Workplace Surveillance is the Top Privacy Story of 2000

Other Top Stories include Medical Privacy, Carnivore and DoubleClick

DENVER - 12/28/00 - The phenomenal rise, and technological
sophistication, of workplace surveillance leads the list of the Top 10
privacy stories of the year 2000, according to a Privacy Foundation
analysis.

Also in the Top 10 are proposed new medical privacy rules; the FBI's
controversial use of the Carnivore email wiretap; DoubleClick's stalled
plan to track consumers online; and the arrival of chief privacy
officers in corporate boardrooms.

"The rise of the Internet has sent a flood tide of privacy concerns
through business and society, and the waves are breaking big-time in the
workplace," said Stephen Keating, executive director of the Privacy
Foundation. "Two-thirds of major American firms now do some type of
in-house electronic surveillance, while an estimated 27 percent of firms
monitor email."

Some of the fallout from that surveillance can be measured in lost jobs,
as entities ranging from Dow Chemical to the Central Intelligence Agency
have fired or disciplined employees for alleged misuse of workplace
communication networks.

"Employers may be rightly concerned about security and productivity
issues, or legal liability arising from emailed sexual banter," said
Keating. "But pervasive or spot-check surveillance conducted through
keystroke monitoring software, storing voice-mail messages, and using
mini-video cameras will undoubtedly affect morale and labor law, as well
as employee recruitment and retention practices."

Servicing the workplace surveillance market are a host of companies,
including Checkpoint, SpectorSoft, Telemate, and WinWhatWhere. Noting
that employers have substantial economic, legal - and now, technical -
clout over employees in this area, one chief privacy officer for a major
corporation told the Privacy Foundation that, "Employees are toast."

Looking ahead, the Privacy Foundation expects that some companies,
particularly those in need of highly-skilled, high-tech workers, will
tout "spy-free workplaces" as a fringe benefit. The Privacy Foundation
has deployed a team of business, law and technical researchers to study
workplace surveillance issues and will have more to report in the first
quarter of 2001. Based at the University of Denver, the Privacy
Foundation is a non-profit and non-partisan organization dedicated to
research on privacy issues and efforts to educate the public.

Following is a list of the Top 10 privacy stories for the year 2000, as
well as forecasts, and a partial list of source material. The analysis
was done by Privacy Foundation personnel, including Keating; Richard
Smith, chief technology officer; and researcher Justin Rickard. For
questions, please contact Keating by email at sk@privacyfoundation.org
or at 303-717-2607; or Smith by email rms@privacyfoundation.org or at
617-962-8351.

------------------------------------------------

The Top 10 Privacy Stories of 2000

------------------------------------------------

1) Workplace Surveillance Heats Up: "Employees are Toast"

Millions of employees in the U.S. and worldwide are now subject to
electronic monitoring by employers - a stealthy trend fueled by
relatively cheap technology (like mini-surveillance cameras and
keystroke monitoring software) and employer paranoia about unauthorized
use of email and the Internet by employees. Two-thirds of major American
firms now do some type of in-house electronic surveillance, and 27
percent of all firms surveyed monitor email, according to the American
Management Association. Dozens of companies including Xerox, Dow
Chemical and The New York Times (and government agencies including the
Central Intelligence Agency) fired and disciplined employees in 2000
because of alleged bad behavior in using the companies' communications
networks. "Employees are toast," one chief privacy officer told the
Privacy Foundation, noting that employers have substantial economic,
legal - and now, technical - clout over employees in this area.

LOOK FOR: "Workplace privacy rights" to become a negotiated fringe
benefit, with New Economy companies leading the way.

SOURCES:

More U.S. Firms Checking Email , American Management Association,
4/14/00

Dow Chemical Fires 24 [and disciplines 235] in Email Controversy, CNET,
9/15/00

Big Boss is Watching, Yahoo Internet Life, 10/00

Narcware, Forbes, 5/1/00

------------------------------------------------

2) Patient Privacy Rules

Widespread public concerns about disclosing personal medical information
to doctors and hospitals - for fear the records will end up in the hands
of databanks, insurance companies and prospective employers - led to new
federal rules proposed in late December. Six years in the making, the
revisions to the Health Insurance Portability and Accountability Act
(HIPAA) will oblige doctors to seek patient consent to use medical
records in routine matters, and give patients greater access to their
own records. The 1,553 pages of new patient privacy rules, proposed by
the U.S. Department of Health and Human Services, will take two years
and billions of dollars in private sector costs to implement. In
February, President Clinton signed an executive order prohibiting the
use of genetic information in federal employment practices. The genetic
screening issue is still unsettled in the private sector.

LOOK FOR: Changes and delays in the proposed patient privacy rules, as
health care lobbyists target Congress and the Bush Administration.

SOURCES:

Clinton's Health Privacy Rules Await Congress' Perusal, Associated
Press, 12/21/00

$17.6 Billion over 10 Years to Protect Medical Files, Boston Globe,
12/21/00

President to Bar Genetic Discrimination, CNN, 2/8/00

------------------------------------------------

3) Carnivore Attacked

Acknowledgment by the FBI of an email surveillance technology named
Carnivore set off alarm bells among privacy advocates, who called for
more public disclosures about Carnivore's capabilities, and restraint in
its use. The FBI's claim that Carnivore had only been used 25 times,
primarily in national security cases, did little to allay concerns.
Carnivore operates under existing wiretap laws - laws that have been
broadened through court orders to allow an estimated two million phone
conversations to be monitored annually by law enforcement. A technical
review of Carnivore, done by an Illinois institute that was hand-picked
by the U.S. Justice Department, was seen by critics as a whitewash. The
broad fear is that the FBI could use Carnivore to tap the data pipes of
Internet Service Providers and cast a wide net for emails, not just
those sent and received by the targets of specific investigations.

LOOK FOR: Increased scrutiny of law enforcement surveillance
technologies by civil libertarian groups and activists.

SOURCES:

Carnivore Eats Your Privacy, Wired News, 7/11/00

Critics Blast FBI's First Release of Carnivore, CNET, 10/2/00

EPIC's Carnivore Archive, Electronic Privacy Information Center

------------------------------------------------

4) DoubleClick Unplugged

The merger of database marketer Abacus Direct with online ad company
DoubleClick hit front pages and sparked a federal investigation in
January 2000 when it was revealed that the company had compiled profiles
of 100,000 online users - without their knowledge - and intended to sell
them. The resulting outcry stymied the plan, which was shelved later in
the year as DoubleClick and combative chairman Kevin O'Connor endured
the steep decline among Internet ad stocks. In the press and in the
public square, the name "DoubleClick" became synonymous with Internet
privacy breaches. Nonetheless, the matching of consumers' web-surfing
habits with traditional "offline" personal data (name, address, income)
remains a lucrative lure for marketers. Avenue A and MatchLogic were two
online marketers hit with proposed class-action lawsuits alleging that
they track customers without permission.

LOOK FOR: The biggest online/offline direct marketing experiment in
history: the operational merger of AOL and Time Warner.

SOURCES:

DoubleClick Sued for Privacy Violations, CNN, 1/28/00

DoubleClick Postpones Data-Merging Plan, CNET, 3/2/00

Kevin O'Connor Gives People the Willies, eCompany, 10/00

Online Ad Companies Hit With Privacy Suits, CNET, 9/22/00

------------------------------------------------

5) Rise of the CPO

Microsoft, IBM, American Express and dozens of other firms, ranging from
the Fortune 500 to start-up e-commerce firms, created and filled a new
executive position called Chief Privacy Officer. With no clear career
path to the job, the first CPOs have backgrounds ranging from law to
marketing. Job duties are best described as Chief Flak Catcher, heavy on
public relations, with fledgling attempts to coordinate their company's
strategic, legal and technical teams to protect consumers - or at least
enforce the company's own posted privacy policies. At the federal level,
law professor Peter Swire wrapped up his two-year tenure as the nation's
first chief privacy counselor to the president.

LOOK FOR: Certification programs for CPOs, as exemplified by Alan
Westin's Privacy and American Business initiative, evolving into
graduate classes and degree programs at Universities.

SOURCES:

CPOs Make Boardroom Debut, Infoworld 12/15/00

IBM Appoints Chief Privacy Officer, Computerworld, 11/29/00

Privacy and American Business

------------------------------------------------

6) Amazon.com Surveys the Data Mine

Amazon.com, a bellwether of the Internet economy with 20 million
customers, changed its privacy policy in September to warn that customer
data will be considered a marketable asset if the company is ever
acquired, or sells off operations. The move, made as Amazon faced
scrutiny from Wall Street about its financial prospects, underscored
criticisms about the way that dot-com companies revise privacy policies
to capitalize on customer data. Several other high-profile cases made
the news in 2000. A company called Toysmart.com went bankrupt and its
customer database went up for auction - until the Federal Trade
Commission blocked the deal.

LOOK FOR: More civil lawsuits against Internet retailers for alleged
violations of privacy policies - and Congressional action in 2001.

SOURCES:

Privacy Watchdogs Blast Amazon, Ecommerce Times, 9/14/00

Privacy Groups Call Amazon Policy "Deceptive", CNET, 12/4/00

Toysmart.com: Back in the Middle Again, The Standard, 8/18/00

------------------------------------------------

7) The Urge to Merge Financial Information

The Gramm-Leach-Bliley Act went into effect in November, permitting
banks, brokerages and insurance companies under the same roof to share
customer information - and potentially share it with third parties -
provided that that they notify customers how confidential information
will be used and allow them to opt-out. An extension passed earlier in
the year gives financial institutions until July 2001 to comply with the
new rules. Privacy advocates complain that the act has loopholes and
does little to protect online transfer of information.

LOOK FOR: Consumer complaints about misuse of personal data by financial
institutions.

SOURCES:
Extension Granted on Financial-Data Privacy Law, The Standard, 5/9/00
Sharing Secrets, The Standard, 5/8/00
Gramm-Leach-Bliley Key Provisions, Securities Industry Association

------------------------------------------------

8) Wireless Privacy Battles Loom

New mandates for cell phone Emergency 911 service raised a host of
questions about wireless privacy in 2000 - and appear poised to create a
new wireless advertising industry. With tens of millions of cell phones
in use, the U.S. government is mandating the deployment of
location-sensing E911 service for cell phones in 2001. Just as
telemarketers exploited the ubiquity of wireline phone service, there
are a wide range of data-service providers and marketers eager to
piggyback on the new wireless technology to send text ads and discount
offers to cell phone subscribers.

LOOK FOR: Technology companies and federal regulators warding off
wireless spam by proposing an industry-wide "opt-in" solution for
consumers to receive text messages.

SOURCES:

Talking About Wireless Privacy, The Standard, 12/18/00

Richard Smith's Tipsheet on E911, Privacy Foundation

FCC Press Releases on E911, Federal Communications Commision

------------------------------------------------

9) Microsoft Crumbles on Cookie-Blocking

In the summer, Microsoft released a software patch for Internet Explorer
that would allow a computer user to automatically block third-party
cookies, which are small software files set on computer hard drives by
Internet advertisers. Facing grumbles from the online advertising
community, Microsoft backed off the patch, and instead will support the
P3P (Platform for Privacy Preferences) standard in the upcoming Internet
Explorer 6.0. P3P is a privacy dial that will allow users to set privacy
preferences for sites while web surfing. Earlier in the year revelations
that the National Drug Control Policy Office's Anti Drug Web placed
"cookies" on user's computers led to an executive order banning cookies
on federal websites.

SOURCES:

Microsoft Offers Tracking Alert for IE 5.5, CNET, 7/20/00

Cookie Patch Released for I.E. 5.5, CNET, 8/31/00

Microsoft Looks for Consensus on Security, ZDnet, 12/7/00

Memo on Federal Website Privacy Practices, 6/22/00

------------------------------------------------

10) A New Kind of Public Record

The emails subpoenaed from Microsoft during its federal antitrust trial,
and the email traffic to and from Florida Gov. Jeb Bush sought by the
media during the 2000 presidential election controversy, are just the
beginning. In a variety of cases, computer server logs of government
agencies and schools were sought by the media, and by individuals, as
public records. Among the incidents: a county prosecutor's secretary,
fired in Washington state, had her email traffic disclosed to the media;
in suburban Indianapolis, a school superintendent who resigned had his
alleged web-surfing activities published in the local newspaper.

LOOK FOR: Fishing expeditions by the media, political opponents, and
activist citizens, seeking email and computer server logs through public
open record law requests.

SOURCES:

Superintendent Who Resigned Had Viewed Sexually
Explicit Material on School Laptop Computer, Topics.com, 10/27/00

Media Examining Jeb Bush's E-Mails, About, 11/30/00