My colleague Joel Stein let drop a while back that he was working on a book proposal. I found it a bit frustrating that he wouldn't tell me the topic. Joel had been traveling a lot lately too - to Iceland to interview Bjork; to Hollywood for the Oscars - but he was stingy with details. Where was he going? Whom was he hanging with, and how much money was he spending? I've also wondered what kind of websites he surfs. And, O.K., I wouldn't mind reading his e-mail.
So I did.
Joel went out of town recently, which allowed me to duck into his office and install spying software on his hard drive. You can buy commercial spyware these days, but I used VNC, which can be downloaded for free. VNC was designed to help people link their own computers. But it also worked as a cheap and easy way for me to keep tabs on Joel. Soon after loading VNC onto my computer, I was rifling through Joel's hard drive.
That book proposal? With a few mouse clicks, it appeared on Joel's screen - and on mine. (Adventures in Monogamy, a 12-chapter comic romp starring ... Joel. Mystery solved.) It was also easy to pore over his expense reports, checking out whom he took to dinner in L.A., and what he thinks passes for a legitimate expense. Has Bjork even recorded $112.76 worth of CDs?
Then I - or should I say Joel? - hit the Internet. The great thing about controlling another person's computer is you can surf the Web as if you were him or her. When you go to a site, his or her IP address - a kind of digital fingerprint - is the one that gets left behind, not yours.
I was going to mess with Joel. Stop by a few investing message boards, and have him break securities law by pumping stocks. Get him trapped by one of those FBI agents who patrol kiddie chat rooms, looking for predators. But in an effort to keep Joel - O.K., both of us - out of jail, I just posted a few items for him on pet newsgroups seeking poodle-grooming tips.
When Joel returned, I could look over his shoulder as he surfed the Net. It was weird but oddly riveting to see his cursor click, click, click its way across my screen. But in the end, there were no busty babes, no Catholic school girls looking for trouble. He actually spent most of his time on CNN.com.
Then he started opening his e-mail. The first was from our boss, about Joel's next column. I liked being a snoop in the loop. Another was from Joel's girlfriend's brother asking Joel to score free concert tickets. Then a chain e-mail from a few of our co-workers, with snarky comments about someone else on our floor they evidently don't like. Ah, isn't this what computer spying is all about?
I also had Joel's Social Security number, the keys to the kingdom. Those digits would be enough on some websites to get me a driver's license in his name - and to start a full-scale identity theft. Before long, I could be ruining his credit rating, draining his bank accounts, and - well, you get the idea.
Too bad my editors, darn them, insisted that I tell Joel what I was doing. (I can't help thinking he trashed some good stuff before I started spying.) Not that it would have been difficult to really spy on Joel at his home computer. I could have sent him spyware wrapped in an e-greeting card, programmed to install itself when he opened the card. He'd never know.
It's been two years since Sun Microsystems CEO Scott McNealy delivered his famous warning: "You have zero privacy [on the Internet] anyway. Get over it." Privacy advocates resisted that pessimistic assessment at the time. But since then, hardly a week goes by without a news story suggesting McNealy was on to something. Russian hackers breaking into e-commerce sites to steal credit-card numbers. Rings of Nigerian identity thieves. Cyberstalkers.
Just last week, Microsoft conceded that all versions of Windows 2000, and early "beta" versions of its new XP operating system due out this fall, have a "serious vulnerability" that lets hackers take control of victims' machines. Microsoft, which is making patches available for Windows 2000, has urged consumers to "take action immediately" to fix the glitch. And it is promising to cure the problem before XP's rollout.
Internet users are well aware they are trading off privacy when they dial up their modems. In a recent TIME/Harris-Yankelovich poll, 61% of respondents said they were "very concerned" or "somewhat concerned" that information about their Internet usage was being collected without their knowledge.
Yet websites that track users' movements are the least of it. Privacy advocates and law enforcement are homing in on nine areas - from spyware to identify theft - where they say the Internet's threat to privacy is the greatest. Here are the nine, followed by 10 ways individuals can defend themselves (see Protect Yourself):
Someone might use the Internet to steal your identity
When police arrested Brooklyn busboy Abraham Abdallah in March, he had Forbes magazine's issue on the 400 richest people in America, plus Social Security numbers, credit-card numbers, bank-account information and mothers' maiden names of an A list of intended victims drawn from the issue, including Steven Spielberg, Oprah Winfrey and Martha Stewart. Abdallah is accused of using websites, e-mail and off-line methods to try to steal the celebrities' identities and make off with millions in assets. One scheme that was caught in time: he allegedly sent an e-mail purporting to come from Siebel Systems founder Thomas Siebel to Merrill, Lynch, directing that $10 million be transferred to an offshore account. (Abdallah, who has yet to be indicted on federal charges, denied the charges at the time of his arrest.)
Abdallah's high-profile arrest brought national attention to identity theft, which the FBI says is the nation's fastest-growing white-collar crime. An estimated 500,000 Americans have their identities stolen each year. A sign of the times: at least four insurance companies now offer ID-theft insurance. The Privacy Rights Clearinghouse, which works with victims, says it takes an average victim of identity theft two years to clear his credit rating. A growing worst-case scenario: "criminal-identity theft," in which thieves use the stolen identity when they are arrested, leaving their victims with a criminal record that can be difficult to expunge.
Most identity theft still begins off-line, often in such low-tech ways as a criminal sifting through garbage to find an unwanted preapproved credit card. But once an ID theft is under way, the Internet can make the work considerably easier. A particular problem: fast-proliferating websites that sell fake IDs.
It was a fake-ID seller who helped an identity thief run up $30,000 in false charges to Charles Glueck, a Metarie, La., dentist. After Glueck lost his wallet, the man who took it went online to get a driver's license with his picture and Glueck's identity. He then used that license to get 15 credit cards in Glueck's name and started charging. Glueck was shocked to learn later from police that the website had not broken the law because when it shipped the driver's license to the thief, the license was marked for "novelty" use only. "Once you know how to work a computer, you can be whoever you want to," Glueck says.
You may be unintentionally revealing information about yourself as you move through cyberspace
Surfing the Internet feels anonymous, like looking through the pages of a magazine in a library. But the websites you visit can look back at you. Many use "cookies" to collect data about your visit - where you go in the site, what links you click on. There was a blowup last year when it appeared that Internet advertising agency Doubleclick would match up its cookies with data from an off-line marketing company that had names, addresses and phone numbers of 88 million Americans. That plan, since abandoned, would have let the company create personal profiles of individuals and their Web-surfing habits.
Your Web browser may also be giving away information about you as you travel through cyberspace. Whether you know it or not, your browser's "preferences" menu may include your name, e-mail address and other information that can be captured and stored by sites you visit. Your Internet Protocol address can also give you away. Every computer on the Internet is assigned an IP address, the online equivalent of a street address, that allows it to receive data. Dial-up connections usually assign you a new IP address every time you connect. But if you use a fixed connection (like DSL or cable), you may have a permanent IP address that any website you visit can capture and, by comparing it against a database, connect to you by name.