, the National Coalition of Lesbian, Gay, Bisexual and Transgender Youth, reported that 68% of gay youth were able to come to terms with their sexual orientation as a result of online access. (See letter submitted by GLAAD to the FTC, March 17, 1999.)

7. See underlying complaint.

8. But see, the Privacy Act of 1974 and the Children's Online Privacy Protection Act of 1998.























