Brought home anything strange in your shopping bag lately? Like, maybe, a radio transponder?


Stealth. It's the first rule of tracking, as any hunter knows. See without being seen. Know your quarry. Don't let it know you. Now imagine that you are the quarry. It's an uncomfortable thought, but valid. Because a serious hunt is on, and quarry is what you are. Businesses want to know everything they can about you. To "serve you better," as they say. And to serve themselves in the process by targeting their goods, services and advertising more precisely. Now, since the attacks of 9/11, government agencies want to know everything they can about you, too. To "defend against terrorists," as they say. And perhaps, as a growing number of citizens fear, to extend domestic policing powers into realms heretofore forbidden. But how much do you know about your trackers - the entities that are watching you, and their technologies? And do you know what they're doing with the information they are acquiring about you? Take me, if you will, as an example. I am 57 years old. My doctor recommended that I get a baseline bone density scan. When I showed up for my appointment a few weeks ago, the receptionist at Little Rock's Radiology Consultants asked for my insurance card. Then she requested my driver's license. That came as a surprise. "Doesn't my insurance card have all the information you need?" I asked. The woman explained that my driver's license was needed to confirm my identity. I stammered, "I've never had to do this before." She told me politely that both of the cards would be scanned into the company's computer. Then she handed me a brochure entitled "Notice of Privacy Practices," along with a sheet of paper for me to sign, stating that I had received the document. 
It noted that, in the course of receiving their services, I would be providing Radiology Consultants with my name, address and phone number; my Social Security number and date of birth; information relating to my medical history; the names of physicians, my employer, my insurance carrier, and other "personal information." Then it offered to explain, "HOW WE MAY USE & DISCLOSE INFORMATION ABOUT YOU." Most of what followed made sense to me. The firm could use the information about me to report findings to my primary doctor; to collect insurance payments, and to comply with certain laws, such as those pertaining to public health. But the brochure also noted: "We sometimes work with outside individuals and businesses who help us operate our business successfully. We may disclose your health information to these business associates so that they can perform the tasks that we hire them to do." The statement seemed both broad and vague. As I signed my name acknowledging that I had received the brochure, I felt little consoled by its assurance that, "Our business associates must guarantee to us that they will respect the confidentiality of your personal and identifiable health information." Later, I called the number listed on the brochure for Radiology Consultants' privacy officer. I wanted to ask more about what "outside individuals and businesses" might gain access to my private information. The woman who answered identified herself only as "Judy." She said the firm's privacy officer was unavailable. When I requested the privacy officer's name, Judy said it was "Lucille." "Lucille What?" I asked. "Well," Judy said, "just 'Lucille'." I had just provided Radiology Consultants with my name, address, phone number, Social Security number, and driver's license - everything it needed, if it chose, to check out my life in detail. Yet, when I called the firm, I could not even get the name of the person serving as its "privacy officer."
I have no reason to believe that Radiology Consultants (or any business mentioned in this article) engages in anything but the finest practices. And I doubt I'd have reason to mistrust Lucille, even if I did know who she was. But the situation illustrates the lopsided relationship that exists between the acquirers of our information and us. We see that relationship more clearly when we look at two other Arkansas companies - Acxiom and Wal-Mart - both giants compared to Radiology Consultants. We see it too in the ambiguous roles played by two other Arkansas individuals - Bill Clinton and Wesley Clark - both considerably more prominent than "Lucille." Maryalice Hurst, owner of That Bookstore at Mountebanq Place in Conway, sees the field of privacy from a uniquely informed point of view. Hurst was prominent in the direct marketing world when she moved to Conway in 1992 to work for Acxiom. The electronic information company was still relatively young in the industry, but it was coming on strong, largely through alliances with other data marketing services, particularly the behemoth credit-reporting company, TransUnion of Chicago. By the time Hurst joined Acxiom as its new vice president for strategic marketing and planning, the company had been able to boast for years that its computers kept updated information on "every single market-active consumer in the country." Hurst herself was a serious player in the game of getting-to-know-you. She'd begun her career in the mid-1970s in St. Louis, where, serving as a volunteer, she learned how to attract audiences to arts events through targeted direct mail. The secret was to combine information. In Hurst's case, that meant combining information about an event's most likely patrons, with demographic information collected by a company such as R.L. Polk, with the U.S. Postal Service's handy new system of ZIP codes. 
Working with files of 3x5 cards, Hurst was so successful at selling her events that she moved on to New York, where, as a professional now, she handled marketing for some of the biggest accounts in the world, such as the Metropolitan Opera Company, TWA, Mercedes-Benz, General Foods, American Express, Merrill Lynch, Steuben Glass, Marriott, and the British Royal Mint. Hurst loved direct marketing and saw it as a "win" for all involved. She got to support herself and her children. Her clients saved money by more effectively focusing their advertising, services and products. And consumers received information about goods and services that was tailored more specifically to them. It was not until 1983, when Hurst was president of an international direct-marketing agency, that the dark side of all this information gathering - the issue of what it can do to individuals' privacy - almost literally knocked her over. That was the year that a doctor at Sloan-Kettering Cancer Center told Hurst, following surgery, that she appeared to have a rare form of cancer. He added, however, that because this particular cancer had never been seen before in a woman, that diagnosis was still uncertain. She did not ask, and her doctor did not say, if the diagnosis turned out to be right, what her prognosis might be. Hurst left the hospital clinging to hope. But when she returned to work, a friend stopped her in the hall. "You have to watch everything you do," she remembers the friend warning her, "because they're looking for a reason to fire you." "Why?" she demanded. "Because they know you have cancer. And they know that you only have three to five years to live." Hurst assured her friend that he was wrong and that her diagnosis was still in doubt. "That's not what I heard," he said. He told Hurst that her health had been a hot topic of conversation among the company's top executives.
Ultimately, Hurst would learn that, at that moment, her friend and her employers knew more about her medical affairs than she did. And they were right. Hurst's hospital had determined a prognosis and reported it to her insurance company before she'd been told of it herself. And the insurer had notified her employer. For Hurst, that moment marked a turning point. Not only was she facing cancer and a prognosis of early death, but she also had to face the malignant side of a business she loved and had helped to develop. That experience, 20 years ago, taught Hurst what many Americans have since discovered: that information they considered private actually was not - and that, when privacy is breached, the consequences can be severe. Obviously, Hurst defied her prognosis. She received a bone-marrow transplant, and became one of the first transplantees to survive the ordeal. Eventually, she was able to return to her career in direct marketing. But now it was with a passion for protecting consumer privacy. She realized that, with the invention of powerful computers and specialized software, her industry had gone from working with gross knowledge to "getting under the covers and getting personal information." She saw that by fine-tuning data, collectors could "begin to discriminate on an individual basis." As she puts it, "I became very sensitized to the fact that the more personal information we marketers could get, the more abusive the business was becoming." In 1992 she was elected to the Direct Marketing Association's Ethics Committee. That same year, she moved to Arkansas to join Acxiom as vice president for strategic planning and marketing. She resigned from Acxiom in a matter of months. Though she does not discuss her reasons for leaving, she says the decision was made "shortly after the consummation of Acxiom's joint venture with TransUnion," through which Acxiom took over management of TransUnion's immense credit data center in Chicago. 
Hurst restarted her consulting company, specializing in privacy issues for clients like R.R. Donnelley's Metromail division, and remained on the DMA's Ethics Committee for six more years, the last four as its chair. The position placed her on the front line of the nation's mounting battle over consumer privacy. Hurst says she was particularly concerned about the widening, unauthorized use of citizens' Social Security numbers, which historically had been protected. "There were legitimate uses of Social Security numbers, and therefore there were legitimate reasons to transfer that data," she says. "But this thing was getting out of hand." She says that data reporting bureaus were saying, in effect, that they needed to cross-reference names with Social Security numbers to make sure that they were referencing the right individual. Hurst and others thought that was a smoke screen; that there were other ways to make sure that the "Tom Smith on Main Street in Little Rock" whose credit was being checked was the same Tom Smith who had applied. It's just that it cost a bit more to confirm such identities without using a person's Social Security number, Hurst says, and some of the data bureaus' clients balked at the extra expense. It was a pivotal moment, Hurst believes, in the battle to keep the numbers from being linked to individuals' non-financial data. "There were people in the press anointing me as the 'lightning rod' of the ethical arm of the DMA," she says. "But there were also consumer advocates like [Ralph] Nader raising holy hell, and the Clinton administration would do nothing." Hurst and other activists begged the Federal Trade Commission to crack down on the widening use of Social Security numbers. They wanted the numbers to remain protected - to stay "below the line," in industry parlance. But the FTC did not get involved.
Instead, Hurst says, the Senate Banking Committee held hearings and determined that, since the banking industry would not be hurt, there was "no problem." "They did not want it to go to the FTC, and the FTC did not want to do the study," she fumes, "because they already knew there was a problem. "All this is to say that there have been warnings at very high levels to the FTC and the U.S. Congress that the use of Social Security numbers was going to come back and haunt us, that it was the key to destroying privacy. "But the Clinton administration refused to do it. The Clinton administration's FTC was the one that said, 'We will leave the Social Security number above the line.' And, of course, now it's everywhere. "Now, Social Security numbers are so imbedded that every system in the country having to do with individual data runs on them. They are the key to any information anyone has." Hurst's term on the DMA's Ethics Committee ended in 1998. "That was the last year it was independent," she says. "After that, the Ethics Committee became a committee of the board of directors." Three years later, in 2001, the DMA's board of directors would be chaired by Charles Morgan, Acxiom's company leader. (Acxiom shuns executive titles.) That same year, following the attacks of Sept. 11, Acxiom developed a computerized system to perform instant identity checks on airline passengers. The company promoted it as a "security-enhancing identity verification system." Morgan hired retired Army Gen. Wesley Clark to help sell the system to federal officials. Clark, who recently dropped out of the race for president, reported being paid about a half-million dollars to serve on Acxiom's board of directors and to lobby for Acxiom in Washington. During Clark's run at the presidency, the Washington Post reported that, while with Acxiom, he met with Vice President Dick Cheney and other administration officials. 
In late 2002, the Transportation Security Administration announced creation of a Computer Assisted Passenger Prescreening program, known as CAPPS II, to perform instant background checks on everyone who flies. Privacy advocates' concern about the program was validated the very next year, when JetBlue Airways admitted that, at the request of federal employees, they had provided a defense contractor with personal information on about 1.5 million passengers. The passengers, of course, knew nothing about the exchange. As Hurst explains, "It has become impossible, unless you really know how it works, to track who is selling your data." Powerful computers, gigantic databases, access to Social Security numbers, programs to monitor consumers' behavior, and now an exchange of citizens' information, not just between commercial entities, but between data collectors and the government... It was enough to give civil libertarians the willies - and it did. Barry Steinhardt, director of the Technology and Liberty Program for the American Civil Liberties Union, spoke at the annual meeting of the Arkansas ACLU last fall. (In the interest of full disclosure, readers should know that I, the author of this piece, was there. I am not only a member of the ACLU. I serve on its board of directors.) In measured tones Steinhardt reported some of the warnings expressed in the ACLU's report, "Bigger Monster, Weaker Chains: The Growth of an American Surveillance Society." In that report, published in 2003, Steinhardt and co-author Jay Stanley call for stronger restraints on both government and corporate surveillance. They cite the spread of surveillance video cameras and the "unexamined assumptions that cameras provide security." They cite the spread of "data surveillance," defined as "the collection of information about an identifiable individual, often from multiple sources, that can be assembled into a portrait of that person's activities." 
The ACLU report warns: "Some think comprehensive public tracking will make no difference, since life in public places is not 'private' in the same way as life inside the home. "This is wrong; such tracking would represent a radical change in American life. "A woman who leaves her house, drives to a store, meets a friend for coffee, visits a museum, and then returns home may be in public all day, but her life is still private in that she is the only one who has an overall view of how she spent her day. "In America, she does not expect that her activities are being watched or tracked in any systematic way-she expects to be left alone. "But if current trends continue, it will be impossible to have any contact with the outside world that is not watched and recorded." This goes far beyond the seemingly benign recording of everything in our shopping carts, along with date and time, whenever we use our Kroger cards or place an order on-line. Of particular concern to privacy activists such as Steinhardt are recent attempts by agencies of the federal government to expand their view into our lives through efforts such as the Pentagon's "Total Information Awareness" program. According to its director, John Poindexter, TIA's aim was to give officials easy, unified access to every possible government and commercial database in the world. The Senate blocked TIA last year, although covert aspects of it have reportedly been continued in other forms. And, though CAPPS II is meeting resistance, the Department of Homeland Security considers CAPPS II a priority. Steinhardt and other opponents see such programs as "turning the defense capabilities of the United States inward and applying them to the American people." As he puts it, the trend represents "a radical branching off from the centuries-old Anglo-American tradition that the police conduct surveillance only where there is evidence of involvement in wrongdoing. 
"It would seek to protect us by monitoring everyone for signs of wrongdoing-in short, by instituting a giant dragnet capable of sifting through the personal lives of Americans in search of 'suspicious' patterns." But not everyone likes the ACLU, so let's look at some other entity with, say, a higher acceptance rate. And, again, let's look close to home. Since this is a story of synergies - powerful combinations of intelligence, alliances and technologies - let's look at what's happening at Wal-Mart. Like countless other retailers, the country's largest employer accepts credit cards, issues credit cards of its own, and conducts a sizeable on-line business. It can track customers' purchases via credit card records. And, by using "cookies" - packets of electronic information sent between servers and browsers - it can track shoppers' movements around its Web site. Lands' End - almost every on-line business - does exactly the same thing. And many buy and sell such information. But now a new element for tracking has been added to the mix. Perhaps you've recently bought a pack of Gillette razor blades and brought home something new in your purchase, a little plastic tag called an RFID. Finding one means that you have carried home a "radio frequency identification" tag. This is a wireless AIDC, or "automatic identification and data capture" device. It is essentially a microchip that acts as a transponder. An RFID is always listening for a radio signal sent by a transceiver, or RFID reader. Most of the time, the RFID does nothing. But when it receives a radio signal from the reader, it wakes up. It responds by transmitting its unique ID code back to the transceiver. The RFID doesn't need a battery. And, since it's only a third of a millimeter wide or less, it's too small to hold a battery, anyway. All it needs to wake up and respond is the power it receives from the reader's radio signal.
When an RFID reader sends out a signal, all the RFID tags in its vicinity respond by transmitting their stored data to the reader. Today, the maximum read-range is about 30 feet, though that range is expected to lengthen. The attraction of RFIDs for retailers, manufacturers, the military and shippers is the ability they offer for tracking. With RFIDs in place, readers can track everything from a store's inventory of lipsticks to guns on their way to Iraq. Delta has tagged thousands of pieces of luggage in order to reduce baggage loss and to test easier routing of bags. A casino in Australia has reportedly placed RFID tags in 80,000 employee uniforms, so that by tracking workers they might prevent theft. Commuters in several American cities already have RFID tags in decals on their cars, so that readers in toll booths can track their passing and charge their EZPass cards. Michelin, which manufactures 800,000 tires a day, reported last year that all of its tires will soon be imbedded with RFIDs. On new cars, the tire identification number will now be associated with the vehicle identification number (VIN), making the tires uniquely identifiable with an individual vehicle. Similarly, major manufacturers and retailers such as Gillette, Home Depot, The Gap, Procter & Gamble, and Target have announced plans for extended use of RFIDs. But Wal-Mart is the clincher. For years, retailers and industries have relied on bar codes to track inventory, shipments, and transactions. Only Wal-Mart was big enough, by itself, to switch the technology to RFIDs. When Wal-Mart told its top 100 suppliers to insert RFID technology in their products by 2005, the demand was like rerouting a river. Where the top suppliers to Wal-Mart go, other suppliers tend strongly to follow. But will customers know which items they buy, wear, drive, or carry are imbedded with RFIDs? The answer, at this point, ranges from "not necessarily" to "no."
There is no law requiring that products carrying an RFID chip be so labeled. Those who fret about the erosion of privacy fear that the day may not be far off when most consumer items, as well as credit cards and even money, are imbedded with RFIDs. A market researcher with a reader could scan the contents of a purse or briefcase. Your RFID-tired car could be tracked as it travels. And if RFIDs are placed in documents such as driver's licenses, the surveillance possibilities explode. A plain-clothed police officer could scan IDs anywhere. An FBI agent with a reader could identify everyone attending a church service, a lecture or a political rally. Last year in China, delegates to a Communist Party Congress were required to wear identification badges imbedded with RFID chips at all times. That was in May. In September, a company called Applied Digital Solutions announced creation of an RFID called VeriPay that can be implanted under a person's skin. The idea is that a chip about the size of a grain of rice would be implanted under a person's skin for "a variety of security, financial, emergency identification and other applications." Don't want to carry your driver's license, or those cumbersome credit cards? According to the company, soon, all you'll need do is submit to a "brief outpatient 'chipping' procedure," and have the VeriChip implanted under your skin. It will be "inconspicuous to the naked eye," but it will communicate with radio-signal readers, much as your debit card now communicates with your bank. All of this, of course, is promoted in terms of ease and security. As Motor Trend reported when it announced Michelin's move to RFIDs, "For vehicle and tire makers it means a simple and innovative way to comply with federal record keeping and safety standards.... For consumers it means convenience and confidence."
The problem that some people see, however, is that, unlike a credit card or other ID, you can't leave RFIDs unseen, hidden in your garage or pocket. You can't say "no" to the reader. With or without your knowledge, if the reader "calls" to your chip, your chip is bound to answer. Combine that technology with the widening use of GPS chips, both in rental cars and private vehicles, and worriers really get bugged. Who could not be tracked when inexpensive location devices can be attached to individuals or implanted under their skin, whether they knew it or not? Perhaps a clamor for protection of privacy has begun. To its apparent dismay, the Direct Marketing Association notes in its 2003 annual report that, "Over 550 privacy bills were introduced on Capitol Hill and in 48 states in 2003. Many seek to restrict the collection, usage and sharing of consumer data that could, in the long term, adversely impact consumers as well as our industry." On March 9, the Wall Street Journal published a column by Stephen Aftergood, an intelligence policy specialist at the Federation of American Scientists. Aftergood, who was the plaintiff in a lawsuit against the CIA that led to the declassification of the total intelligence budget ($26.6 billion in 1977), is particularly concerned about the increased surveillance of citizens by a government that is increasingly secret. Warning in the Journal article that the U.S. military is now joining the rush to gather information on citizens, Aftergood cited as an example comments made by Gen. Ralph "Ed" Eberhart, commander of the Pentagon's newly created Northern Command, based in Colorado Springs. According to Aftergood, Eberhart told a group of National Guardsmen in 2002 that, henceforth, the military would have to "not just look out" but "look in" to protect the country against terrorism. 
Aftergood wrote that, last year, when Eberhart was asked about the remark on PBS's "News Hour," the general responded, "We are not going to be out there spying on people," though he added, "we get information from people who do." The day after that column appeared, William Safire raised a similar alarm in a column in the New York Times. He began by quoting candidate George W. Bush, a month before his election as president. "I believe privacy is a fundamental right," Bush said, "and that every American should have absolute control over his or her personal information." But since 9/11, Safire wrote, Americans have grown less passionate about privacy. Citing preboarding searches, the fingerprinting of foreigners at our borders, hidden security cameras, "cookies on our computers," and "electronic location devices in our cars," he lamented: "To keep our national defense up, we have let our personal defenses down." No single piece of this mosaic worries privacy advocates more than the so-called USA PATRIOT Act, passed by Congress just six weeks after the attacks of 9/11. In a single stroke, the ACLU's Steinhardt said in Little Rock last fall, passage of that law "vastly expanded the government's authority to spy on its own citizens and reduced checks and balances on those powers, such as judicial oversight." Under the PATRIOT Act, he warned, "the FBI can force anyone to turn over records on their customers or clients. This gives the government unchecked power to rifle through individuals' financial records, medical histories, Internet usage, travel patterns or any other records." Even citizens' reading habits can be tracked, through records from libraries and bookstores. Under the PATRIOT Act, Steinhardt added, "The FBI does not have to show suspicion of a crime. It can gag the recipient of a search order from disclosing the search to anyone. And it is not subject to any meaningful oversight." 
Activists such as Steinhardt, Safire, Aftergood and Hurst see the incremental loss of privacy as nothing less than a threat to our freedom. As Steinhardt put it: "If we do not take steps to control and regulate surveillance to bring it into conformity with our values, we will find ourselves being tracked, analyzed, profiled, and flagged in our daily lives to a degree we can scarcely imagine today." He notes that, in contrast to Europe, for example, "the U.S. has no strong, comprehensive law protecting privacy - only a patchwork of largely inadequate protections... The technologies of surveillance are developing at the speed of light, but the body of law that protects us is stuck back in the Stone Age." The DMA and businesses such as Acxiom lobby hard against the types of legislative controls sought by Steinhardt and others. They say they can be self-regulating. But Hurst disagrees. She says, "Self-regulation is a farce," and that, "because the fox cannot guard the henhouse," laws to protect privacy are needed. As for me, I'm happy to tell you - before you hear it from somebody I don't know - that my bone-density scan came out fine. But the experience at Radiology Consultants made me start to think about the budding movement to transform driver's licenses into national ID cards. That could immediately combine new technologies such as RFID chips with an already enormously powerful database, accessible by both businesses and government agencies. I looked closely at my own driver's license, the one a company had just scanned into its computer. Then I called Mike Munns - he gave me his full name - the administrator of Arkansas's Driver's License Information Office. With my driver's license in hand, I asked him what information is contained in that magnetic strip and bar code on the back. Munns explained that the hidden technology contains only the information that is printed on the front of the card. 
He said it is perfectly legal for businesses to acquire information from the card, visually or electronically, if you give it to them. "You don't have to let them see your license," he said. "But if you do, they can use it. "It's your choice, as an individual."
