12 Privacy and Surveillance

Reading 12-1
Remembrance of Data Passed: A Study of Disk Sanitization Practices
Simson L. Garfinkel and Abhi Shelat

EDITOR'S NOTE

Many discarded hard drives, although thought to be reformatted or simply lacking worthwhile data, contain information that is both confidential and recoverable. As this fascinating study in data recovery by Simson L. Garfinkel and Abhi Shelat shows, discarded drives contain a bounty of revealing information—from personal letters and pornography to bank account and credit card numbers—readily retrievable by data sleuths and computer hackers. In the study, just 9% of the 129 usable drives they purchased from eBay and analyzed had been properly cleaned (or "sanitized") by having their sectors completely overwritten with zero-filled blocks. The availability of information from old hard drives is little publicized, but awareness of such potentially risky consumer exposure will surely spread once identity thieves and law enforcement agencies start looking to repurposed drives for confidential material. As this reading and the article by James Rosenbaum (Reading 12-2) illustrate, neither the delete key nor the format command really does its job.

CONSIDER

1. What is the difference between a sanitized file and a deleted file? Similarly, what is the difference between sanitizing and (re)formatting a hard drive?

2. Despite the ready availability of sanitization tools, most computer users seem to make little effort to erase the information on their discarded hard drives. What explanations do the authors advance for this state of affairs?

3. Compare three data destruction techniques: reformatting, overwriting, and physical destruction. If you had a hard drive with sensitive information that needed to be discarded, which method would you be most comfortable with?
Reprinted with permission from "Remembrance of Data Passed: A Study of Disk Sanitization Practices" by Simson L. Garfinkel and Abhi Shelat, IEEE Security & Privacy, 1(1) (January/February 2003), pp. 17–27. Copyright © 2003 IEEE.

A fundamental goal of information security is to design computer systems that prevent the unauthorized disclosure of confidential information. There are many ways to assure this information privacy. One of the oldest and most common techniques is physical isolation: keeping confidential data on computers that only authorized individuals can access. Most single-user personal computers, for example, contain information that is confidential to that user.

Computer systems used by people with varying authorization levels typically employ authentication, access control lists, and a privileged operating system to maintain information privacy. Much of information security research over the past 30 years has centered on improving authentication techniques and developing methods to assure that computer systems properly implement these access control rules.

Absent a cryptographic file system, confidential information is readily accessible when owners improperly retire their disk drives. In August 2002, for example, the United States Veterans Administration Medical Center in Indianapolis retired 139 computers. Some of these systems were donated to schools, while others were sold on the open market, and at least three ended up in a thrift shop where a journalist purchased them. Unfortunately, the VA neglected to sanitize the computer's hard drives—that is, it failed to remove the drives' confidential information. Many of the computers were later found to contain sensitive medical information, including the names of veterans with AIDS and mental health problems. The new owners also found 44 credit card numbers that the Indianapolis facility used.[1]

The VA fiasco is just one of many celebrated cases in which an organization entrusted with confidential information neglected to properly sanitize hard disks before disposing of computers. Other cases include:

■ In the spring of 2002, the Pennsylvania Department of Labor and Industry sold a collection of computers to local resellers. The computers contained "thousands of files of information about state employees" that the department had failed to remove.[2]

■ In August 2001, Dovebid auctioned off more than 100 computers from the San Francisco office of the Viant consulting firm. The hard drives contained confidential client information that Viant had failed to remove.[3]

■ A Purdue University student purchased a used Macintosh computer at the school's surplus equipment exchange facility, only to discover that the computer's hard drive contained a FileMaker database containing the names and demographic information for more than 100 applicants to the school's Entomology Department.

■ In August 1998, one of the authors purchased 10 used computer systems from a local computer store. The computers, most of which were three to five years old, contained all of their former owners' data. One computer had been a law firm's file server and contained privileged client-attorney information. Another computer had a database used by a community organization that provided mental health services. Other disks contained numerous personal files.

■ In April 1997, a woman in Pahrump, Nevada, purchased a used IBM computer for $159 and discovered that it contained the prescription records of 2,000 patients who filled their prescriptions at Smitty's Supermarket pharmacy in Tempe, Arizona. Included were the patients' names, addresses and Social Security numbers and a list of all the medicines they'd purchased. The records included people with AIDS, alcoholism, and depression.[4]

These anecdotal reports are interesting because of their similarity and their relative scarcity. Clearly, confidential information has been disclosed through computers sold on the secondary market more than a few times. Why, then, have there been so few reports of unintended disclosure? We propose three hypotheses:

1. Disclosures of this type are exceedingly rare.

2. Confidential information is disclosed so often on retired systems that such events are simply not newsworthy.

3. Used equipment is awash with confidential information, but nobody is looking for it—or else there are people looking, but they are not publicizing that fact.

To further investigate the problem, we purchased more than 150 hard drives on the secondary market. Our goal was to determine what information they contained and what means, if any, the former owners had used to clean the drives before they discarded them. Here, we present our findings, along with our taxonomy for describing information recovered or recoverable from salvaged drives.

THE HARD DRIVE MARKET

Everyone knows that there has been a dramatic increase in disk-drive capacity and a corresponding decrease in mass-storage costs in recent years. Still, few people realize how truly staggering the numbers actually are. According to the market research firm Dataquest, nearly 150 million disk drives [were] retired in 2002—up from 130 million in 2001. Although many such drives are destroyed, a significant number are repurposed to the secondary market. (This market is rapidly growing as a supply source for even mainstream businesses, as evidenced by the cover story in CIO Magazine, "Good Stuff Cheap: How to Use the Secondary Market to Your Enterprise's Advantage."[5])

According to the market research firm IDC, the worldwide disk-drive industry [shipped] between 210 and 215 million disk drives in 2002; the total storage of those disk drives [was] 8.5 million terabytes (8,500 petabytes, or 8.5 x 10^18 bytes). While Moore's Law dictates a doubling of integrated circuit transistors every 18 months, hard-disk storage capacity and the total number of bytes shipped are doubling at an even faster rate.

It's impossible to know how long any disk drive will remain in service; IDC estimates the typical drive's life-span at five years. Dataquest estimates that people will retire seven disk drives for every 10 that ship in the year 2002; this is up from a retirement rate of three for 10 in 1997. As the VA Hospital's experience demonstrates, many disk drives that are "retired" by one organization can appear elsewhere. Unless retired drives are physically destroyed, poor information security practices can jeopardize information privacy.

THE UBIQUITY OF HARD DISKS

Compared with other mass-storage media, hard disks pose special and significant problems in assuring long-term data confidentiality. One reason is that physical and electronic standards for other mass-storage devices have evolved rapidly and incompatibly over the years, while the Integrated Drive Electronics/Advanced Technology Attachment (IDE/ATA) and Small Computer System Interface (SCSI) interfaces have maintained both forward and backward compatibility. People use hard drives that are 10 years old with modern consumer computers by simply plugging them in: the physical, electrical, and logical standards have been remarkably stable.

This unprecedented level of compatibility has sustained both formal and informal secondary markets for used hard drives. This is not true of magnetic tapes, optical disks, flash memory, and other forms of mass storage, where there is considerably more diversity. With current devices, people typically cannot use older media due to format changes (a digital audio tape IV drive, for example, cannot read a DAT I tape, nor can a 3.5-inch disk drive read an 8-inch floppy.)

A second factor contributing to the problem of maintaining data confidentiality is the long-term consistency of file systems. Today's Windows, Macintosh, and Unix operating systems can transparently use the FAT16 and FAT32 file systems popularized by Microsoft in the 1980s and 1990s. FAT stands for File Allocation Table and is a linked list of disk clusters that DOS uses to manage space on a random-access device; 16 or 32 refers to the sector numbers' bit length. Thus, not only are 10-year-old hard drives mechanically and electrically compatible with today's computers, but the data they contain is readily accessible without special-purpose tools. This is not true with old tapes, which are typically written using proprietary backup systems, which might use proprietary compression and/or encryption algorithms as well.

A common way to sanitize a cartridge tape is to use a bulk tape eraser, which costs less than US$40 and can erase an entire tape in just a few seconds. Bulk erasers can erase practically any tape on the market. Once erased, a tape can be reused as if it were new. However, bulk erasers rarely work with hard disks, creating a third factor that complicates data confidentiality. In some cases, commercially available bulk erasers simply do not produce a sufficiently strong magnetic field to affect the disk surface. When they do, they almost always render the disk unusable: in addition to erasing user data, bulk erasers remove low-level track and formatting information. Although it might be possible to restore these formatting codes using vendor-specific commands, such commands are not generally available to users.

THE SANITIZATION PROBLEM

Most techniques that people use to assure information privacy fail when data storage equipment is sold on the secondary market. For example, any protection that the computer's operating system offers is lost when someone removes the hard drive from the computer and installs it in a second system that can read the on-disk formats, but doesn't honor the access control lists. This vulnerability of confidential information left on information systems has been recognized since the 1960s.[6]

Legal protections that assure data confidentiality are similarly void. In California v. Greenwood, the U.S. Supreme Court ruled that there is no right to privacy in discarded materials.[7] Likewise, it is unlikely that an individual or corporation could claim that either has a privacy or trade-secret interest in systems that they themselves have sold. Experience has shown that people routinely scavenge electronic components from the waste stream and reuse them without the original owner's knowledge.

Thus, to protect their privacy, individuals and organizations must remove confidential information from disk drives before they repurpose, retire, or dispose of them as intact units—that is, they must sanitize their drives.

The most common techniques for properly sanitizing hard drives include

■ Physically destroying the drive, rendering it unusable

■ Degaussing the drive to randomize the magnetic domains—most likely rendering the drive unusable in the process

■ Overwriting the drive's data so that it cannot be recovered

Sanitizing is complicated by social norms. Clearly, the best way to assure that a drive's information is protected is to physically destroy the drive. But many people feel moral indignation when IT equipment is discarded and destroyed rather than redirected toward schools, community organizations, religious groups, or lesser-developed nations where others might benefit from using the equipment—even if the equipment is a few years obsolete.

SANITIZING THROUGH ERASING

Many people believe that they're actually destroying information when they erase computer files. In most cases, however, delete or erase commands do not actually remove the file's information from the hard disk [see Reading 12-2]. Although the precise notion of "erase" depends on the file system used, in most cases, deleting a file most often merely rewrites the metadata that pointed to the file, but leaves the disk blocks containing the file's contents intact.

When the operating system erases a FAT file, two things occur. First, the system modifies the filename's first character in the file's directory entry to signal that the file has been deleted and that the directory entry can be recycled. Second, the system moves all of the file's FAT clusters to the hard drive's list of free clusters. The actual file data is never touched. Indeed, there are many programs available that can recover erased files, as we discuss later.

Although our semantic notion of "erasing" implies data removal, the FAT file system (and many other modern file systems) doesn't meet our expectations.

SANITIZING THROUGH OVERWRITING

Because physical destruction is relatively complicated and unsatisfying, and because using the operating system to erase files does not effectively sanitize them, many individuals prefer to sanitize hard-drive information by intentionally overwriting that data with other data so that the original data cannot be recovered. Although overwriting is relatively easy to understand and to verify, it can be somewhat complicated in practice.

One way to overwrite a hard disk is to fill every addressable block with ASCII NUL bytes (zeroes). If the disk drive is functioning properly, then each of these blocks reports a block filled with NULs on read-back. We've observed this behavior in practice: for most home and business applications, simply filling an entire disk with ASCII NUL bytes provides sufficient sanitization.

One organization that has addressed the problem of sanitizing storage media is the U.S. Department of Defense, which has created a "Cleaning and Sanitizing Matrix"[8] that gives DoD contractors three government-approved techniques for sanitizing rigid disk drives:

■ Degauss with a Type I or Type II Degausser

■ Destroy by disintegrating, incinerating, pulverizing, shredding, or melting

■ Overwrite all addressable locations with a random character, overwrite again with the character's complement, and then verify. (However, as the guidelines state—in all capital letters no less—this method is not approved for sanitizing media that contains top-secret information.)

The DoD's overwriting strategy is curious, both because it does not recommend writing a changing pattern, and because the method is specifically not approved for top-secret information. This omission and restriction is almost certainly intentional. Peter Gutmann, a computer security researcher at the University of Auckland who has studied this issue, notes: "The . . . problem with official data destruction standards is that the information in them may be partially inaccurate in an attempt to fool opposing intelligence agencies (which is probably why a great many guidelines on sanitizing media are classified)."[9]

Indeed, some researchers have repeatedly asserted that simple overwriting is insufficient to protect data from a determined attacker. In a highly influential 1996 article, Gutmann argues that it is theoretically possible to retrieve information written to any magnetic recording device because the disk platter's low-level magnetic field patterns are a function of both the written and overwritten data. As Gutmann explains, when a computer attempts to write a one or a zero to disk, the media records it as such, but the actual effect is closer to obtaining 1.05 when one overwrites with a one and 0.95 when a one overwrites a zero. Although normal disk circuitry will read both values as ones, "using specialized circuitry it is possible to work out what previous 'layers' contained."[10] Gutmann claims that "a high-quality digital sampling oscilloscope" or Magnetic Force Microscopy (MFM) can be used to retrieve the overwritten data. We refer to such techniques as exotic because they do not rely on the standard hard-disk interface.

Gutmann presents some 22 different patterns that you can write in sequence to a disk drive to minimize data recovery. In the eight years since the article was published, some sanitation tool developers (such as those on the WIPE project, for example[11]) have taken these "Gutmann patterns" as gospel, and have programmed their tools to painstakingly use each pattern on every disk that is sanitized. Moreover, other organizations warn that failure to use these patterns or take other precautions, such as physically destroying a disk drive, means that "someone with technical knowledge and access to specialized equipment may be able to recover data from files deleted."[12]

But in fact, given the current generation of high-density disk drives, it's possible that none of these overwrite patterns are necessary—a point that Gutmann himself concedes. Older disk drives left some space between tracks; data written to a track could occasionally be recovered from this inter-track region using special instruments. Today's disk drives have a write head that is significantly larger than the read head: tracks are thus overlapping, and there is no longer any recoverable data "between" the tracks. Moreover, today's drives rely heavily on signal processing for their normal operation. Simply overwriting user data with one or two passes of random data is probably sufficient to render the overwritten information irrecoverable—a point that Gutmann makes in the updated version of the article, which appears on his Web site (www.cryptoapps.com/peter/usenix01.pdf).

Indeed, there is some consensus among researchers that, for many applications, overwriting a disk with a few random passes will sufficiently sanitize it. An engineer at Maxtor, one of the world's largest disk-drive vendors, recently told us that recovering overwritten data was something akin "to UFO experiences. I believe that it is probably possible . . . but it is not going to be something that is readily available to anyone outside the National Security Agency."

A SANITIZATION TAXONOMY

Modern computer hard drives contain an assortment of data, including an operating system, application programs, and user data stored in files. Drives also contain backing store for virtual memory, and operating system meta-information, such as directories, file attributes, and allocation tables. A block-by-block disk-drive examination also reveals remnants of previous files that were deleted but not completely overwritten. These remnants are sometimes called free space, and include bytes at the end of partially filled directory blocks (sometimes called slack space), startup software that is not strictly part of the operating system (such as boot blocks), and virgin blocks that were initialized at the factory but never written. Finally, drives also contain blocks that are not accessible through the standard IDE/ATA or SCSI interface, including internal drive blocks used for bad-block management and for holding the drive's own embedded software.

To describe data found on recovered disk drives and facilitate discussion of sanitization practices and forensic analysis, we created a sanitization taxonomy (see Table 12-1).

Table 12-1. A Sanitization Taxonomy

Level 0 (Regular files): Information contained in the file system. Includes file names, file attributes, and file contents. By definition, no attempts are made to sanitize Level 0 files' information. Level 0 also includes information that is written to the disk as part of any sanitization attempt. For example, if a copy of Windows 95 had been installed on a hard drive in an attempt to sanitize the drive, then the files installed into the C:\WINDOWS directory would be considered Level 0 files. No special tools are required to retrieve Level 0 data.

Level 1 (Temporary files): Temporary files, including print spooler files, browser cache files, files for "helper" applications, and recycle bin files. Most users either expect the system to automatically delete this data or are not even aware that it exists. Note: Level 0 files are a subset of Level 1 files. Experience has shown that it is useful to distinguish this subset, because many naive users will overlook Level 1 files when they are browsing a computer's hard drive to see if it contains sensitive information. No special tools are required to retrieve Level 1 data, although special training is required to teach the operator where to look.

Level 2 (Deleted files): When a file is deleted from a file system, most operating systems do not overwrite the blocks on the hard disk that the file is written on. Instead, they simply remove the file's reference from the containing directory. The file's blocks are then placed on the free list. These files can be recovered using traditional "undelete" tools, such as Norton Utilities.

Level 3 (Retained data blocks): Data that can be recovered from a disk, but which does not obviously belong to a named file. Level 3 data includes information in slack space, backing store for virtual memory, and Level 2 data that has been partially overwritten so that an entire file cannot be recovered. A common source of Level 3 data is disks that have been formatted with the Windows Format command or the Unix newfs command. Even though the output of these commands might imply that they overwrite the entire hard drive, in fact they do not, and the vast majority of the formatted disk's information is recoverable with the proper tools. Level 3 data can be recovered using advanced data recovery tools that can "unformat" a disk drive or special-purpose forensics tools.

Level 4 (Vendor-hidden data): This level consists of data blocks that can only be accessed using vendor-specific commands. This level includes the drive's controlling program and blocks used for bad-block management.

Level 5 (Overwritten data): Many individuals maintain that information can be recovered from a hard drive even after it is overwritten. We reserve Level 5 for such information.

Sanitization Tools

Many existing programs claim to properly sanitize a hard drive, including $1,695 commercial offerings that boast government certifications, more than 50 tools licensed for a single computer system, and free software/open-source products that seem to offer largely the same features. Broadly speaking, two kinds of sanitization programs are available: disk sanitizers and declassifiers, and slack-space sanitizers.

Disk sanitizers and declassifiers aim to erase all user data from a disk before it's disposed of or repurposed in an organization. Because overwriting an operating system's boot disk information typically causes the computer to crash, disk sanitizers rarely operate on the boot disk of a modern operating system. Instead, they're usually run under an unprotected operating system, such as DOS, or as standalone applications run directly from bootable media (floppy disks or CD-ROMs). (It's relatively easy to sanitize a hard disk that is not the boot disk. With Unix, for example, you can sanitize a hard disk with the device /dev/hda using the command dd if=/dev/zero of=/dev/hda.) Using our taxonomy, disk sanitizers seek to erase all of the drive's Level 1, 2, 3, and 5 information. Sanitizers equipped with knowledge of vendor-specific disk-drive commands can erase Level 4 information as well.

Slack space sanitizers sanitize disk blocks (and portions of disk blocks) that are not part of any file and do not contain valid file system meta-information. For example, if a 512-byte block holds a file's last 100 bytes and nothing else, a slack-space sanitizer reads the block, leaves bytes 1–100 untouched, and zeros bytes 101–512. Slack-space sanitizers also compact directories (removing ignored entries), and overwrite blocks on the free list. Many of these programs also remove temporary files, history files, browser cookies, deleted email, and so on. Using our taxonomy, slack-space sanitizers seek to erase all Level 1 through Level 4 drive information, while leaving Level 0 information intact.

Forensic Tools

The flip side of sanitization tools are forensic analysis tools, which are used for recovering hard-disk information. Forensic tools are harder to write than sanitization tools and, not surprisingly, fewer of these tools are available. Many of the packages that do exist are tailored to law enforcement agencies.

Almost all forensic tools let users analyze hard disks or hard-disk images from a variety of different operating systems and provide an Explorer-style interface so you can read the files. Tools are of course limited by the original computer's operating system, as different systems overwrite different amounts of data or metadata when they delete a file or format a disk. Nevertheless, many of these forensic tools can find "undeleted" files (Level 2 data) and display hard-drive information that is no longer associated with a specific file (Level 3 data). Most tools also offer varying search capabilities. Hence, an operator can search an entire disk image for keywords or patterns, and then display the files (deleted or otherwise) containing the search pattern.

Programs tailored to law enforcement also offer to log every keystroke an operator makes during the hard-drive inspection process. This feature supposedly prevents evidence tampering.

O Sanitization, Where Art Thou?

Despite the ready availability of sanitization tools and the obvious threat posed by tools that provide forensic analysis, there are persistent reports that some systems containing confidential information are being sold on the secondary market.

We propose several possible explanations for this state of affairs:

■ Lack of knowledge. The individual (or organization) disposing of the device simply fails to consider the problem (they might, for example, lack training or time).

■ Lack of concern for the problem. The individual considers the problem, but does not think the device actually contains confidential information.

■ Lack of concern for the data. The individual is aware of the problem—that the drive might contain confidential information—but doesn't care if the data is revealed.

■ Failure to properly estimate the risk. The individual is aware of the problem, but doesn't believe that the device's future owner will reveal the information (that is, the individual assumes that the device's new owner will use the drive to store information, and won't rummage around looking for what the previous owner left behind).

■ Despair. The individual is aware of the problem, but doesn't think it can be solved.

■ Lack of tools. The individual is aware of the problem, but doesn't have the tools to properly sanitize the device.

■ Lack of training or incompetence. The individual attempts to sanitize the device, but the attempts are ineffectual.

■ Tool error. The individual uses a tool, but it doesn't behave as advertised. (Early versions of the Linux wipe command, for example, have had numerous bugs which resulted in data not being actually overwritten. Version 0.13, for instance, did not erase half the data in the file due to a bug; see http://packages.debian.org/unstable/utils/wipe.html.)

■ Hardware failure. The computer housing the hard drive might be broken, making it impossible to sanitize the hard drive without removing it and installing it in another computer—a time-consuming process. Alternatively, a computer failure might make it seem that the hard drive has also failed, when in fact it has not.

Among nonexpert users—especially those using the DOS or Windows operating systems—lack of training might be the primary factor in poor sanitization practices.

Among expert users, we posit a different explanation: they are aware that the Windows format command does not actually overwrite a disk's contents. Paradoxically, the media's fascination with exotic methods for data recovery might have decreased sanitization among these users by making it seem too onerous. In repeated interviews, users frequently say things like: "The FBI or the NSA can always get the data back if they want, so why bother cleaning the disk in the first place?" Some individuals fail to employ even rudimentary sanitization practices because of these unsubstantiated fears. This reasoning is flawed, of course, because most users should be concerned with protecting their data from more pedestrian attackers, rather than from U.S. law enforcement and intelligence agencies. Even if these organizations do represent a threat to some users, today's readily available sanitization tools can nevertheless protect their data from other credible threats.

However interesting they might be, informal interviews and occasional media reports are insufficient to gauge current sanitization practices. To do that, we had to acquire numerous disk drives and actually see what data their former owners left behind.

OUR EXPERIMENT

We acquired 158 hard drives on the secondary market between November 2000 and August 2002. We purchased drives from several sources: computer stores specializing in used merchandise, small businesses selling lots of two to five drives, and consolidators selling lots of 10 to 20 drives. We purchased most of the bulk hard drives by winning auctions at the eBay online auction service.

As is frequently the case with secondary-market equipment, the drives varied in manufacturer, size, date of manufacture, and condition. A significant fraction of the drives were physically damaged, contained unreadable sectors, or were completely inoperable.

Because we were interested in each drive's data, rather than its physical deterioration, our goal was to minimize drive handling as much as possible. Upon receipt, we recorded each drive's physical characteristics and source in a database. We then attached the drives to a workstation running the FreeBSD 4.4 operating system, and then copied the drive's contents block-by-block—using the Unix dd command from the raw ATA device—into a disk file we called the "image file."

Once we completed this imaging operation, we attempted to mount each drive using several file systems: FreeBSD, MS-DOS, Windows NT File System, Unix File System, and Novell file systems. If we successfully mounted the drive, we used the Unix tar command to traverse the entire file system hierarchy and copy the files into compressed tar files. These files are exactly equal to our taxonomy's Level 0 and Level 1 files.

We then analyzed the data using a variety of tools that we wrote specifically for this project. In particular, we stored the complete path name, length, and an MD5 cryptographic checksum of every Level 0 and Level 1 file in a database. (MD5 is a one-way function that reduces a block of data to a 128-bit electronic "fingerprint" that can be used for verifying file integrity.)

Initial Findings

We acquired a total of 75 Gbytes of data, consisting of 71 Gbytes of uncompressed disk images and 3.7 Gbytes of compressed tar files.

From the beginning, one of the most intriguing aspects of this project was the variation in the disk drives. When we briefed people on our initial project plans, some people were "positive" that all the recovered drives would contain active file systems, while others were sure that all of the drives would be reformatted. Some were certain we'd find data, but that it would be too old to be meaningful, and others were sure that nearly all of the drives would be properly sanitized, "because nobody could be so stupid as to discard a drive containing active data."

File System Analysis

The results of even this limited, initial analysis indicate that there are no standard practices in the industry. Of the 129 drives that we successfully imaged, only 12 (9 percent) had been properly sanitized by having their sectors completely overwritten with zero-filled blocks; 83 drives (64 percent) contained mountable FAT16 or FAT32 file systems. Another 46 drives did not have mountable file systems.

Of the 83 drives with mountable file systems, 51 appeared to have been freshly formatted—that is, they either had no files or else the files were created by the DOS format c:/s command; another six drives were formatted and had a copy of DOS or Windows 3.1 installed. Of these 51 drives, 19 had recoverable Level 3 data—indicating that the drives had been formatted after they had been used in another application.

Document File Analysis

We performed limited analysis of the mountable file systems to determine the type of documents left on the drives. Table 12-2 summarizes these results.

Table 12-2. Recoverable Level 0 and 1 Files by Type

File Type                     Number Found   On Drives   Max Files per Drive
Microsoft Word (.doc)                  675          23                   183
Outlook (.pst)                          20           6                    12
Microsoft PowerPoint (.ppt)            566          14                   196
Microsoft Write (.wri)                  99          21                    19
Microsoft Works (.wks)                  68           1                    68
Microsoft Excel (.xls)                 274          18                    67

Overall, the 28 drives with active file systems contained comparatively few document files—far fewer than we'd expect to find on actively used personal computers. We believe that this is because the drives' previous owners intentionally deleted these files in an attempt to at least partially sanitize the drives before disposing of them.

To test this theory, we wrote a program that lets us scan for deleted files and directories. Using this program, we can scan the disks for data that was presumably deleted by the drive's original owner prior to disposing of the drive. The results are illuminating: with the exception of the cleared disks (all blocks zeroed), practically every disk had significant numbers of deleted directories and files that are recoverable. Even the 28 disks with many undeleted files contained significant numbers of deleted-but-recoverable directories and files as well. A close examination of the deleted files indicates that, in general, users deleted data files, but left application files intact.

Using slightly more sophisticated techniques, we wrote a program that scans for credit card numbers. The program searches for strings of numerals (with possible space and dash delimiters) that pass the mod-10 check-digit test required of all credit card numbers, and that also fall within a credit card number's feasible numerical range. For example, no major credit card number begins with an eight.

In our study, 42 drives had numbers that passed these tests. Determining whether a number is actually a valid credit card number requires an attempted transaction on the credit card network. Rather than do this, we inspected the number's context. Two drives contained consistent financial-style log files. One of these drives contained 2,868 numbers in a log format. Upon further inspection, it appeared that this hard drive was most likely used in an ATM machine in Illinois, and that no effort was made to remove any of the drive's financial information. The log contained account numbers, dates of access, and account balances. In addition, the hard drive had all of the ATM machine software.

Another drive contained 3,722 credit card numbers (some of them repeated) in a different type of log format. The files on this drive appeared to have been erased, and the drive was formatted. Yet another drive contained 39 credit card numbers in a database file that included the correct type of credit card, and still another had a credit card number in a cached Web page URL. The URL is a 'GET'-type HTTP form that was submitted to an e-commerce site; it contained all of the address and expiration information necessary to execute an e-commerce transaction. Finally, another drive had 21 credit card numbers in a file.

We also wrote a program that searches for RFC mail headers.
Of the 129 drives analyzed, 66 drives had more than ﬁve email messages. We use this threshold Recovered Data because some programs, such as Netscape Navigator, Some of the information we found in these ﬁles include a few welcome emails upon installation. One included: drive in our batch contained almost 9,500 email mes- sages, dated from 1999 through 2001. In all, 17 drives ■ Corporate memoranda pertaining to personnel had more than 100 email messages and roughly 20 issues drives had between 20 and 100 email messages. During ■ A letter to the doctor of a 7-year-old child from this analysis, we only investigated the messages’ subject the child’s father, complaining that the treatment headers; contents seemed to vary from typical spam to for the child’s cancer was unsatisfactory grievances about retroactive pay. ■ Fax templates for a California children’s hospital (we expect that additional analysis of this drive UNDERSTANDING DOS FORMAT will yield medically sensitive information) ■ Love letters It’s not clear if the 52 formatted drives were formatted ■ Pornography to sanitize the data or if they were formatted to deter- CHAPTER 12 PRIVACY AND SURVEILLANCE 317 mine their condition and value for sale on the second- Many routine email messages also contain medically ary market. sensitive information that should not be disclosed. If an In many interviews, users said that they believed employee sends a message to his boss saying that he’ll DOS and Windows format commands would prop- miss a meeting because he has a speciﬁc problem re- erly remove all hard drive data. This belief seems rea- quiring a doctor visit, for example, he has created a sonable, as the DOS and Windows format commands record of his medical condition in the corporate email speciﬁcally warn users that “ALL DATA ON NON- system. 
REMOVABLE DISK DRIVE C: WILL BE LOST” Third, our study indicates that the secondary hard- when a computer is booted from ﬂoppy and the user disk market is almost certainly awash in information attempts a format C: command. This warning might that is both sensitive and conﬁdential. rightly be seen as a promise that using the format com- Based on our ﬁndings, we make the following mand will in fact remove all of the disk drive’s data. recommendations: Many users were surprised when we told them that the format command does not erase all of the disk’s in- ■ Users must be educated about the proper tech- formation. As our taxonomy indicates, most operating niques for sanitizing disk drives. system format commands only write a minimal disk ﬁle ■ Organizations must adopt policies for properly system; they do not rewrite the entire disk. To illustrate sanitizing drives on computer systems and storage this assertion, we took a 10-Gbyte hard disk and ﬁlled media that are sold, destroyed, or repurposed. every block with a known pattern. We then initialized ■ Operating system vendors should include system a disk partition using the Windows 98 FDISK com- tools that securely delete ﬁles, and clear slack mand and formatted the disk with the format com- space and entire disk drives. mand. After each step, we examined the disk to deter- mine the number of blocks that had been written. ■ Future operating systems should be capable of au- Despite warnings from the operating system to the tomatically sanitizing deleted ﬁles. They should contrary, the format command overwrites barely more also be equipped with background processes that than 0.1 percent of the disk’s data. Nevertheless, the automatically sanitize disk sectors that the operat- command takes more than eight minutes to do its job ing system is not currently using. on the 10-Gbyte disk—giving the impression that the ■ Vendors should encourage the use of encrypting computer is actually overwriting the data. 
In fact, the ﬁle systems to minimize the data sanitization computer is attempting to read all of the drive’s data so problem. it can build a bad-block table. The only blocks that are ■ Disk-drive vendors should equip their drives with actually written during the format process are those tools for rapidly or even instantaneously remov- that correspond to the boot blocks, the root directory, ing all disk-drive information. For example, they the ﬁle allocation table, and a few test sectors scattered could equip a disk drive with a cryptographic throughout the drive’s surface. subsystem that automatically encrypts every disk Although 158 disk drives might seem like a lot, it’s block when the block is written, and decrypts the a tiny number compared to the number of disk drives block when it is read back. Users could then ren- that are sold, repurposed, and discarded each year. As a der the drive’s contents unintelligible by securely result, our ﬁndings and statistics are necessarily qualita- erasing the key.13 tive, not quantitative. Nevertheless, we can draw a few conclusions. With several months of work and relatively little ﬁ- First, people can remove conﬁdential information nancial expenditure, we were able to retrieve thousands from disk drives before they discard, repurpose, or sell of credit card numbers and extraordinarily personal them on the secondary market. Moreover, freely avail- information on many individuals. We believe that the able tools make disk sanitization easy. lack of media reports about this problem is simply be- Second, the current deﬁnition of “medical rec- cause, at this point, few people are looking to repur- ords” might not be broad enough to cover the range of posed hard drives for conﬁdential material. If sanitiza- medically sensitive information in the home and work tion practices are not signiﬁcantly improved, it’s only a environment. 
For example, we found personal letters matter of time before the conﬁdential information on containing medically sensitive information on a com- repurposed hard drives is exploited by individuals and puter that previously belonged to a software company. organizations that would do us harm. 318 PART VI POLICING THE ELECTRONIC WORLD: ISSUES AND ETHICS NOTES 7. California v. Greenwood, 486 U.S. 35, 16 May 1988. 8. U.S. Department of Defense, “Cleaning and Sanitization 1. J. Hasson, “V.A. Toughens Security after PC Disposal Blun- Matrix,” DOS 5220.22-M, Washington, D.C., 1995; ders,” Federal Computer Week, 26 Aug. 2002; www.fcw.com/ www.dss.mil/isec/nispom_0195.htm. fcw/articles/2002/0826/news-va-08-26-02.asp. 9. P. Gutmann, “Secure Deletion of Data from Magnetic and 2. M. Villano, “Hard-Drive Magic: Making Data Disappear Solid-State Memory,” Proc. Sixth Usenix Security Symp., Forever,” New York Times, 2 May 2002. Usenix Assoc., 1996; www.cs.auckland.ac.nz/ pgut001/ 3. J. Lyman, “Troubled Dot-Coms May Expose Conﬁdential pubs/secure_del.html. Client Data,” NewsFactor Network, 8 Aug. 2001; www.news 10. Ibid. factor.com/perl/story/12612.html. 11. T. Vier, “Wipe 2.1.0,” 14 Aug. 2002; http://sourceforge 4. J. Markoff, “Patient Files Turn Up in Used Computer,” New .net/projects/wipe. York Times, 4 Apr. 1997. 12. D. Millar, “Clean Out Old Computers Before Selling/ 5. S. Berinato, “Good Stuff Cheap,” CIO, 15 Oct. 2002, Donating,” June 1997; www.upenn.edu/computing/ pp. 53 –59. security/advisories/oldcomputers.html. 6. National Computer Security Center, “A Guide to Under- 13. G. Di Crescenzo et al., “How to Forget a Secret,” Sympo- standing Data Remanence in Automated Information Sys- sium Theoretical Aspects in Computer Science (STACS 99), Lec- tems,” Library No. 5-236,082, 1991, NCSC-TG-025; www ture Notes in Computer Science, Springer-Verlag, Berlin, .radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-028.ps. 1999, pp. 500 –509. 
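The deleted-file scan described in the Document File Analysis section works because of a FAT detail: deleting a file overwrites only the first byte of its 32-byte directory entry with 0xE5 and releases the cluster chain, leaving the rest of the entry and the data clusters on disk. The following Python scanner is an added example, not the authors' program: it decodes FAT16/FAT32 short directory entries and lists deleted files and directories with their starting cluster and size, and it can optionally keep reading past the 0x00 end-of-directory marker, where stale entries sometimes survive. The sample directory sector, its file names and its cluster numbers are constructed for this example.

```python
import struct
from typing import List, NamedTuple, Optional

ENTRY_SIZE = 32
DELETED_MARK = 0xE5     # first name byte of an entry whose file was deleted
END_OF_DIR = 0x00       # first name byte 0x00: no entries allocated beyond here
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F   # VFAT long-filename fragment, not a file entry


class DirEntry(NamedTuple):
    name: str            # 8.3 name; a deleted entry's lost first character is shown as '?'
    deleted: bool
    is_dir: bool
    first_cluster: int   # start of the data chain; the chain itself is gone from the FAT
    size: int


def parse_entry(raw: bytes) -> Optional[DirEntry]:
    """Decode one 32-byte short directory entry; None for LFN or volume-label entries."""
    attr = raw[11]
    if attr == ATTR_LONG_NAME or attr & ATTR_VOLUME_ID:
        return None
    deleted = raw[0] == DELETED_MARK
    base_bytes = (b"?" + raw[1:8]) if deleted else raw[0:8]
    base = base_bytes.decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    name = f"{base}.{ext}" if ext else base
    (hi,) = struct.unpack_from("<H", raw, 20)   # high word of first cluster (zero on FAT16)
    (lo,) = struct.unpack_from("<H", raw, 26)   # low word of first cluster
    (size,) = struct.unpack_from("<I", raw, 28)
    return DirEntry(name, deleted, bool(attr & ATTR_DIRECTORY), (hi << 16) | lo, size)


def scan_directory(sector: bytes, past_end_marker: bool = False) -> List[DirEntry]:
    """Walk a directory's raw bytes. A file-system driver stops at the 0x00 marker;
    a recovery scan may continue, since stale entries can survive beyond it."""
    entries: List[DirEntry] = []
    for off in range(0, len(sector) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = sector[off:off + ENTRY_SIZE]
        if raw[0] == END_OF_DIR:
            if not past_end_marker:
                break
            continue
        entry = parse_entry(raw)
        if entry is not None and entry.name not in (".", ".."):
            entries.append(entry)
    return entries


def deleted_entries(sector: bytes, past_end_marker: bool = False) -> List[DirEntry]:
    return [e for e in scan_directory(sector, past_end_marker) if e.deleted]


def make_entry(name, ext, attr, first_cluster, size, deleted=False) -> bytes:
    """Build a constructed short entry for the sample below (timestamps left zero)."""
    raw = bytearray(struct.pack("<8s3sB", name.ljust(8).encode("ascii"),
                                ext.ljust(3).encode("ascii"), attr))
    raw += bytes(8)                                   # reserved byte, create/access stamps
    raw += struct.pack("<H", first_cluster >> 16)     # first cluster, high word
    raw += bytes(4)                                   # last-write time and date
    raw += struct.pack("<H", first_cluster & 0xFFFF)  # first cluster, low word
    raw += struct.pack("<I", size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


SAMPLE_DIR = (  # constructed directory sector for this example, not data from the study
    make_entry("README", "TXT", 0x20, 3, 1200)
    + make_entry("LETTER", "DOC", 0x20, 9, 48640, deleted=True)
    + bytes([0x41]) + bytes(10) + bytes([ATTR_LONG_NAME]) + bytes(20)   # LFN fragment
    + make_entry("OLDMAIL", "", ATTR_DIRECTORY, 40, 0, deleted=True)
    + make_entry("CARDS", "XLS", 0x20, 55, 20480, deleted=True)
    + bytes(ENTRY_SIZE)                                                 # 0x00 end marker
    + make_entry("GHOST", "PST", 0x20, 70, 99, deleted=True)            # stale, past the marker
)

if __name__ == "__main__":
    for e in deleted_entries(SAMPLE_DIR, past_end_marker=True):
        kind = "dir " if e.is_dir else "file"
        print(f"deleted {kind} {e.name:14} first cluster {e.first_cluster:5} size {e.size}")
```

Recovering the content from a listed entry still requires reading the clusters starting at first_cluster, which only works while nothing has been written over them; that is exactly the window the authors' sanitization recommendations are meant to close.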
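The credit-card scan in the Document File Analysis section combines the mod-10 (Luhn) check-digit test with a feasibility test on the number itself. This added Python example, not the authors' program, applies both tests to a constructed byte buffer standing in for a raw disk image and reports each hit masked, with its offset and surrounding bytes for the manual context inspection the authors describe. The regular expression, the assumed feasible leading digits (3 through 6, chosen here to cover the major card networks; the page states only that no major card begins with an eight) and the sample data are this example's assumptions.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int      # byte offset of the candidate inside the buffer
    masked: str      # first six and last four digits only, for safe reporting
    context: bytes   # surrounding bytes, for the manual review step


# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(rb"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])")

# Assumed feasible-range check (this example's choice, not the authors' exact rule).
FEASIBLE_FIRST_DIGITS = set("3456")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check: double every second digit from the right, sum, compare mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_buffer(buf: bytes, context_bytes: int = 16) -> List[Hit]:
    """Return masked hits that pass both the leading-digit and the mod-10 tests."""
    hits: List[Hit] = []
    for m in CANDIDATE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if digits[0] not in FEASIBLE_FIRST_DIGITS:
            continue
        if not luhn_ok(digits):
            continue
        start = max(0, m.start() - context_bytes)
        end = min(len(buf), m.end() + context_bytes)
        hits.append(Hit(m.start(), mask(digits), buf[start:end]))
    return hits


SAMPLE_IMAGE = (  # constructed slice of an "image file"; the numbers are well-known test values
    b"\x00\x00LOG 2001-03-14 acct=4111-1111-1111-1111 bal=120.55\n"
    b"GET /checkout?card=5500000000000004&exp=0203 HTTP/1.0\n"
    b"serial 1234567890123456 model 8888888888888888\n"
    b"phone 555-123-4567\x00\x00"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_IMAGE):
        print(f"offset {hit.offset:6}  {hit.masked}  context={hit.context!r}")
```

The constructed 8888… string passes the mod-10 test but is rejected by the leading-digit rule, which is why the authors applied both before inspecting context.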
RELATED LINKS

■ AutoClave (http://staff.washington.edu/jdlarios/autoclave)
■ CyberScrub (http://www.cyberscrub.com)
■ Wipe (http://wipe.sourceforge.net)
■ Disk and File Shredders: A Comparison (http://www.fortunecity.com/skyscraper/true/882/Comparison_Shredders.htm)
■ Simson Garfinkel’s blog (http://www.simson.net/blog)

FOR FURTHER RESEARCH

To find out more about the topics discussed in this reading, use InfoTrac College Edition. Type in keywords and subject terms such as “disk sanitization,” “drive reformatting and overwriting,” and “data confidentiality.” You can access InfoTrac College Edition from the Wadsworth/Thomson Communication Café homepage: http://communication.wadsworth.com.

Reading 12-2
In Defense of the Delete Key
James M. Rosenbaum

EDITOR’S NOTE

The computer delete key doesn’t really do its job. Allegedly erased files are merely removed from sight, not from your hard drive. As a result, a growing number of individuals and corporations, from Monica Lewinsky to Microsoft, are finding themselves liable for acts never committed, only expressed. Once expressed electronically, however, ideas and desires seem to take on a life of their own—often times well beyond the author’s actual intent. In this short but eloquent plea, James M. Rosenbaum, a federal district court judge for the District of Minnesota, argues that because we are not free to make mistakes online or retract messages once sent, we are gradually enforcing “a dangerous self-censorship over our ideas and expressions.”

CONSIDER

1. Do you agree with Judge Rosenbaum that the computer delete key represents an “elaborate deception”? Should anything be done to change its operation?
2. How would individuals and companies be protected if the courts recognized cyber trash, “the stuff which, in less electronic times, would have been wadded up and thrown into a wastebasket”?
3. What is lost, in a digital age, when an increasing number of passing comments uttered electronically are forever archived?

From “In Defense of the Delete Key” by James M. Rosenbaum, The Green Bag, An Entertaining Journal of Law, Summer 2000, pp. 393–396. Copyright © 2000 by James M. Rosenbaum.

It is becoming widely known that a computer’s delete key represents an elaborate deception. The deception is pure, and inheres in the key’s name: When the delete key is used, nothing is deleted.1 It is now clear that relatively simple devices can recover almost everything that has been “deleted.” This durability of computerized material compounds itself, because once a computer file is generated—let alone disseminated—internal and external copies proliferate. And each is impervious to deletion.

In practice, this once-arcane fact has spawned a new legal industry: the mining of e-mails, computer files, and especially copies of hard drives to obtain deleted material.

Knowing these facts leads me to two thoughts: one, we have now placed an electronic recording device over every office door; and two, we should not stand for it. Finally, I suggest a possible remedy.

THE ELECTRONIC RECORDER

There was a time when people spoke casually “off the record” amongst themselves. That time has passed. At this earlier time, two people could easily say something—even, perhaps, something politically incorrect—simply between themselves. They might even have exchanged nasty notes between themselves. And when they had moved past this tacky, but probably innocent, moment, it was truly gone.

Their words either vanished into the air, or the note was wadded up and thrown into a wastebasket. From there, the note was removed to a “delete” device called an incinerator. Once there, it was destroyed forever. The computer, and its evil spawn the e-mail, have ended this earlier time forever. For many of us, e-mail and the computer now substitute for those doorway conversations and those idle notes. But unlike those notes, they are not easily thrown away.

In the computer, the conversation lingers, and the note persists. In my view, this is wrong.

A PRECEPT

None of us is perfect. But the preservation and persistence of evidence of our imperfections does not prove we are wrong, vile, venal, or even duplicitous. It just proves we are human—perhaps even farther beneath the angels than we might have wished—but lower nonetheless.

Today, legal discovery deep-sea fishes for snippets of deleted e-mails and deleted files in search of proof of imperfections. And the fish which are caught are thrown, as proof, into courtrooms throughout the land. In my view, they are just fish, and as valueless as the same fish might be if allowed to rot as long as the finally recovered file has been deleted.

Sometimes people just have bad ideas, or might just pass an idle—if imperfect—thought. This does not mean the person is vile. Mere evidence that a person who has done “A,” but once expressed “B,” does not prove that the person is lying or deceitful. The fallacy in the “truth” of the recovered e-mail or computer file is that it might just have been a bad idea, properly rejected, and consigned to an imperfectly labeled wastebasket. The problem is that on the computer’s hard drive, it looks like more.

The second part of the fallacy is the almost universal—and I argue almost universally wrong—idea that finding this deleted material is the electronic equivalent of finding the inculpatory “second set of books.” The evil of the second set of books lies not in the fact of their conception, but that they were used. The fact that one conceives of something—even something improper—does not necessarily mean it was acted upon.

The preservation and discovery of computer-deleted material has forced companies and prudent individuals to severely curtail the practice of using e-mails for all but the most innocuous materials. Any other course of action subjects the computer user to long term liability for idle thoughts.

THE LARGER RISK

In some ways, the greater risk in the preservation and discovery of computerized material lies in the knowledge that things will not be expressed, and ideas will not be exchanged, out of a pernicious—but valid—fear that their mere expression will be judged tantamount to the act. This is dangerous indeed.

One of the United States Constitution’s many geniuses lies in its lofty protection of free speech. Legally, it protects the speaker only from state rather than private regulation. But the Constitution’s words express a higher ideal: The First Amendment’s premise is that a society is freer and in less danger when the wrong, the venal, the potentially evil is expressed and subjected to the light of day and to the “marketplace of ideas.” Conversely, but importantly, is the negative concept: the marketplace of ideas and expression is impoverished and demeaned when it is deprived of ideas which may be discussed and tested, and ultimately, perhaps, rejected. Knowledge of the computer’s awesome power to always remember, and never forget, a bad idea once expressed erodes and endangers this powerful concept.

People who recognize that whatever you say on a computer “can and will be used against you,” prudently avoid saying anything “dangerous” via computer. But does anyone believe that people are “thinking” more perfect thoughts simply because they are increasingly reluctant to express them? I seriously doubt it.

We are, instead, enforcing a dangerous self-censorship over our ideas and expressions. And we do not restrict this censorship to ourselves. Businesses and organizations regularly adopt restrictions on the words and ideas which can be input into the company’s or organization’s computers. Why? Because of the intersection of legal developments and technology.

SOME THOUGHTS ON THE LAW

Once upon a time, liability was based on objective acts done or omitted. Did the person threaten violence (assault); did he or she strike a victim (battery); did he or she fail to act reasonably under the circumstances (negligence)? If so, the actor was liable for the consequent act. Unless the actor’s intentions were objectively manifest, however, no liability accrued. In the 1950s, the song “Standing on the Corner” was correct: “Brother, you can’t go to jail for what you’re thinking, or for the ‘oooh’ look in your eye. You’re only standing on the corner, watching all the girls go by.”

This is, unquestionably, a new century. And since the end of the last, the song’s proposition has been somewhat modified. At least in some cases, there has been a shift to subjective proof. In these areas, courts and the law consider the recipient’s perception of the actor’s behavior. But even here, purely subjective views do not alone suffice—there must be some outward manifestation of the impure thoughts.

Into this classic legal environment comes the computer. It never forgets, and never forgives. An idle thought “jotted” onto a calendar, a tasteless joke passed to a once-trusted friend, a suggestive invitation directed at an uninterested recipient, if done electronically, will last forever. Years later, it can subject its author to liability.

A PROPOSAL

While recognizing the difficulties inherent in such a suggestion, I recommend a cyber statute of limitations. This limitation recognizes that even the best humans may have a somewhat less than heavenly aspect. It acknowledges that anyone is entitled to make a mistake and to think a less than perfect thought. I suggest that, barring a pattern of egregious behavior, or an objective record of systematic conduct—absent, if you will, a real “second set of books”—that the courts recognize the existence of cyber trash. This is the stuff, which, in less electronic times, would have been wadded up and thrown into a wastebasket. This is what the delete button was meant for, and why pencils still have erasers.

The length of this cyber statute of limitations can be set as arbitrarily as any other. In light of the free expression risks I perceive, I suggest the length should be short—perhaps 6 months for an isolated message. If an idea was merely a lousy one, or was an isolated cyber utterance, and the actor/author did not objectively manifest some untoward behavior, he or she would be considered presumptively human, and—at least for the law’s purposes—delete would mean delete. If, to the contrary, there was an objective continuation of the challenged conduct, or a continuing pattern of wrongful acts, the cyber statute of limitations would be tolled as any other.

This suggestion is feasible. Computers internally record the date on which a “document” was created. Once the limitations period has passed, documents should be legally consigned to the cyber wastebasket.

My solution is imperfect. But so are humans. If perfect recall defines perfection, computers have achieved it. But their operators have not achieved it with them, and humans are unlikely to do so. A legal system which demands human perfection, and which penalizes a momentary failing, cannot operate in the real world.

THE ULTIMATE FLAW

This suggestion recognizes that the computer is, itself, flawed. Its permanent memory is a flaw which undermines its value and endangers its users. Its inability to forget weakens and undermines the very ideas it permanently holds. The real flaw is that the computer lies: it lies when it says delete. This mechanical lie ought not to debase and degrade the humans who are, and ought to be, its master.

NOTE

1. For those with little knowledge, and less interest, a computer’s delete key acts somewhat like a thief who steals a card from the old library’s card file. When the card was in place, the librarian could decode the library’s filing system and find the book. If the card was gone, or unreadable, the book was still in the library, but it could no longer be found amidst the library’s stacked shelves. In a computer, the “lost” book can be found with very little effort.

RELATED LINKS

■ Daemon Seed: Old E-mail Never Dies (http://www.wired.com/wired/archive/7.05/email.html)
■ The Green Bag: An Entertaining Journal of Law (http://www.greenbag.org)
■ PC-Webopedia: Delete Key (http://webopedia.internet.com/TERM/D/Delete_key.html)
■ Send Those Computer Files to the Shredder (http://www.law.com/jsp/statearchive.jsp?type=Article&oldid=ZZZY9DVV6MC)

FOR FURTHER RESEARCH

To find out more about the topics discussed in this reading, use InfoTrac College Edition. Type in keywords and subject terms such as “delete key,” “e-mail lawsuits,” and “digital evidence.” You can access InfoTrac from the Wadsworth/Thomson Communication Café homepage: http://communication.wadsworth.com.

Reading 12-3
Privacy and the New Technology: What They Do Know Can Hurt You
Simson Garfinkel

EDITOR’S NOTE

Privacy is under siege from all sides. Over the next 50 years, we will see new types of privacy invasions that find their roots in advanced technology and unbridled information exchange, including the selling of medical records and biological information.
That’s the assessment of Simson Garfinkel in this excerpt from Database Nation: The Death of Privacy in the 21st Century. Threats to privacy can be tamed, he argues, by being careful and informed consumers, involving government in the privacy fight, and stepping up our personal privacy protection efforts.

CONSIDER

1. Why does Garfinkel think that the term “privacy” falls short of conveying the myriad ways in which technology undermines individual autonomy and self-integrity?
2. Many people today say that in order to enjoy the benefits of modern society, we must give up some degree of personal privacy. Do you agree? Why or why not?
3. Should government get involved in the privacy fight and, if so, how? Or would it be better to leave issues of individual freedom to individual citizens?

Reprinted with permission from Database Nation: The Death of Privacy in the 21st Century by Simson Garfinkel (Sebastopol, CA: O’Reilly & Associates, 2000). Copyright © 2000, O’Reilly & Associates, Inc. All rights reserved. Orders and Information: (800) 998-9938, www.oreilly.com. As edited and published by The Nation, February 28, 2000.

You wake to the sound of a ringing telephone—but how could that happen? Several months ago, you reprogrammed your home telephone system so it would never ring before the civilized hour of 8 am. But it’s barely 6:45. Who was able to bypass your phone’s programming?

You pick up the receiver, then slam it down a moment later. It’s one of those marketing machines playing a recorded message. What’s troubling you now is how this call got past the filters you set up. Later on you’ll discover how: The company that sold you the phone created an undocumented “back door”; last week, the phone codes were sold in an online auction.

Now that you’re awake, you decide to go through yesterday’s mail. There’s a letter from the neighborhood hospital you visited last month. “We’re pleased that our emergency room could serve you in your time of need,” the letter begins. “As you know, our fees (based on our agreement with your HMO) do not cover the cost of treatment. To make up the difference, a number of hospitals have started selling patient records to medical researchers and consumer-marketing firms. Rather than mimic this distasteful behavior, we have decided to ask you to help us make up the difference. We are recommending a tax-deductible contribution of $275 to help defray the cost of your visit.”

The veiled threat isn’t empty, but you decide you don’t really care who finds out about your sprained wrist. You fold the letter in half and drop it into your shredder. Also into the shredder goes a trio of low-interest credit-card offers. Why a shredder? A few years ago you would never have thought of shredding your junk mail—until a friend in your apartment complex had his identity “stolen” by the building’s superintendent. As best as anybody can figure out, the super picked one of those preapproved credit-card applications out of the trash, called the toll-free number and picked up the card when it was delivered. He’s in Mexico now, with a lot of expensive clothing and electronics, all at your friend’s expense.

On that cheery note, you grab your bag and head out the door, which automatically locks behind you.

This is the future—not a far-off future but one that’s just around the corner. It’s a future in which what little privacy we now have will be gone. Some people call this loss of privacy “Orwellian,” harking back to 1984, George Orwell’s classic work on privacy and autonomy. In that book, Orwell imagined a future in which a totalitarian state used spies, video surveillance, historical revisionism and control over the media to maintain its power. But the age of monolithic state control is over. The future we’re rushing toward isn’t one in which our every move is watched and recorded by some all-knowing Big Brother. It is instead a future of a hundred kid brothers who constantly watch and interrupt our daily lives. Orwell thought the Communist system represented the ultimate threat to individual liberty. Over the next fifty years, we will see new kinds of threats to privacy that find their roots not in Communism but in capitalism, the free market, advanced technology and the unbridled exchange of electronic information.

WHAT DO WE MEAN BY PRIVACY?

The problem with this word “privacy” is that it falls short of conveying the really big picture. Privacy isn’t just about hiding things. It’s about self-possession, autonomy and integrity. As we move into the computerized world of the twenty-first century, privacy will be one of our most important civil rights. But this right of privacy isn’t the right of people to close their doors and pull down their window shades—perhaps because they want to engage in some sort of illicit or illegal activity. It’s the right of people to control what details about their lives stay inside their own houses and what leaks to the outside.

Most of us recognize that our privacy is at risk. According to a 1996 nationwide poll conducted by Louis Harris & Associates, 24 percent of Americans have “personally experienced a privacy invasion.” In 1995 the same survey found that 80 percent felt that “consumers have lost all control over how personal information about them is circulated and used by companies.” Ironically, both the 1995 and 1996 surveys were paid for by Equifax, a company that earns nearly $2 billion each year from collecting and distributing personal information.

Today the Internet is compounding our privacy conundrum—largely because the voluntary approach to privacy protection advocated by the Clinton Administration doesn’t work in the rough and tumble world of real business. For example, a study just released by the California HealthCare Foundation found that nineteen of the top twenty-one health Web sites have privacy policies, but most sites fail to follow them. Not surprisingly, 17 percent of Americans questioned in a poll said they do not go online for health information because of privacy concerns.

But privacy threats are not limited to the Internet: Data from all walks of life are now being captured, compiled, indexed and stored. For example, New York City has now deployed the Metrocard system, which allows subway and bus riders to pay their fares by simply swiping a magnetic-strip card. But the system also records the serial number of each card and the time and location of every swipe. New York police have used this vast database to crack crimes and disprove alibis. Although law enforcement is a reasonable use of this database, it is also a use that was adopted without any significant public debate. Furthermore, additional controls may be necessary: It is not clear who has access to the database, under what circumstances that access is given and what provisions are being taken to prevent the introduction of false data into it. It would be terrible if the subway’s database were used by an employee to stalk an ex-lover or frame an innocent person for a heinous crime.

“New technology has brought extraordinary benefits to society, but it also has placed all of us in an electronic fishbowl in which our habits, tastes and activities are watched and recorded,” New York State Attorney General Eliot Spitzer said in late January, in announcing that Chase Manhattan had agreed to stop selling depositor information without clear permission from customers. “Personal information thought to be confidential is routinely shared with others without our consent.”

THE ROLE OF TECHNOLOGY

Today’s war on privacy is intimately related to the recent dramatic advances in technology. Many people today say that in order to enjoy the benefits of modern society, we must necessarily relinquish some degree of privacy. If we want the convenience of paying for a meal by credit card or paying for a toll with an electronic tag mounted on our rearview mirror, then we must accept the routine collection of our purchases and driving habits in a large database over which we have no control. It’s a simple bargain, albeit a Faustian one.

This trade-off is both unnecessary and wrong. It reminds me of another crisis our society faced back in the fifties and sixties—the environmental crisis. Then, advocates of big business said that poisoned rivers and lakes were the necessary costs of economic development, jobs and an improved standard of living. Poison was progress: Anybody who argued otherwise simply didn’t understand the facts.

Today we know better. Today we know that sustainable economic development depends on preserving the environment. Indeed, preserving the environment is a prerequisite to the survival of the human race. Without clean air to breathe and clean water to drink, we will all die. Similarly, in order to reap the benefits of technology, it is more important than ever for us to use technology to protect personal freedom.

Blaming technology for the death of privacy isn’t new. In 1890 two Boston lawyers, Samuel Warren and Louis Brandeis, argued in the Harvard Law Review that privacy was under attack by “recent inventions and business methods.” They contended that the pressures of modern society required the creation of a “right of privacy,” which would help protect what they called “the right to be let alone.” Warren and Brandeis refused to believe that privacy had to die for technology to flourish. Today, the Warren/Brandeis article is regarded as one of the most influential law review articles ever published.

Privacy-invasive technology does not exist in a vacuum, of course. That’s because technology itself exists at a junction between science, the market and society. People create technology to fill specific needs and desires. And technology is regulated, or not, as people and society see fit. Few engineers set out to build systems designed to crush privacy and autonomy, and few businesses or consumers would willingly use or purchase these systems if they understood the consequences.

FIGHTING BACK

How can we keep technology and the free market from killing our privacy? One way is by being careful and informed consumers. Some people have begun taking simple measures to protect their privacy, measures like making purchases with cash and refusing to provide their Social Security numbers—or providing fake ones. And a small but growing number of people are speaking out for technology with privacy. In 1990 Lotus and Equifax teamed up to create a CD-ROM product called Lotus Marketplace: Households, which would have included names, addresses and demographic information on every household in the United States, so small businesses could do the same kind of target marketing that big businesses have been doing since the sixties. The project was canceled when more than 30,000 people wrote to Lotus demanding that their names be taken out of the database.

Similarly, in 1997 the press informed taxpayers that the Social Security Administration was making detailed tax-history information about them available over the Internet. The SSA argued that its security provisions—requiring that taxpayers enter their name, date of birth, state of birth and mother’s maiden name—were sufficient to prevent fraud. But tens of thousands of Americans disagreed, several U.S. senators investigated the agency and the service was promptly shut down. When the service was reactivated some months later, the detailed financial information in the SSA’s computers could not be downloaded over the Internet.

THE ROLE OF GOVERNMENT

But individual actions are not enough. We need to involve government itself in the privacy fight. The biggest privacy failure of the U.S. government has been its failure to carry through with the impressive privacy groundwork that was laid in the Nixon, Ford and Carter administrations. It’s worth taking a look back at that groundwork and considering how it may serve us today.

The 1970s were a good decade for privacy protection and consumer rights. In 1970 Congress passed the Fair Credit Reporting Act, which gave Americans the previously denied right to see their own credit reports and demand the removal of erroneous information. Elliot Richardson, who at the time was President Nixon’s Secretary of Health, Education and Welfare, created a commission in 1972 to study the impact of computers on privacy. After years of testimony in Congress, the commission found all the more reason for alarm and issued a landmark report in 1973.

The most important contribution of the Richardson report was a bill of rights for the computer age, which it called the Code of Fair Information Practices. The Code is based on five principles:

■ There must be no personal-data record-keeping

base, to see the information and to demand that incorrect information be removed.

In fact, while most people in the federal government were ignoring the cause of privacy, some were actually pursuing an anti-privacy agenda.
In the early system whose very existence is secret. 1980s, the government initiated numerous “computer ■ There must be a way for a person to ﬁnd out matching” programs designed to catch fraud and abuse. what information about the person is in a record Unfortunately, because of erroneous data these pro- and how it is used. grams often penalized innocent people. In 1994 Con- gress passed the Communications Assistance to Law ■ There must be a way for a person to prevent in- Enforcement Act, which gave the government dramatic formation about the person that was obtained for new powers for wiretapping digital communications. one purpose from being used or made available In 1996 Congress passed two laws, one requiring states for other purposes without the person’s consent. to display Social Security numbers on driver’s licenses ■ There must be a way for a person to correct or and another requiring that all medical patients in the amend a record of identiﬁable information about United States be issued unique numerical identiﬁers, the person. even if they pay their own bills. Fortunately, the imple- ■ Any organization creating, maintaining, using or mentation of those 1996 laws has been delayed, thanks disseminating records of identiﬁable personal data largely to a citizen backlash and the resulting inaction must assure the reliability of the data for their in- by Congress and the executive branch. tended use and must take precautions to prevent Continuing the assault, both the Bush and Clinton misuse of the data. administrations waged an all-out war against the rights of computer users to engage in private and secure com- The biggest impact of the Richardson report wasn’t munications. Starting in 1991, both administrations in the United States but in Europe. 
In the years after ﬂoated proposals for use of “Clipper” encryption sys- the report was published, practically every European tems that would have given the government access to country passed laws based on these principles. Many encrypted personal communications. Only recently did created data-protection commissions and commission- the Clinton Administration ﬁnally relent in its seven- ers to enforce the laws. Some believe that one reason year war against computer privacy. President Clinton for Europe’s interest in electronic privacy was its ex- also backed the Communications Decency Act (CDA), perience with Nazi Germany in the 1930s and 1940s. which made it a crime to transmit sexually explicit Hitler’s secret police used the records of governments information to minors—and, as a result, might have and private organizations in the countries he invaded required Internet providers to deploy far-reaching to round up people who posed the greatest threat to monitoring and censorship systems. When a court German occupation; postwar Europe realized the dan- in Philadelphia found the CDA unconstitutional, the ger of allowing potentially threatening private infor- Clinton Administration appealed the decision all the mation to be collected, even by democratic govern- way to the Supreme Court—and lost. ments that might be responsive to public opinion. But here in the United States, the idea of insti- tutionalized data protection faltered. President Jimmy PROTECTING PRIVACY Carter showed interest in improving medical privacy, but he was quickly overtaken by economic and politi- One important step toward reversing the current di- cal events. Carter lost the election of 1980 to Ronald rection of government would be to create a permanent Reagan, whose aides saw privacy protection as yet an- federal oversight agency charged with protecting pri- other failed Carter initiative. Although several privacy- vacy. 
Such an agency would: protection laws were signed during the Reagan/Bush era, the leadership for these bills came from Congress, ■ Watch over the government’s tendency to sac- not the White House. The lack of leadership stiﬂed any riﬁce people’s privacy for other goals and per- chance of passing a nationwide data-protection act. form government-wide reviews of new federal Such an act would give people the right to know if programs for privacy violations before they’re their name and personal information is stored in a data- launched. 326 PART VI POLICING THE ELECTRONIC WORLD: ISSUES AND ETHICS ■ Enforce the government’s few existing privacy damental rights offered to consumers under the FCRA. laws. When negative information is reported to a credit bu- ■ Be a guardian for individual privacy and liberty in reau, the business making that report should be re- the business world, showing businesses how they quired to notify the subject of the report—the con- can protect privacy and proﬁts at the same time. sumer—in writing. Laws should be clariﬁed so that if a consumer-reporting company does not correct erro- ■ Be an ombudsman for the American public and neous data in its reports, consumers can sue for real rein in the worst excesses that our society has damages, punitive damages and legal fees. created. Further, we need laws that require improved com- Some privacy activists scoff at the idea of using puter security. In the eighties the United States ag- government to assure our privacy. Governments, they gressively deployed cellular-telephone and alphanu- say, are responsible for some of the greatest privacy vio- meric-pager networks, even though both systems were lations of all time. This is true, but the U.S. govern- fundamentally unsecure. Instead of deploying secure ment was also one of the greatest polluters of all time. 
systems, manufacturers lobbied for laws that would Today the government is the nation’s environmental make it illegal to listen to the broadcasts. The results police force, equally scrutinizing the actions of private were predictable: dozens of cases in which radio trans- business and the government itself. missions were eavesdropped. We are now making At the very least, governments can alter the devel- similar mistakes in the prosecution of many Internet opment of technology that affects privacy. They have crimes, going after the perpetrator while refusing to done so in Europe. Consider this: A growing number acknowledge the liabilities of businesses that do not of businesses in Europe are offering free telephone calls even take the most basic security precautions. —provided that the caller ﬁrst listens to a brief adver- We should also bring back the Ofﬁce of Technol- tisement. The service saves consumers money, even if ogy Assessment, set up under a bill passed in 1972. The it does expose them to a subtle form of brainwashing. OTA didn’t have the power to make laws or issue regu- But not all these services are equal. In Sweden both the lations, but it could publish reports on topics Congress caller and the person being called are forced to listen asked it to study. Among other things, the OTA con- to the advertisement, and the new advertisements are sidered at length the trade-offs between law enforce- played during the phone call itself. But Italy’s privacy ment and civil liberties, and it also looked closely at ombudsman ruled that the person being called could issues of worker monitoring. In total, the OTA pub- not be forced to listen to the ads. lished 741 reports, 175 of which dealt directly with The Fair Credit Reporting Act was a good law in privacy issues, before it was killed in 1995 by the newly its day, but it should be upgraded into a Data Pro- elected Republican-majority Congress. tection Act. 
Unfortunately, the Federal Trade Com- Nearly forty years ago, Rachel Carson’s book Silent mission and the courts have narrowly interpreted the Spring helped seed the U.S. environmental movement. FCRA. The ﬁrst thing that is needed is legislation And to our credit, the silent spring that Carson foretold that expands it into new areas. Speciﬁcally, consumer- never came to be. Silent Spring was successful because it reporting ﬁrms should be barred from reporting arrests helped people to understand the insidious damage that unless those arrests result in convictions. Likewise, pesticides were wreaking on the environment, and it consumer-reporting ﬁrms should not be allowed to re- helped our society and our planet to plot a course to a port evictions unless they result in court judgments in better future. favor of the landlord or a settlement in which both the Today, technology is killing one of our most cher- landlord and tenant agree that the eviction can be re- ished freedoms. Whether you call this freedom the ported. Companies should be barred from exchanging right to digital self-determination, the right to infor- medical information about individuals or furnishing mational autonomy, or simply the right to privacy, the medical information as part of a patient’s report with- shape of our future will be determined in large part by out the patient’s explicit consent. how we understand, and ultimately how we control or We also need new legislation that expands the fun- regulate, the threats to this freedom that we face today. CHAPTER 12 PRIVACY AND SURVEILLANCE 327 REL ATED LINKS ■ Center for Democracy and Technology (www.cdt.org) ■ Echelon Watch (www.aclu.org/echelonwatch/index.html) ■ Electronic Frontier Foundation (www.eff.org) ■ Global Internet Liberty Campaign (www.gilc.org) FOR FURTHER RESEARCH To ﬁnd out more about the topics discussed in this reading, use InfoTrac College Edition. 
Type in keywords and subject terms such as “privacy invasion,” “electronic databases,” and “privacy protection.” You can access InfoTrac from the Wadsworth/ Thomson Communication Café homepage: http://communication.wadsworth.com. Reading 12-4 The Challenge of an Open Society David Brin EDITOR’S NOTE Fifteen minutes into the future, society faces a dilemma. The proliferation of surveillance cameras and recording equipment— so-called “snoop technology”—has vanquished crime but at the expense of unprecedented monitoring of public spaces and pri- vate places. David Brin argues in this excerpt from The Transparent Society that early in the 21st century, we will confront a troubling choice: live free but under constant scrutiny on the one hand, or retain our supposed privacy while relying on the authorities to responsibly monitor society on the other. CONSIDER 1. Given the choice between Brin’s two mythical cities, which would be a more desirable place to live, and why? 2. What central issue will the citizens of countless 21st century communities have to confront, according to Brin? 3. Why does Brin consider accountability to be the keystone of Western civilization’s success? You’re wondering why I’ve called you here. The reason is simple. To answer all your questions. I mean—all. This is the greatest news of our time. As of today, whatever you want to know, provided it’s in the data-net, you can know. In other words, there are no more secrets. —John Brunner, The Shockwave Rider, 1974 328 PART VI POLICING THE ELECTRONIC WORLD: ISSUES AND ETHICS This is a tale of two cities. Cities of the near future, say use his or her wristwatch television to call up images ten or twenty years from now. from any camera in town. Barring something unforeseen, you are apt to be Here a late-evening stroller checks to make sure no living in one of these two places. Your only choice may one lurks beyond the corner she is about to turn. be which one. 
Over there a tardy young man dials to see if his At ﬁrst sight, these two municipalities look pretty dinner date still waits for him by a city fountain. much alike. Both contain dazzling technological mar- A block away, an anxious parent scans the area to vels, especially in the realm of electronic media. Both ﬁnd which way her child wandered off. suffer familiar urban quandaries of frustration and de- Over by the mall, a teenage shoplifter is taken into cay. If some progress is being made in solving human custody gingerly, with minute attention to ritual and problems, it is happening gradually. Perhaps some kids rights, because the arresting ofﬁcer knows that the seem better educated. The air may be marginally entire process is being scrutinized by untold numbers cleaner. People still worry about overpopulation, the who watch intently, lest her neutral professionalism environment, and the next international crisis. lapse. None of these features is of interest to us right now, In city number two, such microcameras are banned for we have noticed something about both of these from some indoor places . . . but not from police head- twenty-ﬁrst century cities that is radically different. A quarters! There any citizen may tune in on bookings, trait that marks them as distinct from any metropolis of arraignments, and especially the camera control room the late 1990s. itself, making sure that the agents on duty look out for Street crime has nearly vanished from both towns. violent crime, and only crime. But that is only a symptom, a result. Despite their initial similarity, these are very differ- The real change peers down from every lamppost, ent cities, representing disparate ways of life, com- every rooftop and street sign. pletely opposite relationships between citizens and Tiny cameras, panning left and right, survey trafﬁc their civic guardians. The reader may ﬁnd both situa- and pedestrians, observing everything in open view. tions somewhat chilling. 
Both futures may seem unde- Have we entered an Orwellian nightmare? Have sirable. But can there be any doubt which city we’d the burghers of both towns banished muggings at the rather live in, if these two make up our only choice? cost of creating a Stalinist dystopia? Consider city number one. In this place, all the myriad cameras report their urban scenes straight to TECHNOLOGY’S VERDICT Police Central, where security ofﬁcers use sophisti- cated image processors to scan for infractions against Alas, they do appear to be our only options. For the public order— or perhaps against an established way of cameras are on their way, along with data networks that thought. Citizens walk the streets aware that any word will send a myriad images ﬂashing back and forth, or deed may be noted by agents of some mysterious faster than thought. bureau. In fact, the future has already arrived. The trend Now let’s skip across space and time. began in Britain a decade ago, in the town of King’s At ﬁrst sight, things seem quite similar in city num- Lynn, where sixty remote-controlled video cameras ber two. Again, ubiquitous cameras perch on every were installed to scan known “trouble spots,” report- vantage point. Only here we soon ﬁnd a crucial differ- ing directly to police headquarters. The resulting re- ence. These devices do not report to the secret police. duction in street crime exceeded all predictions; in or Rather, each and every citizen of this metropolis can near zones covered by surveillance, crime dropped to one-seventieth of the former rate. The savings in patrol costs alone paid for the equipment in a few months. From “The Challenge of an Open Society,” in The Transparent Dozens of cities and towns soon followed the example Society: Freedom vs. Privacy in a City of Glass Houses by David of King’s Lynn. Glasgow, Scotland, reported a 68 per- Brin. Copyright © 1998 by G. David Brin. 
Reprinted by per- cent drop in crime citywide, while police in Newcas- mission of Perseus Books Publishers, a member of Perseus tle ﬁngered over 1,500 perpetrators with taped evi- Books, LLC. dence. (All but seven pleaded guilty, and those seven CHAPTER 12 PRIVACY AND SURVEILLANCE 329 were later convicted.) In May 1997, Newcastle soccer Some of the same parents are less happy about the fans rampaged through downtown streets. Detectives lensed pickups that are sprouting in their own work- studying video tapes picked out 152 faces and pub- places, enabling supervisors to tune in on them in the lished 80 photographs in local newspapers. In days, all same way they use Kindercam to check up on their were identiﬁed. kids. Today, over 300,000 cameras are in place through- That is, if they notice the cameras at all. At present, out the United Kingdom, transmitting round-the- engineers can squeeze the electronics for a video unit clock images to a hundred constabularies [police into a package smaller than a sugar cube. Complete sets stations], all of them reporting decreases in public mis- half the size of a pack of cigarettes were recently conduct. Polls report that the cameras are extremely offered for sale by the Spy Shop, a little store in popular with citizens, though British civil libertarian New York City located two blocks from the United John Wadham and others have bemoaned this prolifer- Nations [see http://www.w2.com/docs2/z/spyshop ation of snoop technology, claiming, “It could be used .html]. Meanwhile, units with radio transmitters are for any other purpose, and of course it could be being disguised in clock radios, telephones, and toast- abused.” ers, as part of the burgeoning “nannycam” trend. 
So Visitors to Japan, Thailand, and Singapore will see high is demand for these pickups, largely by parents that other countries are rapidly following the British eager to check on their babysitters, that just one ﬁrm example, using closed circuit television (CCTV) to su- in Orange County, California, has recently been sell- pervise innumerable public areas. ing from ﬁve hundred to one thousand disguised cam- This trend was slower coming to North America, eras a month. By the end of 1997, prices had dropped but it appears to be taking off. After initial experiments from $2,500 to $399. garnered widespread public approval, the City of Bal- Cameras aren’t the only surveillance devices prolif- timore put police cameras to work scanning all 106 erating in our cities. Starting with Redwood City, near downtown intersections. In 1997, New York City be- San Francisco, several police departments have begun gan its own program to set up twenty-four-hour re- lacing neighborhoods with sound pickups that transmit mote surveillance in Central Park, subway stations, and directly back to headquarters. Using triangulation other public places. techniques, ofﬁcials can now pinpoint bursts of gunﬁre No one denies the obvious and dramatic short- and send patrol units swiftly to the scene, without hav- term beneﬁts derived from this early proliferation of ing to wait for vague telephone reports from neigh- surveillance technology. That is not the real issue. In bors. In 1995 the Defense Department awarded a $1.7 the long run, the sovereign folk of Baltimore and million contract to Alliant Techsystems for its proto- countless other communities will have to make the type system secures, which tests more advanced sound same choice as the inhabitants of our two mythical pickup networks in Washington and other cities. The cities. Who will ultimately control the cameras? hope is to distinguish not only types of gunﬁre but also Consider a few more examples. human voices crying for help. 
How many parents have wanted to be a ﬂy on the So far, so good. But from there, engineers say it wall while their child was at day care? This is now pos- would be simple to upgrade the equipment, enabling sible with a new video monitoring system known bored monitors to eavesdrop through open bedroom as Kindercam, linked to high-speed telephone lines and windows on cries of passion, or family arguments. “Of a central Internet server. Parents can log on, type course we would never go that far,” one ofﬁcial said, www.kindercam.com, enter their password, and access reassuringly. a live view of their child in day care at any time, from Consider another piece of James Bond apparatus anywhere in the world. Kindercam will be installed in now available to anyone with ready cash. Today, almost two thousand day care facilities nationwide by the end any electronics store will sell you night vision goggles of 1998. Mothers on business trips, fathers who live out using state-of-the-art infrared optics equal to those is- of state, even distant grandparents can all “drop in” on sued by the military, for less than the price of a video their child daily. Drawbacks? Overprotective parents camera. Agema Systems, of Syracuse, New York, has may check compulsively. And now other parents can sold several police departments imaging devices that observe your child misbehaving! can peer into houses from the street, discriminate the 330 PART VI POLICING THE ELECTRONIC WORLD: ISSUES AND ETHICS heat given off by indoor marijuana cultivators, and locate its mobile subscribers within a few hundred me- sometimes tell if a person inside moves from one room ters. This aided several police investigations. But civil to the next. Military and civilian enhanced vision tech- libertarians expressed heated concern, especially since nologies now move in lockstep, as they have in the identical technology is used worldwide. computer ﬁeld for years. 
The same issues arise when we contemplate the In other words, even darkness no longer guarantees proliferation of vast databases containing information privacy. about our lives, habits, tastes, and personal histories. Nor does your garden wall. In 1995, Admiral The cash register scanners in a million supermarkets, William A. Owens, then vice chairman of the Joint video stores, and pharmacies already pour forth a ﬂood Chiefs of Staff, described a sensor system that he ex- of statistical data about customers and their purchases, pected to be operational within a few years: a pilotless ready to be correlated. (Are you stocking up on hem- drone, equipped to provide airborne surveillance for orrhoid cream? Renting a daytime motel room? The soldiers in the ﬁeld. While camera robots in the $1 mil- database knows.) Corporations claim this information lion range have been ﬂying in the military for some helps them serve us more efﬁciently. Critics respond time, the new system will be extraordinarily cheap and that it gives big companies an unfair advantage, en- simple. Instead of requiring a large support crew, it will abling them to know vastly more about us than we be controlled by one semiskilled soldier and will ﬁt in do about them. Soon, computers will hold all your the palm of a hand. Minuscule and quiet, such remote- ﬁnancial and educational records, legal documents, piloted vehicles, or RPVs, may ﬂit among trees to sur- and medical analyses that parse you all the way down vey threats near a riﬂe platoon. When mass-produced to your genes. Any of this might be examined by in huge quantities, unit prices will fall. strangers without your knowledge, or even against Can civilian models be far behind? No law or reg- your stated will. ulation will keep them from our cities for very long. 
As with those streetlamp cameras, the choices we The rich, the powerful, and ﬁgures of authority will make regarding future information networks—how have them, whether legally or surreptitiously. And the they will be controlled and who can access the data— contraptions will become smaller, cheaper, and smarter will affect our own lives and those of our children and with each passing year. their descendants. So much for the supposed privacy enjoyed by sun- bathers in their own backyards. Moreover, surveillance cameras are the tip of the A MODERN CONCERN metaphorical iceberg. Other entrancing and invasive innovations of the vaunted Information Age abound. The issue of threatened privacy has spawned a ﬂood of Will a paper envelope protect the correspondence you books, articles, and media exposes—from Janna Mala- send by old-fashioned surface mail when new-style mud Smith’s thoughtful Private Matters, and Ellen Al- scanners can trace the patterns of ink inside without derman and Caroline Kennedy’s erudite Right to Pri- ever breaking the seal? vacy all the way to shrill, paranoic rants by conspiracy Let’s say you correspond with others by e-mail and fetishists who see Big Brother lurking around every use a computerized encryption program to ensure that corner. Spanning this spectrum, however, there ap- your messages are read only by the intended recipient. pears to be one common theme. Often the author What good will all the ciphers and codes do, if some has responded with a call to arms, proclaiming that we adversary has bought a “back door” password to your must become more vigilant to protect traditional pri- encoding program? Or if a wasp-sized camera drone vacy against intrusions by faceless (take your pick) gov- ﬂits into your room, sticks to the ceiling above your ernment bureaucrats, corporations, criminals, or just desk, inﬂates a bubble lens, and watches every key- plain busybodies. stroke that you type? 
That is the usual conclusion—but not the one here.

For in fact, it is already far too late to prevent the invasion of cameras and databases. The djinn cannot be crammed back into its bottle. No matter how many laws are passed, it will prove quite impossible to legislate away the new surveillance tools and databases. They are here to stay.

Light is going to shine into nearly every corner of our lives.

The real issue facing citizens of a new century will be how mature adults choose to live—how they can compete, cooperate, and thrive—in such a world. A transparent society.

Our civilization is already a noisy one precisely because we have chosen freedom and mass sovereignty, so that the citizenry itself must constantly argue out the details, instead of leaving them to some committee of sages.

What distinguishes society today is not only the pace of events but the nature of our tool kit for facing the future. Above all, what has marked our civilization as different is its knack for applying two extremely hard-won lessons from the past.

In all of history, we have found just one cure for error—a partial antidote against making and repeating grand, foolish mistakes, a remedy against self-deception. That antidote is criticism.

Scientists have known this for a long time. It is the keystone of their success. A scientific theory gains respect only by surviving repeated attempts to demolish it. Only after platoons of clever critics have striven to come up with refuting evidence, forcing changes, do a few hypotheses eventually graduate from mere theories to accepted models of the world.

If neo-Western civilization has one great trick in its repertoire, a technique more responsible than any other for its success, that trick is accountability. Especially the knack—which no other culture ever mastered—of making accountability apply to the mighty.

True, we still don't manage it perfectly. Gaffes, bungles, and inanities still get covered up. And yet, one can look at any newspaper or television news program and see an eager press corps at work, supplemented by hordes of righteously indignant individuals (and their lawyers), all baying for waste or corruption to be exposed, secrets to be unveiled, and nefarious schemes to be nipped in the bud. Disclosure is a watchword of the age, and politicians have grudgingly responded by passing the Freedom of Information Act (FOIA), truth-in-lending laws, open meeting rules, and codes to enforce candor in real estate, in the nutritional content of foodstuffs, in the expense accounts of lobbyists, and so on.

In late 1997 it was revealed that Swiss police had secretly tracked the whereabouts of mobile phone users via a telephone company computer that records billions of movements per year. Swisscom was able to

Although this process of stripping off veils has been uneven, and continues to be a source of contention, the underlying moral force can clearly be seen pervading our popular culture, in which nearly every modern film or novel seems to preach the same message—suspicion of authority. The phenomenon is not new to our generation. Schoolbooks teach that freedom is guarded by constitutional "checks and balances," but those same legal provisions were copied, early in the nineteenth century, by nearly every new nation of Latin America, and not one of them remained consistently free. In North America, constitutional balances worked only because they were supplemented by a powerful mythic tradition, expounded in story, song, and now virtually every Hollywood film, that any undue accumulation of power should be looked on with concern.

Above all, we are encouraged to distrust government.

The late Karl Popper pointed out the importance of this mythology in the dark days during and after World War II, in The Open Society and Its Enemies. Only by insisting on accountability, he concluded, can we constantly remind public servants that they are servants. It is also how we maintain some confidence that merchants aren't cheating us, or that factories aren't poisoning the water. As inefficient and irascibly noisy as it seems at times, this habit of questioning authority ensures freedom far more effectively than any of the older social systems that were based on reverence or trust.

And yet, another paradox rears up every time one interest group tries to hold another accountable in today's society.

Whenever a conflict arises between privacy and accountability, people demand the former for themselves and the latter for everybody else.

The rule seems to hold in almost every realm of modern life, from special prosecutors investigating the finances of political figures to worried parents demanding that lists of sex offenders be made public. From merchants anxious to see their customers' credit reports to clients who resent such snooping. From people who "need" caller ID to screen their calls to those worried that their lives might be threatened if they lose telephone anonymity. From activists demanding greater access to computerized government records in order to hunt patterns of corruption or incompetence in office to other citizens who worry about the release of personal information contained in those very same records.

332 PART VI POLICING THE ELECTRONIC WORLD: ISSUES AND ETHICS

In opposing this modern passion for personal and corporate secrecy, I should first emphasize that I like privacy! Outspoken eccentrics need it, probably as much or more than those who are reserved. I would find it hard to get used to living in either of the cities described in the example at the beginning of this chapter. But a few voices out there have begun pointing out the obvious. Those cameras on every street corner are coming, as surely as the new millennium.

Oh, we may agitate and legislate. But can "privacy laws" really prevent hidden eyes from getting tinier, more mobile, and clever? In software form they will cruise the data highways. "Antibug" technologies will arise, but the resulting surveillance arms race can hardly favor the "little guy." The rich, the powerful, police agencies, and a technologically skilled elite will always have an advantage.

In the long run, as author Robert Heinlein prophesied years ago, will the chief effect of privacy laws simply be to "make the bugs smaller"?

The subtitle of this book—Will Technology Force Us to Choose Between Privacy and Freedom?—is intentionally provocative. I think such a stark choice can be avoided. It may be possible to have both liberty and some shelter from prying eyes.

But suppose the future does present us with an absolute either-or decision, to select just one, at the cost of the other. In that case, there can be no hesitation. Privacy is a highly desirable product of liberty. If we remain free and sovereign, we may have a little privacy in our bedrooms and sanctuaries. As citizens, we'll be able to demand some.

But accountability is no side benefit. It is the one fundamental ingredient on which liberty thrives. Without the accountability that derives from openness—enforceable upon even the mightiest individuals and institutions—how can freedom survive?

In the information age to come, cameras and databases will sprout like poppies—or weeds—whether we like it or not. Over the long haul, we as a people must decide the following questions:

Can we stand living exposed to scrutiny, our secrets laid open, if in return we get flashlights of our own that we can shine on anyone who might do us harm—even the arrogant and strong?

Or is an illusion of privacy worth any price, even the cost of surrendering our own right to pierce the schemes of the powerful?

There are no easy answers, but asking questions can be a good first step.
RELATED LINKS

■ David Brin's Web Page (http://www.kithrup.com/brin)
■ EarthCam: Webcam Network (http://www.earthcam.com)
■ HotSeat: The Transparent Society (http://hotwired.lycos.com/packet/hotseat/97/22/transcript4a.html)
■ Surveillance Camera News (http://www.mediaeater.com/cameras/news.html)
■ Video Surveillance (http://www.privacyinternational.org/issues/cctv)

FOR FURTHER RESEARCH

To find out more about the topics discussed in this reading, use InfoTrac College Edition. Type in keywords and subject terms such as "surveillance," "snoop technology," and "transparent society." You can access InfoTrac from the Wadsworth/Thomson Communication Café homepage: http://communication.wadsworth.com.