No Subject

[Anonymous <nobody@replay.com>]

http://www.upside.com/texis/mvm/news/story?id=36d4613c0

The Rise of Little Brother
February 24, 1999
by John Markoff
 
There's a chilling scene in the recent Will Smith-Gene
Hackman thriller, "Enemy of the State," when a rogue
National Security Agency technician sitting before an array
of computers simultaneously sifts through banking, phone
call and credit card data, concluding--erroneously--that
Smith is still having an affair. 

>From data mining vast commercial-transaction databases to
real-time, high-resolution satellite video, "Enemy of the
State" has it all. The movie's message is simple: The most
intimate details of anyone's life can be revealed and woven
into a remarkably invasive fabric. 

It's probably good that "Enemy of the State" arrived when it
did because in recent years, Big Brother hasn't been getting
much respect. The privacy debate of the 1970s and '80s over
the emergence of an Orwellian surveillance state has given
way to a very different reality in the '90s. 

Call it the rise of Little Brother. 

While Big Brother evokes the aura of an omnipotent
high-tech police state, Little Brother is more banal. In the
new surveillance world, it's no longer the FBI agent
hunkered down in a listening van tracking your every word
but rather the local Safeway manager or Federal Express
Corp. database administrator who has access to the details
of your life as a consumer. But unlike the FBI agent, these
watchers don't care who you are; it's what you buy and
what you eat that interests them. 

It's the very banality of the new surveillance world that
makes it so frightening. Forget electronic-commerce
mania--personal information is becoming the currency of
cyberspace. On the Net, information 

is captured, collated, bartered and sold: New York-based
DoubleClick Inc. faithfully captures each Web browser's
mouse click and uses the information to direct customized
ads; Firefly Network Inc. of Cambridge, Mass., Microsoft
Corp. and Mountain View, Calif.-based Netscape
Communications Corp. (which is being acquired by America
Online Inc. of Dulles, Va.) track individual interests in
everything from music to Web pages; and Boulder,
Colo.-based MessageMedia Inc. (a Softbank Holdings Inc.
company) links traditional direct marketing databases to
cyberspace pitches. 

"We're heading toward the profiling of America," says
Robert Gellman, a privacy-rights consultant based in
Washington, D.C. "[It's] the creation of a consumption
bureau to parallel the credit bureau--someone is going to
keep track of all the details of your life." 

Personal privacy is at risk as never before. However, this
rush to electronic profiling is about more than just the digital
invasion of privacy.

The Rise of Little Brother
page 2: Corporate Databases
 
Now, each electronic transaction--whether it's an online
purchase via the Internet or a telephone call to purchase an
item from a catalog retailer--may also be revealed to more
than a dozen other companies, including phone companies,
payment processors and package-delivery companies. And
thus far, no one has told these companies which data they
can buy and sell. 

Privacy advocates have long warned about enormous
unregulated corporate databases that store detailed
personal dossiers. But until the mid-1990s, the threat was
more potential than real: It was simply too difficult and too
costly to share information among disparate databases and
to sort and cross-reference it in any meaningful way. 

Now, though, the rapid rise of e-commerce on the Internet,
combined with increasingly sophisticated data-mining
software, has created a new industry in which even the
tiniest nuggets of personal data suddenly have market value.

Indeed, consumers' transactional and personal information
has become so valuable that a bitter corporate turf war has
broken out over who has rights to the data generated by a
company's customers. Meanwhile, some consumer-rights
experts have begun to argue that if the material is so
valuable, then people should be paid for use of their personal
data. As a result, the fight for control of personal data that's
electronically collected and digitally manipulated--usually
without a person's permission or knowledge--could lead to
a new definition of privacy rights in the information age. And
depending on one's perspective, the new market for
consumer data is either a boon to free enterprise or a bane to
individual privacy. 

"For the first time, retail stores can record every sale, banks
can capture each push of the button at an ATM, and
telephone companies can keep [track of] every phone call,"
says Ralph Kimball, founder of Red Brick Systems Inc., a
wholly owned subsidiary of Menlo Park, Calif.-based
Informix Corp. that develops software for vast data
warehouses used in analyzing consumer activity. "It's
wonderful to be able to see the detailed [consumer]
behavior," Kimball says. 

But one of the leading developers of data-mining software,
Gregory Piatetsky-Shapiro, director and chief scientist at
Chicago-based consulting and integration company
Knowledge Stream Partners Inc., sees things differently. For
him, the technology's latest wave brings as much peril as
promise. "This is power that was unimaginable just a few
years ago," he laments. 

Confesses Mike Lynch, a former Cambridge University
lecturer whose San Francisco-based company, Autonomy
Inc., develops profiling software, "I wake up at night in a cold
sweat wondering [whether] I'm the Edward Teller of the
information age."

The Rise of Little Brother
page 3: No Rules
 
Clad in leotards and Lycra, the hard-bodied and the hopeful
at The San Francisco Bay Club, a popular waterfront gym,
toil away on computerized stair-steppers and stationary
bikes that record their every heartbeat, the duration of each
workout and the distance covered. For sharing these vital
statistics, Bay Club members receive airline frequent-flier
miles through a promotional program run by a tiny
data-gathering company based in a loft across town. 

Sounds innocuous, but what these affluent, athletically
inclined consumers may not realize is that the company,
Netpulse Communications Inc., uses the Internet to link the
output of their exercise machines to a national database of
health club-member profiles. By surveying members,
Netpulse plans to flesh out the profiles to include the
person's age, weight, gender, birth date, address and
product-buying preferences. 

Online advertising, tailored to individual health-club
members, appears during workouts on a video monitor
attached to the stair-stepper or stationary bike. Netpulse
has deployed advertising on exercise equipment at a number
of clubs around the country, including the Bay Club. And
Netpulse's database has other moneymaking possibilities. 

Distributed via the Internet or through some other method,
health club-member profiles might be easily sold to direct
marketing merchandisers of workout clothing, for example.
Or they could be sold to health maintenance organizations
hoping to recruit and retain physically fit
subscribers--perhaps even to insurance companies looking
for the hidden hypertensives among their policyholders. 

The point isn't that Netpulse is doing anything wrong--its
executives insist, in fact, that they would never sell data
behind their members' backs. The point is that there are no
rules determining what Netpulse is allowed to do with the
data it collects. 

A clash of industries 

Not long ago, the credit card bills of 400,000 Americans
included a special solicitation from a Concord, Calif., flower
company. Global Florists Corp. had found that it could reach
just the consumers who had previously bought flowers using
their credit cards. 

"We [discovered] we could reach people who had purchased
flowers in the past three months, or six months, or ever,"
explains Jerry Olivarez, former CEO of Global Florists. 

Behind this data-mining service is a controversial and
comprehensive venture initiated by First Data Corp., a giant
Atlanta-based company that most consumers have probably
never heard of. As the leading processor of credit card
transactions for the nation's banks, First Data has
electronic access to the data generated by virtually every
transaction made with more than 180 million credit, debit and
other card accounts worldwide. Each time a consumer uses
one of these cards to buy something in a store, eat at a
restaurant, check into a motel or to make any other
purchase, First Data knows the who, what, when and where
of the transaction.

The Rise of Little Brother
page 4: Digital Dossiers
 
Using this data to compile digital dossiers on each
cardholder, a partnership of 20 of First Data's bank clients
has begun selling ads in the form of customer-specific
product pitches that are mailed out with customers' monthly
credit card statements. The enterprise, known as USA
Value Exchange LP, or Usave, has the distinction of
angering privacy-rights groups and other data miners. 

Privacy advocates attack First Data's plan as unauthorized
use of personal information that the consumers have not
agreed to share. The credit card companies, meanwhile, say
First Data has no right to use its middleman role to intercept
the sort of data that American Express Co., MasterCard
International Inc. and Visa International Inc. have
themselves been compiling into vast data warehouses.
When the service was first started several years ago, the
credit card companies bitterly, but quietly, opposed it. For a
time, the dispute threatened to tear apart The Direct
Marketing Association (an industry trade group). But so far,
the large credit card companies such as American Express
and Visa have refused to speak openly about the
issue--perhaps because they have their own data-mining
plans. 

Winding up in First Data's huge database is so automatic
that it may be easy to overlook. Eight of every 10 times a
credit card's magnetic strip passes through one of millions of
authorization terminals at stores, hotels and restaurants
across the United States each day, a detailed record of that
transaction goes through First Data's network for
processing and billing. 

Mining this data, First Data and a number of its banking
clients have created their Usave partnership, which
eventually plans to send out tens of millions of promotional
mailings each month. It's the most ambitious effort yet to
use data-mining technology to aim ads and promotions at
individual consumers. So, if a consumer has been dining out
regularly at a particular restaurant, say, she may be offered a
15 percent discount for a meal from a nearby competitor. Or,
if First Data's records show no sign that a cardholder has
made a footwear purchase lately, he may receive a discount
coupon from a local shoe store. 

Such highly focused marketing appears to pay off. In tests,
Usave found that in some cases more than 20 percent of
such mailings elicited a response from consumers--more
than double the best of averages typically achieved by
conventional direct-mail techniques. Although this kind of
marketing may raise few privacy concerns, critics wonder
what sort of targeted mailings might be received, for
example, by the person who has paid by credit card for a
series of radiologist visits--or who else may be privy to
such information. 

Usave executives say they've taken various steps to protect
cardholders' privacy and will not sell or rent the data to
other parties. Moreover, the database identifies individuals
only by account number--not by name or address, both of
which are added to the mailer at a subsequent step in the
process. 

Usave executives contend that most consumers are willing
to share data about their personal purchases in exchange for
discounts or other promotional offers. And all cardholders
have the option of checking off a box on their credit card
statements, or calling a toll-free telephone number, to
request that their data not be mined by Usave. 

Critics, however, argue that rather than having their
consumer data automatically monitored and marketed unless
they object, people should have to opt in--by granting
permission to Usave or other data miners. "None of this is
done with customer consent," notes Rick Barlow, president
of Frequency Marketing Inc., a direct marketing consulting
firm in Milford, Ohio. "I think this is an area of abuse that
can get out of control quickly." 

And privacy-rights advocates worry that premiums or
discounts may lure unwitting consumers into giving up
personal information they wouldn't part with if they fully
understood how and by whom the data might be used. 

"In the information age, the [battle cry] is no longer, 'Follow
the money,' it's 'Follow the data,'" says Marc Rotenberg,
executive director of the Electronic Privacy Information
Center, a Washington, D.C.-based public policy group. "U.S.
policy makers have been satisfied with notice and consent,
but the story doesn't end when someone [marks] a check
box. That's only part of a large constellation of privacy
issues that need to be considered." 

The Rise of Little Brother
page 5: A Gold Rush for Data
 
Like many advances in science and technology, the
dystopian implications of data mining have been described
best by science-fiction writers. 

In the pathbreaking novels Neuromancer (reprint, Ace
Books, 1994) and Snow Crash (Bantam Books, 1992) by
William Gibson and Neal Stephenson, respectively, the
authors captured the emergence of a new realm that Gibson
coined cyberspace and Stephenson referred to as the
Metaverse. Both writers imagined an immense
interconnected web of computer databases where
information effectively came alive and where rogue
programmers illicitly hunted for hidden data patterns. 

Since the time these novels were published, the frontier
cyberuniverses that Gibson and Stephenson described have
materialized in the rapid expansion of the Internet. Indeed,
the first data raids have already occurred. 

Several years ago, over Memorial Day weekend, a small
Internet startup whose business is based on an immense
electronic version of the white pages found its database the
target of a concerted data raid. Four11 Corp., since acquired
by Yahoo Inc. of Santa Clara, Calif., was one of about six
small startup companies offering white pages directory
information via the Internet. Companies such as Four11;
New York-based Bigfoot International Inc.; InfoSpace.com
Inc. of Redmond, Wash.; Internet Address Finder (part of
DoubleClick); Westboro, Mass.-based Switchboard Inc. (a
Banyan Systems Inc. company); WhoWhere Inc. (part of
Waltham, Mass.-based Lycos Inc.); and several others had
begun compiling extensive databases containing address,
phone number, e-mail and, in many cases, personal
information, making it available free to computer users.
These companies have a variety of plans for making money:
selling advertising with each address lookup, building online
communities by helping people find others with like interests
and offering e-mail services. 

Within this small business community, there has been much
discussion during the past year about a computer technique
referred to as hoovering. Hoovering is the process of running
programs that comb through public databases--now widely
available via the Internet--and recompile information into
other databases. For example, a number of the white pages
companies have searched through Internet archives looking
for e-mail addresses and other personal data and then
systematically collected this information into their
databases. 

Other examples of hoovering include the systematic
acquisition of directory information wherever it's publicly
available on the Internet. In 1996, for example, Jeffrey
Schiller, manager of systems and operations at the
Massachusetts Institute of Technology, watched as a
program run from a Four11 computer in Menlo Park, Calif.,
captured information from the university's faculty, employee
and student database, adding the data to the Four11
system. In this case, both sides stress, Four11's software
did nothing illegal. 

The Rise of Little Brother
page 6: Data Raids
 
However, the Four11 executives were unprepared for the
automatic flurry of computer downloads that began that
Memorial Day weekend. Someone had written a program
that was flooding Four11's computers with thousands of
address lookups per second. During a tense struggle, the
company's system operators blocked the program from one
Internet address, only to have it start again--each time
from a different location. 

The data raids continued throughout the weekend, and as
the Four11 staff investigated, it began to appear as if the
attacks were coming from a competitor, InfoSpace.com, a
startup founded by ex-Microsoft employee Naveen Jain. 

Four11 executives had several angry phone conversations
with Jain, during which, they say, he first denied any
involvement in the raids, but then later called to say he had
stopped them. Geoff Ralston, then Four11's vice president
of engineering, recalls Jain saying, "Let's get together for a
beer sometime and talk about this." 

Four11 wasn't the only directory company that found itself
under attack that weekend. Others, such as Bigfoot,
WhoWhere and a small directory system called Okra at the
University of California, Riverside, all found they had been
raided. 

"We had the same problem," says Ashutosh Roy, who was
then chairman of WhoWhere in Mountain View, Calif. "We
kept logs, and when we checked [them], we would see the
InfoSpace name." He says the company consulted its
lawyers, who recommended a technical solution: Block out
the raider. 

Roy believes that as the industry matures, such incidents
will happen less frequently, but he also believes that as
more information is placed publicly on the Internet, there will
be new enticements. "As this information becomes more
valuable, the temptation to [execute assaults] will
increase," he predicts. 

Jain denies that InfoSpace conducted the raids, saying the
attacks were made by someone else using a technique
known as Internet protocol spoofing. In the chaotic world of
the Internet, spoofing--or pretending that you're coming
over the Net from a false address--is easy for a network
expert. And there is, as yet, little authentication software
built into the Net to prevent such digital masquerades. 

Jain says one of the UC Riverside students called him,
angrily demanding to know why he was stealing their data.
He says he met with the student and convinced him that
InfoSpace had been the victim of an Internet spoofing attack. 

Why would someone conduct such an attack on InfoSpace?
Because of the company's success, Jain says. "We came
from nowhere, and we have an impressive business model.
Our competitors began spreading rumors."

The Rise of Little Brother
page 7: Digital Redlining
 
So far, data-mining technology users--including credit card
companies, telephone solicitors and direct-mail
merchants--have advocated a system of self-regulation
under voluntary privacy guidelines spelled out by The Direct
Marketing Association. Initially, the Clinton administration
took the position that such self-regulation was preferable to
government bureaucracy. 

However, Ira Magaziner, formerly the president's senior
adviser for policy development, had begun to express second
thoughts, suggesting that self-regulation may be inadequate
in the Internet era. 

Indeed, while the administration has pondered the need for
regulation, U.S. businesses have raced ahead. Data-mining
technology, once an experimental tool used only by the
largest Fortune 500 companies and intelligence agencies,
has rapidly been transformed into a standard competitive
marketing weapon. 

Meta Group Inc., a Stamford, Conn.-based computer
industry market research firm, estimates that the market for
data-mining tools grew from $100 million in 1995 to $300
million by the end of 1997. The firm expects this market to
hit $800 million by 2000. 

Privacy advocates say data-mining software fundamentally
changes the way vast computer data files are used and that
the unregulated deployment of data-mining systems raises
the potential for new privacy abuses. And technologists
acknowledge that data mining generates linkages that could
never be found any other way. 

"Data mining is this guy landing from Mars saying, 'I know
nothing, tell me all the relations,'" says Rob Geller, vice
president of mass-market information technology at
Jackson, Miss.-based MCI WorldCom Inc. 

What distinguishes data mining from previous database
search technologies is that corporations can now use a
variety of mathematical and statistical techniques to find
behavioral patterns that would otherwise remain hidden in
large computer databases. "Until now, data mining has been
a top-secret activity because it offers corporations a
competitive advantage," says Aaron Zornes, a Meta Group
executive vice president. 

Many of the technology's uses are, in fact, innocuous. One
example is the exploitation of data mining's ability to detect
hidden behavioral patterns in immense seas of computer
data to allow supermarkets to arrange items on their
shelves in ways that will encourage customers to buy more
of certain products. Another example: using the technology
to look for seasonal buying variations. Wal-Mart Stores
Inc., for instance, was able to use data-mining techniques to
discover it needed to stock smaller, travel-size bottles of
mouthwash during holidays. 

Other applications of data mining, however, raise privacy
concerns more directly. For example, banks and credit card
companies routinely use data-mining technology to detect
fraud, and supermarkets are beginning to use it intensively
in shopper-loyalty programs.

The Rise of Little Brother
page 8: Software Sentinels
 
Now, banks and other financial institutions are beginning to
deploy applications that use data mining to monitor credit
risk and attempt to predict bankruptcy. Banks will
increasingly deploy software sentinels to alert them when a
customer exhibits behavior that typically leads to
bankruptcy. The software will potentially permit banks to
detect bankruptcies as far as 90 days ahead, significantly
cutting their losses. 

Citibank Credit Services, Zornes notes, is developing a
system known as Cards Analytic Model, which uses parallel
processing and artificial intelligence to create sophisticated
data-warehousing and data-mining capabilities. And Visa
has a pilot program with 12 member banks to develop
bankruptcy-prediction software based on its current
fraud-detection system, which uses neural network
technology, a set of analytical software techniques that can
recognize well-defined behavior patterns in data. 

Data-mining software companies including San
Diego-based HNC Software Inc.; IBM Corp.; Neovista
Software Inc. of Cupertino, Calif.; Providence, R.I.-based
Nestor Inc.; Neuristics Corp. of Hunt Valley, Md.; and
Burlington, Mass.-based Thinking Machines Corp. are
developing bankruptcy-prediction products, Zornes says. 

Privacy and consumer advocates suggest that applying
data-mining techniques to predict bankruptcies is a new
electronic way to do what has previously been done by other
means. "This is a form of digital redlining," says Donna L.
Hoffman, associate professor of management at Vanderbilt
University's Owen Graduate School of Management in
Nashville, Tenn. In the nondigital world, redlining is the
banking or insurance company practice of refusing to make
loans or issue policies in certain neighborhoods for racial or
economic reasons. In the digital world, redlining can be
performed with a database based on a statistical profile,
which has nothing to do with a person's actual behavior. 

In many cases, companies know they're skating near
unresolved privacy issues as they begin to deploy new
data-mining applications. For example, MCI WorldCom,
one of the nation's largest data miners, has created a
2-terabyte database (which it maintains on a 90-processor
IBM SP-2 mainframe); the database has permitted the
company to narrow the focus of its marketing efforts from the
household level down to the individual customer level, Geller
says. 

MCI created its database by taking its customer records and
merging them with demographic data purchased from
database marketing companies, as well as mailing lists from
magazines such as Rolling Stone, in an effort to more
precisely target customer preferences. Improving MCI's
customer-retention rate is one focus of its data-mining
activities; providing better customer service is a way to
accomplish this. For example, customers who have pagers,
Internet access and spend $100 a month on international
phone calls will automatically be connected to more
sophisticated agents when calling the company for help. 

However, MCI has stopped short of adding actual telephone
calling information to its database, both because of privacy
concerns and because merging in that data would require an
additional 3 terabytes of storage capacity. "Technologically,
this is absolutely doable," Geller says, "but from a privacy
point of view, there are still a lot of issues with respect to
our Friends and Family marketing program."

The Rise of Little Brother
page 9: Individual Privacy
 
In fact, the nation's telephone companies are held in check
by special restrictions placed on them by the
Telecommunications Act of 1996. The law prohibits the
resale or marketing use of customer proprietary network
information, or CPNI, except in special circumstances. CPNI
data consists of information detailing who is calling whom.
With this data, marketers could create personal caller
profiles by blending telephone calling habits with
demographic information. 

Significantly, while experts consider the 1996 law to be a
good privacy model, there are no similar restrictions covering
newer communications media such as the Internet or
interactive television. "The same privacy rules should apply
across media and services," says Deirdre Mulligan, staff
counsel for the Center for Democracy and Technology, a
Washington, D.C.-based lobbying group. 

Indeed, the Internet represents uncharted privacy territory.
That's because thousands of Web sites routinely collect
enormous amounts of information from computer users, and
much of that data is related to personal interests, not just
commercial transactions. 

"The [use] of Web data concerns me," says Ed Zyszkowski,
the researcher who helped coin the term data mining while
working as a scientist at Thinking Machines in 1989. "You
use [the Web] for more than making purchases; you're there
looking for information." 

The trend toward collecting computer data on all of a
person's activities changes the privacy threat presented by
the Internet, Zyszkowski argues. But many Internet
entrepreneurs say they can gather the marketing data they
need without invading individual privacy. For example, to
build detailed behavior profiles for advertisers to exploit,
DoubleClick collects information about where computer
users click their mice, but knowing who is clicking the mouse
is of no value, says Kevin O'Connor, the company's founder
and CEO. "We don't know it's you," he says. The premise
behind the DoubleClick technology, O'Connor argues, is that
its network makes it possible to target ads that are
immediately responsive to what the user is looking for at
any given moment. 

However, Zyszkowski believes it will be increasingly
difficult for Internet advertisers to honor barriers erected
between data collected about computer users' activities and
demographic data collected by traditional direct marketers.
"There's a lot of rhetoric now about privacy, but the idea of
having Chinese firewalls in cyberspace will always be
artificial," he says. 

That observation is virtually certain because in the new
world of the Internet, there are no rules. Daryl Pregibon, a
data-mining expert and division manager at AT&T
Laboratories (a unit of AT&T Corp.), sees that clearly: "On
the Internet, it's the Wild West," he says. And like the Wild
West of the 1800s, today's digital badlands have become a
risky place for innocent cyberspace dwellers, who should
have no illusions about their privacy online.