How much can you learn about a person by glancing at his or her open email box? No fair reading the mail — just the in and out boxes. You would find subject lines, dates and times and the person’s contacts. A Privacy Impact Assessment (PDF) published recently in the United States asserts that this information is not private. Speaking for every email and Web user, the authors say:
“Electronic mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by service providers for the specific purpose of directing the routing of information.”
That idea was published by the U.S. Department of Homeland Security and its Computer Emergency Readiness Team (US-CERT) in May. It was written for a narrow purpose, to satisfy a law that requires a privacy assessment be prepared when the government plans to collect “identifiable information.” It accompanies an upgrade to Einstein, which is an intrusion detection system and is one of the programs that protect federal networks.
But the reach of this assessment is wide, not narrow, if only because it asks everyone to read it. Unlike its predecessor four years ago, it “serves as a general notice to individuals” that network traffic at participating agencies may be collected for computer security purposes. Certainly collection is necessary for the purpose at hand. Federal networks of course need protection because they transport the most sensitive types of data, including the financial and medical records for millions of people.
Data ‘voluntarily turned over’
One page later comes the idea, however, that a person’s traffic and history is not private. The assessment likens email headers and IP addresses to telephone numbers, first explaining in simple terms that it takes information to route information. Then email subject lines, the names and addresses of senders and recipients, people’s Web visits, and the dates of their activity are equated with the series of numbers that are needed to route telephone calls. The authors go on to say that all of these details “are voluntarily turned over” to third parties.
The assessment may reach too far in an attempt to define what data is personal. It is one thing to meet regulations by stating the reasons and conditions of data permissions needed to carry out emergency response. It is an altogether different thing to originate a definition in a general sense that email headers and Web histories are not personal data, and to assert that Internet users knowingly give away data.
That personal profiles of Internet users are collected has been reported for years by researchers and in the press. Profiles are assets, bought and sold in corporate mergers and acquisitions. Profiles of persons have so much value in business that it will suffice to only state a reminder here that the sum of collections of email headers and Web histories is not in the public domain.
Users unaware of tracking, selling
Leslie Harris of the Center for Democracy and Technology testified in July to the U.S. Senate Commerce, Science & Transportation Committee that “most Internet users today do not know that their browsing information may be tracked, aggregated and sold.” Further, her testimony (PDF) describes an advertising model that may pay for Web free content in exchange for detailed access records from our Internet service providers (see Aug. 12 MinnPost article “Internet privacy gets Congress’ attention”), and concludes in part:
“The practice that has been described to us, whereby an ISP may enter into an agreement with an advertising network to copy and analyze the traffic content of the ISP’s customers, poses serious questions under the federal Wiretap Act.”
Ideally, profiles and histories ought to be the property of the people who create them. In the meantime, tendencies to believe otherwise and assumptions to the contrary by the U.S. government or by advertising providers need to be corrected.
Susan Lesch owns Textet and is not a lawyer. She lives in San Diego, Calif.; and Minneapolis.
Want to add your voice?
If you’re interested in joining the discussion by writing a Community Voices article, email Susan Albright at salbright [at] minnpost [dot] com.