(MONEY Magazine) – "On each landing, opposite the lift shaft, the poster with the enormous face gazed from the wall. It was one of those pictures which are so contrived that the eyes follow you about when you move. BIG BROTHER IS WATCHING YOU, the caption beneath it ran." --George Orwell, 1984

In his prescient novel published 48 years ago, Orwell imagined a world in which the government could see and hear everything any citizen said or did. In this world, you could never be alone and your most personal information would be instantly accessible to strangers. Fortunately, Big Brother never materialized. But 13 years after 1984, there are ominous signs that your privacy is being invaded in ways even Orwell couldn't have foreseen. As you're receiving your first phone call in the morning, driving past a tollbooth camera en route to work, e-mailing an office colleague, visiting the pharmacist to fill a prescription, picking up groceries or letting your kids surf the Internet, it's possible that you and your family are being watched, listened to or recorded, while data about your personal finances and medical status is being collected--and then sold.

That's right: sold. Companies that get your address and Social Security number and gather information about your assets, health, buying habits and personal interests often resell it all for $50 to $125 per 1,000 names. That information has a variety of uses. It can help government agents catch criminals, families track down long-lost relatives and marketers alert consumers about products they want. But it can also be used for more nefarious purposes. "Individuals are denied jobs and insurance based on the contents of these databases," says Beth Givens, project director for the San Diego-based Privacy Rights Clearinghouse, a nonprofit consumer advocacy group. And lives can be ruined.

So much for Supreme Court Justice Louis Brandeis' lofty assertion that it's the right of every American "to be left alone." Indeed, a two-month MONEY investigation has concluded that you now face significant threats to your privacy in five areas: your financial life, your medical records, your spending patterns, your children's purchasing habits and your work life. In this article, we'll tell you who's selling your secrets and, more important, what you can do to stop them. If you have any doubt that average Americans are being harmed financially and psychologically, consider these tales:

--Darylle Goodfield, 51, pictured on page 111, still doesn't know how a stranger got her Social Security number and a valid copy of a California ID early last year. But she does know that the impostor racked up more than $40,000 worth of charges in her name before she was caught.

--Jane Gass, 56, lost her job after 13 years as a nurse for a Kentucky manufacturer of bonded rubber products after refusing to hand over to a new manager the keys to employees' private medical files.

--Charles Freude, 38, was fired from his job as a power-plant engineer at the University of Oklahoma last January for sending a tasteless joke over what he thought was a confidential e-mail system (see the box on page 109).

--"Julie," an undercover FBI agent posing on the Internet as a 13-year-old girl, was e-mailed child pornography by a 77-year-old Maryland CEO who also invited her to meet him in a Virginia hotel. He was arrested there by the FBI.

--Beverly Dennis, 57, a grandmother in Ohio, received a lewd letter from a Texas prisoner after filling out a marketing survey in return for coupons and free product samples, unaware that the information would be processed by prison labor. "I'm still frightened when I think about it," Dennis says.

Some Washington leaders are rushing to ease such fears. In May, President Clinton called for "new protections for privacy in the face of new technological reality." Meanwhile, more than two dozen bills have been introduced in Congress to give citizens greater control over such sensitive personal data as their Social Security numbers and medical records. Predictably, business leaders--particularly in the Internet and direct-marketing worlds--are rushing to head off government action with proposed self-regulatory and technological solutions. Says Leslie Byrne, director of the U.S. Office of Consumer Affairs: "Privacy has become the consumer battleground of the decade."

Here is how the war is being fought to snare your secrets, and the weapons you have at your disposal to protect yourself:

FINANCIAL PRIVACY

One of the fastest-growing types of credit fraud in America is the violation of your financial privacy known as true-name fraud or identity theft, which Federal Trade Commission associate director David Medine calls "a nightmarish experience that can devastate lives." Simply stated, true-name fraud occurs when someone steals personal information about you, like your Social Security number and your mother's maiden name, creates a fake ID and then assumes your identity in a way that's even scarier than in Face/Off. The impostor then commonly opens bank accounts in your name or establishes instant credit and buys expensive items charged to you.

Like Darylle Goodfield, most victims of identity theft don't know how the impostor got hold of their personal data. What is clear is that the Internet and the proliferation of online services has made it much easier for people to find out all about you without leaving their PCs. Says Givens, whose clearinghouse operates a Website for victims of identity fraud and other invasions of privacy (http://www.privacyrights.org): "If someone is intent on taking over a specific person's identity, it is very, very easy to do, since they can just hire services that look up this kind of information." Case in point: For only $136, a MONEY reporter was able to get a Houston company called Infotel to retrieve my Social Security number, current and past addresses, home phone number and the purchase price of my home and mortgage, as well as my neighbors' names, addresses and, in some cases, phone numbers.

Poor security in some computer networks also makes it possible for clever hackers to filch your financial secrets for fast bucks. Last August, three hackers from Germany broke into the computers of a small South Florida Internet service provider, downloaded credit files containing personal information on 11,000 of its customers and then threatened to post them on the Web unless the company forked over $30,000. Fortunately, the U.S. Secret Service alerted German police, who arrested the cyberthieves first.

HOW TO PROTECT YOURSELF

--Order your credit report once a year from the three major credit bureaus (Trans Union, 610-690-4909; Equifax, 770-612-2500; and Experian, 888-397-3742) to check for any inaccuracies or false charges that may indicate fraud. The fees range from free to $9, depending on where you live.

--Hire a firm that will monitor the activity in your credit files. For example, for $69.95 a year, CreditComm (800-777-9700) will watch your accounts with the big credit bureaus and tell you about any unusual activity or requests made for your credit information.

--When buying over the Internet, get your correspondence encrypted, so the information you provide will be scrambled and impossible to read by hackers. If you are using the latest browsers from Netscape Navigator (version 4.0) or Microsoft's Internet Explorer (version 4.0), you already have first-rate encryption. Otherwise, you can download encryption software for about $50 at a Website called Pretty Good Privacy (www.pgp.com).

--If encryption isn't an option, use anonymous online payment schemes developed by companies like DigiCash, First Virtual and CyberCash, which let you pay electronically or by credit card while offering encryption that prevents anyone else from seeing your credit-card number.

MEDICAL PRIVACY

Of all the aspects of American life where privacy is invaded, this area is unquestionably the most disturbing. "Many people imagine that their doctor keeps their medical records and no one else sees them," says Robert Gellman, a leading privacy expert who is advising the Department of Health and Human Services on the development of medical privacy standards. "That's a joke."

Case in point: The private Medical Information Bureau houses files on some 15 million Americans, which are used by MIB's member insurance companies to help determine who gets life and health insurance and what they'll pay. Medical personnel in managed-care networks can read your files that aren't kept at MIB too. So can pharmacy benefits-management companies and some employers. In a new study of the privacy practices of 300 Fortune 500 companies by University of Illinois professor David Linowes, 35% of employers said they use personal medical information as a basis for hiring, promotion and firing decisions.

Jane Gass learned about the sharing of employee medical records the hard way. After the nurse was fired by her longtime employer for refusing to give her new boss the keys to employees' private medical files, she sued the company for wrongful termination. A federal district court judge has since held that the law did not limit an employer's ability to designate who holds those keys. Complains Gass: "I try to uphold a code of ethics. But when I do, I get fired."

The drive by managed-care companies to hold down medical costs has led some of these firms to demand ever more detailed medical records from doctors to justify--or refuse--coverage. Psychiatrist Denise Nagel, executive director of the National Coalition for Patient Rights, tells of one psychiatric patient who was horrified to learn that explicit reports of his sexual fantasies were available online to his dermatologist, podiatrist and anyone with access to his health maintenance organization's computers. While that HMO has since limited online file sharing, Nagel says: "The practice is still widespread throughout the health-care industry."

Similarly, employers regularly get reports from pharmacies and pharmaceutical benefit managers about their workers' prescription-drug use and, increasingly, employers are strong-arming insurers for their workers' medical histories and the nature of their office visits. For instance, in November 1992 the Rite Aid drugstore chain gave the Southeastern Pennsylvania Transportation Authority (SEPTA) a list of employees taking more than $100 worth of drugs a month, enabling a supervisor to single out workers on Retrovir, a drug used to treat AIDS. Says Philadelphia lawyer Clifford Boardman, who sued SEPTA and Rite Aid on behalf of an HIV-positive employee: "My impression is that this is a standard approach in the pharmaceutical industry." Rite Aid settled, but SEPTA won on appeal after the judge ruled that the harm inflicted to the employee was minimal.

The prognosis for the future looks even more alarming, since the dawn of genetic testing is creating medical records that contain information not only on actual ailments but also on patients' genetic predisposition to diseases like breast cancer, Alzheimer's and Parkinson's. Think your employer can't order up this stuff? Think again. In a recent landmark ruling, a California judge dismissed a lawsuit filed by seven employees against Lawrence Berkeley Laboratory for secretly testing them for sickle-cell anemia, a genetic disease prevalent among African Americans, during a routine physical.

HOW TO PROTECT YOURSELF

--Call the Medical Information Bureau (617-426-3660) to find out whether it has your medical records. If it does, get a copy to check their accuracy. Should you find mistakes, MIB will investigate and, if the bureau agrees that any records are inaccurate, it will edit or delete them. Otherwise, you can put a statement of dispute in the file, which will come up whenever the report is pulled. If you get in touch with the MIB within 30 days of having been denied insurance or charged a new, higher premium because of an MIB report, the copy of your file is free. Otherwise you'll pay $8.

--Interview potential doctors, particularly mental-health practitioners, about their policy on reporting your medical condition and treatment to managed-care companies and employers.

--You can minimize the risk that results of a medical test, mental-health consultation or prescription-drug purchase will appear in your records. If possible, don't file for reimbursement from your insurer, and go to a practitioner or druggist who agrees not to report the results to your insurer or employer. Says Bryant Welch, a Washington, D.C. clinical psychologist and attorney: "That's not paranoid. It's pragmatic."

CONSUMER PRIVACY

Have you ever filled out a new-product warranty card, entered a sweepstakes, called an 800 or 900 number to make a purchase, used a supermarket frequent-buyer card or shopped on the Internet? If so, your name is almost surely in one of the hundreds of data banks compiled by database-marketing companies like Metromail and Polk that help companies target potential customers. Warns Carole Lane, author of Naked in Cyberspace: How to Find Information Online (Pemberton, $29.95): "There is nothing stopping these kinds of companies from finding imaginative ways to merge the lists with Census data and phone books" to create and sell megadirectories.

Direct marketers, which earned a total of $630 billion last year selling directly to consumers via mail or telephone, defend such consumer profiling as a way to better target customers and reduce costs. (Full disclosure: Time Inc., the parent of MONEY, routinely buys lists of magazine subscribers in order to find prospective MONEY customers and sells its own subscriber list to the likes of credit-card companies and financial newsletters. But MONEY, like all Time Inc. magazines, offers subscribers the option of having their name removed from the list it sells.)

Some people who've had their name and address distributed, however, are not pleased about it. Among this group is Beverly Dennis, the Ohio grandmother who heard from a Texas prisoner after filling out a Metromail marketing survey. In the letter, he fantasized about rubbing Neutrogena soap all over Dennis' body and asked her lewd questions. Metromail hadn't told Dennis (nor any of the approximately 2 million consumers filling out the surveys) that the company used prison labor to process the questionnaires, which included such personal details as her birthday, the fact that she was divorced, and her favorite brand of soap. Indeed, in the course of suing Metromail for invasion of privacy and fraud, she learned that Metromail had 25 pages of info in its Beverly Dennis file. Metromail has discontinued the use of prison labor but is fighting Dennis in part on the grounds that she voluntarily filled out the survey and that the letter was "not so extreme" as to satisfy the legal standard for emotional distress. The case is expected to go to trial within a year.

The capture of data about consumer purchases and preferences has become especially aggressive in the online world. A June survey of the 100 most frequently visited Websites by the Electronic Privacy Information Center (EPIC), a Washington, D.C.-based privacy advocacy group, found that while none explicitly required users to disclose personal information, 24% surreptitiously placed so-called "cookies" on the users' hard drives. That's techno-slang for a feature that secretly logs your activity at Websites, providing marketers with a map of your interests and online purchases. Says EPIC's director, Marc Rotenberg: "What makes the Internet so problematic is that it's so difficult to tell when personal data is being collected or how it is being used."

The most visible result of all this consumer surveillance, on and off the Net, is the avalanche of junk solicitations and telemarketing calls Americans receive. Last year, there were 720 direct-mail offers for every U.S. household. Increasingly, junk mail is saturating the Internet as well, where the same dollar it would cost to send one direct-mail solicitation now buys 10,000 e-mails.

If you're a Netizen, you know why these unwanted e-mails, dubbed spam, are considered four-letter words. Not only are they time consuming and potentially costly to delete, they often contain fraudulent content and phony return addresses. A sample of messages forwarded to consumer advocate Ram Avrahami earlier this year found that more than a third of such unsolicited e-mails involve suspicious moneymaking schemes.

For now, you have no legal right to see or correct information about you housed in any marketing database. Nor is it easy to get dropped from marketing lists. True, the Direct Marketing Association, a trade association, has an "opt out" list that notifies DMA members which consumers wish to be taken off their mailing lists. But 44% of Americans don't know they have this option, according to the 1996 Equifax/Harris Consumer Privacy Poll. Moreover, companies don't have to tell them. And many of the worst offenders are, naturally, not DMA members.

Spammers often punish those who try to opt out of getting unsolicited e-mail by "flaming" them--sending them nasty messages online, sometimes in overwhelming numbers. Just ask David Aronson, a Dulles, Va. software engineer and outspoken spam critic. On top of the 20-odd spams he receives at work and home on an average day, Aronson showed MONEY a stream of filthy, utterly unprintable flames from someone who described himself as a "gay atheist commie spammer." Warns Aronson: "Never, ever reply directly to spammers. It tells them your e-mail address is valid. They will sell it, and you'll get more spam."

HOW TO PROTECT YOURSELF

--Cut down on unsolicited mailings by putting your name on DMA's free opt-out list, known as the Mail Preference Service. Write to DMA at P.O. Box 9008, Farmingdale, N.Y. 11735. You can also choose to take yourself off only selected lists by notifying marketer Polk (800-635-5522 or www.polk.com).

--Before shopping the Net, consider signing up with a free opt-out Internet service like Junkbusters (www.junkbusters.com). It takes users off unwanted e-mail lists and provides software that blocks ads, crunches cookies and prevents the release of sensitive information like your e-mail address.

--If you don't want a Website to know where else you've been on the Net, get rid of your "cookies" manually by going to the "Find" feature on your computer, typing in cookies and then deleting the cookies text file. You may then have to reregister at some sites, though.

CHILDREN'S PRIVACY

Marketing information about kids is now a hot commodity and for good reason. Children under 18 spend more than $80 billion a year and influence another $160 billion of their parents' purchases, according to the Center for Media Education, a watchdog group focusing on children's issues. As a result, marketers have grown ingenious at developing games, contests and free merchandise offers to pry information from your kids about their interests and buying habits. "The sale of personal information about children is a relatively new threat to privacy that many parents are not aware of," says Rep. Bob Franks (R-N.J.), who has introduced legislation to limit its collection and sale. "Every time you sign your child up for a birthday club or enter your child's name in a school directory, you could be putting him at risk."

Some children's advocates worry that controls on kids' lists are far too lax. Last year, for example, a CBS-TV reporter posing as the wife of Richard Allen Davis, then on trial for the abduction and murder of 12-year-old Polly Klaas, was able to obtain a list of the names, sex, address and phone numbers of 5,500 California children from Metromail by using a fake name, mailing address and disconnected cellular-phone number--and for only $277 cash on delivery. Metromail says it no longer sells mailing lists of children. But others do. For 8.5[cents] a name and a copy of the script you'll use to sell your product to kids, one Tucson company, for example, will give you as many as 8 million children under 17 sorted by name, sex, age and city.

Many parents would be appalled to learn of the insidious methods some merchandisers now use to get information about their kids online, where 4 million kids under 17 troll each year. A recent University of Texas study of 51 commercial Websites found that 39% requested personal information from children and 24% used "cookies" to gather e-mail addresses and information about users clicking from page to page on a site. What we are seeing, says Shelley Pasnik, director of children's policy for the Center for Media Education, is a "powerful digital data collection machine, designed to extract enormous amounts of personal information from children on a routine basis."

Take the popular Nickelodeon Website. Here children are offered "tons of prizes" to fill out an entry form requesting their e-mail address, real name, gender and street address. The sweepstakes form, which is optional, then asks questions such as: Do you have any animals? Do you like to paint or draw? Do you like collecting (stamps, comics, coins and the like)? Nickelodeon says it does not sell any kids' information. At the Colgate Kids World site, the Tooth Fairy herself promises personalized e-mail in exchange for the kid's name and age. A statement attached to Colgate's Tooth Fairy's promise alerts kids that communications with the Tooth Fairy are "nonconfidential" and that the information can be used "for any purpose whatsoever." Further, a Colgate spokesman says the company does not use the information for marketing. Warns Dr. Michael Brody, a child psychiatrist with the American Academy of Child and Adolescent Psychiatry: "Young children will listen to authority, especially when it's coming from strong comic characters."

Children's activists are pushing Franks' bill, which would ban any sale, purchase or exchange of personal information about children on or off the Internet without parental consent. They also favor guidelines banning companies from sending unsolicited commercial e-mails to kids. Says Franks: "I think we have enough laws named after dead children in America. It's time for government to take prudent and responsible action to avert another tragedy."

HOW TO PROTECT YOUR KIDS

--Instruct your children never to give out personal information in surveys, contests or on the Internet, particularly in chat rooms.

--Consider buying filtering software like Net Nanny ($39.95), Cybersitter ($39.95) and Cyberpatrol ($29.95), which lets parents choose the Websites their children can or cannot visit.

--Don't put an Internet-connected computer in your child's bedroom, where he or she can log on unchaperoned. The family that surfs together surfs safely.

WORKPLACE PRIVACY

You probably realize that very little of what you do in your office is just your business. But what will astound you is how naked you really are in there. Since 1990, the number of people subject to electronic surveillance at work has increased from about 8 million to more than 20 million, says the American Civil Liberties Union. Employers eavesdrop on some 5 billion phone calls every year, or more than 9,512 a minute, says the Communications Workers of America. In addition, 36% of companies with e-mail periodically snoop in their employees' messages, according to a study by the Society for Human Resource Management.

Other growing threats at the office: hidden cameras in locker rooms and offices, drug and genetic testing, and so-called active badges--employee ID cards embedded with microprocessors that let an employer track a worker's movements into and out of secured areas. Such high-tech surveillance tools can help employers measure productivity and uncover misdeeds. But for some employees, they amount to spying, plain and simple.

Ask Gail Nelson, 46, a secretary and computer counselor at Massachusetts' Salem State College for the past 10 years. In what college officials say was an effort to discover someone who was entering Nelson's workplace after hours, the school secretly videotaped her and her colleagues during the day. Nelson says this included taping her when she changed her clothes before walking home. "I'm outraged," says Nelson, who will soon file a suit against the college for invasion of privacy. The college maintains the camera was pointed at the front door, so it would not have photographed Nelson changing. In addition, school officials say they had the right to install the camera to protect the office.

Advanced computer technology has made it much easier for companies to amass thick personnel files on employees too. "Most employers collect considerable amounts of irrelevant information on employees, including rumors," says University of Illinois professor Linowes. In his privacy study of 300 companies, Linowes turned up the following disturbing facts: Nearly half the firms surveyed collect information on employees without informing them, 38% do not even tell them the types of records that are kept, and 44% don't explain how the records are used.

Personnel files can't just keep you from getting a promotion or hanging on to your job. They can also affect your ability to acquire credit, buy a house or a car or rent an apartment. Linowes' study found that 70% of employers disclose personal information to credit grantors without a subpoena or employee consent, 47% give information to landlords, and 37% will share your secrets with government agencies from the Justice Department to the Internal Revenue Service. Says Linowes: "Many employers think supplying the government with information is their patriotic duty."

HOW TO PROTECT YOURSELF

--Watch everything you say, do and, especially, e-mail at the office. Warns Cliff Palefsky, co-chairman of the privacy committee of the National Employment Lawyers Association: "Presume that you are being eavesdropped on or observed in everything you do at work."

--If you feel you are being blackballed by potential employers, spend the $30 to $100 or so necessary for a background check on yourself by calling an investigative service listed in your phone book. At least then you can identify and begin to address the problem.

--If your company offers an Employee Assistance Program, before talking to a counselor, find out whether the information will be shared with your employer. Says Sandra Nye, a Chicago privacy lawyer: "In some cases, it is definitely best to seek outside counseling."

WHAT SHOULD BE DONE

While the privacy genie is out of the bottle, Washington and private businesses need to work hard to minimize the biggest threats you face. One positive sign: The Worldwide Web Consortium, a global industry group, is now developing tools that would enable your Internet browser to match your personal privacy preferences with the actual practices of the sites you wish to visit, blocking entry to those that don't meet your standards. In addition, however, the following five actions are warranted.

Congress and the President should enact into law:

--The bill sponsored by Sens. Dianne Feinstein (D-Calif.) and Charles Grassley (R-Iowa) prohibiting the buying and selling of Social Security numbers without the individual's written consent. The bill would also make it illegal for credit bureaus to sell personal identifiers, including mothers' maiden names, birth dates, unlisted phone numbers and Social Security numbers.

--Patient privacy legislation like that introduced by Rep. Gary Condit (D-Calif.) that would establish new confidentiality rules and ensure that all patients have access to their medical records and the right to correct them. Also worthwhile: a proposal by Rep. Louise Slaughter (D-N.Y.) prohibiting health insurers from discrimination based on genetic information.

--The bill proposed by Rep. Franks banning list brokers, Internet merchants and direct marketers from selling information they collect about children without parental consent.

Companies should do the following:

--Direct marketers ought to adopt guidelines requiring them to clearly disclose to consumers what information they are collecting and how they will use it, giving people the chance to correct errors and keep themselves off marketing lists.

--All businesses should fully disclose to employees the kinds of records they maintain about them and give them access to the records. They should also tell employees what kind of electronic surveillance they are under at work.

If, within a year, industry self-regulation doesn't raise confidence about privacy protection by consumers and workers, Congress and the President should enact a Privacy Bill of Rights, such as that proposed by White House consumer affairs chief Leslie Byrne, which would give every citizen the right to see his or her files and correct any that are wrong. Says Byrne: "Americans still hold a very strong belief in the right to be left alone." Ironically, to keep Big Brother at bay, they may need some help from the government.

REPORTER ASSOCIATES: Brian Clark and Erin McNeece