http://www.theatlantic.com/issues/2001/03/lester-p1.htm
It used to be that business and technology were considered the enemies of privacy. Not anymore.
A relatively unsung virtue of the U.S. Patent and Trademark Office is that its databases can be viewed collectively as a sort of cultural seismograph, registering interesting spikes of entrepreneurial enthusiasm. A patent application filed on January 10, 1995, is part of one such spike. Issued as U.S. Patent 5,629,678 ("Personal tracking and recovery system"), the patent is summed up in an abstract that begins,
Apparatus for tracking and recovering humans utilizes an implantable transceiver incorporating a power supply and actuation system allowing the unit to remain implanted and functional for years without maintenance. The implanted transmitter may be remotely actuated, or actuated by the implantee. Power for the remote-activated receiver is generated electromechanically through the movement of body muscle. The device is small enough to be implanted in a child.
Until recently such an idea might have seemed better suited to science fiction or political allegory than to real life. But in December of 1999 the patent was acquired by a Florida-based company named Applied Digital Solutions, and it is now the basis of an identity-verification and remote-monitoring system that ADS calls Digital Angel. "We believe the potential global market for this device," ADS announces on its Web site, "could exceed $100 billion."
New surveillance and information-gathering technologies are everywhere these days, and they're setting off all sorts of alarm bells for those who worry about the erosion of privacy. The result has been a clangor of dire predictions. Books have recently appeared with such titles as Database Nation: The Death of Privacy in the 21st Century (by Simson Garfinkel), The Unwanted Gaze: The Destruction of Privacy in America (by Jeffrey Rosen), and The End of Privacy: How Total Surveillance Is Becoming a Reality (by Reg Whitaker). Polls suggest that the public is gravely concerned: a 1999 Wall Street Journal-NBC survey, for instance, indicated that privacy is the issue that concerns Americans most about the twenty-first century, ahead of overpopulation, racial tensions, and global warming. Politicians can't talk enough about privacy, and are rushing to pass laws to protect it. Increasingly, business and technology are seen as the culprits. "Over the next 50 years," the journalist Simson Garfinkel writes in Database Nation, "we will see new kinds of threats to privacy that don't find their roots in totalitarianism, but in capitalism, the free market, advanced technology, and the unbridled exchange of electronic information."
There's a general sense, too, that businesses in the modern free market are indifferent to the threats their new technologies pose to privacy. That sense seemed powerfully confirmed in early 1999, when Scott McNealy, the chief executive officer of Sun Microsystems, was asked whether privacy safeguards had been built into a new computer-networking system that Sun had just released. McNealy responded that consumer-privacy issues were nothing but a "red herring," and went on to make a remark that still resonates. "You have zero privacy anyway," he snapped. "Get over it."
But something very interesting is happening: the market for goods and services that protect privacy is surging. Entrepreneurs are realizing that privacy and technology are not fundamentally at odds — and that, in fact, expectations of privacy have in large measure always been created or broadened by the arrival of new technologies. People are coming to accept the notion that the protection of privacy is a pervasive and lasting concern in the computer age — and that, indeed, it may turn out to be the true enabler of the information economy.
Companies old and new are getting into the business. The number of newly registered privacy-related trademarks and patents has risen dramatically in the past few years; they include everything from banking services and computer technologies to window treatments and even an independent software agent ("for protecting consumers' privacy") called Privacy Just Got Cool. Anonymous Web-browsing and e-mailing services are available from companies called Anonymizer, Hushmail, IDcide, PrivacyX, and ZipLip. An outfit called Disappearing has developed an e-mail system that allows users to send messages that permanently unwrite themselves after a previously specified amount of time. Sales of personal paper shredders are up. Personal bodyguards are increasingly in demand. American Express has just unveiled a system called Private Payments, which generates a random, unique card number for each online purchase. A California law firm now offers to prepare something it calls The Privacy Trust, which, it claims, "successfully conceals ownership of bank and brokerage accounts, the family home, rental properties, and interests in other entities." Money may soon begin to be "minted" solely in electronic form, creating "digital cash" that could make credit cards (and the data gathering they make possible) obsolete. There is serious talk of building privacy protection into the infrastructure of the Internet, and of using such protection, paradoxically, to make the flow of information freer than ever before.
Billions of dollars are at stake. A new sector of the economy seems to be coming into being. Among entrepreneurs and venture capitalists it already has a name. It's known as the privacy space.
The Decade of Tracking and Monitoring
The privacy debate is, essentially, a debate about the control of personal information. What's unsettling about Digital Angel, for example, is not that the remote electromechanical monitoring of a human being is possible. In fact, it's easy to see the potential benefits of such a technology: doctors and hospitals could use it to keep an unobtrusive twenty-four-hour watch on patients at home; military commanders could use it to monitor the exact locations of soldiers in battle. What is unsettling to a lot of people is the idea that personal data — in this case, one's very life signs — might be converted into information that could be exchanged, bought, or sold for secondary use without one's knowledge or consent. Conceivably, for instance, insurers or drug companies might pay a lot of money for access to the very specific information in hospitals' Digital Angel databases.
These examples are hypothetical, but the issue most certainly is not: there are plenty of ways in which personal data is already gathered and exchanged for secondary use. People give away vast amounts of valuable information about themselves, wittingly or unwittingly, by using credit cards, signing up for supermarket discount programs, joining frequent-flyer clubs, sending e-mail, browsing on the Internet, using electronic tollbooth passes, mailing in rebate forms, entering sweepstakes, and calling toll-free numbers. Such behaviors are essentially voluntary (although a somewhat abstract case can be made that they are the product of what has been called "the tyranny of convenience"), but many other ways of participating in everyday life basically require the divulging of information about oneself. A person can't function in American society without regularly using a Social Security number, which has become a de facto national ID number—and which, as such, is the key to all sorts of private information. If one needs a mortgage, as almost everybody buying a home does, one has to turn over pages of detailed background data, some of which banks can then sell to whomever they like. People who buy prescription drugs now leave a trail of highly sensitive (and therefore valuable) personal information that is often gathered up and sold. The proliferation of surveillance cameras in public places means that one's comings and goings are increasingly a matter of public record.
The now very familiar reaction to all of this was recently reprised for me by the privacy activist Richard M. Smith, who has made a name for himself by exposing false or misleading claims made by companies about their privacy practices. "This coming decade is going to be known as the decade of tracking and monitoring," I was told by Smith, who recently became the chief technology officer of a watchdog organization called the Privacy Foundation. "Technologies are going to come online to monitor us in ways we would never have imagined ten years ago. It's going to be with us throughout our lives. The past five years on the Internet have been the prototype of what's going to happen in the offline world. Cell phones. Smart cards. Digital TV. Biometrics. It's happening. There are going to be millions of things tracking us that we've never even dreamed of."
It's a complicated equation, of course. "The same technologies that have raised concerns about a 'surveillance society' have historically made possible many benefits that most citizens would prefer not to surrender," Phil Agre, an associate professor of information studies at the University of California at Los Angeles, has written, in Technology and Privacy: The New Landscape (1997), a thought-provoking collection of essays edited by Agre and the privacy advocate Marc Rotenberg. Even Alan Greenspan, the chairman of the Federal Reserve Board, has weighed in on the topic. In a 1998 letter to Congressman Edward J. Markey, Greenspan wrote,
The appropriate balancing of the increasing need for information in guiding our economy to ever higher standards of living, and essential need of protection of individual privacy in such an environment, will confront public policy with one of its most sensitive tradeoffs in the years immediately ahead.
The gloomy assessment of that tradeoff today is that privacy concerns are losing out, and that something needs to be done about the problem right now, before patterns are established and built into the infrastructure of the economy. (In some respects this argument is made for the benefit of future generations, because voluminous information about people alive today has already seeped out into the public domain.) The national mood has led to a flurry of privacy-related activity in Congress. Pending Senate bills include the Consumer Privacy Protection Act, the Privacy and Identity Protection Act of 2000, the Notice of Electronic Monitoring Act, the Consumer Internet Privacy Enhancement Act, the Secure Online Communication Enforcement Act of 2000, and the Freedom From Behavioral Profiling Act of 2000.
Not everybody, however, has faith in the government's ability to legislate control of — or even to understand — an issue as complicated and as rapidly changing as privacy in the information age. American industry has therefore come out in favor of self-regulation — assuming that businesses, in response to a form of peer pressure, will individually and collectively develop reasonable methods for protecting privacy. (To date the most visible results of this approach are the fairly easy-to-find privacy policies posted on company Web sites.)
The relative merits of legislation and self-regulation are fiercely debated, and will no doubt continue to be so for some time. But this story is not about that debate. Rather, it is about the fact that many businesses view the coming several years — the period during which the debate will probably play itself out — as an opportunity to seize lucrative leadership in the privacy space.
"An Emerging Business Imperative"
"What so many businesses don't get," Ann Cavoukian, the information and privacy commissioner of Ontario, Canada, told me not long ago, "is that you shouldn't be having an adversarial relationship with privacy. Privacy is good for business. I've argued this from day one. If you're in the information business today, you've got to lead with privacy."
We were sitting in Cavoukian's office, on the seventeenth floor of a high-rise in midtown Toronto, chatting and nibbling chocolate-covered biscuits. The room was huge, immaculate, and tastefully appointed in the somewhat generic way that the offices of important government officials often are. We sat next to a coffee table, on tightly upholstered furniture; CNN flickered silently on a television in the background. A wall of windows provided a commanding view of the city.
I had sought out Cavoukian because I had just read the book she wrote with Don Tapscott, Who Knows: Safeguarding Your Privacy in a Networked World (1997), and had been impressed by its pragmatic approach. One sentence in particular had struck me: "Protection of privacy is not just a moral or social issue; it is also an emerging business imperative." This ran counter to most of what I had read, and I wanted to hear more.
Cavoukian — an energetic woman of Armenian descent, who happens to be the sister of the children's songwriter Raffi — radiates enthusiasm, especially when the topic is privacy. This is as it should be: her job, as commissioner, is to educate the public about privacy matters and to ensure that all government agencies in Ontario abide by the province's freedom-of-information and protection-of-privacy laws. Her office's mandate doesn't yet include oversight of the private sector, but pending legislation may soon change that. In any case, she's clearly committed to engaging local companies in a meaningful dialogue about privacy.
Cavoukian's reach extends far beyond Ontario. She and her staff have developed enough of a reputation for leadership and innovative thinking that companies from the United States — where her job has no equivalent — regularly seek her advice. The day before my visit a delegation from American Express had come to discuss the company's brand-new suite of privacy initiatives.
"What I caution people against," Cavoukian said, "is throwing in the towel. It's still early days, and we can't give up just because people say 'You have no privacy, get over it.' So much has been written about the erosion of privacy that it makes you want to say 'Enough!' Let's take all that as a given, and focus on the exciting new things that are happening. In this decade we're going to see the emergence of a new breed of privacy-protective company. It's leading-edge."
Cavoukian shifted forward in her seat excitedly. "There's a book that predicted much of this back in 1997, when there was a lot of privacy erosion happening without much protection. It was one of those turn-of-the-millennium books (what's going to happen, lots of predictions, that sort of stuff), by two business types, Jim Taylor and Watts Wacker, called The 500-Year Delta: What Happens After What Comes Next. I loved their take on things. They said, and I can quote this because I use it so much, 'Here's a prediction you can take to the bank: Within a decade, privacy management will be one of America's great growth service industries.' Their argument was that privacy is becoming increasingly scarce, and as it becomes more scarce, it's going to become more valuable — and that means you'll soon find new businesses that are developing to try to protect it. I thought that was great. And you know what? It's starting to happen. For example, have you heard of Zero-Knowledge Systems, in Montreal?"
Cavoukian went on to describe the company as "in a class by itself" and "the Mercedes-Benz of anonymizer-technology companies." It sounded intriguing.
Hitting a Fly With a Sledgehammer?
"It's a neat space to be in," Dov Smith told me, as we walked through the offices of Zero-Knowledge Systems. "The privacy space." Young and soft-spoken, Smith is the company's director of public relations, and he was giving me a tour of its brand-new headquarters, which occupy three floors of an upscale office building in Montreal's Latin Quarter. The design was spare, in a Bauhaus sort of way that implied a recent and significant influx of venture capital. Doors were made of glass, and clicked open only when employees flashed special cards at nearby sensors. Imposing stacks of sleek black computer equipment stood behind big hallway windows, quietly flashing little red and green lights. Tiny black halogen lamps hung over clusters of colorful retro chairs and tables in the central hallways, which formed a square around a large glassed-in atrium.
"We like to think of ourselves as a Silicon Valley company in Montreal," Smith said proudly. He showed me vending machines stocked with free juice and soda; a cappuccino bar with a pool table, a Ping-Pong table, and a dart board; an in-house cafeteria run by a local restaurateur; and bunk beds for anybody who might need to crash. Massage was of course also available — for a high-tech start-up these days, Smith said, it is "almost de rigueur."
Zero-Knowledge is a privately held company that was co-founded in 1997 by two brothers, Austin and Hamnett Hill, and their father, Hammie. It claims, quite simply, to be "leading the privacy revolution." Currently the only product the company offers is something it calls Freedom 2.0, which combines a free computer program with an international network of participating Internet service providers. Some basic privacy and security services are free, such as a personal firewall and an ad manager, but for $49.95 one gets access to a premium service that essentially amounts to an impenetrable online cloaking device. By wrapping information in multiple layers of the strongest encryption available and passing it through the Freedom network, Zero-Knowledge allows customers to establish as many as five untraceable pseudonymous digital identities, or "nyms," with which to browse Web sites and send e-mail.
Plenty of other companies have in the past couple of years jumped into the online anonymizing business. Many provide their services free, in fact. But none offers the pseudonymous segmentation of identity that Zero-Knowledge makes possible, and none makes the claim, as Zero-Knowledge does, that information about its users simply cannot be retrieved. Many anonymizer companies concede that if presented with a subpoena, they can, and indeed must, supply information about a given user's browsing habits and identity. This prompts skeptics to point out that if a company can access data about its users, then others (unprincipled government agents, hackers, snooping employers, litigious ex-spouses, criminals, and so on) can too, with or without a subpoena — and that means privacy isn't protected.
To avoid that bind Zero-Knowledge has invested a lot of time and money in developing cryptographic privacy solutions that, it claims, guarantee that it has no data on and — as its name implies — knows absolutely nothing about its users. "Some people might think we're hitting a fly with a sledgehammer," Dov Smith told me. "I mean, all of this crypto for e-mail and Web browsing. But we wanted to establish ourselves. We think we can become the dominant player in a multinational business that cuts horizontally through every market."
That stopped me short. It seemed quite a claim for a company operating in what had to be the rather limited niche of anonymous Web browsing and e-mailing. It called to mind a conversation I had had not long before with Ruvan Cohen, the president and chief operating officer of iPrivacy, a new and ambitious New York-based company that aims to enable private online buying and shipping—a tricky feat that almost nobody else is now attempting. "A lot of these companies float privacy up the flagpole," Cohen said about the anonymizers, "and then nobody comes. So to have five thousand customers, or even twenty thousand customers, the best of whom are Chinese dissidents and Kosovar rebels who don't want to be tracked when they're surfing, and the worst of whom are pedophiles and drug dealers—that's not a business that I would particularly want to be in. The truth is, how do you make money in an e-mail business? How do you make money in surfing? The only way you can do it is advertising. And the only way you can get advertising is if you're going to have customer information — and if you're going to use it. To me, the logic of that business model tends to fall apart." I agreed, and planned to press Austin and Hamnett Hill about such questions.
As we wrapped up our tour, Smith deposited me in a conference room and handed me a collection of articles that I "really should read" about the importance of cryptography, specifically for Zero-Knowledge but also for the privacy world in general. Then he went to find the Hill brothers.
In 1787, while serving as the U.S. ambassador in Paris, Thomas Jefferson sent a report to James Madison on the volatile situation in pre-Revolutionary France. "These views are said to gain upon the nation," he wrote. "The 1647 678.914 for 411.454 is 979.996.607.935 of all 789. The 404 is 474.872. And an 223 435.918 of some sort is not impossible."
The message was diplomatically sensitive, and to keep its contents private Jefferson had resorted to using a secret cipher that he knew only Madison could unlock. (Decrypted, the message read, "These views are said to gain upon the nation. The king's passion for drink is divesting him of all respect. The queen is detested. And an explosion of some sort is not impossible.")
According to Bruce Schneier, the author of Applied Cryptography (1995), the development and use of such codes was until recently "the province of learned people everywhere." After World War II, however, cryptography essentially became the secret and exclusive province of government. In fact, the cryptographic systems produced by computers in this country were considered so powerful and so important to the national interest that they were classified as munitions, and their export was eventually banned by the Department of State. But the advent of personal computers changed everything. Suddenly the idea emerged that cryptography could and should protect not only national secrets but also private personal data stored on and transmitted between computers. In 1991 a software engineer named Philip Zimmermann created and made freely available a powerful encryption program called Pretty Good Privacy. PGP soon made its way overseas, and the U.S. government — which strongly resisted the idea of putting top-grade cryptography into public hands, for fear of its abuse by unsavory elements — opened a criminal investigation into Zimmermann for, among other things, having exported a munition. Defenders of PGP and other forms of encryption rallied behind Zimmermann and made his case a cause célèbre, arguing that the expression of ideas in cryptography, like any other form of expression, is protected by the First Amendment. (Applied Cryptography, a sort of how-to manual, was written and published very much in that spirit.) The government investigated Zimmermann for three years before yielding to the inevitability of publicly available cryptography and dropping the case.
Zimmermann became the model for a new breed of privacy activist — namely, one who uses computer technology to protect privacy. In 1992, inspired by his example, a band of mathematicians, computer scientists, and software engineers based primarily in the San Francisco area began to discuss ways to defend personal privacy in the computer age. They were brought together by an intense ideological commitment to privacy and free speech, and by an anarchistic mistrust of government and big business. They dedicated themselves to creating and widely disseminating the best cryptography possible, for all to use. They called themselves the Cypherpunks.
"Privacy is necessary for an open society in the electronic age," Eric Hughes, one of the original Cypherpunks, wrote in the opening of "A Cypherpunk's Manifesto," which he put online in 1993. The document continued,
People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do.
We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money...
Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible.
The Cypherpunks' philosophy is extreme — they believe that cryptography and anonymous transactions should and will inevitably make the idea of the nation-state wither away — and their numbers are relatively few, but their influence has nevertheless been impressive. Their successful efforts to spread cryptography around the globe were a major factor in the U.S. government's decision in 1999 to relax its restrictions on the export of cryptography. And they have worked on and enabled a host of technologies that businesses — Zero-Knowledge Systems among them — are beginning to use to protect privacy online.