
Privacy expert monitors issue with a keen eye

Privacy Foundation chief technology officer Richard Smith knows how information collected through technology can be manipulated in ways the developer never intended.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Richard Smith has dedicated himself to demanding high security and privacy standards of Internet companies.

A veteran computer programmer, Smith knows how information collected through technology can be manipulated in ways the developer never intended. Currently the chief technology officer at the Privacy Foundation, Smith has gained prominence for revealing tracking technologies within software programs, operating systems and Internet services, including high-profile privacy flaws at RealNetworks and Microsoft.

A kind of ethical hacker, Smith uses the Internet to spy on the spies, as with his recent discovery that Microsoft Word documents can contain electronic surveillance tags that allow authors to track their use.

Such "computer-bites-man" stories add fuel to a privacy debate fire that began earlier this year with the DoubleClick-Abacus Direct merger. Since then, online profiling practices by marketers have become a flash point with legislators, consumer advocates and the public, who are concerned that personally identifiable information can be linked to data collected about online habits.

The well-respected Smith now has the ear of the industry, regularly advising lawyers, advocates, the media, legislators and the Federal Trade Commission on privacy issues.

Smith talked to CNET News.com at John Harvard's Brew House, a pub in Cambridge, Mass., located near his home in Brookline, Mass., where he works and lives with his family.

CNET News.com: How would you describe the two opposing sides of the Internet privacy debate?
Smith: On the Internet, the privacy debate is basically direct marketers vs. the privacy folks.

The direct marketers are always interested in getting information about individuals that will help them pitch products to those individuals. The problem with that is you have to spy on people to make that happen.

From a privacy standpoint, that spying can be fairly benign to fairly extreme. And since you've got marketers not willing to talk about how they track or spy on people, that breeds suspicion.

What are the dangers of spying?
The government has a fair amount of rules and laws to regulate how much they can spy. But when you get into the commercial sector, there are no rules in place. And it's possible to do very intrusive spying.

Why do we want to be concerned? Well, one reason is (companies) don't want to talk about it. (They should) have to ask for permission. Is it OK to watch somebody? That's just basic human fairness.

(Marketers) don't really want to talk to consumers about the business they're in because they know that it's going to be creepy, even though you can argue it's not. And so they need to do a better job of marketing their products. They need to talk to consumers. And they need to ask permission.

So what's the worry?
I don't think that we have to worry about government, but we have to be worrying about the lawyers.

The big issue is not just direct marketing on the Internet. We have all these computers now that are collecting more and more information about us, saving it away. We're getting larger- and larger-capacity hard drives; we're building this faster and faster Internet that can communicate; we're coming up with new and interesting sensors that can get all this data.

So the sensors get the data, the Internet and wireless phones transmit it, and that goes on to these larger and larger disk drives. So the problem then is the lawyers over time are going to begin to learn about this data and start figuring out clever ways of using it in legal proceedings. And I think that's the most reasonable scenario why we want to be worried--it's the lawyers!

That's your doomsday scenario?
Right, the most practical problem is when people will be hurt ultimately by the collection system. That may not be by ad networks--we may never see a real problem there. But it may be other things, more innocuous things...getting little snippets of information or conversations taken out of context.

Today that's what law enforcement uses. Over time, it (will) be used more and more. Litigators may say, "Yeah, Amazon...They've got patterns of what books people are looking at. This guy was looking at the 'Anarchist Cookbook.' And he must be a terrorist." But we don't know why he was looking at that book.

The bigger picture is, it's not just the Internet. The Internet is sort of the prototype of all the spying that's going on. Cell phones are going to start identifying your location and where you're at within a few hundred feet or yards.

(There's also) interactive television. We have one-way cable today, but when you start two-way cable, then you start having all these same problems.

Are people overreacting or underreacting about their privacy on the Net?
I think most consumers don't care that much, frankly.

They think, maybe that's something I should worry about, but I don't know what that really means. They haven't been able to understand the tracking aspects of the Internet and how it can be misused.

The way it may come into focus is when we start hearing about famous people that run into some kind of problem related to Internet privacy.

In a divorce situation, which half of us will have to go through in our lives, when the other side says, "Turn over all your emails," or, "We want to see your browser or all your cookies," then they start caring about that kind of stuff.

If most people don't care about their privacy on the Internet right now, it must be difficult to justify your job.
That's a good point. Most people probably don't care about car safety either. They just want it to be there. Do you think about brakes on your car? Privacy is just that way and it's just something we sort of expect. Most people are kind of hazy about what it means to be on the Internet vs. in the regular world.

Do you believe in the absolute right to privacy?
That's sort of a political/philosophical question. I think more about how much more data can they collect about us, and I want to stop that. I want to sort of stop the clock and have the online electronic world mirror much more the older world where we were more private.

Is Congress doing a good job protecting people's privacy?
If you ask people in Washington who worry about privacy, the answer is no. There have been a lot of battles over the years. This is hardly a new one. The Internet just adds a new wrinkle in it. If you look at the long-term historical record in this country, it's not been the greatest.

Today, for whatever reason, there's a lot more talk about privacy; and the Internet is much more intrusive. I think they're certainly looking at it more carefully than they have in the past. But (the DoubleClick-Abacus Direct merger) ended up focusing way too much spotlight on the direct marketing business. I think the old-timers in business are probably fairly pissed at that.

Is the government acting too slowly in enacting Internet-related privacy laws?
Well, yeah. There are three arguments why they want to be careful. One is they don't want to rush into it. This is the new technology. And it could change overnight and then the new rules would become obsolete. And I kind of agree with that. I sort of think you want rules that are more principle-based than technology-based.

The other one is the industry always says, "Well, if you over-regulate us, you'll kill it."

The last thing is there are a lot of pushbacks from the direct marketing industry...they've been fighting.

What are your thoughts on self-regulation vs. government regulation?
There should be some super Draconian laws regulating information collection. The main thing about information collection is that we just have to have people's permission, and in this country, that's not the rule. The rule is you take it and if you don't like it it's either tough noogies or you're knocked out by that collection. We should have to ask.

What are your goals at the Privacy Foundation?
(My priority) at the Privacy Foundation is to cut down the amount of data that's sent in by sensors. So we cut off the data from the lawyers and from the marketers who are taking in information without asking for it first.

By forcing companies to disclose their practices, they begin to weigh the decision to track more. (They think), "We're going to lose business by disclosing this, so we'll just stop doing it." That's part of the disclosure game; it forces companies to make that decision, and a lot of times companies feel kind of reluctant to talk about it.

What's next for the Privacy Foundation?
The industry gets interested in some particular area, and then so do we. Interactive television is (probably) next. After that, wireless, (which is) still premature.

What's your favorite part about the job?
I think we're going to end up making a difference...By shining a light on behavior, it'll stop the behavior.

What's a typical day like for you?
I'm pretty much on the computer or the telephone all day long. I seem to have less time for (research) right now. But if I'm looking at a product, I install it on my computer, watch what it does, try out various experiments, look for things that I already know that people messed up on in the past. People kind of make the same mistakes over and over again at different companies. I know Product X had this problem, so let's see if Product Y has the same problem.

How do you pinpoint some of the problems?
You're running little experiments with their software. I use a packet sniffer to watch the data that goes in and out of their servers. And there's a whole series of little tools that I use.

In the case of Word, I went looking for that problem. I saw it and it didn't dawn on me for two days what it meant.

What is the simplest thing you can do to protect your privacy on the Web?
Well, one thing is to get a cookie-cutter program or (software) to manage cookies. There's only two or three sites that you really need cookies for. The rest of them are sort of superfluous.

Another thing is you've got to be very careful how you give out any information at a Web site when they ask you to sign up; you still have to resist that temptation. They seem to be too nosy, like asking too much stuff like your household income or even gender and age. Just lie.

Can people expect in a few years that nothing they do is private?
Yes, I think people are going to start "getting" that they are being watched a lot. But it's going to have to be sort of more obvious to them. People are going to have to say, "Well, you're being watched." What the effect of being watched is you stop doing things. If employers watch you, you (may) stop working at the company. That's what will temper these people's desire to spy is that they'll start noticing people making use of their services less and less.

That used to happen in Russia. If people thought there was a bug, they would walk to the park to have a conversation. We will too. If we want to look up something on herpes cures, we'll maybe not do that on the Internet.

Is the Internet privacy debate raising awareness about privacy problems in other areas of our lives?
The Internet is fundamentally different than the offline world, and this is something that people in the industry are only kind of figuring out now.