The Globe & Mail
Tuesday, March 18, 1997

Who's reading your electronic mail?

Internet service providers employ any number of people
who can monitor subscribers' Web activities

by Erik Heinrich

Rules governing privacy on the Internet are murky at best.

"The single biggest issue is the access ISPs [Internet service providers] have to everything you say and do on the Internet", says Richard Reiner, chief executive of Toronto-based FSC Internet Inc., a supplier of Internet services.

"A typical Internet service provider has about a dozen people who can, on a whim, read the E-mail or monitor the Web activity of any subscriber", Mr. Reiner says. "And I have yet to see an organization where those same people have had their backgrounds checked or been security bonded."

Worse, if you know where to go on the Internet, it's easy enough to download software that makes it possible to eavesdrop on your employer's local area network (LAN). If your employer happens to be an ISP, you also automatically gain access to customer accounts.

What does that mean? For all you know, the receptionist at your local ISP is killing time by reading your private E-mail right now. And that kind of activity is impossible to detect.

"People need to be aware that there are curious 18-year-olds, perhaps mischievous or even malicious in some cases, working for their ISPs, who can do pretty much whatever they please", Mr. Reiner warns.

David Jones, president of Electronic Frontier Canada, a non-profit organization dedicated to protecting freedom of expression and the right to privacy in cyberspace, says that Canada needs is federal legislation that spells out what kind of information ISPs are obligated to keep confidential.

As thing stand, most ISPs wait for the police to show up at their door with an information request before they begin to consider the privacy of their subscribers.

"A decision is usually made on the spot, perhaps by a technician who is not necessarily the appropriate person", says Dr. Jones, who is also a computer science professor at McMaster University in Hamilton.

In most cases, ISPs will have no problem confirming that someone is a subscriber, or providing police with transaction data such as names of Web sites visited or the parties with whom the individual is communicating via E-mail. Some might go so far as to reveal the content of a subscriber's E-Mail or chat-group conversations.

"It's not clear whether the ISPs are making a completely independent decision", Dr. Jones says. "There's a certain amount of fear that if the police are forced to obtain a court order, they might seize the computers." And if you're an ISP and you lose your computers, you're out of business.

In the absence of Internet legislation that is perhaps two years away, ISPs should, as a minimum, formulate a policy governing privacy and articulate it to customers, Dr. Jones says.

He adds that there is no reason why an Internet company should give police more than a person's name, telephone number, and address when confronted with an informal request. AOL Canada, a Toronto-based ISP, follows the lead of its U.S. parent America Online Inc. when it comes to complying with information requests.

Under the Electronic Communication Privacy Act, a U.S. federal statute, ISPs are required to provide subscriber information to police only if served with appropriate legal papers such as a search warrant or court order.

"We scrupulously honour member privacy", says John Ryan, assistant general counsel for America Online of Dulles, VA. "In Canada, we require the functional equivalent of a U.S. court order or subpoena before making information available to authorities.

By contrast, Sympatico, the Internet service provided by Canada's Stentor alliance of telecommunications companies, has no policy.

"We would look at information requests on a case-by-case basis", says Irene Shimoda, spokeswoman for Sympatico, now the country's biggest ISP with more than 200,000 subscribers. "If required to comply, we would."

Perhaps the answer to ensuring privacy on the Internet is encryption, or coding, of information.

Security software such as PGP, for "pretty good privacy", is available free on the World Wide Web. With E-mail accounting for as much as 45 per cent of Internet traffic, encryption could go a long way toward enhancing privacy. But there is a drawback.

Widespread use of encryption software will result in a small my measurable slowing down of Internet communication. Still, it's a tradeoff more Internet users might be thinking about.


Copyright © 1997 by The Globe & Mail. All Rights Reserved. Reprinted with permission.