Part 3
Government Privacy Legislation
The "Personal
Information Protection and Electronic Documents (PIPED) Act"
goes into full effect on January 1, 2004. It has actually been around for a
couple of years, and even now will not be enforced harshly. See the link below
to the Canadian Privacy Commissioner's web site for more detailed information.
Abstract from "Your Privacy Responsibilities"
The Act in Brief
Organizations covered by the Act must obtain an
individual's consent when they collect, use or disclose the individual's
personal information. The individual has a right to access personal
information held by an organization and to challenge its accuracy, if need
be. Personal information can only be used for the purposes for which it was
collected. If an organization is going to use it for another purpose,
consent must be obtained again. Individuals should also be assured that
their information will be protected by specific safeguards, including
measures such as locked cabinets, computer passwords or encryption.
Personal information
Personal information includes any factual or subjective
information, recorded or not, about an identifiable individual. This
includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type
- opinions, evaluations, comments, social status, or disciplinary actions
- employee files, credit records, loan records, medical records, existence
  of a dispute between a consumer and a merchant, intentions (for example,
  to acquire goods or services, or change jobs)
Personal information does not include the name, title,
business address or telephone number of an employee of an organization.
I am not a lawyer (IANAL) but, having my e-mail address,
I expect Yahoo could find a lot out about me because I have had the same
address for quite some time, it is my own domain (not Hotmail or Yahoo) and
the main page for the website for the domain has my address on it along with
my name. The fact that they can do this does not mean they have my permission,
since I did not actively give my consent to them - but there are some
loopholes they can use (or drive a bus through) and of course they (Yahoo) are
in the US so all bets are off.
Personal Privacy Policy Creation
OK, so we've seen all the various ways we can be
tracked, with and without our knowledge and/or consent; and these are just the
ones that legitimate business uses. Some of the ones the really bad guys use
would curl your toes - but that too is for another day.
The question is, what can we as individuals do about
this? My solution is really a goal and a number of stop-gap measures along the
way.
The goal is to get the collectors of information to be
completely forthright about everything they do with the information they
collect from me and allow me to say when enough is enough, in real time, and
make it stick. I also want them to realize that their need to track my
purchase/browsing habits does not mean that I should endure pain of any kind -
physical, mental or economic; I'll bow to them needing a number when I talk to
their sales staff if they'll bow to the fact that they are not alone in my
wallet.
The new privacy legislation is supposed to give me some
of this power but I really don't think it goes far enough. On the other hand,
at least it's a start.
Having the goal, the rest comes down to pushing back in
various ways. The first is to recognize that many "company policies" have no
basis in law, reality or even common sense - they just exist. Some exist from
times past when things were done differently. Some were created by idiots.
Some were created for a good reason but just don't work, and some are simply
there to take as much advantage of you, the consumer/viewer as the company
possibly can.
Well, as a consumer and viewer - you can have a policy
too - and there's no reason why some of the items on it can't be just as crazy
as theirs if you want. Once you create yours, you might just want to print it
out on some really nice paper and carry it with you so you can show it to
intractable clerks and managers.
Some of the things I have in my Personal Privacy Policy
Give as little information as possible
When faced with a fill-in form, fill in only enough
blanks to get past the entry checking - mostly they are noted with an * or
something. If doing things in person, ask why they need certain information.
One favourite of mine is my SIN. In Canada, the law actually is that nobody
but those who are remitting tax information about you to the Federal
government may ask for your Social Insurance Number. This means your employer
(withholding tax) and your bank (interest if you ever get any) and maybe your
stock broker but nobody else.
Ever tried filling in a credit application and leaving
it blank? Try it some time - interesting experience. Of course the SIN is such
a widely used/abused identifier in the commercial world today that the Feds
are talking about all new identifiers.
On the other hand, many software packages I have that
"require" my first and last name have just my initials in the space. All the
registrations seem to have gone through, and here in Canada the manufacturer
must honor the warranty in any case, so I'm fine.
Obfuscate what I do give in some manner
Gee, I must have mistyped it. Close, but not quite. The
address is a digit off or the postal code is out by a letter or something. Of
course the good companies actually check that your address and postal code
match, but since the postal code denotes one side of a street or some floors
of an apartment building, you can still be out by a bit and pass the test.
Same thing with phone numbers. Gee, I gave you the fax number as my voice -
I'm terribly sorry. If they really want to get hold of me they'll send me a
fax.
The validation questions for my magazine subscriptions
are another area for obfuscation. I have a list of standard and wrong answers
that I use. If the auditor calls, they get the answer I've given so things are
fine, since I really am a live person and I really do read their magazine and
sometimes even talk to their advertisers. What more could they ask, right?
Well, maybe my eyes aren't "pinque" and my birthdate
isn't the first of January (close - only off by a couple of days) but who
cares?
Randomness is my friend - be a 99th percentile -
sometimes
As noted earlier, I change the use of my credit cards
fairly randomly and sometimes use cash. Sometimes I use my affinity card,
sometimes not. Sometimes I'll use the store's affinity card and sometimes I'll
use Air Miles if they accept that.
The computers out there are looking for patterns using
statistical analysis which in its most basic form most people have seen as the
"bell" curve. I actually met my wife while we were both taking the same
statistics course but that was over 23 years ago. Then I could have given you
all the equations and everything - today I'm just going to say that the
computers are looking for things near the center/average - high point - of the
curve and I want some of my data to be out at one or the other of the ends
(left end is 1 percentile and right end is 99th percentile).
This means that if the average person goes to the same
store all the time for commodity items, I'll work at going to different ones.
In this way my purchasing habits as tracked by any one store are far less than
average so they'll ignore me.
The same thing for answers to some of the surveys I get
(the magazine ones for example) - I'll have one or two answers that are
completely out in left field compared to the others - my purchasing power is
none but my budget is huge or something. The rest would be fine and on average
I'll qualify for the subscription - but the computers won't know what to do
with the information.
Let them know you know what they are doing
This is a tough one. The average store clerk doesn't
care. They're getting fairly minimal wage and didn't write the policies. You
also can't talk to the web server itself. What you can do is ask to talk to
the manager or send feedback to whatever address you can find if something
warrants it. I've had some interesting success with both of these actions. One
book store I frequent used to have their card scanners on a tray below the
cash register and out of sight of the customer - behind a fairly high counter.
They now have the card scanner on the desk in plain view of the customer.
Maybe the double swiping scandal at our local airport had something to do with
their decision, but I'm hoping my talk to the manager had something to do with
it too.
Let them know that you care about your privacy
After writing this, I intend to send a copy to Yahoo and
request that they remove my e-mail address from their files, since I have
never given them explicit permission to record it.
I just sent some feedback to the creators of a video DVD
set I got for Christmas. The set virtually forced me to install a new DVD
software package which not only set itself as my default for viewing DVDs, it
didn't even work. Worse yet, the software said it would track my viewing and
report back to its masters "anonymously" - despite the fact that I am quite
identifiable since I have a fixed IP address at my house, unlike most people.
I haven't yet heard back from them, but I'm going to follow up on my promise
to them to mail out pieces of their product along with an explanation to some
of the people I know if they don't get back to me soon. My regular DVD
software won't read the main 2 disks but will read the "extras". Since the
package is opened it's unlikely I can get a refund so the disks are useless
anyway except as a lesson to the vendor.
On a different front, I've already mentioned that I sent
my rant out to my Christmas list which I hope will let them know that I don't
want to be included in some company's database - and of course I'm writing
this for David and you for the same reason.
"Them" includes the people you deal with who might
inadvertently expose your information as well as those who collect it.
Consider that this is part of the education that people should have received
but didn't - and you're just helping them learn.
If you absolutely must use some centralized greeting
card site, or have some web site send a note to your best friend for you, ask
the potential recipients if they mind (and maybe point them at this article if
you want) and ask the web site for exact details of what they will do with the
information you give them; how long they will keep it, if they will send out
unsolicited e-mails to your friends, if they are connected with any other
company that they will pass the information on to. If you are satisfied with
the answers, tell them so and tell your friends. If you are not, do the same.
Companies on the web exist by the instantaneous grape-vine it is. Both good
and bad news travels fast, and truly service-oriented companies will respect
and deal with their customers' concerns. Otherwise they'll die.
Let them know that if they are good, you'll continue to
give them your custom - and be firm in your resolve if they don't cooperate.
As noted in the previous section, when you ask, tell
them what you will do if things turn out ok - and if they don't, stop dealing
with them and tell others (as well as telling them that you are doing this.)
This is the consumer equivalent of a strike or boycott in the computer age.
Don't use it for trivial matters, but know that it does work, but only if you
tell people. The one thing to keep in mind is that you are using your opinion
to guide others. You should understand the difference between opinion and
defamation. One is ok, the other is illegal (libel/slander).
One of the two local stationery stores offers an
affinity card with a healthy discount. Prior to applying I asked my standard
question, especially in light of the fact that I could see that the card was
even thicker than a normal credit card. "Can I simply give you my number
instead of having to present your physical card?"
The answer was "no" so I asked to see the manager. I
explained why this answer was unacceptable to me (sore back from too many
cards) and asked if they would store the card at the store for me since it was
the one I came to the most and I didn't care if I didn't get a discount at
other stores in the chain. The answer again was "no" so I pulled out my wallet
and put my credit card away and told them I'd come back when their policy
changed as my policy forbade me from signing up for their card and their
competition (whose card number was in my PDA) allowed me to just quote the
number.
I have been back a couple of times since, hoping that
the policy has changed. Each time I do my shopping and bring the goods to the
counter - and end up leaving them there. Maybe they'll get the message
some day.
Never do their work for them for free
They want the information on you for their good, not
yours. Well, that's not strictly true since being able to accurately predict
purchasing patterns does cut down on inventory expense and allow them to drop
their prices accordingly - but they usually don't until all of a particular
market segment has the same efficiencies and they all drop at once. In the
mean time, the better run companies try to put as much money away for their
investors as they can. Hey, I'm in business too and I'd do the same thing.
On the other hand, there is only so much cooperation
that buys from me.
If you feel you are getting adequate value from a
company in return for the things they do with the information they gather from
you, then fine. I'm certainly happy with my magazines.
I'm also happy with the discount I get from the major
book store I visit, where they accept my affinity card number with no problem
(but it took a couple of years and a corporate takeover to get there).
Personally, I don't use any of the major online web
Portals except Google. I don't need any more e-mail addresses as we run our
own server. I don't need web space for the same reason. I have my own "chat"
system separate from the big guys and such.
Most other people on the other hand don't have the
resources of an Internet service provider at their beck and call. You all have
to balance the amount of privacy invasion you'll accept with the cost of
replacing the services you get for "Free" from your particular favourite
portal.
It's all a balance - and now that you know what is on
their side, you can decide whether it is worth what you have on your side.
Ask to see my record (after January 1) - not often, and
not always from the same company, but just to keep somebody on their toes -
same thing applies to your credit record too by the way
In Canada, every person with a credit history has the
right to ask for a copy of it each year from each credit reporting agency.
When was the last time you asked for yours?
As of January 1, 2004, you'll be able to ask for similar
information from Canadian companies who you deal with in any way and who you
even suspect of having personal information on you. If you read the "Your
Privacy Responsibilities" guide that the abstract above was taken from,
you'll see that it shows what a company should do for you. It was written from
the point of view of the business, but turning it around and using it as a
guide for what you can (and should) do is fairly straightforward.
Don't let my physical identification out of my sight -
credit cards, debit cards, driver's license, passport, affinity cards -
anything
The stores, the government, everyone it seems needs to
see some sort of identification from you if you visit them or pass through
their jurisdiction. Of course you can always just not travel and pay for
everything with cash only, but then that's giving in to them and who wants to
lead that kind of a life?
As noted above I've already been instrumental in getting
one store to change where they put their card scanners. I've also been very
adamant to store clerks and even managers if they try to break my policy.
Government officials are a slightly different story, but they get the lecture
anyway and then I give in. Airport security guards can do whatever they please
- but I take notes.
This extends to getting replacement cards too. We have
had a lot of mail theft in the Vancouver area and the target is exactly what
I'm talking about - identity items that the thieves can use to ruin your
credit reputation. Have the cards sent to your local bank branch and pick them
up in person.
Go up the food chain as high as necessary
If you feel strongly about some particular injustice you
see or a policy that seems just plain wrong, tell it to the top if necessary.
There is a show on TV lately that depicts upper management going down to the
front-line positions for a day or two to get a feel for what is going on in
the trenches. Many executives have no idea that there is a problem unless you
follow up. Some of them don't care but many do. If you help them to understand
a problem, don't just rant at them but truly get them to understand your point
of view, many will do something about it.
I recently had a call from a bank executive because I'd
pointed out to the branch employee that their privacy policy he wanted me to
sign was at odds with their advertised policies and I'd made a note on the
form to that effect. The form is being changed.
Amaze yourself with what you can accomplish, and keep
your privacy in mind whenever you deal with anything computerized.
Interesting Links