(2 of 3)
Sometimes, the spy is an "E.T." program, so called because once it is embedded in your computer it is programmed to "phone home" to its corporate master. RealNetworks' RealJukebox program was found in 1999 to be sending back information to headquarters about what music a user listened to. The Federal Trade Commission decided in May that zBubbles, a now-defunct online shopping service once owned by Amazon, probably deceived consumers when it told them the information it collected about a user's Web surfing would remain anonymous.
That personal information you just provided to a website might be sold - or stolen
Websites, particularly e-commerce sites, collect a lot of data from visitors. If you buy a book or a magazine at a bookstore and pay cash, there will be no record linking you to the purchase. But the books, magazines, music and movies you buy online are all linked to you by name. Web retailers are collecting a sizable database of information on individual purchasers. Who's buying pornography, and who's buying extreme political tracts. Who's buying cancer drugs, or contraception.
E-commerce sites routinely share your information, or sell it. The Electronic Frontier Foundation launched a campaign in early June against Macys.com for giving away info from its bridal registry to its business partners. Amazon, which once permitted users to choose to keep their data confidential, rewrote its privacy policy last year to say customer data are an "asset" it may sell or transfer in the future. If an e-commerce site you bought from goes bankrupt, it could be legally required to sell your data to the highest bidder. And sites routinely sell or exchange your personal information. Privacy advocates are pushing for federal legislation requiring websites to let users opt out of sharing, as has recently happened in financial services. (See Who's Got Your Number?.)
Theft of personal data from websites is also growing. Egghead.com sent a chilly wind through cyberspace late last year when it disclosed that hackers had broken into its system and may have accessed millions of credit-card numbers from its database. (It later found that no credit cards were compromised.) It was a stark reminder that financial data are only as safe as every website you share them with.
There have been other recent high-profile hacks. Music retailer CD Universe lost up to 300,000 credit-card numbers; Bibliofind, a subsidiary of Amazon, had the names, addresses and credit-card numbers of 98,000 customers stolen. One thing that makes online credit-card theft more tolerable than some cyberscams: if consumers find false charges, banks and merchants should pay most of the bill.
That website on which you just entered your credit-card number may be a fake
In April, the FBI cracked a Russian ring and charged a pair of its members with conspiracy and fraud. The hackers were also allegedly involved in website spoofing. Federal officials said they tried to create a counterfeit website that mimicked the real home page of PayPal, the popular online fund-transfer service. PayPal has been hit with such spoofs several times. When a fake site was operating, hackers e-mailed PayPal users and got them to click on a hyperlink with the spoof site's domain name: www.paypai.com. On many computers, a capital I looks identical to the l at the end of the word PayPal.
Near-identical domain names are easy to obtain. Banks have also been a frequent target of spoofers. Bank of America got wwwbankofamerica.com taken down - its domain name, minus the dot after www, but not before some customers were tricked into entering financial information.
The government may be giving out your home address, social security number and other personal information online
If you live in Ohio, anyone who types your name into a county database can learn your address and how much your house is worth. He can also inspect detailed floor plans of your house, showing placement of your windows, porches and balconies. Supporters of the state's online initiative call it a breakthrough for open access to government records. Critics have another way of describing it: a breaking-and-entering handbook.
Governments around the country have been rushing to put property records online. Many jurisdictions have joined Ohio in creating databases searchable by name. If you go to the Brookline, Mass., website, you can find out where Michael Dukakis lives. Miami's will tell you Janet Reno's home address.
It isn't just property databases. Wisconsin has most of its arrest and court records online. (I discovered that a former law-school classmate of mine has had two traffic violations and was a defendant in a civil lawsuit.) The federal courts have put many of their records online through a system called Public Access to Court Electronic Records (pacer). Among the data available: Social Security numbers; financial assets, which often must be revealed in court proceedings; and the names and ages of minor children.
Critics say the government has gone too far in making data available online, and there are signs the tide may be turning. California's court system is considering new rules that would deny Internet access to certain court records, including those of criminal, family and mental-health proceedings. "The purpose of making public records accessible is to ensure accountability," says Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center. That, he argues, does not require putting details of divorce and child-custody disputes or bankruptcy proceedings on the Internet.
For-profit companies and people who don't like you may be broadcasting your private information on the Internet
The murder of Amy Boyer, a 20-year-old New Hampshire dental assistant, by an obsessed admirer in 1999 called attention to an obscure part of the cybereconomy - online data brokers. Boyer's assailant paid $45 to Florida-based docusearch.com for her Social Security number and later purchased the name of her employer. He then tracked her down on the job and killed her.
Data brokers insist they are doing necessary work, providing background information to employers, creditors and other people who legitimately need it. But many sell Social Security numbers and private financial information to anyone willing to pay their fees. Often they are the first stop for identity thieves and stalkers.
Data brokers get most of their information from government records. Privacy advocates want governments to be more selective about what information they allow brokers to harvest. California, for example, has a law that permits police to release arrest data to reporters while withholding it from businesses that would use it for commercial purposes. Privacy advocates say more jurisdictions should follow California's lead.
The Internet makes it easier for people to broker information about people they don't like. In Seattle, a battle is raging over justicefiles.org, a frequent critic of local law enforcement. The group began posting police officers' Social Security numbers on its website. A state court has ordered the group to stop, holding that it was infringing on the officers' privacy rights. Free-speech advocates are fighting the ruling, arguing that there is no basis for preventing the dissemination of truthful, legally obtained information.
Your company or your spouse may be using your computer to spy on you
Companies have the legal right to monitor their employees' web surfing, e-mail and instant messaging. Many do, whether they warn their workers or not - so don't count on any of it remaining private. Last month the University of Tennessee released more than 900 pages of archived e-mail between an administrator and a married college president in which the administrator wrote of her love for him and of her use of drugs and alcohol to deal with her unhappiness. Employers, including the New York Times and Dow Chemical, have fired workers for sending inappropriate e-mail.
But the fastest-growing area for Internet spying is the home. SpectorSoft, a leading manufacturer of spyware, at first marketed its products to parents and employers. Sales jumped fivefold, however, when the company changed its pitch to target spouses and romantic partners. "In just one day of running Spector on my home PC, I was able to identify my fiancé's true personality," a testimonial on the company's website trumpets. "I found all 17 of his girlfriends."