Privacy Is Under Siege at Work, at Home, and Online
Technological advances and the spread of online discourse and commerce have led to ever more pervasive intrusions into our private lives: hidden cameras in bathrooms, the explosion of random urinalysis by companies and schools, and parents and spouses installing surveillance software on their home PCs to catch cybershenanigans. Meanwhile, developing technologies such as tracking of wireless devices, biometric identifiers, DNA coding, and "spy" TV are creating an entirely new set of privacy worries.
Yet while it may be tougher than ever to keep things private, individuals have some ways to fight back. First, in order to protect what's left, it's critical to understand how--and why--privacy is under assault. Then there are steps you can take to prevent its further erosion.
Face it, you're toiling in a fishbowl
When Renee Mcintosh bared her childhood fears, her desires, and her intimate marital struggles to a company psychiatrist, she never guessed the 15-page record of her internal life would one day be devoured by co-workers at a happy hour, along with nachos and margaritas. But that's what happened. "I told him things I've never shared with anyone," says McIntosh tearfully. A representative of Safeway in Fremont, Calif., where McIntosh worked as a payroll clerk for over 20 years, gave the document to one of her colleagues. Safeway contends the 1997 evaluation--which it required of McIntosh to receive worker's compensation--wasn't private. "It was a public document. . . . One could do pretty much what one wanted with that," testified Safeway attorney Michael Marks in a deposition last spring. The complaint is pending in state superior court.
In this way McIntosh discovered a cold fact of modern work life: There's precious little privacy left on the job. In most states, employers are entitled to--and increasingly do--read their workers' E-mail, conduct random drug tests, surreptitiously tape employees, monitor Web surfing--and even look into their workers' medical and genetic data. As work and home life become more intertwined, companies are requesting subpoenas to search workers' home computers for evidence. Employers say they have no choice but to ratchet up observation. Otherwise, they risk lawsuits stemming from the presence of sexually explicit, racist, or libelous material at work. Firms also are concerned about maintaining productivity with so many online distractions, safeguarding intellectual property, and preventing drug abuse. "Companies have to be more vigilant and restrictive in terms of the free speech of employees because they can be held responsible for it," says Stephen Paskoff, a consultant in Atlanta who advises companies on privacy. "The only place where you're safe from monitoring is in your private thoughts." The courts have agreed by overwhelmingly siding with employers in privacy cases.
Technological advances, like inexpensive minicams and easy-to-use spy software, are making it easier for employers at small and large firms to pry. Nearly three quarters of U.S. companies say they are electronically monitoring employees, according to this year's report by the American Management Association--double the 1997 figure. "All the painful, personal secrets of employees are now being spilled onto the boss's desk, and it's only going to get worse," says Lewis Maltby, president of the National Work Rights Institute.
This far-reaching surveillance has led to disciplinary actions against employees. Ten percent of computer users surveyed say they have worked with someone who was fired because of improper Web browsing or use of company E-mail, according to a recent study by the Pew Internet Project. Dow Chemical, the New York Times Co., and Xerox Corp. have punished workers over the past year for their cybertransgressions.
With few laws restricting them, some employers are pushing--and steaming open--the envelope. A federal appeals panel in San Francisco ruled last April that although Consolidated Freightways Inc. installed hidden cameras in its women's and men's' bathrooms--one camera pointing toward a urinal--workers cannot sue under the state's invasion of privacy law. The reason: The union agreement allowed for unspecified video surveillance. An attorney for the workers says there are about 1,000 hours' worth of recorded video, and thousands of employees appear on the tapes. "The guys were really shaken, and some of the women went home crying," says Joe Quilty, the dockworker who discovered the hidden cameras. The company says they were installed to catch potential drug use. Several other "company potty-cam" cases are pending nationwide.
Critics contend that employers seeking to lower their insurance costs are probing into workers' medical records. Paul Ortiz, a former employee of the State Bar of Nevada, says he received exemplary evaluations until he was suddenly fired after submitting $6,000 in medical claims for the treatment of his HIV infection. The Bar says Ortiz was fired because of poor job performance. A recent investigation by the Equal Employment Opportunity Commission supported Ortiz's side.
Here are some ways that you can better protect your privacy at work:
Get the scoop on snooping. Ask for a copy of your company's policy on employee monitoring. Better still, quiz your colleagues in the information technology department about how the company checks up on workers.
Beware of spouting off. Remember that your employer may track down the authors of anticorporate diatribes, even when posted pseudonymously on the Internet.
Know your rights. Many workers mistakenly believe their privacy is constitutionally guaranteed. Interestingly, government employees have more protections than those working in the private sector. -D.H.
The new math: keeping your finances secret
Like most people, Maureen and Ray Mitchell consider their financial affairs sacrosanct and strive to keep them that way. The Madison, Ohio, couple shun online banking and shopping, rarely order merchandise from catalogs, and carefully monitor their credit reports. Still, last year they discovered that someone had used 48-year-old Ray's name and Social Security number to successfully apply for $111,000 in credit. The thieves obtained numerous credit cards, cellphone service, a personal loan, and two SUVs. "You feel very violated--and very vulnerable," says Maureen Mitchell, 44, a real-estate agent. While the Mitchells were not financially liable, they have spent hundreds of hours cleaning up their credit reports and proving they did not apply for the loans.
As the Mitchells learned, it's increasingly difficult to keep a tight rein on your financial privacy. There's so much to worry about: Identity thieves, hackers, and marketers all seem to have insatiable appetites for your financial dossier. "Your personal information is worth money," says Evan Hendricks, editor of Privacy Times, a newsletter in Washington, D.C. With your data exposed to so many people these days, you're susceptible to fraud, questionable marketing spiels, bogus bills, and the potential destruction of your hard-earned credit history. Wielding control of your financial privacy means keeping tabs on who is plucking your data and why.
The Internet has spawned a new modus operandi for miscreants. Earlier this month, someone cracked Western Union's Web site and retrieved the credit and debit card numbers of more than 15,000 customers. Cyberhooligans can download programs from the Web that generate valid card numbers using the same algorithms used by banks. What's more, organized crime rings have planted employees in restaurants and gas stations to nab card data by "skimming" them off a genuine card with a special device that is easily concealed in a pocket.
It's not just crooks who dabble in financial intelligence. Minnesota Attorney General Mike Hatch last year sued U.S. Bank for fraud and deception for selling customer data, including credit card numbers and account balances, to a direct marketer--after saying it wouldn't. The telemarketer, says Hatch, used misleading pitches to sell unsuspecting customers discount memberships in health and travel clubs. U.S. Bank has settled the suit. Hatch and attorneys general in other states are investigating several similar arrangements, including one in which membership fees were added to consumers' mortgages without their knowledge or consent. These revelations caused quite a stir. "Everyone assumed that banks keep this information confidential," says Hatch. "We don't think to call the bank up and say: `Don't do this.' " Congress passed legislation last year that includes some financial-privacy measures. The trouble, say critics, is that the new law legitimizes the merging of customer information. As financial institutions expand and diversify, consumers will have a tough time keeping track of who knows what about them--and who can share it with whom.
Nonetheless, the burden remains on consumers. Here are ways that experts advise safeguarding your financial data:
Don't pass it on. Tell your bank, insurer, and brokerage that you don't want your financial details shared. To avoid a paper trail on sensitive transactions, pay cash.
Read up on yourself. Monitor your credit report annually. Reports cost about $8 in most states. Review every entry on your bank and credit card statements.
Tracking the web of data you weave
Online, you are your data dossier. Most computer users don't realize that Internet businesses are compiling data about them and their Web-surfing history and habits. Even those who are aware of the tactics would be dazed by the sheer bulk of their electronic profile. Web ad placement firm DoubleClick currently maintains over 100 terabytes of storage. If printed out, that would equal about 300 single-spaced sheets of paper for every Web user.
Companies are perfecting the art of prying online. Information has emerged as the hottest commodity on the Web--the more specific, the more valuable it is to firms that want to target their ads. The data can also be cross-referenced with information from insurers, credit bureaus, retail stores, stockbrokers, and others--then sold, even without the user's consent. While strict federal measures to safeguard children's data took effect last April, there are no similar protections for adults.
States, however, are clamping down. "People's hair would stand on end if they realized how much information about themselves is being sold," says Jennifer Granholm, the Michigan attorney general, who is spearheading the battle against Big Browser. "Things like porn-site visits that they'd never want anyone else to know about." Granholm has taken legal action this year against more than a dozen companies--most recently E*Trade -- alleging that they don't tell consumers they're being tracked online. She and other state attorneys general are moving aggressively while dozens of federal proposals to protect consumers languish in Congress. Reticent to impede the growth of E-commerce, Washington has so far left it to the industry to police itself. A case in point: The Network Advertising Initiative, which represents 90 percent of online ad companies, recently developed a plan--endorsed by the Federal Trade Commission--allowing consumers to request and correct their profiles. But it's up to surfers to check the "opt-out" box on Web sites they visit or their data may be sold.
DoubleClick and its competitors claim their data are anonymous. They're really not. These companies drop small ID tags, called cookies, onto users' hard drives. The cyberwiretaps can be linked to a name, phone number, or information provided while registering on a Web site or buying a product. Other tracking tags, called Web bugs, can be planted invisibly in Microsoft Word documents and E-mail.
Until technologies to protect consumers' privacy become easier to use, surfers will have to trust privacy policies posted on Web sites. These policies, however, are often lengthy, contradictory, confusing, and subject to change at any time. And now it appears that when companies merge or are sold, their consumer profiles can be sold as assets. Even after pledging that its data would "never be shared," the failed E-tailer Toysmart.com, which is owned by Disney, is trying to sell its client list containing 250,000 names and cyberprofiles. "I expect scam artists on the Web to sell customer data, but not big companies," says a Toysmart customer who ordered a dozen miniature cars just before the company filed for bankruptcy. Amazon.com changed its policy this month to inform its 20 million customers that their profiles could similarly be sold.
Here are some moves consumers can make to protect privacy online:
Say no to cookies. Set your Netscape browser to reject third-party cookies. Microsoft plans to roll out a similar feature.
Wall off your data. Install a personal firewall to heighten your online security. For a free download, go to www.zonelabs.com.
Think before you click. Don't enter private data into public computers. Hackers scoop up credit card numbers, E-mail addresses, and passwords from library and cybercafe PCs. -D.H.
Digital doctoring poses risks to patient records
Tom Butler was surprised to see a snazzy PC in the examination room during his recent appointment at Baylor Family Medicine. The computer systems analyst was equally impressed with how fast the physician electronically called up his drug dosage history and tied it to his current symptoms. "The doctor instantly came up to speed on my treatment," says Butler.
Like other online innovations, the Houston hospital's new digital record system offers its patients greater convenience. They can schedule appointments, get drug refills, peruse their health data, and E-mail their doctor. Medscape, the leader in this fledgling industry, has amassed 13.4 million digital patient records. With a password, patients and doctors can call up the information from anywhere. Hospital administrators say the system improves efficiency and helps doctors avoid tragic errors.
Yet in the race to put medical records on easily accessible networks--including the Internet--patient consent and privacy aren't necessarily a top concern. Baylor, for instance, doesn't get explicit permission before transferring its patients' data to the system, nor does it expressly inform them of the privacy and security risks of online health records. Yet the benefits outweigh the hazards, says John Bentivoglio, former chief privacy officer at the Department of Justice and now an attorney in Washington, D.C. "Privacy can't be considered in a vacuum," he says. "You can cut 100,000 medical errors and save lives by sharing data. That's huge."
Lawmakers typically are advocates of digitizing patient records, but they also want them to remain confidential. The White House is set to release rules that would, for the first time, require doctors, hospitals, pharmacists, and insurance companies to limit disclosure of health data and give patients the right to access their records. The regulations, however, contain a big loophole: They allow sharing of data without consent for what's vaguely labeled "disease management." Privacy consultant Robert Gellman interprets this to mean: "So if you're taking AZT, they could give your information to a marketer, your employer--any group that might want to remind you to take your pills."
Another oft-cited concern is security. While staffers routinely use passwords to gain access to the system, one doctor at Baylor recently remained logged on all morning to a laptop in a public area. E-mail messages from his patients regularly popped up on the screen: "refill vicodin," "blood in stool 5 days." At one point, the area was left unattended for 15 minutes. "Theoretically, you could've dropped in a Trojan horse that would've given you control over their system," says Internet security consultant James Settle. Mark Leavitt, Medscape's chairman, downplays the security risk. "Yes, if you had physical access to a computer--that could happen. But you also could pick up a paper record and walk out," he says.
The assurances are not enough for Butler, who also was unsettled to hear of an internal hospital memo awarding cash prizes to staffers who sign up the most patients for Medscape passwords. "I don't want to be part of a contest in my doctor's office," says Butler, wrinkling his nose. "I'm usually not squeamish about data on the Net, but this scares the heck out of me."
Here's how to better shield your medical records:
Read before you sign. Edit release forms before signing them to limit who will receive access to your medical data.
Consider all tests. Don't take genetic tests unless medically necessary. If the results are disseminated, they could affect your future job and insurance prospects. -D.H.
WHERE TO LEARN MORE
Workplace. Visit www.aclu.org to read more about employee monitoring.
Financial. The Federal Trade Commission's booklet, ID Theft: When Bad Things Happen To Your Good Name, is available at www.consumer.gov/idtheft.
Internet. Fed up with DoubleClick cookie crumbs? Follow the prompts at www.doubleclick.net/us/ to opt out.
Medical. Learn how to get a copy of your file from the Medical Information Bureau at www.healthprivacy.org.
With Margaret A. Mannix
This story appears in the October 2, 2000 print edition of U.S. News & World Report.