Database Nation: The Death of Privacy in the 21st Century

By Simson Garfinkel


Table of Contents

Chapter 1: Privacy Under Attack
You wake to the sound of a ringing telephone—but how could that happen?
Several months ago, you reprogrammed your home telephone system so the phone would never ring before the civilized hour of 8:00 a.m. But it's barely 6:45 a.m. Who could be calling at this time? More importantly, who was able to bypass your phone's programming?
You pick up the telephone receiver, then slam it down a moment later. It's one of those marketing machines playing a prerecorded message. Computerized telemarketing calls have been illegal within the United States for more than a decade now, but ever since international long-distance prices dropped below 10 cents a minute, calls have been pouring in to North America from all over the world. And they're nearly all marketing calls—hence the popularity of programmable phones today. What's troubling you now is how this call got past the filters you set up. Later on, you'll discover how: the company that sold you the phone created an undocumented "back door"; last week, the phone codes were sold in an online auction. Because you weren't paying attention, you lost the chance to buy back your privacy.
Oops.
Now that you're awake, you decide to go through yesterday's mail. There's a letter from the neighborhood hospital you visited last month. "We're pleased that our emergency room could serve you in your time of need," the letter begins. "As you know, our fees (based on our agreement with your HMO) do not cover the cost of treatment. To make up the difference, a number of hospitals have started selling patient records to medical researchers and consumer marketing firms. Rather than mimic this distasteful behavior, we have decided to ask you to help us make up the difference. We are recommending a tax-deductible contribution of $275 to help defray the cost of your visit."
The veiled threat isn't empty, but you decide you don't really care who finds out about your sprained wrist. You fold the letter in half and drop it into your shredder. Also into the shredder goes a trio of low-interest credit card offers.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
What Do We Mean By Privacy?
The concept of privacy is central to this book, yet I wish I had a better word to express the aspect of individual liberty that is under attack by advanced technology as we enter the new millennium.
For decades, people have warned that pervasive databanks and surveillance technology are leading inevitably to the death of privacy and democracy. But these days, many people who hear the word "privacy" think about those kooks living off in the woods with their shotguns: these folks get their mail at post office boxes registered under assumed names, grow their own food, use cash to buy what they can't grow for themselves, and constantly worry about being attacked by the federal government—or by space aliens. If you are not one of these people, you may well ask, "Why should I worry about my privacy? I have nothing to hide."
The problem with this word "privacy" is that it falls short of conveying the really big picture. Privacy isn't just about hiding things. It's about self-possession, autonomy, and integrity. As we move into the computerized world of the twenty-first century, privacy will be one of our most important civil rights. But this right of privacy isn't the right of people to close their doors and pull down their window shades—perhaps because they want to engage in some sort of illicit or illegal activity. It's the right of people to control what details about their lives stay inside their own houses and what leaks to the outside.
To understand privacy in the next century, we need to rethink what privacy really means today:
  • It's not about the man who wants to watch pornography in complete anonymity over the Internet. It's about the woman who's afraid to use the Internet to organize her community against a proposed toxic dump—afraid because the dump's investors are sure to dig through her past if she becomes too much of a nuisance.
  • It's not about people speeding on the nation's highways who get automatically generated tickets mailed to them thanks to a computerized speed trap. It's about lovers who will take less joy in walking around city streets or visiting stores because they know they're being photographed by surveillance cameras everywhere they step.
The Role of Technology
Today's war on privacy is intimately related to the dramatic advances in technology we've seen in recent years. As we'll see time and again in this book, unrestrained technology ends privacy. Video cameras observe personal moments; computers store personal facts; and communications networks make personal information widely available throughout the world. Although some specialty technology may be used to protect personal information and autonomy, the overwhelming tendency of advanced technology is to do the reverse.
Privacy is fundamentally about the power of the individual. In many ways, the story of technology's attack on privacy is really the story of how institutions and the people who run them use technology to gain control over the human spirit, for good and ill. That's because technology by itself doesn't violate our privacy or anything else: it's the people using this technology and the policies they carry out that create violations.
Many people today say that in order to enjoy the benefits of modern society, we must necessarily relinquish some degree of privacy. If we want the convenience of paying for a meal by credit card, or paying for a toll with an electronic tag mounted on our rear view mirror, then we must accept the routine collection of our purchases and driving habits in a large database over which we have no control. It's a simple bargain, albeit a Faustian one.
I think this tradeoff is both unnecessary and wrong. It reminds me of another crisis our society faced back in the 1950s and 1960s—the environmental crisis. Then, advocates of big business said that poisoned rivers and lakes were the necessary costs of economic development, jobs, and an improved standard of living. Poison was progress: anybody who argued otherwise simply didn't understand the facts.
Today we know better. Today we know that sustainable economic development depends on preserving the environment. Indeed, preserving the environment is a prerequisite to the survivability of the human race. Without clean air to breathe and clean water to drink, we will all surely die. Similarly, in order to reap the benefits of technology, it is more important than ever for us to use technology to protect personal freedom.
The Role of Government
With everything we've heard about Big Brother, how can we think of government as anything but the enemy of privacy? While it's true that federal laws and actions have often damaged the cause of privacy, I believe that the federal government may be our best hope for privacy protection as we move into the new millennium.
The biggest privacy failure of American government has been its failure to carry through with the impressive privacy groundwork that was laid in the Nixon, Ford, and Carter administrations. It's worth taking a look back at that groundwork and how it may serve us today.
The 1970s were a good decade for privacy protection and consumer rights. In 1970, Congress passed the Fair Credit Reporting Act. Elliot Richardson, who at the time was President Nixon's secretary of health, education, and welfare (HEW), created a commission in 1972 to study the impact of computers on privacy. After years of testimony in Congress, the commission found all the more reason for alarm and issued a landmark report in 1973.
The most important contribution of the Richardson report was a bill of rights for the computer age, which it called the Code of Fair Information Practices (see the shaded box). That Code remains the most significant American thinking on the topic of computers and privacy to this day.
Fighting Back
Privacy is certainly on the ropes in America today, but so was the environment in 1969. Thirty years ago, the Cuyahoga River in Ohio caught on fire and Lake Erie was proclaimed dead. Times have certainly changed. Today it's safe to eat fish that are caught in the Cuyahoga, Lake Erie is alive again, and the overall environment in America is the cleanest it's been in decades.
There are signs around us indicating that privacy is getting ready to make a comeback as well. The war against privacy is commanding more and more attention in print, on television, and on the Internet. People are increasingly aware of how their privacy is compromised on a daily basis. Some people have begun taking simple measures to protect their privacy, measures like making purchases with cash and refusing to provide their Social Security numbers—or providing fake ones. And a small but growing number of people are speaking out for technology with privacy, and putting their convictions into practice by developing systems or services that protect, rather than attack, our privacy.
Over the past few decades, we've learned that technology is flexible, and that when it invades our privacy, the invasion is usually the result of a conscious choice. We now know, for instance, that when a representative from our bank says:
I'm sorry that you don't like having your Social Security number printed on your bank statement, but there is no way to change it.
that representative is actually saying:
Our programmers made a mistake by telling the computer to put your Social Security number on your bank statement, but we don't think it's a priority to change the program. Take your business elsewhere.
Today we are relearning this lesson and discovering how vulnerable business and government can be to public pressure. Consider these three examples from the past decade:
Lotus Development Corporation
Why This Book?
In this book we'll take a look at today's wide-ranging—and frightening—threats to our personal privacy:
The end of due process
Governments and businesses went on a computer buying spree in the second half of the twentieth century, replacing billions of paper files with electronic data processing systems. Today, humans often are completely absent from digital decision making. As a result, we've created a world in which the smallest clerical errors can have devastating effects on a person's life. It's a world where computers are assumed to be correct, and people wrong.
The fallibility of biometrics
Fingerprints, iris scans, and genetic sequences are widely regarded as infallible techniques for identifying human beings. They're so good, in fact, that 50 years from now, identification cards and passports probably won't exist. Instead, a global data network will allow anyone on the planet to be instantly identified from the unique markings of that person's own body. Who controls access to the databank, who has the power to change its contents, and what do we do if the infallible system is nevertheless wrong?
The systematic capture of everyday events
We are entering a new world in which every purchase we make, every place we travel, every word we say, and everything we read is routinely recorded and made available for later analysis. But while the technology exists to capture this data, we lack the wisdom to figure out how to treat it fairly and justly. The result is an unprecedented amount of data surveillance, the effects of which we're just beginning to grasp.
The bugging of the outside world
Orwell thought the ultimate threat to privacy would be the bugging of bedrooms and offices. Today, an equally large threat to freedom is the systematic monitoring of public places through microphones, video cameras, surveillance satellites, and other remote sensing devices, combined with information processing technology. Soon it may be impossible for most people to escape the watchful outdoor eye.
Chapter 2: Database Nation
WASHINGTON, D.C., 1965. The Bureau of the Budget's proposal was simple yet revolutionary. Instead of each federal agency's investing in computers, storage technology, and operations personnel, the United States government would build a single National Data Center. The project would start by storing records from four federal agencies: population and housing data from the Bureau of the Census; employment information from the Bureau of Labor Statistics; tax information from the Internal Revenue Service; and benefit information from the Social Security Administration. Eventually, it would store far more.
While the original motivation was simply to cut costs, it soon became clear that there would be additional benefits. Accurate statistics could be created quickly and precisely from the nation's data. By building a single national database, the government could track down and stamp out the misspelled names and other inconsistent information that haunts large-scale databank projects. A single database would also let government officials and even outsiders use the data in the most efficient manner possible.
The Princeton Institute for Advanced Study issued a report enthusiastically supporting the databank project, saying that centralized storage of the records could actually improve the security of the information, and therefore the privacy of the nation. Carl Kaysen, the Institute's director and the chairman of the study group, further urged that Congress pass legislation that would give the records additional protections, provide for privacy, and promote accountability of the databank workers. Others latched on to the idea, and the concept of the National Data Center slowly evolved into that of a massive databank containing cradle-to-grave electronic records for every U.S. citizen. The database would contain every person's electronic birth certificate, proof of citizenship, school records, draft registration and military service, tax records, Social Security benefits, and ultimately, their death records and estate information. The FBI might even use the system to store criminal records.
Thirty-four Years Later
SEATTLE, 1999. I order a pair of white chocolate lattés, and hand my Mileage Plus First Card to the barista for payment. Although the drinks cost only $3 each, I'd rather charge the transaction than pay cash. By putting every single purchase on my credit card, I've managed to accumulate a balance of more than 50,000 frequent-flyer miles in less than a year—enough to buy my wife and myself a pair of round-trip tickets anywhere in the United States.
Thirty years ago, the idea of a centralized computer tracking one's every purchase seemed like part of an Orwellian nightmare. Fifteen years ago, the mathematical genius Dr. David Chaum invented "E-Cash," an anonymous payment system designed to let consumers buy things electronically without revealing their identities. Who could have imagined that the day would come when millions of people would not only wish to have their purchases tracked—but would complain when transactions were missed? Yet that is one of the most intriguing results of so-called loyalty programs such as United's credit card: they have created massive databanks that paint a detailed electronic mosaic of consumer behavior, and they have done so with the willing participation of the monitored.
I call my mother when I get home. In the back of my mind, I know that a record of my call is being kept in the phone company's computer system. My records will probably never be reviewed by a human being, but at least once a month I hear of some big crime in which the suspect's guilt was "proven," in part, with these kinds of telephone records. In trials after the bombing of the Murrah Federal Building in Oklahoma City in 1995, for instance, one critical piece of evidence presented by the prosecution was the telephone call records from prepaid calling cards used by Timothy McVeigh and Terry Nichols. Right-wing extremists in the militia movement thought that calls made with these calling cards, purchased with cash, would be anonymous and untraceable. In fact, records of every call made with each card had been carefully kept. Prosecutors presented hundreds of pages of phone card records, with calls to auto racing tracks, chemical companies, motels, storage facilities, and rental truck outlets.[4] Those records allowed the prosecution to show that Timothy McVeigh and Terry Nichols had been in frequent contact by telephone during the months and weeks leading up to the most murderous act of terrorism in U.S. history.[5]
How We Got Here
If you want to blame somebody for the computerization of America, blame George Washington and the other framers of the Constitution. Way back in 1787, Washington and company decreed that the new republic would conduct a census every ten years. It sounded easy enough at the time, but as the United States expanded in both geographical size and population, the job of the census takers became increasingly difficult.
The problem wasn't just the growing numbers of "huddled masses" in search of freedom that were docking at U.S. ports. Like any government program, the census suffered mission creep. By 1880, the census was much more than a simple head count: it had become a tool for learning more about the people who made up the nation. Congress ordered the recording of people's gender, marital status, age, place of birth, education, occupation, and literacy status. All this information was sent to Washington, D.C. for tabulation. The whole process was strictly manual: census clerks made repeated passes over the forms, counting the number of responses that matched particular criteria. It took 18 weeks from start to finish, there were a lot of errors, and it was getting harder all the time.
Herman Hollerith was a young man who came to the census office after graduating from Columbia College in 1879. Hollerith saw the census problems and soon became obsessed with the idea of building a machine that would somehow automate the clerical work. He spent a year looking at the problem, then left and spent a year teaching mechanical engineering at MIT. He returned to Washington, this time spending a year in the Patent Office. Finally, he quit government service in 1884 to become a full-time inventor.[6]
It Could Happen To You
Many people in American society do their best to follow the rules, but inadvertently get ground up by computer systems that have been poorly designed—systems that somehow can't quite cope with the messiness of day-to-day life. Just take the case of Steve and Nancy Ross, who did a lot of traveling in the early 1980s and paid for it with a ruined credit report, courtesy of the Internal Revenue Service.[15]
In 1983, Nancy Ross won a fellowship to spend six months in Hawaii, paid for by the Japanese American Institute for Management Sciences. At the time, her husband Steve was a freelance writer and self-employed computer consultant, so the two of them packed up their kids and went off on their Pacific adventure. At the end of the trip, they returned to their home in Leonia, New Jersey.
A few months later, Nancy was invited to spend a year in the Far East and Japan. It was the chance of a lifetime for her kids, so they packed their bags again and left. By this time, Steve had accepted a job at the journalism department of Columbia University, so he stayed behind. To save money, the family rented out their house in New Jersey and Steve moved into a tiny apartment in New York City.
Shortly after Steve and Nancy moved back home, they received a nasty letter from the IRS: a lien had been placed on their house. "I immediately called the IRS in Holtsville [New York] and said essentially, 'What are you talking about?'" recalls Steve Ross. "I reached a good clerk. We were on the phone for about half an hour. She figured it out. She said, 'I bet I know what happened.' She called out to California, and within six hours I had a call back from the IRS. She said 'Just to set your mind at ease, you are clean. We are sending you a letter.'" The lien was immediately removed.
What had happened was one of those weird confluences of errors that have a way of popping up whenever computers are involved. Because Steve and Nancy were both self-employed, they had to make quarterly income tax payments to the IRS. During the summer of 1983, they sent their $3,500 check from Hawaii to the regional IRS processing center on Long Island. But the post office mistakenly redirected the check to an IRS processing center in California.
Identity Theft: A Stolen Self
Stories like what happened to the Ross family made up the bulk of credit reporting problems in the 1980s and early 1990s. But in recent years, there has been a sudden and dramatic growth of a new kind of crime, made possible by the ready availability of both credit and once-private information on Americans. In these cases, one person finds another's name and Social Security number, applies for a dozen credit cards, and proceeds to run up huge bills. (Many banks make this kind of theft far easier than it should be by printing their customers' Social Security numbers on their bank statements.) Sometimes the thieves enjoy the merchandise for themselves, go on lavish trips, and eat in fine restaurants. Other times, the thieves fence the ill-gotten merchandise, turning it into cash. This crime has become so common that it has earned its own special name: identity theft.
Sometimes the crook gets the personal information from inside sources: in April 1996, federal prosecutors charged a group of Social Security Administration employees with stealing personal information on more than 11,000 people and selling the data to credit fraud rings, who used the information to activate stolen credit cards and ring up huge bills.[18] Other times, crooks pose as homeless people and rummage through urban trash cans, looking for bank and credit card statements.
A typical case is what happened to Stephen Shaw, a Washington-based journalist.[19] Sometime during the summer of 1991, a car salesman from Orlando, Florida with a similar name—Steven Shaw—obtained Stephen Shaw's credit report. This is actually easier than it sounds. For years, Equifax had aggressively marketed its credit reporting service to car dealers. The service lets salespeople weed out the Sunday window-shoppers from the serious prospects by asking a customer's name and then surreptitiously disappearing into the back room and running a quick credit check. In all likelihood, says the Washington-based Shaw, the Shaw in Florida had simply gone fishing for someone with a similar-sounding name and a good credit history.
Looking Forward By Looking Back
Looking back from thirty years later, there are a lot of lessons to learn from the failed federal National Data Center proposal and the nationwide system of databanks, access terminals, and computer networks that private industry built in the resulting vacuum.
Perhaps the most important lesson is that decisions made early on have far-reaching effects. Designed in 1932, the Social Security number has had its role in society constantly expanded over the last two-thirds of this century. No matter how you look at it, the SSN is a bad number. But our country has been unable to stop using it. Witness the huge number of uses that the number has today.[20]
Year   Authorized Uses of Social Security Numbers
1943   Federal agencies use SSN exclusively for employees.
1961   Civil Service Commission uses SSN as an employee identifier.
1962   Internal Revenue Service uses SSN as taxpayer identification.
1967   Department of Defense uses SSN as an Armed Forces identifier.
1972   U.S. begins issuing SSNs to legally admitted aliens at U.S. entry and to anyone receiving or applying for federal benefits.
1975   AFDC (Aid for Families with Dependent Children) uses SSN for
1976   States use SSN for tax and general public assistance identification and for driver's licenses.
1977   Food stamp program uses SSN for household member eligibility.
1981   School lunch program uses SSN for adult household member eligibility.
Our Databanked Future
And what if we look in the other direction? Looking forward, we can see a future in which technology will increasingly be used to limit ambiguity. Anything that can be known will be known, and it will be known to a greater degree of precision than was ever thought possible. Left to its own devices, it's quite likely that business will repeat the mistakes of the past, designing systems that are fundamentally unfair, undemocratic, and unaccountable.
Back in 1965, the United States government stood at a computational crossroads. On the table was a proposal to create a massive government database. But when details of the project reached the public, the project was terminated. Instead, the U.S. Congress held hearings on the threat of computers to privacy, a U.S. government commission formulated the idea of data protection, and a (relatively) small part of the U.S. government's executive branch was given the mission to enforce a new set of laws.
We blew it. A national database could have headed off the excesses of the credit reporting industry. If the system had allowed strong user controls, or had avenues for redress, it further could have prevented the sea of errors that exist in the plethora of private databanks today. Moreover, with a public system, uses of the data for purposes other than those originally intended would have been debated in public, rather than proposed and approved behind closed doors.
Today, we stand at another computational crossroads. We are moving past the 1960s vision of computers that hold important financial, educational, and credit information. We are moving into an integrated future in which computers will track the most mundane and the most intimate aspects of our lives. They will measure and record the happenings on our planet. They will let us distinguish one person from another with the most fine-grained precision. Once again, there may be a need for the government to step in and set the rules for what can and cannot be done with this advanced information technology. Otherwise, we risk recreating the information abyss that we handled so deftly before. Sadly, this level of analysis is missing from most public discourse on credit card fraud, unauthorized uses of database information, and identity theft.
Chapter 3: Absolute Identification
Confronted with database discrepancies, identity theft, illegal immigration, and unsolved crimes, many policymakers have put their faith in the technological promise of biometric identification. These technologies, their boosters say, will ultimately usher in a regime of absolute identification in which each individual can be precisely known by the unique characteristics of that person's body.
Absolute identification is a policy goal that is within our grasp. Indeed, a growing number of scientists, engineers, and politicians now see identification of human bodies not as a technical problem, but rather as a political one. If society has the will, they argue, we could uniquely register every person in the United States, Europe, Asia, and possibly the entire planet. We could then routinely identify individuals at banks, at school, at work, and on the road. Absolute identification could eliminate mismatched computer records, stolen identities, and the ambiguity that comes with the messiness of day-to-day life. By replacing anonymity with absolute identity, we would create a society in which each person could be absolutely granted the privileges that come with his or her station in life, and each person could be held uniquely and absolutely accountable for his or her own actions.
Absolute identification is a seductive idea. It's a pity that it is also fundamentally flawed. To understand why, you need to understand the technology and its shortcomings.
On the Identification of Infants
Three thousand years ago, two women in Jerusalem came before King Solomon. Both women had recently given birth to a child. Now one child was dead, and both women claimed the remaining child as their own. Solomon needed to identify the child and assign it to its rightful mother.
Today, Solomon's dilemma would be easy to solve. Unless the women were identical twins, they would have different genetic makeups. By testing blood from both adults and the child, the baby's true mother could be easily determined. Indeed, such genetic tests are routinely performed in the modern world to determine the paternity of children in child support cases.
But Solomon didn't have modern biology at his disposal. So Solomon called for his sword. Since the women could not decide between themselves, he said, the child would be divided in half. Solomon knew that the baby's true mother would rather yield custody than see her child killed. And moments later, when one of the women hastily gave up the baby, Solomon knew that the other woman was the liar.
Twenty-five hundred years later, the explorer João de Barros wrote about a different way to identify young children. In his book Décadas da Ásia, published in 1563, de Barros described how Chinese merchants identified young children by stamping their palm prints and footprints on paper with ink. These weren't just any pieces of paper, of course: they were deeds of sale.[1] Once recorded in this way, there could be no chance of mistaking one child for another, which is quite important when human beings are being bought or sold.
Had Solomon wanted to, he could have instituted a similar system for registering the prints of every Israelite child at birth. Ancient Israel certainly had the necessary technology—parchment and ink—to carry out such a project. Ancient Israelites also knew that fingerprints were unique: in recent years, archeologists digging in Israel have discovered caches of clay pottery in which a thumbprint is clearly visible on each piece. Presumably, the potter had used his thumbprint as his own personal mark. But the idea of a national identification system never would have occurred to Solomon or any of his courtiers, because identification of adults was generally not a problem until the modern age.
Anthropometrical Signalment
A constellation of events in the late nineteenth century forced governments to find better ways to identify the people within their borders. The first was the rise of the modern city, in which people routinely carried out their day-to-day business with strangers. In the city, citizens needed a way of identifying each other so they could avoid being cheated: identity promotes accountability. The second event was the improved ease of travel, which created waves of immigrants seeking new homes. In short order, xenophobic lawmakers throughout Europe and the United States passed strict immigration laws to keep out the newly mobile foreigners. This, in turn, created a need for strong identification systems to let officials distinguish citizens from noncitizens. The third reason for strong identification was the nouveau concept of criminal rehabilitation—the idea that people who committed a crime could be rehabilitated and set on a new path, rather than simply put to death or exiled. Some sort of identification system was required to distinguish a first-time pickpocket from a habitual offender.
It was the problem of identifying convicted criminals that caught the attention of Alphonse Bertillon (1853-1914), a Parisian anthropologist. How do you identify a pickpocket who has been caught for the fourth time, if each time the crook is arrested he gives a different name? How is it possible to establish the continuity of identity without the cooperation of the individual?
Bertillon realized that even if names changed, even if a person cut his hair or put on weight, certain elements of the body remained fixed. He created a system called anthropometrical signalment for measuring these bodily invariants. The system was remarkably straightforward:
  • When a person was arrested for a crime, Bertillon would have one of his assistants make careful measurements of the suspect's head, arms, feet, and ears. Also recorded were distinguishing scars, marks, and other unique bodily information. These measurements and the person's name were then recorded on an index card and stored at the central police station.
The Science of Fingerprints
Two black brothers, identical twins, are accused of a grisly murder in Missouri. The weapon is a bloody knife found at the scene of the crime. At the trial, the defense lawyer shows the jury that the murderer's fingers have each left their own characteristic prints on the weapon, and those prints match not the twins, but another person in the courtroom. The court is stunned: clearly, the wrong people are on trial!
The story is Mark Twain's Pudd'nhead Wilson, first published in 1893 by Century Magazine. Wilson's address to the jury gave many Americans their first introduction to the science of fingerprints:
Every human being carries with him from his cradle to his grave certain physical marks which do not change their character, and by which he can always be identified—and that without shade or doubt or question. These marks are his signature, his physiological autograph, so to speak, and this autograph cannot be counterfeited, nor can he disguise it or hide it away, nor can it become illegible by the wear and mutations of time.4
Our understanding of fingerprints has changed little to this day. Determined by a combination of genetics and random processes inside the womb, fingerprints are fixed by birth and remain fixed for life. The marks truly are a unique signature: there is so much room for variation that no two people ever have shared, or ever will share, the same pattern.
Perhaps most importantly, fingerprints are permanent. I learned this firsthand when I took a chemistry course at Bryn Mawr College. I was performing a series of experiments with anhydrous acetic acid. After a few weeks, I noticed that the tips of my fingers had become smooth; the acid had actually etched away my fingerprints. But within a month after finishing the experiments, my fingerprints were back, exactly as they had been before and no worse for their absence.
The reason for this permanence is that the fingerprint pattern is determined by the very bottom layers of the epidermis. The only way to change an individual's fingerprints is to remove the skin entirely and replace it with new skin from elsewhere on the body. This painful and disfiguring operation was employed by a few gangsters in the 1930s, but hasn't found much use since.
DNA Identification
Deoxyribonucleic acid, better known as DNA, is the molecule that separates us and connects us. DNA is an intergenerational messenger, the basis of family and clan identity, and the imaginary binder of many nations. And yet, DNA is also the basis of most people's individuality.
Just as our DNA connects us to both of our parents, our own unique pattern separates us from them.
DNA identity testing uses the genetic code as the basis of a near-perfect identification system. Today, this testing has three primary uses:
  • Paternity testing
  • Identification of blood and semen left at crime scenes
Computerized Biometrics
Despite their apparent accuracy, neither fingerprints nor DNA samples are suitable for identifying individuals on a day-to-day basis. Fingerprints may be a lost cause: after more than 100 years, proponents have still been unable to shake the stain of criminality from their use. DNA identification is unworkable because the biological reactions on which DNA testing is based require minutes or hours, rather than seconds, to take place. Fortunately, for the past 100 years, the world has relied on another kind of biometric that can be nearly as good as a fingerprint or a DNA sample. That biometric is the photograph.
The most common form of identification today is a photograph fixed to an official document. Worldwide, the "universal currency" for personal identification is the passport. Most European countries supplement passports with identity cards. In the United States, the photo driver's license is the most common form of identification for both private industry and government.
The reliability of a driver's license depends on two factors. First, the state must be sure that the driver's license is being issued to the correct person. Second, the driver's license itself needs to be reasonably tamperproof, so it can't be changed once it is issued. (A driver's license that can be easily modified is an invitation to crime, since the license can be stolen, altered, and then used for fraudulent purposes.) States have increasingly, and somewhat successfully, turned to exotic materials to make driver's licenses more difficult to forge. But they generally do only a fair job of verifying the identity of the prospective driver. An even bigger problem with the U.S. driver's license system is that each state's license looks radically different from every other's. It can be very difficult for a check casher in Massachusetts to know if an offered driver's license really came from the state of Montana or if it is a forgery.
Identifying Bodies, Not People
Absolute identification is a seductive idea. Unfortunately, it's an idea that is fundamentally flawed. All of the identification techniques discussed in this chapter share a common flaw: the techniques do not identify people, they identify bodies. In modern society, people are legal entities. People have names, Social Security numbers, and histories. People buy and sell property. People have obligations. Bodies, on the other hand, are the warm-blooded, two-legged animals that are walking around on our planet's surface. Bodies are born, and bodies die.
When a murder is committed in our society, one body has taken the life of another body. It is then the job of the police to determine the people involved—that is, identifying the victim and finding the perpetrator. Bodies are imprisoned, but people go to jail. Any identification databank, whether it's the passports issued by the U.S. State Department or the FBI's CODIS system, attempts to draw lines connecting legal people with the bodies that they inhabit. This is an imperfect exercise.
Today, it is remarkably easy for a criminal to adopt an assumed name and construct an alias, complete with a state-issued driver's license. Many underground and semi-underground tracts give precise directions on how to create a fraudulent identity: first, search public records and find somebody who was born at roughly the same time and died in early childhood. Next, request a duplicate birth certificate and Social Security card. Subscribe to magazines in the stolen name. Just start using it. At some point, take a driver's license test.
The United States does not operate a central computerized registry of every birth and death in the country. Instead, cities, counties, and states all operate their own record systems. Sometimes records get lost—hospitals burn down, computer files get destroyed. Sometimes there are duplicate records, sometimes there aren't. Many record-keeping systems are antiquated. This lack of centralization can be exploited by people who know how. Once the identity of a dead child is appropriated in this manner, it can be remarkably difficult to disprove. Just about the only way one of these constructed identities can unravel is if the individual was previously arrested or fingerprinted—and if that information has been stored in some biometrically indexed, computerized database, such as a police department's fingerprint files. The databanks don't prove that the new identity is false. All they prove is that the biometrically identified body once used some other person's name.
Chapter 4: What Did You Do Today?
When I was a teenager, I tried keeping a diary. I took out my pen every night before I went to sleep and wrote down the details of the previous day. I had just started dating and soon the book's pages were filled with stories of my teenage romances: I'd write down who I liked and who I didn't; who I had seen at school and who I had talked to on the phone. And, of course, I wrote down the details of my dates themselves: who they were with, where we had gone, what we had eaten, and what we had done.
After a month or so I had created quite an impressive historical record of my teenage exploits. But as time passed, my entries started getting shorter and shorter. It was just too much work to write down all of the details. Ultimately, my project collapsed under the weight of its own data.
Keeping that diary in today's world would be much easier. Every time I buy something with a credit card, I get back a little yellow slip telling me the exact time and location of my purchase. I get a much more detailed receipt at my neighborhood supermarket that lists the name and size of everything in my shopping cart. My airline's frequent flyer statement lists every city that I've flown to over the past year. Should I accidentally throw out the statement, all of this information is stored safely in numerous computer databanks.
Even my telephone calls are carefully recorded, tabulated, and presented to me at the end of each month. I remember in college when my girlfriend broke up with me during a long-distance phone call. We talked for 20 minutes, then she hung up. I called her back again and again; I got her answering machine each time. A few weeks later, the phone bill came in the mail, and there were the calls: one for 20 minutes, and then five calls in rapid succession, each one lasting just 15 seconds.
But by far the most detailed records of my life reside on my computer's hard drive: my stored email messages, going back to my freshman year in college. All told, there are more than 600 megabytes of information—roughly 315,000 pages of double-spaced text, or 40 pages of text for every day since September 3, 1983, when I got my first email account at MIT.
The Information Crisis
As an experiment, make a list of the data trails that you leave behind on a daily basis. Did you buy lunch with a credit card? Write that down. Did you buy lunch with cash, but visit the automatic teller machine (ATM) beforehand? If so, then that withdrawal makes up your data shadow as well. Every long distance phone call, any time you leave a message inside a voice mailbox, and every web page you access on the Internet—all of these are part of your comprehensive data profile.
You are more likely to leave records if you live in a city, if you pay for things with credit cards, and if your work requires that you use a telephone or a computer. You will leave fewer records if you live in the country or if you are not affluent. This is really no surprise: detailed records are what makes the modern economy possible.
What is surprising, though, is the amount of collateral information that these records reveal. Withdraw cash from an ATM, and a computer records not just how much money you took out, but the fact that you were physically located at a particular place and time. Make a telephone call to somebody who has Caller ID, and a little box records not just your phone number (and possibly your name), but also the exact time that you placed your call. Browse the Internet, and the web server on the other side of your computer's screen doesn't just record every page that you download—it also records the speed of your computer's modem, the kind of web browser you are using, and even your geographical location.
There's nothing terribly new here, either. In 1986, John Diebold wrote about a bank that seven years earlier
had recently installed an automatic teller machine network and noticed "that an unusual number of withdrawals were being made every night between midnight and 2:00 a.m."...Suspecting foul play, the bank hired detectives to look into the matter. It turns out that many of the late-night customers were withdrawing cash on their way to a local red light district!1
False Data Syndrome
Another insidious problem with this data sea is something I call false data syndrome. Because much of the information in the data sea is correct, we are predisposed to believe that it is all correct—a dangerous assumption that is all too easy to make. The purveyors of the information themselves often encourage this kind of sloppy thinking by failing to acknowledge the shortcomings of their systems.
For example, in 1997, the telephone company NYNEX (now part of Bell Atlantic) launched an aggressive campaign to sell the new Caller ID service to its subscribers. With the headline "See Who's Calling Before You Pick Up the Phone," the advertisement read:
Caller ID lets you see both the name and number of the incoming call so you can decide to take the call now or return it later. Even if the caller doesn't leave a message, your Caller ID box automatically stores the name, number, and time of the incoming call. Caller ID also works with Call Waiting, so you can see who's calling even while you're talking to someone else.5
Clearly, NYNEX was confusing human identities with telephone numbers. Caller ID doesn't show the telephone number that belongs to the person who is making the call—it shows the number of the telephone from which the call is being placed. So-called "enhanced" Caller ID services that display a name and number don't really display the caller's name—they display the name of the person who is listed in the telephone book. If I make an obscene call from your house during a party, or if I use your telephone to make a threat on the life of the president of the United States (a federal crime), Caller ID will say that you are the culprit—not me.
The Tracking Process: How Our Information Is Turned Against Us
Nobody set out to build a society in which the most minute details of everyday life are permanently recorded for posterity. But this is the future that we are marching towards, thanks to a variety of social, economic, and technological factors.
Humans are born collectors. Psychologically, it's much easier to hold on to something than to throw it away. This is all the more true for data. Nobody really feels comfortable erasing business correspondence or destroying old records—you never know when something might be useful. Advancing technology is making it possible to realize our collective dream of never throwing anything away—or at least never throwing away a piece of information.
The first computer that I bought in 1978 stored information on cassette tapes. I could fit 200 kilobytes on a 30-minute cassette, if I was lucky. The computer that I use today has an internal hard disk that can store 6 gigabytes of information—a 30,000-fold increase in just two decades. And this story is hardly unique: all over the world, businesses, governments, and individuals have seen similar improvements in their ability to store data. As a civilization, we've used this newfound ability to store more and more minute details of everyday existence. We are building the world's datasphere: a body of information that describes the Earth and our actions upon it.
Building the world's datasphere is a three-step process—one that we've been blindly following without considering its ramifications for the future of privacy. First, industrialized society creates new opportunities for data collection. Next, we dramatically increase the ease of automatically capturing information into a computer. The final step is to arrange this information into a large-scale database so it can be easily retrieved at a moment's notice.
Once the day-to-day events of our lives are systematically captured in a machine-readable format, this information takes on a life of its own. It finds new uses. It becomes indispensable in business operations. And it often flows from computer to computer, from business to business, and between industry and government. If we don't step back and stop the collection and release of this data, we'll soon have a world in which every moment and every action is permanently "on the record."
The Biggest Database in the World
Probably the largest database in the world today is the collection of web pages on the Internet. While much of the Web is filled with pornographic images, magazine articles, and product advertisements, there is a staggering amount of personal information as well: individual home pages, email messages, and postings to the Usenet. This record can be automatically searched for revealing disclosures, unintentional admissions of guilt, or other kinds of potentially valuable information.
Back before the explosive growth of the World Wide Web, Rick Gates, a student and lecturer at the University of Arizona, was interested in exploring the limits of the Internet database. In September 1992, he created the Internet Hunt, a monthly scavenger hunt for information on the Net. Early hunts had the participants locate satellite weather photographs or the text to White House speeches. The hunt was especially popular among librarians, who were at the time trying to make the case that the Internet could be a valuable reference tool.
In June 1993, Gates decided to have a different kind of hunt. It was the first where the goal was simply to find as much information as possible about the person behind an email address.
The Age of Public Statements