The Archives of the International Informatics Institute

This article was developed from "CyberRights & Wrongs," a series of seminars produced at Internet World conferences.

CyberRights and Wrongs:
Internet Crime, Privacy and Security

By Lawrence Greenberg
Published: January 31, 2002


  • Identity theft complaints jumped from 23% of all fraud complaints in 2000 to 42% in 2001. In 2001, this was the highest percentage of all fraud complaints recorded. Many, if not most, identity thefts are transacted via the Internet.

  • Skimming of credit cards is now more prevalent than it ever has been, and the Internet is playing a greater role than ever before in this process, as critical information is transferred via e-mail from one criminal party to another—and/or is entered directly into a Web-enabled database. Terrorists and mobsters alike are overly familiar with sophisticated skimming practices.

  • Recent government legislation was so stringent regarding monitoring of children’s access to the Internet that more than a few sites dedicated to positive content for children had to shut down—they were, in fact, in violation of this new act.


The Internet vs. the Real World

As the Internet continues to mushroom in size, scope and complexity, so too do the issues related to the access to and usage and protection of Internet-based information—both personal and corporate. Today, there is still a notable degree of uncertainty about how the regulations governing crime prevention in the real world should be applied to transactions effected on the Web. Should the same regulations apply? If not, what are the differences? Exactly how and where should the differences be implemented? How much and what types of information being made available by individuals and organizations alike are safe, legitimate, and/or trustworthy? To what extent am I, a single individual, at risk if I do effect a Web-based transaction? What should be done to regulate this process?

Because the Web, the virtual world, is vastly different from the real world in many critical ways, the fundamental issues of transactive behavior must be perceived differently. While the same transactional basics are in place—I enter a store/organization, I select an item/service that appeals to me, I purchase the item/service—the environment in which these actions occur is radically altered. When I go into Macy’s, nobody knows who I am—even if I’ve been there 20 times before. When I make a purchase, nobody effecting the purchase knows who I am—again, even if I’ve already been there a dozen times or more. If I fill out a customer survey questionnaire, or perform some related activity, I would expect to receive promotional literature in the mail—but not if I don’t.

On the Web, this all changes. To access a specific site’s services, a customer often has to enter personal information. Even if that’s not the case, if he returns to the same site a second time, he’s known as soon as he shows up, because of what are termed cookies—markers that tell the site who he is. And the more sites he visits, the more widely he’s known—almost immediately. Junk and promotional e-mail grows exponentially as you visit a greater number of sites. Without question, a critical issue facing the consumer is: now that all these organizations, vendors, entities know who I am—my name, my e-mail address, other things about me—what will they do with that information? Is there a chance it will fall into the wrong hands and something bad will happen?

One of the intriguing dichotomies of behavioral modes regarding the Internet is—who cares if a company knows about me, as long as nothing bad happens to me, vs. I don’t want anything bad to happen to me, so I will disable all the cookies that have been created about me (from my activity) and I will be very careful about where I go and what I do. The first perspective emphasizes an open approach to involvement in activity; the second, a cautious one that plays it safe. But is the open person he who is more easily swindled, more susceptible to identity theft? On the Internet, it’s very difficult to tell.

What makes it so difficult is the inability, in many (if not most) cases, to pinpoint the path that information takes, even from the get go. I never have even an initial real point of contact for any Web-based transaction. I may know the name of the specific Website, but I never know the individual I’m dealing with—because there never is an individual. Thus, because of this anonymous transactor, I can never really know if a transaction I effect is used for other purposes. While this is also true in the real world, there, the consumer more often than not has an initial real point of contact. On the Web, there’s no real starting point. This lack of starting point is a crucial missing element: it alienates the buyer, the transactor, the user from the transactive process and makes it, at least psychologically, more likely that my personal information could be used for any purpose at all. What, after all, is behind that spiffy-looking Website?

An example may illustrate the radical difference between the real world and the Internet in this context. Because many organizations use various types of bots on the Web, they can gather information relatively easily from the sites of competitive or partner organizations—with or without consent. If, for example, in the recent past I purchased prescription drugs over the Web on a regular basis, and subsequently receive a letter from my insurer stating that based on my use of this specific drug, my health insurance premium is now 50% higher, is this legal? Ethical? Would this have happened had I gone to a pharmacy in my neighborhood rather than purchased the drug on the Internet?

Yet Americans seem, to a large extent, somewhat oblivious to these issues. If I get a free T-shirt for the vendor collecting my name, address, hair color, shoe size—so what? I want the T-shirt. Is EarthLink’s claim that, unlike America OnLine, they don’t watch everything you do really a competitive edge? Or do Americans really care whether AOL "watches everything you do"?

Internet Crime

The Price Waterhouse estimate of cybercrime for the year 2000 is in the area of $250 billion in fraud, theft, damages, and other criminal activity. Even if the real number is 10% of this, that is an enormous amount, and attests to the ease of crime perpetration in this new environment. Crime on the Web differs from that in the real world in three fundamental ways:

  • It’s done much faster.

  • It’s easily done anonymously.

  • It can be perpetrated quickly and then, even before the victim knows he’s a victim, the perpetrator disappears—the Website’s shut down, e-mail address is disabled, etc.

The tremendous flexibility the criminal has at his disposal on the Internet has not gone unnoticed by law enforcement agencies. But because this is a relatively new form of crime and technically more complex than many real world crimes, the expertise to address these activities is often not in place. An FBI agent investigating an Internet crime, for example, has no informants and no physical evidence. He also has more limitations on what and how information is gathered than he would in the real world. What’s now termed digital evidence is significantly more difficult to track than physical evidence—it could be virtually anywhere.

But by the same token, the agencies that have been formed to meet the challenge of Internet crime also take advantage of the Web. The Internet Fraud Complaints Center (IFCC) and a similar Internet branch of the Federal Trade Commission are available 24/7, unlike their real world counterparts. They can act quickly, and they are more flexible—it’s much easier to aggregate the particulars of many cases reported online for a given merchant and subsequently pursue the perpetrator.

Identity and Privacy

Is it ethical to withhold one’s identity on the Internet? According to one point of view—no; it’s imperative that the individual identify himself, declare himself. Only by doing this can anyone on the Web know what’s true—or at least the true identity of those with whom one is dealing. Yet because of the anonymous transactor environment (here, transactor refers to any party with whom I converse, exchange money for goods and/or services, or otherwise interact), I can never really know if the other party is revealing his true identity—even if I do. Opponents hold that not only is it ethical to withhold one’s identity, but necessary, in order to protect the weaker party from the stronger one. In this context, ‘weaker’ refers to the one who can be more easily taken advantage of.

The degree to which I disclose my identity will depend on several factors:

  • The audience—those to whom I am disclosing

  • The transaction—what I’m disclosing the information for

  • The degree/level of perceived safety/security embedded in the transaction

  • The payoff—what I get in return for this disclosure

At the same time that these are the forces that drive the individual, laws are being enacted—every few months, it seems—further regulating what can and cannot be done on the Internet. The paradoxical nature of these laws is that while ostensibly protecting the individual from potentially criminal activities on the Internet, they simultaneously gather more information about the individual and hold it themselves. In essence, this is a redistribution of who has the information about the individual—the company or the government. Governments traditionally are not happy with individuals having privacy: the greater the level of privacy, the more difficult it is to administer laws that affect large groups of people. It’s for this reason, among others, that privacy is traditionally a luxury that the wealthy have been able to afford.

But as is true for many things, the Internet has changed all that. On the Web, every ‘street’ is Times Square—i.e., busy, crowded, and impossible to avoid people and their behavior. It doesn’t matter if you are rich or poor—if you enter a Website and want to make a purchase, nobody’s there to bow and scrape to an elite customer, or to snub a poor one. Only if the individual had some kind of magic identity protection shield that went wherever he did would he be immune to getting "cookied" or otherwise identified. So far, such a tool has not been developed.

Companies, too, discourage privacy because it increases the cost of transactions and limits the effectiveness of marketing. That magic identity protection shield would prevent any vendor/merchant from ever knowing enough about me to take advantage of that information. The merchant does gain access, as we’ve seen, to that information immediately upon the customer entering the site. And they can just as easily pass it on. This raises a critical issue: should a company be required to gain affirmative consent from me before they sell information about me? The answer to this question is problematic. Do I know when a regular (i.e., NOT Web-based) magazine I subscribe to sells its mailing list to a clothing vendor that wants to market to me? No, I don’t. Why should there be a different scenario for Internet activity?

In the real world, there are five implicit principles that characterize transactive behavior vis-à-vis privacy:

  1. I don’t have to give you my name to buy a pair of socks. The more that right is violated, the more likely it is the transaction will not occur.

  2. If I don’t buy the socks, the merchant will not know who I am (just as, even if I do buy the socks, he probably won’t know). Here the critical point is that he will not actively do anything to gain my personal information if I don’t make a purchase.

  3. If I try to steal the socks, I could expect that a video camera might catch me. But I don’t expect the video camera to be used for other purposes.

  4. When I buy the socks, I can give the person at the counter my name—if I choose to. If I choose not to, he will not force me to give it to him.

  5. If I pay for the socks with a credit card, the card-issuing bank that knows about me is trustworthy enough so that I don’t have to worry about them doing something fraudulent with my personal information.

As we’ve seen, the Internet has changed virtually all of these expectations. Does this mean the customer is being violated? Another tough question, best answered, perhaps, by the T-shirt incident. None of the above matters, as long as I get my T-shirt. Or does it?

A related question is: should an individual consumer have a copyright on his transaction data, whereby every time a vendor sells buying behavior information of a specific customer to another vendor, the customer gets a small "piece of the action" because that transaction data is protected by law? Again, why is this different from real world transactions?

Actual limits—legal, cultural, ethical—on what I can or cannot do on the Internet have really not been determined. While some laws do exist, there’s enough leeway for an individual to pose as someone he’s not—in a chat room, on a dating site, on a bulletin board—and potentially cause severe damage. Is the Internet a public space where I can, and must, be held accountable for all my actions? Or is it a private space where I can do whatever I want—when, where, and to whom? Because this too is a wide open issue, on the Web, I have no reasonable expectation of privacy; where I am, specifically, on the Internet determines in large part the level of expectation of privacy I will have.

Privacy can be seen as the currency on the Internet (and elsewhere) that buys power. Someone with no privacy is ignored; nobody wants anything from him. Conversely, someone with a high degree of privacy is beset on all sides. But is this a way to live? Do I really want to play it safe, or do I want to be involved in things, actively reaching out for what’s there, seeing it come to me, desiring information, knowledge, experience?

Internet Security

With the advent of new law regulating access to and usage of information on the Internet, the government’s possession of more consumer information also means that hackers, too, have access to this information—sometimes more easily than the government expects. In addition, information about individuals held by the private sector has been shown to be just as accessible as that held by the government. The infamous CD Universe case of 1999, in which close to 300,000 credit cards were hacked, points to the vulnerability of the large masses of information that are exchanged every day on the Internet. What is potentially of even greater concern is that this information is the same as what is stored from an in-person transaction at a real department store. While a hacker may not have any real means of accessing the information based on an in-store purchase, once the transaction is effected via the Internet, it’s wide open—for those who know how to get at it.

Hackers have supposedly hacked into the site of every major corporation in the world. Once information can be hacked, it can be easily distributed—another issue of great concern. Here is the credit card information skimmed by the clerk in a Brooklyn grocery store and transmitted via e-mail to a terrorist in Kabul.

A Final Note

Ultimately it is the choice and responsibility of the individuals in a free society—not the government, not large organizations—to determine to what degree they wish to establish privacy. They must and will find the level of privacy that works for them—that does not hurt them (too little), and that also does not restrict them (too much). And it’s the individuals of a society who will decide how they define their identities in a virtual environment that emphasizes, by default, a lack of personal identity.


© 2002 International Informatics Institute, Inc. All Rights Reserved.