Indecent exposures in an electronic regime.

Author: Regoli, Natalie L.
  1. INTRODUCTION

    "The privacy that any computer user would and should and is justified in expecting is illusory; Big Brother shrunk to a miniature cyber spy always looms and never sleeps." (1) This is because an Internet user's online activity leaves electronic footprints, commonly called a "clickstream," that businesses routinely use to collect and create user profiles of personally identifiable data that they later use and sell. As the Internet is now a part of virtually every aspect of our lives, this process introduces wide-ranging dangers regarding personal autonomy and dignity. Professor Lawrence Lessig explains that "[t]he system watches what you do; it fits you into a pattern; the pattern is then fed back to you in the form of options set by the pattern; the options reinforce the pattern; the cycle begins again." (2) This constant surveillance shifts power over one's identity from the user to the commercial entity, absorbing individuality and self-determined independence. It destroys the feeling of freedom brought by anonymity and the ability to be free from unsanctioned intrusion. And, it is pervasive. In fact, in a recent lawsuit, Universal Image accused Yahoo! of watching, spying, conducting surveillance, and analyzing "the habits, inclinations, preferences, and tastes, and otherwise ... follow[ing] and stalk[ing] those who visit the ... site." (3) Without recourse to an effective privacy law, Universal Image has resorted to suing Yahoo! for violations of the criminal and civil theft laws, criminal stalking laws, civil conversion laws, and civil trespass laws. (4) Indeed, in the largely unregulated cyber realm, the applications of computer technology have introduced new possibilities for marketers, insurance companies, employers, and other interested parties to profit from users' personal information in a variety of ways. Given the ubiquity of unauthorized online profiling, what changes should be made to safeguard privacy?

    As the topic of data privacy is vast and the subject of much scrutiny, this Comment focuses narrowly on commercial cyber-activities relating to the nonconsensual Internet acquisition of personally identifiable user data. This Comment begins with a brief examination of the technology that has exacerbated privacy law's inadequacies. It briefly discusses failed attempts to safeguard privacy rights through the market and federal agency management. It then addresses current U.S. privacy legislation and the 1995 European Privacy Directive. Finally, this Comment proposes the creation of a new legislative system to effectively combat the surreptitious collection, storage, use, and sale of personal data.

  2. THE NEW FRONTIER OF WOE

    Cyberspace introduces new privacy concerns. Its lack of physical boundaries enables abusers to invade privacy with greater ease, efficiency, and power than has been experienced in the offline world. What once required extraneous methods of snooping, such as the manual planting of listening devices or the tapping of phones, can now be done universally and inexpensively through the online monitoring of clickstream data and built-in computer hardware. This invasion of privacy can also be done in much greater detail. Unlike a transaction receipt in the physical world that simply evidences a completed transaction, clickstream data is a record of a user's every online keystroke. (5) Realizing its value, many online businesses, including Yahoo!, RealNetworks, DoubleClick, and Amazon.com, actively accumulate personally identifiable visitor information while an individual visits their sites. (6) Yahoo! President Jeffrey Mallet even publicly stated that the information Yahoo! surreptitiously collects from users is its "single greatest asset." (7) Internet Service Providers ("ISPs") possess even greater collection abilities, as they can record a user's entire clickstream because the ISP is the user's gateway to the Internet. Further, the decentralized nature of the Internet guarantees the ability easily and instantaneously to transfer accumulated data to any party, anywhere in the world, at any time.

    Most browsers make information collection easy by disclosing the referring page to a subsequent site every time a person clicks on a link, along with their name or e-mail address, if it has been entered in the browser's software. (8) This feature cannot be turned off. (9) Although users can purchase software to disguise themselves while online, they may encounter situations where they have to disclose personal information in order to get a desired benefit, such as making purchases, registering for free services, or filling out surveys. (10) By default, most browsers also enable Web sites to read "cookies," which allow the information a user gives to the Web site to be stored and used to create a user profile. Cookies may be used to silently track and record search terms, visited sites, and articles read in order to build a detailed profile from information given to other Web sites; this data can be shared between Web sites. (11) Moreover, software makers like Microsoft routinely exploit their collection abilities by embedding unique identification numbers into documents so that documents transmitted through Ethernet cards can be traced back to the sender's computer. (12) Additionally, computer hardware makers, like Intel, have stealthily built tracking features into their systems, making electronic anonymity nearly impossible. (13) More drastically, the upcoming Internet protocol version most likely will use a computer's Ethernet card to establish a permanent globally unique identifier ("GUID"), creating unalterable fingerprints for each computer. (14)
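    The disclosure described above, as an added illustration that is not part of the original Comment: the constructed requests below show how a server that receives a referring-page (Referer) header together with an identifier cookie can link separate visits into one profile. The cookie name `uid`, the `q` search parameter, the example hosts, and the premise that one server receives requests triggered from several sites are assumptions made for the sample.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not real traffic), as seen by one server whose
# content is loaded from pages on several sites: (Cookie header, Referer header).
SAMPLE_REQUESTS = [
    ("uid=a81f", "https://search.example/find?q=mortgage+rates"),
    ("uid=a81f", "https://news.example/articles/first-time-buyer-guide"),
    ("uid=77c2", "https://shop.example/cart"),
    ("uid=a81f; lang=en", "https://shop.example/search?q=travel+insurance"),
    ("", "https://news.example/"),  # no cookie sent: visit cannot be linked
]


def cookie_value(header, name):
    """Return the value of cookie `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def disclosed(referer):
    """Break a Referer URL into what it reveals: site, page, search terms."""
    url = urlsplit(referer)
    terms = parse_qs(url.query).get("q", [])  # "q" is an assumed parameter name
    return {"site": url.hostname, "page": url.path, "search_terms": terms}


def build_profiles(requests, id_cookie="uid"):
    """Group the disclosed details by identifier cookie, in arrival order."""
    profiles = defaultdict(list)
    for cookie_header, referer in requests:
        uid = cookie_value(cookie_header, id_cookie)
        if uid is not None:
            profiles[uid].append(disclosed(referer))
    return dict(profiles)


if __name__ == "__main__":
    for uid, visits in build_profiles(SAMPLE_REQUESTS).items():
        print(uid, [(v["site"], v["page"], v["search_terms"]) for v in visits])
```

The request that arrives without the cookie contributes nothing to any profile, which is why the identifier, rather than the referring page alone, is what makes the visits linkable.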

  3. LAW IN AN ELECTRONIC REGIME

    1. Failed Avenues

      Internet threats to individual privacy abound, and many agree that it is necessary to end the clandestine private sector invasion of individuals' cherished ability to control the uses of their personal information. (15) Internet users should be empowered to make informed decisions about explicitly trading their personal dossiers for desired benefits. Various approaches exist to facilitate this end--among them self-regulation and legislation--and it is important to examine each to understand why the creation of new legislation for protecting online privacy is now necessary.

      1. The Market Approach

        Studying online privacy issues since 1995, the Federal Trade Commission ("FTC" or "Commission") found through its first online survey in 1998 that 92% of Web sites collected personal information from online visitors, but only 14% disclosed their collection practices. (16) The FTC advocated industry use of "the widely-accepted fair information practice principles of notice, choice, access, and security." (17) Despite its efforts, in 1999 the Commission reported "that only 10% of the sites posted disclosures that even touched on all four fair information practice principles." (18) Still, the Commission recommended that self-regulatory efforts be given a chance to work. (19) The FTC's attitude changed in 2000, however, when it found that despite its recommendations, 97% of Web sites collected an e-mail address or some other type of personally identifying information while only 20% even partially implemented the four fair information practice principles. (20) Moreover the Commission found that only 8% of Web sites participated in the industry's self-regulatory enforcement initiative--online privacy seal programs--and concluded that reliance on industry efforts was futile. (21)

        This is a classic case of self-regulatory failure. Businesses, given ample time to get things right, have chosen to steal information aggressively and secretly from citizens while maintaining a facade of effort to self-regulate and to comply with governmental requests to take action. While the government has patiently encouraged industry to act, harvesting personal data has become a $1.5 billion market. (22) This market is comprised of "data warehousing" businesses like Acxiom and First Data that collect and sell information such as ethnic and religious affiliations, property purchases and loan data, travel destinations, and even pet ownership on 165 million Americans. (23)

        These covert undertakings are further disguised by companies such as TRUSTe.com, which licenses online merchants with "trustmarks" and provides users with a false sense of security. (24) Although TRUSTe.com is currently the most successful self-regulatory program, it does not assess the quality of the privacy policy, conduct an audit, or revoke certification if the online licensee violates its own privacy policy. Licensees only need to pay a licensing fee and have a privacy policy in existence to obtain a trustmark. (25) To illustrate the falseness of this supposed privacy protection system, TRUSTe.com declined to revoke GeoCities' trustmark even after the FTC brought charges against GeoCities for collecting and disclosing detailed consumer information to marketers--including e-mail addresses, postal addresses, income, education, gender, marital status, and occupation--despite GeoCities' promise that customer registration information would not be released without the customer's permission. (26) Another trustmark holder, RealNetworks Real Jukebox Software, created and transmitted GUIDs through the Internet to catalog an individual's listening habits whenever the individual used the software. (27) Even though RealNetworks' privacy policy concealed this practice, TRUSTe.com again declined to revoke RealNetworks' trustmark. (28) Nor did TRUSTe.com revoke Microsoft's trustmark after discovering that Microsoft routinely sent GUIDs during Windows 98 registrations when users expressly denied Microsoft permission to do so. (29)

        The fraudulent nature of this system is not surprising, as TRUSTe.com and other certification programs have no incentive to strangle their sole revenue sources. (30) Considering that the vast majority of the public may be...
