Communication - Download as PDF

Document Sample
Communication - Download as PDF Powered By Docstoc

                     Privacy and Surveillance

Reading 12-1

Remembrance of Data Passed:
A Study of Disk Sanitization Practices
Simson L. Garfinkel and Abhi Shelat


Many discarded hard drives, although thought to be reformatted or simply lacking worthwhile data, contain information that is
both confidential and recoverable. As this fascinating study in data recovery by Simson L. Garfinkel and Abhi Shelat shows,
discarded drives contain a bounty of revealing information—from personal letters and pornography to bank account and credit
card numbers—readily retrievable by data sleuths and computer hackers. In the study, just 9% of the 129 usable drives they
purchased from eBay and analyzed had been properly cleaned (or “sanitized”) by having their sectors completely overwritten
with zero-filled blocks. The availability of information from old hard drives is little publicized, but awareness of such poten-
tially risky consumer exposure will surely spread once identity thieves and law enforcement agencies start looking to repurposed
drives for confidential material. As this reading and the article by James Rosenbaum (Reading 12-2) illustrate, neither the
delete key nor the format command really do their job.


1. What is the difference between a sanitized file and a deleted file? Similarly, what is the difference between
   sanitizing and (re)formatting a hard drive?

                                         CHAPTER 12 PRIVACY AND SURVEILLANCE                                       309

2. Despite the ready availability of sanitization tools, most computer users seem to make little effort to erase the
   information on their discarded hard drives. What explanations do the authors advance for this state of affairs?
3. Compare three data destruction techniques: reformatting, overwriting, and physical destruction. If you had a
   hard drive with sensitive information that needed to be discarded, which method would you be most com-
   fortable with?

A fundamental goal of information security is to de-           ■   In the spring of 2002, the Pennsylvania Depart-
sign computer systems that prevent the unauthorized                ment of Labor and Industry sold a collection of
disclosure of confidential information. There are many              computers to local resellers. The computers con-
ways to assure this information privacy. One of the                tained “thousands of files of information about
oldest and most common techniques is physical iso-                 state employees” that the department had failed
lation: keeping confidential data on computers that                 to remove.2
only authorized individuals can access. Most single-           ■   In August 2001, Dovebid auctioned off more than
user personal computers, for example, contain infor-               100 computers from the San Francisco office of
mation that is confidential to that user.                           the Viant consulting firm. The hard drives con-
     Computer systems used by people with varying                  tained confidential client information that Viant
authorization levels typically employ authentication,              had failed to remove.3
access control lists, and a privileged operating system to
                                                               ■   A Purdue University student purchased a used
maintain information privacy. Much of information
                                                                   Macintosh computer at the school’s surplus equip-
security research over the past 30 years has centered on
                                                                   ment exchange facility, only to discover that the
improving authentication techniques and developing
                                                                   computer’s hard drive contained a FileMaker
methods to assure that computer systems properly im-
                                                                   database containing the names and demographic
plement these access control rules.
                                                                   information for more than 100 applicants to the
     Absent a cryptographic file system, confidential in-
                                                                   school’s Entomology Department.
formation is readily accessible when owners improp-
erly retire their disk drives. In August 2002, for ex-         ■   In August 1998, one of the authors purchased
ample, the United States Veterans Administration                   10 used computer systems from a local computer
Medical Center in Indianapolis retired 139 computers.              store. The computers, most of which were three
Some of these systems were donated to schools, while               to five years old, contained all of their former
others were sold on the open market, and at least three            owners’ data. One computer had been a law
ended up in a thrift shop where a journalist purchased             firm’s file server and contained privileged client-
them. Unfortunately, the VA neglected to sanitize the              attorney information. Another computer had a
computer’s hard drives—that is, it failed to remove the            database used by a community organization that
drives’ confidential information. Many of the com-                  provided mental health services. Other disks
puters were later found to contain sensitive medical in-           contained numerous personal files.
formation, including the names of veterans with AIDS           ■   In April 1997, a woman in Pahrump, Nevada,
and mental health problems. The new owners also                    purchased a used IBM computer for $159 and
found 44 credit card numbers that the Indianapolis fa-             discovered that it contained the prescription rec-
cility used.1                                                      ords of 2,000 patients who filled their prescrip-
     The VA fiasco is just one of many celebrated cases             tions at Smitty’s Supermarket pharmacy in Tempe,
in which an organization entrusted with confidential                Arizona. Included were the patient’s names, ad-
information neglected to properly sanitize hard disks              dresses and Social Security numbers and a list of
before disposing of computers. Other cases include:                all the medicines they’d purchased. The records
                                                                   included people with AIDS, alcoholism, and
Reprinted with permission from “Remembrance of Data
Passed: A Study of Disk Sanitization Practices” by Simson L.       These anecdotal reports are interesting because of
Garfinkel and Abhi Shelat, IEEE Security & Privacy, 1(1)        their similarity and their relative scarcity. Clearly, con-
( January/February 2003), pp. 17–27. Copyright © 2003 IEEE.    fidential information has been disclosed through com-

puters sold on the secondary market more than a few           year 2002; this is up from a retirement rate of three
times. Why, then, have there been so few reports of           for 10 in 1997. As the VA Hospital’s experience dem-
unintended disclosure? We propose three hypotheses:           onstrates, many disk drives that are “retired” by one or-
                                                              ganization can appear elsewhere. Unless retired drives
1. Disclosures of this type are exceedingly rare.
                                                              are physically destroyed, poor information security
2. Confidential information is disclosed so often on           practices can jeopardize information privacy.
   retired systems that such events are simply not
3. Used equipment is awash with confidential in-               THE UBIQUITY OF HARD DISKS
   formation, but nobody is looking for it— or else
   there are people looking, but they are not publi-          Compared with other mass-storage media, hard disks
   cizing that fact.                                          pose special and significant problems in assuring long-
                                                              term data confidentiality. One reason is that physi-
    To further investigate the problem, we purchased          cal and electronic standards for other mass-storage
more than 150 hard drives on the secondary market.            devices have evolved rapidly and incompatibly over
Our goal was to determine what information they con-          the years, while the Integrated Drive Electronics/Ad-
tained and what means, if any, the former owners had          vanced Technology Attachment (IDE/ATA) and Small
used to clean the drives before they discarded them.          Computer System Interface (SCSI) interfaces have
Here, we present our findings, along with our taxon-           maintained both forward and backward compatibility.
omy for describing information recovered or recover-          People use hard drives that are 10 years old with mod-
able from salvaged drives.                                    ern consumer computers by simply plugging them in:
                                                              the physical, electrical, and logical standards have been
                                                              remarkably stable.
THE HARD DRIVE MARKET                                              This unprecedented level of compatibility has sus-
                                                              tained both formal and informal secondary markets for
Everyone knows that there has been a dramatic in-             used hard drives. This is not true of magnetic tapes, op-
crease in disk-drive capacity and a corresponding de-         tical disks, flash memory, and other forms of mass stor-
crease in mass-storage costs in recent years. Still, few      age, where there is considerably more diversity. With
people realize how truly staggering the numbers actu-         current devices, people typically cannot use older me-
ally are. According to the market research firm Data-          dia due to format changes (a digital audio tape IV drive,
quest, nearly 150 million disk drives [were] retired in       for example, cannot read a DAT I tape, nor can a 3.5-
2002 —up from 130 million in 2001. Although many              inch disk drive read an 8-inch floppy.)
such drives are destroyed, a significant number are re-             A second factor contributing to the problem of
purposed to the secondary market. (This market is rap-        maintaining data confidentiality is the long-term con-
idly growing as a supply source for even mainstream           sistency of file systems. Today’s Windows, Macintosh,
businesses, as evidenced by the cover story in CIO            and Unix operating systems can transparently use the
Magazine, “Good Stuff Cheap: How to Use the Sec-              FAT16 and FAT32 file systems popularized by Micro-
ondary Market to Your Enterprise’s Advantage.” 5 )            soft in the 1980s and 1990s. FAT stands for File Alloca-
     According to the market research firm IDC, the            tion Table and is a linked list of disk clusters that DOS
worldwide disk-drive industry [shipped] between 210           uses to manage space on a random-access device; 16
and 215 million disk drives in 2002; the total storage        or 32 refers to the sector numbers’ bit length. Thus,
of those disk drives [was] 8.5 million terabytes (8,500       not only are 10-year-old hard drives mechanically and
petabytes, or 8.5 x 1018 bytes). While Moore’s Law            electrically compatible with today’s computers, but the
dictates a doubling of integrated circuit transistors         data they contain is readily accessible without special-
every 18 months, hard-disk storage capacity and the           purpose tools. This is not true with old tapes, which are
total number of bytes shipped are doubling at an even         typically written using proprietary backup systems,
faster rate.                                                  which might use proprietary compression and/or en-
     It’s impossible to know how long any disk drive          cryption algorithms as well.
will remain in service; IDC estimates the typical drive’s          A common way to sanitize a cartridge tape is to use
life-span at five years. Dataquest estimates that people       a bulk tape eraser, which costs less than US$40 and
will retire seven disk drives for every 10 that ship in the   can erase an entire tape in just a few seconds. Bulk eras-
                                        CHAPTER 12 PRIVACY AND SURVEILLANCE                                        311

ers can erase practically any tape on the market. Once            Sanitizing is complicated by social norms. Clearly,
erased, a tape can be reused as if it were new. However,     the best way to assure that a drive’s information is pro-
bulk erasers rarely work with hard disks, creating a third   tected is to physically destroy the drive. But many
factor that complicates data confidentiality. In some         people feel moral indignation when IT equipment is
cases, commercially available bulk erasers simply do not     discarded and destroyed rather than redirected toward
produce a sufficiently strong magnetic field to affect the     schools, community organizations, religious groups, or
disk surface. When they do, they almost always render        lesser-developed nations where others might benefit
the disk unusable: in addition to erasing user data, bulk    from using the equipment— even if the equipment is a
erasers remove low-level track and formatting infor-         few years obsolete.
mation. Although it might be possible to restore these
formatting codes using vendor-specific commands,
such commands are not generally available to users.
                                                             SANITIZING THROUGH ER ASING

THE SANITIZATION PROBLEM                                     Many people believe that they’re actually destroying
                                                             information when they erase computer files. In most
Most techniques that people use to assure informa-           cases, however, delete or erase commands do not actu-
tion privacy fail when data storage equipment is sold        ally remove the file’s information from the hard disk
on the secondary market. For example, any protec-            [see Reading 12-2]. Although the precise notion of
tion that the computer’s operating system offers is lost     “erase” depends on the file system used, in most cases,
when someone removes the hard drive from the com-            deleting a file most often merely rewrites the metadata
puter and installs it in a second system that can read the   that pointed to the file, but leaves the disk blocks con-
on-disk formats, but doesn’t honor the access control        taining the file’s contents intact.
lists. This vulnerability of confidential information left         When the operating system erases a FAT file, two
on information systems has been recognized since the         things occur. First, the system modifies the filename’s
1960s.6                                                      first character in the file’s directory entry to signal that
      Legal protections that assure data confidentiality      the file has been deleted and that the directory entry
are similarly void. In California v. Greenwood, the U.S.     can be recycled. Second, the system moves all of the
Supreme Court ruled that there is no right to privacy        file’s FAT clusters to the hard drive’s list of free clusters.
in discarded materials.7 Likewise, it is unlikely that an    The actual file data is never touched. Indeed, there are
individual or corporation could claim that either has        many programs available that can recover erased files,
a privacy or trade-secret interest in systems that they      as we discuss later.
themselves have sold. Experience has shown that people            Although our semantic notion of “erasing” implies
routinely scavenge electronic components from the            data removal, the FAT file system (and many other
waste stream and reuse them without the original own-        modern file systems) doesn’t meet our expectations.
er’s knowledge.
      Thus, to protect their privacy, individuals and or-
ganizations must remove confidential information from         SANITIZING THROUGH OVERWRITING
disk drives before they repurpose, retire, or dispose of
them as intact units—that is, they must sanitize their       Because physical destruction is relatively complicated
drives.                                                      and unsatisfying, and because using the operating sys-
      The most common techniques for properly sani-          tem to erase files does not effectively sanitize them,
tizing hard drives include                                   many individuals prefer to sanitize hard-drive informa-
                                                             tion by intentionally overwriting that data with other
■   Physically destroying the drive, rendering it
                                                             data so that the original data cannot be recovered. Al-
                                                             though overwriting is relatively easy to understand and
■   Degaussing the drive to randomize the magnetic           to verify, it can be somewhat complicated in practice.
    domains—most likely rendering the drive unus-                One way to overwrite a hard disk is to fill every ad-
    able in the process                                      dressable block with ASCII NUL bytes (zeroes). If the
■   Overwriting the drive’s data so that it cannot be        disk drive is functioning properly, then each of these
    recovered                                                blocks reports a block filled with NULs on read-back.

We’ve observed this behavior in practice: for most          exotic because they do not rely on the standard hard-
home and business applications, simply filling an en-        disk interface.
tire disk with ASCII NUL bytes provides sufficient                Gutmann presents some 22 different patterns that
sanitization.                                               you can write in sequence to a disk drive to mini-
     One organization that has addressed the problem        mize data recovery. In the eight years since the article
of sanitizing storage media is the U.S. Department          was published, some sanitation tool developers (such as
of Defense, which has created a “Cleaning and Sani-         those on the WIPE project, for example 11 ) have taken
tizing Matrix”8 that gives DoD contractors three            these “Gutmann patterns” as gospel, and have pro-
government-approved techniques for sanitizing rigid         grammed their tools to painstakingly use each pattern
disk drives:                                                on every disk that is sanitized. Moreover, other orga-
                                                            nizations warn that failure to use these patterns or take
■    Degauss with a Type I or Type II Degausser             other precautions, such as physically destroying a disk
■    Destroy by disintegrating, incinerating, pulveriz-     drive, means that “someone with technical knowledge
     ing, shredding, or melting                             and access to specialized equipment may be able to re-
■    Overwrite all addressable locations with a random      cover data from files deleted.” 12
     character, overwrite against with the character’s           But in fact, given the current generation of high-
     complement, and then verify. (However, as the          density disk drives, it’s possible that none of these over-
     guidelines state—in all capital letters no less—       write patterns are necessary—a point that Gutmann
     this method is not approved for sanitizing media       himself concedes. Older disk drives left some space be-
     that contains top-secret information.)                 tween tracks; data written to a track could occasionally
                                                            be recovered from this inter-track region using special
     The DoD’s overwriting strategy is curious, both        instruments. Today’s disk drives have a write head that
because it does not recommend writing a changing            is significantly larger than the read head: tracks are thus
pattern, and because the method is specifically not ap-      overlapping, and there is no longer any recoverable data
proved for top-secret information. This omission and        “between” the tracks. Moreover, today’s drives rely
restriction is almost certainly intentional. Peter Gut-     heavily on signal processing for their normal operation.
mann, a computer security researcher at the University      Simply overwriting user data with one or two passes
of Auckland who has studied this issue, notes: “The . . .   of random data is probably sufficient to render the
problem with official data destruction standards is that     overwritten information irrecoverable—a point that
the information in them may be partially inaccurate         Gutmann makes in the updated version of the article,
in an attempt to fool opposing intelligence agencies        which appears on his Web site (
(which is probably why a great many guidelines on              peter/usenix01.pdf ).
sanitizing media are classified).”9                               Indeed, there is some consensus among research-
     Indeed, some researchers have repeatedly asserted      ers that, for many applications, overwriting a disk with
that simple overwriting is insufficient to protect data      a few random passes will sufficiently sanitize it. An en-
from a determined attacker. In a highly influential 1996     gineer at Maxtor, one of the world’s largest disk-drive
article, Gutmann argues that it is theoretically pos-       vendors, recently told us that recovering overwritten
sible to retrieve information written to any magnetic       data was something akin “to UFO experiences. I be-
recording device because the disk platter’s low-level       lieve that it is probably possible . . . but it is not going
magnetic field patterns are a function of both the writ-     to be something that is readily available to anyone out-
ten and overwritten data. As Gutmann explains, when         side the National Security Agency.”
a computer attempts to write a one or a zero to disk,
the media records it as such, but the actual effect is
closer to obtaining 1.05 when one overwrites with a         A SANITIZATION TAXONOMY
one and 0.95 when a one overwrites a zero. Although
normal disk circuitry will read both values as ones, “us-   Modern computer hard drives contain an assortment
ing specialized circuitry it is possible to work out what   of data, including an operating system, application pro-
previous ‘layers’ contained.” 10 Gutmann claims that        grams, and user data stored in files. Drives also contain
“a high-quality digital sampling oscilloscope” or Mag-      backing store for virtual memory, and operating system
netic Force Microscopy (MFM) can be used to retrieve        meta-information, such as directories, file attributes,
the overwritten data. We refer to such techniques as        and allocation tables. A block-by-block disk-drive ex-
                                         CHAPTER 12 PRIVACY AND SURVEILLANCE                                                  313

Table 12-1. A Sanitization Taxonomy

Level      Where Found          Description
Level 0    Regular files         Information contained in the file system. Includes file names, file attributes, and file contents. By
                                definition, no attempts are made to sanitize Level 0 files’ information. Level 0 also includes infor-
                                mation that is written to the disk as part of any sanitization attempt. For example, if a copy of
                                Windows 95 had been installed on a hard drive in an attempt to sanitize the drive, then the files
                                installed into the C:\WINDOWS directory would be considered Level 0 files. No special tools
                                are required to retrieve Level 0 data.
Level 1    Temporary files       Temporary files, including print spooler files, browser cache files, files for “helper” applications, and
                                recycle bin files. Most users either expect the system to automatically delete this data or are not
                                even aware that it exists. Note: Level 0 files are a subset of Level 1 files. Experience has shown that
                                it is useful to distinguish this subset, because many naive users will overlook Level 1 files when
                                they are browsing a computer’s hard drive to see if it contains sensitive information. No special
                                tools are required to retrieve Level 1 data, although special training is required to teach the opera-
                                tor where to look.
Level 2    Deleted files         When a file is deleted from a file system, most operating systems do not overwrite the blocks on
                                the hard disk that the file is written on. Instead, they simply remove the file’s reference from the
                                containing directory. The file’s blocks are then placed on the free list. These files can be recovered
                                using traditional “undelete” tools, such as Norton Utilities.
Level 3    Retained data        Data that can be recovered from a disk, but which does not obviously belong to a named file.
           blocks               Level 3 data includes information in slack space, backing store for virtual memory, and Level 2
                                data that has been partially overwritten so that an entire file cannot be recovered. A common
                                source of Level 3 data is disks that have been formatted with Windows Format command or the
                                Unix newfs command. Even though the output of these commands might imply that they over-
                                write the entire hard drive, in fact they do not, and the vast majority of the formatted disk’s infor-
                                mation is recoverable with the proper tools. Level 3 data can be recovered using advanced data
                                recovery tools that can “unformat” a disk drive or special-purpose forensics tools.
Level 4    Vendor-hidden        This level consists of data blocks that can only be accessed using vendor-specific commands. This
           data                 level includes the drive’s controlling program and blocks used for bad-block management.
Level 5    Overwritten data     Many individuals maintain that information can be recovered from a hard drive even after it is
                                overwritten. We reserve Level 5 for such information.

amination also reveals remnants of previous files that              boast government certifications, more than 50 tools li-
were deleted but not completely overwritten. These                 censed for a single computer system, and free software/
remnants are sometimes called free space, and include              open-source products that seem to offer largely the
bytes at the end of partially filled directory blocks               same features. Broadly speaking, two kinds of sanitiza-
(sometimes called slack space), startup software that is           tion programs are available: disk sanitizers and declassi-
not strictly part of the operating system (such as boot            fiers, and slack-space sanitizers.
blocks), and virgin blocks that were initialized at the                 Disk sanitizers and declassifiers aim to erase all user
factory but never written. Finally, drives also contain            data from a disk before it’s disposed of or repurposed in
blocks that are not accessible through the standard                an organization. Because overwriting an operating sys-
IDE/ATA or SCSI interface, including internal drive                tem’s boot disk information typically causes the com-
blocks used for bad-block management and for hold-                 puter to crash, disk sanitizers rarely operate on the boot
ing the drive’s own embedded software.                             disk of a modern operating system. Instead, they’re usu-
    To describe data found on recovered disk drives                ally run under an unprotected operating system, such
and facilitate discussion of sanitization practices and            as DOS, or as standalone applications run directly from
forensic analysis, we created a sanitization taxonomy (see         bootable media (floppy disks or CD-ROMs). (It’s rela-
Table 12-1).                                                       tively easy to sanitize a hard disk that is not the boot
                                                                   disk. With Unix, for example, you can sanitize a hard
Sanitization Tools                                                 disk with the device /dev/hda using the command dd
Many existing programs claim to properly sanitize a                if /dev/zero of /dev/hda.) Using our taxonomy,
hard drive, including $1,695 commercial offerings that             disk sanitizers seek to erase all of the drive’s Level 1,

2, 3, and 5 information. Sanitizers equipped with             ■   Lack of knowledge. The individual (or organiza-
knowledge of vendor-specific disk-drive commands                   tion) disposing of the device simply fails to con-
can erase Level 4 information as well.                            sider the problem (they might, for example, lack
    Slack space sanitizers sanitize disk blocks (and por-         training or time).
tions of disk blocks) that are not part of any file and        ■   Lack of concern for the problem. The individual con-
do not contain valid file system meta-information. For             siders the problem, but does not think the device
example, if a 512-byte block holds a file’s last 100 bytes         actually contains confidential information.
and nothing else, a slack-space sanitizer reads the block,
                                                              ■   Lack of concern for the data. The individual is aware
leaves bytes 1–100 untouched, and zeros bytes 101–
                                                                  of the problem—that the drive might contain
512. Slack-space sanitizers also compact directories (re-
                                                                  confidential information—but doesn’t care if the
moving ignored entries), and overwrite blocks on the
                                                                  data is revealed.
free list. Many of these programs also remove tempo-
rary files, history files, browser cookies, deleted email,      ■   Failure to properly estimate the risk. The individual is
and so on. Using our taxonomy, slack-space sanitizers             aware of the problem, but doesn’t believe that the
seek to erase all Level 1 through Level 4 drive infor-            device’s future owner will reveal the information
mation, while leaving Level 0 information intact.                 (that is, the individual assumes that the device’s
                                                                  new owner will use the drive to store information,
Forensic Tools                                                    and won’t rummage around looking for what the
The flip side of sanitization tools are forensic analysis          previous owner left behind).
tools, which are used for recovering hard-disk infor-         ■   Despair. The individual is aware of the problem,
mation. Forensic tools are harder to write than saniti-           but doesn’t think it can be solved.
zation tools and, not surprisingly, fewer of these tools      ■   Lack of tools. The individual is aware of the prob-
are available. Many of the packages that do exist are tai-        lem, but doesn’t have the tools to properly sanitize
lored to law enforcement agencies.                                the device.
     Almost all forensic tools let users analyze hard disks
or hard-disk images from a variety of different operat-       ■   Lack of training or incompetence. The individual at-
ing systems and provide an Explorer-style interface so            tempts to sanitize the device, but the attempts are
you can read the files. Tools are of course limited by the         ineffectual.
original computer’s operating system, as different sys-       ■   Tool error. The individual uses a tool, but it doesn’t
tems overwrite different amounts of data or metadata              behave as advertised. (Early versions of the Linux
when they delete a file or format a disk. Nevertheless,            wipe command, for example, have had numerous
many of these forensic tools can find “undeleted” files             bugs which resulted in data not being actually
(Level 2 data) and display hard-drive information that            overwritten. Version 0.13, for instance, did not
is no longer associated with a specific file (Level 3 data).        erase half the data in the file due to a bug; see
Most tools also offer varying search capabilities. Hence,
an operator can search an entire disk image for key-              .html.)
words or patterns, and then display the files (deleted or      ■   Hardware failure. The computer housing the hard
otherwise) containing the search pattern.                         drive might be broken, making it impossible
     Programs tailored to law enforcement also offer              to sanitize the hard drive without removing it
to log every keystroke an operator makes during the               and installing it in another computer—a time-
hard-drive inspection process. This feature supposedly            consuming process. Alternatively, a computer fail-
prevents evidence tampering.                                      ure might make it seem that the hard drive has
                                                                  also failed, when in fact it has not.
O Sanitization, Where Art Thou?
Despite the ready availability of sanitization tools and          Among nonexpert users— especially those using
the obvious threat posed by tools that provide forensic       the DOS or Windows operating systems—lack of
analysis, there are persistent reports that some systems      training might be the primary factor in poor sanitiza-
containing confidential information are being sold on          tion practices.
the secondary market.                                             Among expert users, we posit a different explana-
     We propose several possible explanations for this        tion: they are aware that the Windows format com-
state of affairs:                                             mand does not actually overwrite a disk’s contents.
                                        CHAPTER 12 PRIVACY AND SURVEILLANCE                                      315

Paradoxically, the media’s fascination with exotic           transverse the entire file system hierarchy and copy
methods for data recovery might have decreased saniti-       the files into compressed tar files. These files are exactly
zation among these users by making it seem too oner-         equal to our taxonomy’s Level 0 and Level 1 files.
ous. In repeated interviews, users frequently say things          We then analyzed the data using a variety of tools
like: “The FBI or the NSA can always get the data back       that we wrote specifically for this project. In particu-
if they want, so why bother cleaning the disk in the first    lar, we stored the complete path name, length, and
place?” Some individuals fail to employ even rudimen-        an MD5 cryptographic checksum of every Level 0 and
tary sanitization practices because of these unsubstanti-    Level 1 file in a database. (MD5 is a one-way func-
ated fears. This reasoning is flawed, of course, because      tion that reduces a block of data to a 128-bit elec-
most users should be concerned with protecting their         tronic “fingerprint” that can be used for verifying file
data from more pedestrian attackers, rather than from        integrity.)
U.S. law enforcement and intelligence agencies. Even if
these organizations do represent a threat to some users,     Initial Findings
today’s readily available sanitization tools can neverthe-   We acquired a total of 75 Gbytes of data, consisting of
less protect their data from other credible threats.         71 Gbytes of uncompressed disk images and 3.7 Gbytes
     However interesting they might be, informal inter-      of compressed tar files.
views and occasional media reports are insufficient to            From the beginning, one of the most intriguing as-
gauge current sanitization practices. To do that, we had     pects of this project was the variation in the disk drives.
to acquire numerous disk drives and actually see what        When we briefed people on our initial project plans,
data their former owners left behind.                        some people were “positive” that all the recovered
                                                             drives would contain active file systems, while others
                                                             were sure that all of the drives would be reformatted.
OUR EXPERIMENT                                               Some were certain we’d find data, but that it would
                                                             be too old to be meaningful, and others were sure that
We acquired 158 hard drives on the secondary market          nearly all of the drives would be properly sanitized,
between November 2000 and August 2002. We pur-               “because nobody could be so stupid as to discard a
chased drives from several sources: computer stores spe-     drive containing active data.”
cializing in used merchandise, small businesses selling
lots of two to five drives, and consolidators selling lots    File System Analysis
of 10 to 20 drives. We purchased most of the bulk hard       The results of even this limited, initial analysis indi-
drives by winning auctions at the eBay online auction        cate that there are no standard practices in the industry.
service.                                                     Of the 129 drives that we successfully imaged, only 12
     As is frequently the case with secondary-market         (9 percent) had been properly sanitized by having their
equipment, the drives varied in manufacturer, size, date     sectors completely overwritten with zero-filled blocks;
of manufacture, and condition. A significant fraction         83 drives (64 percent) contained mountable FAT16
of the drives were physically damaged, contained un-         or FAT32 file systems. Another 46 drives did not have
readable sectors, or were completely inoperable.             mountable file systems.
     Because we were interested in each drive’s data,             Of the 83 drives with mountable file systems, 51
rather than its physical deterioration, our goal was to      appeared to have been freshly formatted—that is, they
minimize drive handling as much as possible. Upon re-        either had no files or else the files were created by the
ceipt, we recorded each drive’s physical characteristics     DOS format c:/s command; another six drives were
and source in a database. We then attached the drives        formatted and had a copy of DOS or Windows 3.1 in-
to a workstation running the FreeBSD 4.4 operating           stalled. Of these 51 drives, 19 had recoverable Level 3
system, and then copied the drive’s contents block-          data—indicating that the drives had been formatted
by-block—using the Unix dd command from the raw              after they had been used in another application.
ATA device—into a disk file we called the “image file.”
Once we completed this imaging operation, we at-             Document File Analysis
tempted to mount each drive using several file systems:       We performed limited analysis of the mountable file
FreeBSD, MS-DOS, Windows NT File System, Unix                systems to determine the type of documents left on the
File System, and Novell file systems. If we successfully      drives. Table 12-2 summarizes these results.
mounted the drive, we used the Unix tar command to               Overall, the 28 drives with active file systems con-

Table 12-2. Recoverable Level 0                                  Using slightly more sophisticated techniques, we
and 1 Files by Type                                         wrote a program that scans for credit card numbers.
                                                            The program searches for strings of numerals (with
                         Number       On       Max Files    possible space and dash delimiters) that pass the mod-
File Type                 Found      Drives    per Drive    10 check-digit test required of all credit card numbers,
Microsoft Word (.doc)       675        23         183       and that also fall within a credit card number’s feasible
Outlook (.pst)               20         6          12       numerical range. For example, no major credit card
Microsoft PowerPoint                                        number begins with an eight.
(.ppt)                      566        14         196            In our study, 42 drives had numbers that passed
Microsoft Write (.wri)       99        21          19       these tests. Determining whether a number is actually
Microsoft Works (.wks)       68         1          68       a valid credit card number requires an attempted trans-
Microsoft Excel (.xls)      274        18          67       action on the credit card network. Rather than do this,
                                                            we inspected the number’s context. Two drives con-
                                                            tained consistent financial-style log files. One of these
                                                            drives contained 2,868 numbers in a log format. Upon
                                                            further inspection, it appeared that this hard drive was
tained comparatively few document files—far fewer            most likely used in an ATM machine in Illinois, and
than we’d expect to find on actively used personal           that no effort was made to remove any of the drive’s fi-
computers. We believe that this is because the drives’      nancial information. The log contained account num-
previous owners intentionally deleted these files in an      bers, dates of access, and account balances. In addition,
attempt to at least partially sanitize the drives before    the hard drive had all of the ATM machine software.
disposing of them.                                               Another drive contained 3,722 credit card num-
     To test this theory, we wrote a program that lets us   bers (some of them repeated) in a different type of log
scan for deleted files and directories. Using this pro-      format. The files on this drive appeared to have been
gram, we can scan the disks for data that was presum-       erased, and the drive was formatted. Yet another drive
ably deleted by the drive’s original owner prior to dis-    contained 39 credit card numbers in a database file that
posing of the drive. The results are illuminating: with     included the correct type of credit card, and still an-
the exception of the cleared disks (all blocks zeroed),     other had a credit card number in a cached Web page
practically every disk had significant numbers of de-        URL. The URL is a ‘GET’-type HTTP form that was
leted directories and files that are recoverable. Even       submitted to an e-commerce site; it contained all of the
the 28 disks with many undeleted files contained sig-        address and expiration information necessary to exe-
nificant numbers of deleted-but-recoverable directories      cute an e-commerce transaction. Finally, another drive
and files as well. A close examination of the deleted files   had 21 credit card numbers in a file.
indicates that, in general, users deleted data files, but         We also wrote a program that searches for RFC
left application files intact.                               mail headers. Of the 129 drives analyzed, 66 drives had
                                                            more than five email messages. We use this threshold
Recovered Data                                              because some programs, such as Netscape Navigator,
Some of the information we found in these files              include a few welcome emails upon installation. One
included:                                                   drive in our batch contained almost 9,500 email mes-
                                                            sages, dated from 1999 through 2001. In all, 17 drives
■    Corporate memoranda pertaining to personnel            had more than 100 email messages and roughly 20
     issues                                                 drives had between 20 and 100 email messages. During
■    A letter to the doctor of a 7-year-old child from      this analysis, we only investigated the messages’ subject
     the child’s father, complaining that the treatment     headers; contents seemed to vary from typical spam to
     for the child’s cancer was unsatisfactory              grievances about retroactive pay.
■    Fax templates for a California children’s hospital
     (we expect that additional analysis of this drive
                                                            UNDERSTANDING DOS FORMAT
     will yield medically sensitive information)
■    Love letters                                           It’s not clear if the 52 formatted drives were formatted
■    Pornography                                            to sanitize the data or if they were formatted to deter-
                                        CHAPTER 12 PRIVACY AND SURVEILLANCE                                     317

mine their condition and value for sale on the second-        Many routine email messages also contain medically
ary market.                                                   sensitive information that should not be disclosed. If an
     In many interviews, users said that they believed        employee sends a message to his boss saying that he’ll
DOS and Windows format commands would prop-                   miss a meeting because he has a specific problem re-
erly remove all hard drive data. This belief seems rea-       quiring a doctor visit, for example, he has created a
sonable, as the DOS and Windows format commands               record of his medical condition in the corporate email
specifically warn users that “ALL DATA ON NON-                 system.
REMOVABLE DISK DRIVE C: WILL BE LOST”                             Third, our study indicates that the secondary hard-
when a computer is booted from floppy and the user             disk market is almost certainly awash in information
attempts a format C: command. This warning might              that is both sensitive and confidential.
rightly be seen as a promise that using the format com-           Based on our findings, we make the following
mand will in fact remove all of the disk drive’s data.        recommendations:
     Many users were surprised when we told them that
the format command does not erase all of the disk’s in-       ■   Users must be educated about the proper tech-
formation. As our taxonomy indicates, most operating              niques for sanitizing disk drives.
system format commands only write a minimal disk file          ■   Organizations must adopt policies for properly
system; they do not rewrite the entire disk. To illustrate        sanitizing drives on computer systems and storage
this assertion, we took a 10-Gbyte hard disk and filled            media that are sold, destroyed, or repurposed.
every block with a known pattern. We then initialized         ■   Operating system vendors should include system
a disk partition using the Windows 98 FDISK com-                  tools that securely delete files, and clear slack
mand and formatted the disk with the format com-                  space and entire disk drives.
mand. After each step, we examined the disk to deter-
mine the number of blocks that had been written.              ■   Future operating systems should be capable of au-
     Despite warnings from the operating system to the            tomatically sanitizing deleted files. They should
contrary, the format command overwrites barely more               also be equipped with background processes that
than 0.1 percent of the disk’s data. Nevertheless, the            automatically sanitize disk sectors that the operat-
command takes more than eight minutes to do its job               ing system is not currently using.
on the 10-Gbyte disk—giving the impression that the           ■   Vendors should encourage the use of encrypting
computer is actually overwriting the data. In fact, the           file systems to minimize the data sanitization
computer is attempting to read all of the drive’s data so         problem.
it can build a bad-block table. The only blocks that are      ■   Disk-drive vendors should equip their drives with
actually written during the format process are those              tools for rapidly or even instantaneously remov-
that correspond to the boot blocks, the root directory,           ing all disk-drive information. For example, they
the file allocation table, and a few test sectors scattered        could equip a disk drive with a cryptographic
throughout the drive’s surface.                                   subsystem that automatically encrypts every disk
     Although 158 disk drives might seem like a lot, it’s         block when the block is written, and decrypts the
a tiny number compared to the number of disk drives               block when it is read back. Users could then ren-
that are sold, repurposed, and discarded each year. As a          der the drive’s contents unintelligible by securely
result, our findings and statistics are necessarily qualita-       erasing the key.13
tive, not quantitative. Nevertheless, we can draw a few
conclusions.                                                      With several months of work and relatively little fi-
     First, people can remove confidential information         nancial expenditure, we were able to retrieve thousands
from disk drives before they discard, repurpose, or sell      of credit card numbers and extraordinarily personal
them on the secondary market. Moreover, freely avail-         information on many individuals. We believe that the
able tools make disk sanitization easy.                       lack of media reports about this problem is simply be-
     Second, the current definition of “medical rec-           cause, at this point, few people are looking to repur-
ords” might not be broad enough to cover the range of         posed hard drives for confidential material. If sanitiza-
medically sensitive information in the home and work          tion practices are not significantly improved, it’s only a
environment. For example, we found personal letters           matter of time before the confidential information on
containing medically sensitive information on a com-          repurposed hard drives is exploited by individuals and
puter that previously belonged to a software company.         organizations that would do us harm.

NOTES                                                                7. California v. Greenwood, 486 U.S. 35, 16 May 1988.
                                                                     8. U.S. Department of Defense, “Cleaning and Sanitization
1. J. Hasson, “V.A. Toughens Security after PC Disposal Blun-           Matrix,” DOS 5220.22-M, Washington, D.C., 1995;
   ders,” Federal Computer Week, 26 Aug. 2002;   
   fcw/articles/2002/0826/news-va-08-26-02.asp.                      9. P. Gutmann, “Secure Deletion of Data from Magnetic and
2. M. Villano, “Hard-Drive Magic: Making Data Disappear                 Solid-State Memory,” Proc. Sixth Usenix Security Symp.,
   Forever,” New York Times, 2 May 2002.                                Usenix Assoc., 1996; pgut001/
3. J. Lyman, “Troubled Dot-Coms May Expose Confidential                  pubs/secure_del.html.
   Client Data,” NewsFactor Network, 8 Aug. 2001;          10. Ibid.                                11. T. Vier, “Wipe 2.1.0,” 14 Aug. 2002; http://sourceforge
4. J. Markoff, “Patient Files Turn Up in Used Computer,” New            .net/projects/wipe.
   York Times, 4 Apr. 1997.                                         12. D. Millar, “Clean Out Old Computers Before Selling/
5. S. Berinato, “Good Stuff Cheap,” CIO, 15 Oct. 2002,                  Donating,” June 1997;
   pp. 53 –59.                                                          security/advisories/oldcomputers.html.
6. National Computer Security Center, “A Guide to Under-            13. G. Di Crescenzo et al., “How to Forget a Secret,” Sympo-
   standing Data Remanence in Automated Information Sys-                sium Theoretical Aspects in Computer Science (STACS 99), Lec-
   tems,” Library No. 5-236,082, 1991, NCSC-TG-025; www                 ture Notes in Computer Science, Springer-Verlag, Berlin,                1999, pp. 500 –509.

                                    REL ATED LINKS

                                    ■    AutoClave (
                                    ■    CyberScrub (
                                    ■    Wipe (
                                    ■    Disk and File Shredders: A Comparison (
                                    ■    Simson Garfinkel’s blog (

                                    FOR FURTHER RESEARCH

                                    To find out more about the topics discussed in this reading, use InfoTrac College Edition. Type
                                    in keywords and subject terms such as “disk sanitization,” “drive reformatting and overwrit-
                                    ing,” and “data confidentiality.” You can access InfoTrac College Edition from the Wadsworth/
                                    Thomson Communication Café homepage:

Reading 12-2

In Defense of the Delete Key
James M. Rosenbaum


The computer delete key doesn’t really do its job. Allegedly erased files are merely removed from sight, not from your hard
drive. As a result, a growing number of individuals and corporations, from Monica Lewinsky to Microsoft, are finding them-
selves liable for acts never committed, only expressed. Once expressed electronically, however, ideas and desires seem to take on
                                           CHAPTER 12 PRIVACY AND SURVEILLANCE                                               319

a life of their own— often times well beyond the author’s actual intent. In this short but eloquent plea, James M. Rosenbaum,
a federal district court judge for the District of Minnesota, argues that because we are not free to make mistakes online or retract
messages once sent, we are gradually enforcing “a dangerous self-censorship over our ideas and expressions.”


1. Do you agree with Judge Rosenbaum that the computer delete key represents an “elaborate deception”?
   Should anything be done to change its operation?
2. How would individuals and companies be protected if the courts recognized cyber trash, “the stuff which, in
   less electronic times, would have been wadded up and thrown into a wastebasket”?
3. What is lost, in a digital age, when an increasing number of passing comments uttered electronically are for-
   ever archived?

It is becoming widely known that a computer’s delete                they had moved past this tacky, but probably innocent,
key represents an elaborate deception. The decep-                   moment, it was truly gone.
tion is pure, and inheres in the key’s name: When the                    Their words either vanished into the air, or the
delete key is used, nothing is deleted.1 It is now clear            note was wadded up and thrown into a wastebasket.
that relatively simple devices can recover almost every-            From there, the note was removed to a “delete” device
thing that has been “deleted.” This durability of com-              called an incinerator. Once there, it was destroyed for-
puterized material compounds itself, because once a                 ever. The computer, and its evil spawn the e-mail, have
computer file is generated—let alone disseminated                    ended this earlier time forever. For many of us, e-mail
—internal and external copies proliferate. And each is              and the computer now substitute for those doorway
impervious to deletion.                                             conversations and those idle notes. But unlike those
      In practice, this once-arcane fact has spawned a              notes, they are not easily thrown away.
new legal industry: the mining of e-mails, computer                      In the computer, the conversation lingers, and the
files, and especially copies of hard drives to obtain de-            note persists. In my view, this is wrong.
leted material.
      Knowing these facts leads me to two thoughts: one,
we have now placed an electronic recording device                   A PRECEPT SOME THOUGHTS
over every office door; and two, we should not stand                 ON THE L AW
for it. Finally, I suggest a possible remedy.
                                                                    None of us is perfect. But the preservation and per-
                                                                    sistence of evidence of our imperfections does not
THE ELECTRONIC RECORDER                                             prove we are wrong, vile, venal, or even duplicitous.
                                                                    It just proves we are human—perhaps even farther
There was a time when people spoke casually “off                    beneath the angels than we might have wished—but
the record” amongst themselves. That time has passed.               lower nonetheless.
At this earlier time, two people could easily say some-                  Today, legal discovery deep-sea fishes for snippets
thing— even, perhaps, something politically incorrect               of deleted e-mails and deleted files in search of proof
—simply between themselves. They might even have                    of imperfections. And the fish which are caught are
exchanged nasty notes between themselves. And when                  thrown, as proof, into courtrooms throughout the land.
                                                                    In my view, they are just fish, and as valueless as the
From “In Defense of the Delete Key” by James M. Rosen-              same fish might be if allowed to rot as long as the finally
baum, The Green Bag, An Entertaining Journal of Law, Sum-           recovered file has been deleted.
mer 2000, pp. 393 –396. Copyright © 2000 by James M.                     Sometimes people just have bad ideas, or might just
Rosenbaum.                                                          pass an idle—if imperfect—thought. This does not

mean the person is vile. Mere evidence that a person           does anyone believe that people are “thinking” more
who has done “A,” but once expressed “B,” does not             perfect thoughts simply because they are increasingly
prove that the person is lying or deceitful. The fallacy       reluctant to express them? I seriously doubt it.
in the “truth” of the recovered e-mail or computer file              We are, instead, enforcing a dangerous self-
is that it might just have been a bad idea, properly re-       censorship over our ideas and expressions. And we do
jected, and consigned to an imperfectly labeled waste-         not restrict this censorship to ourselves. Businesses and
basket. The problem is that on the computer’s hard             organizations regularly adopt restrictions on the words
drive, it looks like more.                                     and ideas which can be input into the company’s or
     The second part of the fallacy is the almost univer-      organization’s computers. Why? Because of the inter-
sal—and I argue almost universally wrong—idea that             section of legal developments and technology.
finding this deleted material is the electronic equiva-              Once upon a time, liability was based on objective
lent of finding the inculpatory “second set of books.”          acts done or omitted. Did the person threaten violence
The evil of the second set of books lies not in the fact       (assault); did he or she strike a victim (battery); did
of their conception, but that they were used. The fact         he or she fail to act reasonably under the circumstances
that one conceives of something— even something im-            (negligence)? If so, the actor was liable for the con-
proper— does not necessarily mean it was acted upon.           sequent act. Unless the actor’s intentions were objec-
     The preservation and discovery of computer-               tively manifest, however, no liability accrued. In the
deleted material has forced companies and prudent              1950s, the song “Standing on the Corner” was correct:
individuals to severely curtail the practice of using          “Brother, you can’t go to jail for what you’re thinking,
e-mails for all but the most innocuous materials. Any          or for the ‘oooh’ look in your eye. You’re only stand-
other course of action subjects the computer user to           ing on the corner, watching all the girls go by.”
long term liability for idle thoughts.                              This is, unquestionably, a new century. And since
                                                               the end of the last, the song’s proposition has been
                                                               somewhat modified. At least in some cases, there has
THE L ARGER RISK                                               been a shift to subjective proof. In these areas, courts
                                                               and the law consider the recipient’s perception of the
In some ways, the greater risk in the preservation and         actor’s behavior. But even here, purely subjective views
discovery of computerized material lies in the knowl-          do not alone suffice—there must be some outward
edge that things will not be expressed, and ideas will         manifestation of the impure thoughts.
not be exchanged, out of a pernicious—but valid—                    Into this classic legal environment comes the com-
fear that their mere expression will be judged tanta-          puter. It never forgets, and never forgives. An idle
mount to the act. This is dangerous indeed.                    thought “jotted” onto a calendar, a tasteless joke passed
     One of the United States Constitution’s many ge-          to a once-trusted friend, a suggestive invitation di-
niuses lies in its lofty protection of free speech. Legally,   rected at an uninterested recipient, if done electroni-
it protects the speaker only from state rather than pri-       cally, will last forever. Years later, it can subject its au-
vate regulation. But the Constitution’s words express          thor to liability.
a higher ideal: The First Amendment’s premise is that
a society is freer and in less danger when the wrong,
the venal, the potentially evil is expressed and subjected     A PROPOSAL
to the light of day and to the “marketplace of ideas.”
Conversely, but importantly, is the negative concept:          While recognizing the difficulties inherent in such a
the marketplace of ideas and expression is impover-            suggestion, I recommend a cyber statute of limitations.
ished and demeaned when it is deprived of ideas which          This limitation recognizes that even the best humans
may be discussed and tested, and ultimately, perhaps,          may have a somewhat less than heavenly aspect. It ac-
rejected. Knowledge of the computer’s awesome power            knowledges that anyone is entitled to make a mistake
to always remember, and never forget, a bad idea once          and to think a less than perfect thought. I suggest that,
expressed erodes and endangers this powerful concept.          barring a pattern of egregious behavior, or an objec-
     People who recognize that whatever you say on a           tive record of systematic conduct—absent, if you will,
computer “can and will be used against you,” prudently         a real “second set of books”—that the courts recognize
avoid saying anything “dangerous” via computer. But            the existence of cyber trash. This is the stuff, which, in
                                          CHAPTER 12 PRIVACY AND SURVEILLANCE                                                321

less electronic times, would have been wadded up and              penalizes a momentary failing, cannot operate in the
thrown into a wastebasket. This is what the delete                real world.
button was meant for, and why pencils still have erasers.
     The length of this cyber statute of limitations can
be set as arbitrarily as any other. In light of the free ex-      THE ULTIMATE FL AW
pression risks I perceive, I suggest the length should be
short—perhaps 6 months for an isolated message. If                This suggestion recognizes that the computer is, itself,
an idea was merely a lousy one, or was an isolated cy-            flawed. Its permanent memory is a flaw which under-
ber utterance, and the actor/author did not objectively           mines its value and endangers its users. Its inability to
manifest some untoward behavior, he or she would be               forget weakens and undermines the very ideas it per-
considered presumptively human, and—at least for                  manently holds. The real flaw is that the computer lies:
the law’s purposes—delete would mean delete. If, to               it lies when it says delete. This mechanical lie ought
the contrary, there was an objective continuation of the          not to debase and degrade the humans who are, and
challenged conduct, or a continuing pattern of wrong-             ought to be, its master.
ful acts, the cyber statute of limitations would be tolled
as any other.
     This suggestion is feasible. Computers internally
record the date on which a “document” was created.
                                                                  1. For those with little knowledge, and less interest, a com-
Once the limitations period has passed, documents
                                                                     puter’s delete key acts somewhat like a thief who steals a card
should be legally consigned to the cyber wastebasket.
                                                                     from the old library’s card file. When the card was in place,
     My solution is imperfect. But so are humans. If                 the librarian could decode the library’s filing system and find
perfect recall defines perfection, computers have                     the book. If the card was gone, or unreadable, the book was
achieved it. But their operators have not achieved it                still in the library, but it could no longer be found amidst the
with them, and humans are unlikely to do so. A legal                 library’s stacked shelves. In a computer, the “lost” book can
system which demands human perfection, and which                     be found with very little effort.

                                  REL ATED LINKS

                                  ■   Daemon Seed: Old E-mail Never Dies (
                                  ■   The Green Bag: An Entertaining Journal of Law (
                                  ■   PC-Webopedia: Delete Key ( TERM/D/Delete_key.html)
                                  ■   Send Those Computer Files to the Shredder (
                                      type Article&oldid ZZZY9DVV6MC)

                                  FOR FURTHER RESEARCH

                                  To find out more about the topics discussed in this reading, use InfoTrac College Edition. Type
                                  in keywords and subject terms such as “delete key,” “e-mail lawsuits,” and “digital evidence.”
                                  You can access InfoTrac from the Wadsworth/ Thomson Communication Café homepage:

Reading 12-3

Privacy and the New Technology:
What They Do Know Can Hurt You
Simson Garfinkel


Privacy is under siege from all sides. Over the next 50 years, we will see new types of privacy invasions that find their roots in
advanced technology and unbridled information exchange, including the selling of medical records and biological information.
That’s the assessment of Simson Garfinkel in this excerpt from Database Nation: The Death of Privacy in the 21st
Century. Threats to privacy can be tamed, he argues, by being careful and informed consumers, involving government in the
privacy fight, and stepping up our personal privacy protection efforts.


1. Why does Garfinkel think that the term “privacy” falls short of conveying the myriad ways in which tech-
   nology undermines individual autonomy and self-integrity?
2. Many people today say that in order to enjoy the benefits of modern society, we must give up some degree
   of personal privacy. Do you agree? Why or why not?
3. Should government get involved in the privacy fight and, if so, how? Or would it be better to leave issues of
   individual freedom to individual citizens?

You wake to the sound of a ringing telephone—but                   hospital you visited last month. “We’re pleased that
how could that happen? Several months ago, you re-                 our emergency room could serve you in your time of
programmed your home telephone system so it would                  need,” the letter begins. “As you know, our fees (based
never ring before the civilized hour of 8 am. But it’s             on our agreement with your HMO) do not cover the
barely 6:45. Who was able to bypass your phone’s                   cost of treatment. To make up the difference, a num-
programming?                                                       ber of hospitals have started selling patient records to
    You pick up the receiver, then slam it down a                  medical researchers and consumer-marketing firms.
moment later. It’s one of those marketing machines                 Rather than mimic this distasteful behavior, we have
playing a recorded message. What’s troubling you now               decided to ask you to help us make up the difference.
is how this call got past the filters you set up. Later             We are recommending a tax-deductible contribution
on you’ll discover how: The company that sold you                  of $275 to help defray the cost of your visit.”
the phone created an undocumented “back door”; last                    The veiled threat isn’t empty, but you decide you
week, the phone codes were sold in an online auction.              don’t really care who finds out about your sprained
    Now that you’re awake, you decide to go through                wrist. You fold the letter in half and drop it into your
yesterday’s mail. There’s a letter from the neighborhood           shredder. Also into the shredder goes a trio of low-
                                                                   interest credit-card offers. Why a shredder? A few years
                                                                   ago you would never have thought of shredding your
Reprinted with permission from Database Nation: The Death of
Privacy in the 21st Century by Simson Garfinkel (Sebastopol, CA:    junk mail—until a friend in your apartment complex
O’Reilly & Associates, 2000). Copyright © 2000, O’Reilly &         had his identity “stolen” by the building’s superintend-
Associates, Inc. All rights reserved. Orders and Information:      ent. As best as anybody can figure out, the super picked
(800) 998-9938, As edited and published by        one of those preapproved credit-card applications out
The Nation, February 28, 2000.                                     of the trash, called the toll-free number and picked up
                                        CHAPTER 12 PRIVACY AND SURVEILLANCE                                      323

the card when it was delivered. He’s in Mexico now,           lion each year from collecting and distributing personal
with a lot of expensive clothing and electronics, all at      information.
your friend’s expense.                                             Today the Internet is compounding our privacy
      On that cheery note, you grab your bag and head         conundrum—largely because the voluntary approach
out the door, which automatically locks behind you.           to privacy protection advocated by the Clinton Ad-
      This is the future—not a far-off future but one         ministration doesn’t work in the rough and tumble
that’s just around the corner. It’s a future in which what    world of real business. For example, a study just re-
little privacy we now have will be gone. Some people          leased by the California HealthCare Foundation found
call this loss of privacy “Orwellian,” harking back to        that nineteen of the top twenty-one health Web sites
1984, George Orwell’s classic work on privacy and             have privacy policies, but most sites fail to follow them.
autonomy. In that book, Orwell imagined a future in           Not surprisingly, 17 percent of Americans questioned
which a totalitarian state used spies, video surveillance,    in a poll said they do not go online for health informa-
historical revisionism and control over the media to          tion because of privacy concerns.
maintain its power. But the age of monolithic state                But privacy threats are not limited to the Internet:
control is over. The future we’re rushing toward isn’t        Data from all walks of life are now being captured,
one in which our every move is watched and recorded           compiled, indexed and stored. For example, New York
by some all-knowing Big Brother. It is instead a fu-          City has now deployed the Metrocard system, which
ture of a hundred kid brothers who constantly watch           allows subway and bus riders to pay their fares by simply
and interrupt our daily lives. Orwell thought the Com-        swiping a magnetic-strip card. But the system also re-
munist system represented the ultimate threat to in-          cords the serial number of each card and the time and
dividual liberty. Over the next fifty years, we will see       location of every swipe. New York police have used
new kinds of threats to privacy that find their roots          this vast database to crack crimes and disprove alibis.
not in Communism but in capitalism, the free market,          Although law enforcement is a reasonable use of this
advanced technology and the unbridled exchange of             database, it is also a use that was adopted without any
electronic information.                                       significant public debate. Furthermore, additional con-
                                                              trols may be necessary: It is not clear who has access
                                                              to the database, under what circumstances that access is
WHAT DO WE MEAN BY PRIVACY?                                   given and what provisions are being taken to prevent
                                                              the introduction of false data into it. It would be ter-
The problem with this word “privacy” is that it falls         rible if the subway’s database were used by an employee
short of conveying the really big picture. Privacy isn’t      to stalk an ex-lover or frame an innocent person for a
just about hiding things. It’s about self-possession, au-     heinous crime.
tonomy and integrity. As we move into the computer-                “New technology has brought extraordinary ben-
ized world of the twenty-first century, privacy will be        efits to society, but it also has placed all of us in an
one of our most important civil rights. But this right of     electronic fishbowl in which our habits, tastes and ac-
privacy isn’t the right of people to close their doors and    tivities are watched and recorded,” New York State
pull down their window shades—perhaps because they            Attorney General Eliot Spitzer said in late January, in
want to engage in some sort of illicit or illegal activity.   announcing that Chase Manhattan had agreed to stop
It’s the right of people to control what details about        selling depositor information without clear permission
their lives stay inside their own houses and what leaks       from customers. “Personal information thought to be
to the outside.                                               confidential is routinely shared with others without our
     Most of us recognize that our privacy is at risk. Ac-    consent.”
cording to a 1996 nationwide poll conducted by Louis
Harris & Associates, 24 percent of Americans have
“personally experienced a privacy invasion.” In 1995          THE ROLE OF TECHNOLOGY
the same survey found that 80 percent felt that “con-
sumers have lost all control over how personal informa-       Today’s war on privacy is intimately related to the re-
tion about them is circulated and used by companies.”         cent dramatic advances in technology. Many people to-
Ironically, both the 1995 and 1996 surveys were paid          day say that in order to enjoy the benefits of modern
for by Equifax, a company that earns nearly $2 bil-           society, we must necessarily relinquish some degree of

privacy. If we want the convenience of paying for a         taking simple measures to protect their privacy, mea-
meal by credit card or paying for a toll with an elec-      sures like making purchases with cash and refusing to
tronic tag mounted on our rearview mirror, then we          provide their Social Security numbers— or providing
must accept the routine collection of our purchases and     fake ones. And a small but growing number of people
driving habits in a large database over which we have       are speaking out for technology with privacy. In 1990
no control. It’s a simple bargain, albeit a Faustian one.   Lotus and Equifax teamed up to create a CD-ROM
    This trade-off is both unnecessary and wrong. It        product called Lotus Marketplace: Households, which
reminds me of another crisis our society faced back in      would have included names, addresses and demo-
the fifties and sixties—the environmental crisis. Then,      graphic information on every household in the United
advocates of big business said that poisoned rivers and     States, so small businesses could do the same kind of
lakes were the necessary costs of economic develop-         target marketing that big businesses have been doing
ment, jobs and an improved standard of living. Poison       since the sixties. The project was canceled when more
was progress: Anybody who argued otherwise simply           than 30,000 people wrote to Lotus demanding that
didn’t understand the facts.                                their names be taken out of the database.
    Today we know better. Today we know that sus-               Similarly, in 1997 the press informed taxpayers
tainable economic development depends on preserving         that the Social Security Administration was making
the environment. Indeed, preserving the environment         detailed tax-history information about them available
is a prerequisite to the survival of the human race.        over the Internet. The SSA argued that its security
Without clean air to breathe and clean water to drink,      provisions—requiring that taxpayers enter their name,
we will all die. Similarly, in order to reap the benefits    date of birth, state of birth and mother’s maiden name
of technology, it is more important than ever for us to     —were sufficient to prevent fraud. But tens of thou-
use technology to protect personal freedom.                 sands of Americans disagreed, several U.S. senators
    Blaming technology for the death of privacy isn’t       investigated the agency and the service was promptly
new. In 1890 two Boston lawyers, Samuel Warren and          shut down. When the service was reactivated some
Louis Brandeis, argued in the Harvard Law Review that       months later, the detailed financial information in the
privacy was under attack by “recent inventions and          SSA’s computers could not be downloaded over the
business methods.” They contended that the pressures        Internet.
of modern society required the creation of a “right
of privacy,” which would help protect what they called
“the right to be let alone.” Warren and Brandeis re-        THE ROLE OF GOVERNMENT
fused to believe that privacy had to die for technology
to flourish. Today, the Warren/Brandeis article is re-       But individual actions are not enough. We need to in-
garded as one of the most influential law review articles    volve government itself in the privacy fight. The big-
ever published.                                             gest privacy failure of the U.S. government has been its
    Privacy-invasive technology does not exist in a         failure to carry through with the impressive privacy
vacuum, of course. That’s because technology itself         groundwork that was laid in the Nixon, Ford and
exists at a junction between science, the market and        Carter administrations. It’s worth taking a look back
society. People create technology to fill specific needs      at that groundwork and considering how it may serve
and desires. And technology is regulated, or not, as        us today.
people and society see fit. Few engineers set out to              The 1970s were a good decade for privacy protec-
build systems designed to crush privacy and auton-          tion and consumer rights. In 1970 Congress passed the
omy, and few businesses or consumers would willingly        Fair Credit Reporting Act, which gave Americans the
use or purchase these systems if they understood the        previously denied right to see their own credit reports
consequences.                                               and demand the removal of erroneous information. El-
                                                            liot Richardson, who at the time was President Nixon’s
                                                            Secretary of Health, Education and Welfare, created a
FIGHTING BACK                                               commission in 1972 to study the impact of computers
                                                            on privacy. After years of testimony in Congress, the
How can we keep technology and the free market              commission found all the more reason for alarm and
from killing our privacy? One way is by being careful       issued a landmark report in 1973.
and informed consumers. Some people have begun                   The most important contribution of the Richard-
                                       CHAPTER 12 PRIVACY AND SURVEILLANCE                                    325

son report was a bill of rights for the computer age,       base, to see the information and to demand that incor-
which it called the Code of Fair Information Practices.     rect information be removed.
The Code is based on five principles:                             In fact, while most people in the federal govern-
                                                            ment were ignoring the cause of privacy, some were
■   There must be no personal-data record-keeping           actually pursuing an anti-privacy agenda. In the early
    system whose very existence is secret.                  1980s, the government initiated numerous “computer
■   There must be a way for a person to find out             matching” programs designed to catch fraud and abuse.
    what information about the person is in a record        Unfortunately, because of erroneous data these pro-
    and how it is used.                                     grams often penalized innocent people. In 1994 Con-
                                                            gress passed the Communications Assistance to Law
■   There must be a way for a person to prevent in-
                                                            Enforcement Act, which gave the government dramatic
    formation about the person that was obtained for
                                                            new powers for wiretapping digital communications.
    one purpose from being used or made available
                                                            In 1996 Congress passed two laws, one requiring states
    for other purposes without the person’s consent.
                                                            to display Social Security numbers on driver’s licenses
■   There must be a way for a person to correct or          and another requiring that all medical patients in the
    amend a record of identifiable information about         United States be issued unique numerical identifiers,
    the person.                                             even if they pay their own bills. Fortunately, the imple-
■   Any organization creating, maintaining, using or        mentation of those 1996 laws has been delayed, thanks
    disseminating records of identifiable personal data      largely to a citizen backlash and the resulting inaction
    must assure the reliability of the data for their in-   by Congress and the executive branch.
    tended use and must take precautions to prevent              Continuing the assault, both the Bush and Clinton
    misuse of the data.                                     administrations waged an all-out war against the rights
                                                            of computer users to engage in private and secure com-
     The biggest impact of the Richardson report wasn’t     munications. Starting in 1991, both administrations
in the United States but in Europe. In the years after      floated proposals for use of “Clipper” encryption sys-
the report was published, practically every European        tems that would have given the government access to
country passed laws based on these principles. Many         encrypted personal communications. Only recently did
created data-protection commissions and commission-         the Clinton Administration finally relent in its seven-
ers to enforce the laws. Some believe that one reason       year war against computer privacy. President Clinton
for Europe’s interest in electronic privacy was its ex-     also backed the Communications Decency Act (CDA),
perience with Nazi Germany in the 1930s and 1940s.          which made it a crime to transmit sexually explicit
Hitler’s secret police used the records of governments      information to minors—and, as a result, might have
and private organizations in the countries he invaded       required Internet providers to deploy far-reaching
to round up people who posed the greatest threat to         monitoring and censorship systems. When a court
German occupation; postwar Europe realized the dan-         in Philadelphia found the CDA unconstitutional, the
ger of allowing potentially threatening private infor-      Clinton Administration appealed the decision all the
mation to be collected, even by democratic govern-          way to the Supreme Court—and lost.
ments that might be responsive to public opinion.
     But here in the United States, the idea of insti-
tutionalized data protection faltered. President Jimmy
                                                            PROTECTING PRIVACY
Carter showed interest in improving medical privacy,
but he was quickly overtaken by economic and politi-
                                                            One important step toward reversing the current di-
cal events. Carter lost the election of 1980 to Ronald
                                                            rection of government would be to create a permanent
Reagan, whose aides saw privacy protection as yet an-
                                                            federal oversight agency charged with protecting pri-
other failed Carter initiative. Although several privacy-
                                                            vacy. Such an agency would:
protection laws were signed during the Reagan/Bush
era, the leadership for these bills came from Congress,     ■   Watch over the government’s tendency to sac-
not the White House. The lack of leadership stifled any          rifice people’s privacy for other goals and per-
chance of passing a nationwide data-protection act.             form government-wide reviews of new federal
Such an act would give people the right to know if              programs for privacy violations before they’re
their name and personal information is stored in a data-        launched.

■    Enforce the government’s few existing privacy           damental rights offered to consumers under the FCRA.
     laws.                                                   When negative information is reported to a credit bu-
■    Be a guardian for individual privacy and liberty in     reau, the business making that report should be re-
     the business world, showing businesses how they         quired to notify the subject of the report—the con-
     can protect privacy and profits at the same time.        sumer—in writing. Laws should be clarified so that if
                                                             a consumer-reporting company does not correct erro-
■    Be an ombudsman for the American public and
                                                             neous data in its reports, consumers can sue for real
     rein in the worst excesses that our society has
                                                             damages, punitive damages and legal fees.
                                                                  Further, we need laws that require improved com-
     Some privacy activists scoff at the idea of using       puter security. In the eighties the United States ag-
government to assure our privacy. Governments, they          gressively deployed cellular-telephone and alphanu-
say, are responsible for some of the greatest privacy vio-   meric-pager networks, even though both systems were
lations of all time. This is true, but the U.S. govern-      fundamentally unsecure. Instead of deploying secure
ment was also one of the greatest polluters of all time.     systems, manufacturers lobbied for laws that would
Today the government is the nation’s environmental           make it illegal to listen to the broadcasts. The results
police force, equally scrutinizing the actions of private    were predictable: dozens of cases in which radio trans-
business and the government itself.                          missions were eavesdropped. We are now making
     At the very least, governments can alter the devel-     similar mistakes in the prosecution of many Internet
opment of technology that affects privacy. They have         crimes, going after the perpetrator while refusing to
done so in Europe. Consider this: A growing number           acknowledge the liabilities of businesses that do not
of businesses in Europe are offering free telephone calls    even take the most basic security precautions.
—provided that the caller first listens to a brief adver-          We should also bring back the Office of Technol-
tisement. The service saves consumers money, even if         ogy Assessment, set up under a bill passed in 1972. The
it does expose them to a subtle form of brainwashing.        OTA didn’t have the power to make laws or issue regu-
But not all these services are equal. In Sweden both the     lations, but it could publish reports on topics Congress
caller and the person being called are forced to listen      asked it to study. Among other things, the OTA con-
to the advertisement, and the new advertisements are         sidered at length the trade-offs between law enforce-
played during the phone call itself. But Italy’s privacy     ment and civil liberties, and it also looked closely at
ombudsman ruled that the person being called could           issues of worker monitoring. In total, the OTA pub-
not be forced to listen to the ads.                          lished 741 reports, 175 of which dealt directly with
     The Fair Credit Reporting Act was a good law in         privacy issues, before it was killed in 1995 by the newly
its day, but it should be upgraded into a Data Pro-          elected Republican-majority Congress.
tection Act. Unfortunately, the Federal Trade Com-                Nearly forty years ago, Rachel Carson’s book Silent
mission and the courts have narrowly interpreted the         Spring helped seed the U.S. environmental movement.
FCRA. The first thing that is needed is legislation           And to our credit, the silent spring that Carson foretold
that expands it into new areas. Specifically, consumer-       never came to be. Silent Spring was successful because it
reporting firms should be barred from reporting arrests       helped people to understand the insidious damage that
unless those arrests result in convictions. Likewise,        pesticides were wreaking on the environment, and it
consumer-reporting firms should not be allowed to re-         helped our society and our planet to plot a course to a
port evictions unless they result in court judgments in      better future.
favor of the landlord or a settlement in which both the           Today, technology is killing one of our most cher-
landlord and tenant agree that the eviction can be re-       ished freedoms. Whether you call this freedom the
ported. Companies should be barred from exchanging           right to digital self-determination, the right to infor-
medical information about individuals or furnishing          mational autonomy, or simply the right to privacy, the
medical information as part of a patient’s report with-      shape of our future will be determined in large part by
out the patient’s explicit consent.                          how we understand, and ultimately how we control or
     We also need new legislation that expands the fun-      regulate, the threats to this freedom that we face today.
                                          CHAPTER 12 PRIVACY AND SURVEILLANCE                                             327

                                   REL ATED LINKS

                                   ■    Center for Democracy and Technology (
                                   ■    Echelon Watch (
                                   ■    Electronic Frontier Foundation (
                                   ■    Global Internet Liberty Campaign (

                                   FOR FURTHER RESEARCH

                                   To find out more about the topics discussed in this reading, use InfoTrac College Edition. Type
                                   in keywords and subject terms such as “privacy invasion,” “electronic databases,” and “privacy
                                   protection.” You can access InfoTrac from the Wadsworth/ Thomson Communication Café

Reading 12-4

The Challenge of an Open Society
David Brin


Fifteen minutes into the future, society faces a dilemma. The proliferation of surveillance cameras and recording equipment—
so-called “snoop technology”—has vanquished crime but at the expense of unprecedented monitoring of public spaces and pri-
vate places. David Brin argues in this excerpt from The Transparent Society that early in the 21st century, we will confront
a troubling choice: live free but under constant scrutiny on the one hand, or retain our supposed privacy while relying on the
authorities to responsibly monitor society on the other.


1. Given the choice between Brin’s two mythical cities, which would be a more desirable place to live,
   and why?
2. What central issue will the citizens of countless 21st century communities have to confront, according
   to Brin?
3. Why does Brin consider accountability to be the keystone of Western civilization’s success?

    You’re wondering why I’ve called you here. The reason is simple. To answer all your questions. I mean—all. This is the
    greatest news of our time. As of today, whatever you want to know, provided it’s in the data-net, you can know. In other
    words, there are no more secrets.
         —John Brunner, The Shockwave Rider, 1974

This is a tale of two cities. Cities of the near future, say      use his or her wristwatch television to call up images
ten or twenty years from now.                                     from any camera in town.
     Barring something unforeseen, you are apt to be                   Here a late-evening stroller checks to make sure no
living in one of these two places. Your only choice may           one lurks beyond the corner she is about to turn.
be which one.                                                          Over there a tardy young man dials to see if his
     At first sight, these two municipalities look pretty          dinner date still waits for him by a city fountain.
much alike. Both contain dazzling technological mar-                   A block away, an anxious parent scans the area to
vels, especially in the realm of electronic media. Both           find which way her child wandered off.
suffer familiar urban quandaries of frustration and de-                Over by the mall, a teenage shoplifter is taken into
cay. If some progress is being made in solving human              custody gingerly, with minute attention to ritual and
problems, it is happening gradually. Perhaps some kids            rights, because the arresting officer knows that the
seem better educated. The air may be marginally                   entire process is being scrutinized by untold numbers
cleaner. People still worry about overpopulation, the             who watch intently, lest her neutral professionalism
environment, and the next international crisis.                   lapse.
     None of these features is of interest to us right now,            In city number two, such microcameras are banned
for we have noticed something about both of these                 from some indoor places . . . but not from police head-
twenty-first century cities that is radically different. A         quarters! There any citizen may tune in on bookings,
trait that marks them as distinct from any metropolis of          arraignments, and especially the camera control room
the late 1990s.                                                   itself, making sure that the agents on duty look out for
     Street crime has nearly vanished from both towns.            violent crime, and only crime.
But that is only a symptom, a result.                                  Despite their initial similarity, these are very differ-
     The real change peers down from every lamppost,              ent cities, representing disparate ways of life, com-
every rooftop and street sign.                                    pletely opposite relationships between citizens and
     Tiny cameras, panning left and right, survey traffic          their civic guardians. The reader may find both situa-
and pedestrians, observing everything in open view.               tions somewhat chilling. Both futures may seem unde-
     Have we entered an Orwellian nightmare? Have                 sirable. But can there be any doubt which city we’d
the burghers of both towns banished muggings at the               rather live in, if these two make up our only choice?
cost of creating a Stalinist dystopia?
     Consider city number one. In this place, all the
myriad cameras report their urban scenes straight to              TECHNOLOGY’S VERDICT
Police Central, where security officers use sophisti-
cated image processors to scan for infractions against            Alas, they do appear to be our only options. For the
public order— or perhaps against an established way of            cameras are on their way, along with data networks that
thought. Citizens walk the streets aware that any word            will send a myriad images flashing back and forth,
or deed may be noted by agents of some mysterious                 faster than thought.
bureau.                                                                In fact, the future has already arrived. The trend
     Now let’s skip across space and time.                        began in Britain a decade ago, in the town of King’s
     At first sight, things seem quite similar in city num-        Lynn, where sixty remote-controlled video cameras
ber two. Again, ubiquitous cameras perch on every                 were installed to scan known “trouble spots,” report-
vantage point. Only here we soon find a crucial differ-            ing directly to police headquarters. The resulting re-
ence. These devices do not report to the secret police.           duction in street crime exceeded all predictions; in or
Rather, each and every citizen of this metropolis can             near zones covered by surveillance, crime dropped to
                                                                  one-seventieth of the former rate. The savings in patrol
                                                                  costs alone paid for the equipment in a few months.
From “The Challenge of an Open Society,” in The Transparent       Dozens of cities and towns soon followed the example
Society: Freedom vs. Privacy in a City of Glass Houses by David   of King’s Lynn. Glasgow, Scotland, reported a 68 per-
Brin. Copyright © 1998 by G. David Brin. Reprinted by per-        cent drop in crime citywide, while police in Newcas-
mission of Perseus Books Publishers, a member of Perseus          tle fingered over 1,500 perpetrators with taped evi-
Books, LLC.                                                       dence. (All but seven pleaded guilty, and those seven
                                        CHAPTER 12 PRIVACY AND SURVEILLANCE                                       329

were later convicted.) In May 1997, Newcastle soccer              Some of the same parents are less happy about the
fans rampaged through downtown streets. Detectives           lensed pickups that are sprouting in their own work-
studying video tapes picked out 152 faces and pub-           places, enabling supervisors to tune in on them in the
lished 80 photographs in local newspapers. In days, all      same way they use Kindercam to check up on their
were identified.                                              kids.
     Today, over 300,000 cameras are in place through-            That is, if they notice the cameras at all. At present,
out the United Kingdom, transmitting round-the-              engineers can squeeze the electronics for a video unit
clock images to a hundred constabularies [police             into a package smaller than a sugar cube. Complete sets
stations], all of them reporting decreases in public mis-    half the size of a pack of cigarettes were recently
conduct. Polls report that the cameras are extremely         offered for sale by the Spy Shop, a little store in
popular with citizens, though British civil libertarian      New York City located two blocks from the United
John Wadham and others have bemoaned this prolifer-          Nations [see
ation of snoop technology, claiming, “It could be used       .html]. Meanwhile, units with radio transmitters are
for any other purpose, and of course it could be             being disguised in clock radios, telephones, and toast-
abused.”                                                     ers, as part of the burgeoning “nannycam” trend. So
     Visitors to Japan, Thailand, and Singapore will see     high is demand for these pickups, largely by parents
that other countries are rapidly following the British       eager to check on their babysitters, that just one firm
example, using closed circuit television (CCTV) to su-       in Orange County, California, has recently been sell-
pervise innumerable public areas.                            ing from five hundred to one thousand disguised cam-
     This trend was slower coming to North America,          eras a month. By the end of 1997, prices had dropped
but it appears to be taking off. After initial experiments   from $2,500 to $399.
garnered widespread public approval, the City of Bal-             Cameras aren’t the only surveillance devices prolif-
timore put police cameras to work scanning all 106           erating in our cities. Starting with Redwood City, near
downtown intersections. In 1997, New York City be-           San Francisco, several police departments have begun
gan its own program to set up twenty-four-hour re-           lacing neighborhoods with sound pickups that transmit
mote surveillance in Central Park, subway stations, and      directly back to headquarters. Using triangulation
other public places.                                         techniques, officials can now pinpoint bursts of gunfire
     No one denies the obvious and dramatic short-           and send patrol units swiftly to the scene, without hav-
term benefits derived from this early proliferation of        ing to wait for vague telephone reports from neigh-
surveillance technology. That is not the real issue. In      bors. In 1995 the Defense Department awarded a $1.7
the long run, the sovereign folk of Baltimore and            million contract to Alliant Techsystems for its proto-
countless other communities will have to make the            type system secures, which tests more advanced sound
same choice as the inhabitants of our two mythical           pickup networks in Washington and other cities. The
cities. Who will ultimately control the cameras?             hope is to distinguish not only types of gunfire but also
     Consider a few more examples.                           human voices crying for help.
     How many parents have wanted to be a fly on the               So far, so good. But from there, engineers say it
wall while their child was at day care? This is now pos-     would be simple to upgrade the equipment, enabling
sible with a new video monitoring system known               bored monitors to eavesdrop through open bedroom
as Kindercam, linked to high-speed telephone lines and       windows on cries of passion, or family arguments. “Of
a central Internet server. Parents can log on, type          course we would never go that far,” one official said,, enter their password, and access          reassuringly.
a live view of their child in day care at any time, from          Consider another piece of James Bond apparatus
anywhere in the world. Kindercam will be installed in        now available to anyone with ready cash. Today, almost
two thousand day care facilities nationwide by the end       any electronics store will sell you night vision goggles
of 1998. Mothers on business trips, fathers who live out     using state-of-the-art infrared optics equal to those is-
of state, even distant grandparents can all “drop in” on     sued by the military, for less than the price of a video
their child daily. Drawbacks? Overprotective parents         camera. Agema Systems, of Syracuse, New York, has
may check compulsively. And now other parents can            sold several police departments imaging devices that
observe your child misbehaving!                              can peer into houses from the street, discriminate the

heat given off by indoor marijuana cultivators, and          locate its mobile subscribers within a few hundred me-
sometimes tell if a person inside moves from one room        ters. This aided several police investigations. But civil
to the next. Military and civilian enhanced vision tech-     libertarians expressed heated concern, especially since
nologies now move in lockstep, as they have in the           identical technology is used worldwide.
computer field for years.                                          The same issues arise when we contemplate the
     In other words, even darkness no longer guarantees      proliferation of vast databases containing information
privacy.                                                     about our lives, habits, tastes, and personal histories.
     Nor does your garden wall. In 1995, Admiral             The cash register scanners in a million supermarkets,
William A. Owens, then vice chairman of the Joint            video stores, and pharmacies already pour forth a flood
Chiefs of Staff, described a sensor system that he ex-       of statistical data about customers and their purchases,
pected to be operational within a few years: a pilotless     ready to be correlated. (Are you stocking up on hem-
drone, equipped to provide airborne surveillance for         orrhoid cream? Renting a daytime motel room? The
soldiers in the field. While camera robots in the $1 mil-     database knows.) Corporations claim this information
lion range have been flying in the military for some          helps them serve us more efficiently. Critics respond
time, the new system will be extraordinarily cheap and       that it gives big companies an unfair advantage, en-
simple. Instead of requiring a large support crew, it will   abling them to know vastly more about us than we
be controlled by one semiskilled soldier and will fit in      do about them. Soon, computers will hold all your
the palm of a hand. Minuscule and quiet, such remote-        financial and educational records, legal documents,
piloted vehicles, or RPVs, may flit among trees to sur-       and medical analyses that parse you all the way down
vey threats near a rifle platoon. When mass-produced          to your genes. Any of this might be examined by
in huge quantities, unit prices will fall.                   strangers without your knowledge, or even against
     Can civilian models be far behind? No law or reg-       your stated will.
ulation will keep them from our cities for very long.             As with those streetlamp cameras, the choices we
The rich, the powerful, and figures of authority will         make regarding future information networks—how
have them, whether legally or surreptitiously. And the       they will be controlled and who can access the data—
contraptions will become smaller, cheaper, and smarter       will affect our own lives and those of our children and
with each passing year.                                      their descendants.
     So much for the supposed privacy enjoyed by sun-
bathers in their own backyards.
     Moreover, surveillance cameras are the tip of the       A MODERN CONCERN
metaphorical iceberg. Other entrancing and invasive
innovations of the vaunted Information Age abound.           The issue of threatened privacy has spawned a flood of
Will a paper envelope protect the correspondence you         books, articles, and media exposes—from Janna Mala-
send by old-fashioned surface mail when new-style            mud Smith’s thoughtful Private Matters, and Ellen Al-
scanners can trace the patterns of ink inside without        derman and Caroline Kennedy’s erudite Right to Pri-
ever breaking the seal?                                      vacy all the way to shrill, paranoic rants by conspiracy
     Let’s say you correspond with others by e-mail and      fetishists who see Big Brother lurking around every
use a computerized encryption program to ensure that         corner. Spanning this spectrum, however, there ap-
your messages are read only by the intended recipient.       pears to be one common theme. Often the author
What good will all the ciphers and codes do, if some         has responded with a call to arms, proclaiming that we
adversary has bought a “back door” password to your          must become more vigilant to protect traditional pri-
encoding program? Or if a wasp-sized camera drone            vacy against intrusions by faceless (take your pick) gov-
flits into your room, sticks to the ceiling above your        ernment bureaucrats, corporations, criminals, or just
desk, inflates a bubble lens, and watches every key-          plain busybodies.
stroke that you type?                                             That is the usual conclusion—but not the one
     In late 1997 it was revealed that Swiss police had      taken here.
secretly tracked the whereabouts of mobile phone                  For in fact, it is already far too late to prevent the in-
users via a telephone company computer that records          vasion of cameras and databases. The djinn cannot be
billions of movements per year. Swisscom was able to         crammed back into its bottle. No matter how many laws
                                        CHAPTER 12 PRIVACY AND SURVEILLANCE                                      331

are passed, it will prove quite impossible to legislate            Although this process of stripping off veils has been
away the new surveillance tools and databases. They are       uneven, and continues to be a source of contention, the
here to stay.                                                 underlying moral force can clearly be seen pervading
    Light is going to shine into nearly every corner of       our popular culture, in which nearly every modern film
our lives.                                                    or novel seems to preach the same message—suspicion
    The real issue facing citizens of a new century will      of authority. The phenomenon is not new to our gen-
be how mature adults choose to live—how they can              eration. Schoolbooks teach that freedom is guarded by
compete, cooperate, and thrive—in such a world. A             constitutional “checks and balances,” but those same
transparent society.                                          legal provisions were copied, early in the nineteenth
    Our civilization is already a noisy one precisely be-     century, by nearly every new nation of Latin America,
cause we have chosen freedom and mass sovereignty, so         and not one of them remained consistently free. In
that the citizenry itself must constantly argue out the       North America, constitutional balances worked only
details, instead of leaving them to some committee of         because they were supplemented by a powerful mythic
sages.                                                        tradition, expounded in story, song, and now virtually
    What distinguishes society today is not only the          every Hollywood film, that any undue accumulation of
pace of events but the nature of our tool kit for facing      power should be looked on with concern.
the future. Above all, what has marked our civilization            Above all, we are encouraged to distrust gov-
as different is its knack for applying two extremely          ernment.
hard-won lessons from the past.                                    The late Karl Popper pointed out the importance
                                                              of this mythology in the dark days during and after
    In all of history, we have found just one cure for
                                                              World War II, in The Open Society and Its Enemies. Only
    error—a partial antidote against making and re-
                                                              by insisting on accountability, he concluded, can we
    peating grand, foolish mistakes, a remedy against
                                                              constantly remind public servants that they are ser-
    self deception. That antidote is criticism.
                                                              vants. It is also how we maintain some confidence that
     Scientists have known this for a long time. It is the    merchants aren’t cheating us, or that factories aren’t
keystone of their success. A scientific theory gains re-       poisoning the water. As inefficient and irascibly noisy
spect only by surviving repeated attempts to demolish         as it seems at times, this habit of questioning author-
it. Only after platoons of clever critics have striven to     ity ensures freedom far more effectively than any of
come up with refuting evidence, forcing changes, do a         the older social systems that were based on reverence or
few hypotheses eventually graduate from mere theories         trust.
to accepted models of the world.                                   And yet, another paradox rears up every time one
     If neo-Western civilization has one great trick in its   interest group tries to hold another accountable in to-
repertoire, a technique more responsible than any             day’s society.
other for its success, that trick is accountability. Espe-
                                                                  Whenever a conflict arises between privacy and
cially the knack—which no other culture ever mas-
                                                                  accountability, people demand the former for
tered— of making accountability apply to the mighty.
                                                                  themselves and the latter for everybody else.
True, we still don’t manage it perfectly. Gaffes, bungles,
and inanities still get covered up. And yet, one can look         The rule seems to hold in almost every realm of
at any newspaper or television news program and see           modern life, from special prosecutors investigating the
an eager press corps at work, supplemented by hordes          finances of political figures to worried parents de-
of righteously indignant individuals (and their lawyers),     manding that lists of sex offenders be made public.
all baying for waste or corruption to be exposed, se-         From merchants anxious to see their customers’ credit
crets to be unveiled, and nefarious schemes to be             reports to clients who resent such snooping. From
nipped in the bud. Disclosure is a watchword of the           people who “need” caller ID to screen their calls to
age, and politicians have grudgingly responded by pass-       those worried that their lives might be threatened if
ing the Freedom of Information Act (FOIA), truth-in-          they lose telephone anonymity. From activists de-
lending laws, open meeting rules, and codes to enforce        manding greater access to computerized government
candor in real estate, in the nutritional content of food-    records in order to hunt patterns of corruption or in-
stuffs, in the expense accounts of lobbyists, and so on.      competence in office to other citizens who worry

about the release of personal information contained in               But suppose the future does present us with an ab-
those very same records.                                         solute either-or decision, to select just one, at the cost
     In opposing this modern passion for personal and            of the other. In that case, there can be no hesitation.
corporate secrecy, I should first emphasize that I like               Privacy is a highly desirable product of liberty. If we
privacy! Outspoken eccentrics need it, probably as               remain free and sovereign, we may have a little privacy
much or more than those who are reserved. I would                in our bedrooms and sanctuaries. As citizens, we’ll be
find it hard to get used to living in either of the cities        able to demand some.
described in the example at the beginning of this chap-              But accountability is no side benefit. It is the one
ter. But a few voices out there have begun pointing out          fundamental ingredient on which liberty thrives.
the obvious. Those cameras on every street corner are            Without the accountability that derives from open-
coming, as surely as the new millennium.                         ness— enforceable upon even the mightiest individuals
     Oh, we may agitate and legislate. But can “privacy          and institutions—how can freedom survive?
laws” really prevent hidden eyes from getting tinier,                In the information age to come, cameras and data-
more mobile, and clever? In software form they will              bases will sprout like poppies— or weeds—whether
cruise the data highways. “Antibug” technologies will            we like it or not. Over the long haul, we as a people
arise, but the resulting surveillance arms race can              must decide the following questions:
hardly favor the “little guy.” The rich, the powerful,
                                                                      Can we stand living exposed to scrutiny, our secrets laid
police agencies, and a technologically skilled elite will
                                                                      open, if in return we get flashlights of our own that we
always have an advantage.
                                                                      can shine on anyone who might do us harm— even the
     In the long run, as author Robert Heinlein proph-
                                                                      arrogant and strong?
esied years ago, will the chief effect of privacy laws sim-
ply be to “make the bugs smaller”?                                    Or is an illusion of privacy worth any price, even the
     The subtitle of this book—Will Technology Force Us               cost of surrendering our own right to pierce the schemes
to Choose Between Privacy and Freedom?—is intention-                  of the powerful?
ally provocative. I think such a stark choice can be                 There are no easy answers, but asking questions
avoided. It may be possible to have both liberty and             can be a good first step.
some shelter from prying eyes.

                                  REL ATED LINKS

                                  ■    David Brin’s Web Page (
                                  ■    EarthCam: Webcam Network (
                                  ■    HotSeat: The Transparent Society
                                  ■    Surveillance Camera News (
                                  ■    Video Surveillance (

                                  FOR FURTHER RESEARCH

                                  To find out more about the topics discussed in this reading, use InfoTrac College Edition. Type
                                  in keywords and subject terms such as “surveillance,” “snoop technology,” and “transparent so-
                                  ciety.” You can access InfoTrac from the Wadsworth/ Thomson Communication Café home-

Shared By:
Description: Communication