privacy over the years

 In 2012, Nordstrom began using tracking technology to track their shoppers visiting their stores. The practice became common among other retailers and caused concern among customers.


Our privacy is a right that has been taken away – and taken back – several times over the years. As we celebrate our 10 Years of Privacy, we created this timeline to show you who’s collecting, intercepting, and abusing your data. But it also serves to show you the changes to laws and technology that have appeared in response, to try and raise awareness and preserve privacy. In other words, it’s about how privacy is constantly being threatened from some new angle, and how technology has adapted to try to fight back.

The goal of this timeline is to highlight several privacy moments from the last century; from tracking technologies and security flaws to key figures shaping the future of privacy. Some of the privacy events that you know about might not be in this list.


  • 1917: the US enters WWI and Congress passes the Espionage Act, which makes it a crime for any person to convey information intended to interfere with the war effort or to promote the success of the country’s enemies. This is the act under which Chelsea Manning and Edward Snowden were charged.
  • 1918: The Sedition Act expands the Espionage Act, making it a crime to criticize the government, the flag, or the armed forces during wartime even if it does not impede the war effort.
  • 1920: the Sedition Act is repealed.
  • 1935: Social security numbers are introduced to track individuals for social security purposes. Today, these numbers are used as a nearly universal identification in the US.
  • 1939: Codebreakers at Bletchley Park begin working to decrypt Axis military codes, such as Enigma, during World War II.
  • 1973: the first RFID device is patented by Mario Cardullo.
  • 1981: American Airlines launches its Frequent Flier loyalty program. Recently, grocery store loyalty cards have been criticized for creating profiles of their customers based on their purchases.


  • 1990: Tim Berners-Lee creates the first web server and the first web browser, WorldWideWeb
  • 1991: the final party line in Woodbury, Connecticut is discontinued. Telephone party lines, a local telephone line shared by many subscribers, had been in service since 1800s, particularly in rural areas. These lines offered no privacy.
  • 1991: Phil Zimmerman creates Pretty Good Privacy (PGP), an encryption and decryption program commonly used to protect email and other electronic data.
  • 1993: NCSA releases Mosaic, the first browser to include images and text on the same page. This triggers a huge increase in popularity for the Web
  • 1993: BellSouth debuts the Simon Personal Communicator, a cell phone that could send and receive faxes and emails. It is the forerunner to the modern smartphone.
  • 1995: the FBI begins using Stingray devices somewhere around this time. A Stingray is a cell phone surveillance device which mimics a cell tower and forces nearby cell phones to connect to it.
  • 1995: Netscape, a popular web browser, releases version 2.0 of SSL, a cryptographic protocol that helps keep communications over a computer network secure by using symmetric cryptography.
  • 2000: The US Congress passes the TREAD (Transportation, Recall, Enhancement, Accountability and Documentation) Act in response to the high rate of tire failure on Ford Explorers. This act mandates that car makers implant RFID chips into tires from the 2004 model year on, so they can be tracked and recalled if there’s a problem.
  • 2001: The Advanced Encryption Standard (AES), also known as Rijndael, is established by the National Institute of Standards and Technology as a specification for the encryption of electronic data.
  • April 29, 2005: Safari 2.0 offers “Private Browsing”, which disables web browsing history and web caching
  • December 2005: The New York Times reveals that the NSA has conducted warrantless wiretapping of US citizens since 2001.
  • December 2005: One week after its previous NSA revelations, the New York Times also reveals that the NSA has been tapping directly into domestic telephone and internet traffic by collecting data from from the “internet backbone”, i.e. major internet cables and switches. These cables carry approximately 80% of the world’s telecommunications. This same program is revealed to continue operating under the name “Upstream” by Edward Snowden in 2013.


  • March 2006: SpiderOak founded.
  • 2006: Room 614A, a telecommunications interception facility operated by AT&T for the NSA, is revealed by former AT&T technician Mark Klein. The facility began operation in 2003.
  • 2006: the LAPD receives a grant from the Department of Homeland Security to buy and use Stingray devices for “regional terrorism investigation”. A Stingray is a cell phone surveillance device which mimics a cell tower and forces nearby cell phones to connect to it.
  • December 2006: The Tor Project is founded to maintain Tor. Tor is free software that allows anonymous online communication using encrypted relays.
  • 2007: the NSA launches PRISM after the passage of the Protect America Act. PRISM collects the private communications of users of Microsoft, Yahoo, Facebook, Google, Apple, and more companies: when the NSA has a court-approved search term, it receives unencrypted data matching that search term directly from these companies’ servers.
  • March 2008: Google acquires DoubleClick, a company which uses HTTP cookies to track users as they travel from website to website and record which commercial advertisements they view and select while browsing.
  • September 2008: Fitbit releases the Tracker, a wearable device which recorded and logged steps taken, distance traveled, calories burned, activity intensity and sleep.
  • December 11, 2008: Google Chrome 1.0 offers Incognito Mode, a private browsing feature which prevents the browser from permanently storing any history information or cookies from the websites visited.
  • 2008: The FISA Amendments Act of 2008 is passed. This act modifies the original to Foreign Intelligence Surveillance act of 1978 to immunize private companies from legal action when they cooperate with U.S. government agencies in intelligence collection.
  • June 2009: Tails, a Debian-based operating system designed for privacy and anonymity, is released.


  • 2010: The EFF publishes Panopticlick, a tool that shows you whether you can be uniquely identified by browser fingerprinting. According to the EFF: “Browser fingerprinting” is a method of tracking web browsers by the configuration and settings information they make visible to websites, rather than traditional tracking methods such as IP addresses and unique cookies. Browser fingerprinting is both difficult to detect and and extremely difficult to thwart.”
  • December 2010: Microsoft announces that the next version of Internet Explorer will offer a Do Not Track feature. Do Not Track requests that a web application disable tracking for individual users. All other major browsers quickly follow.
  • June 2011: Fitbit is criticized for its website’s default activity-sharing settings, which made all data from its users available to view publicly. In response, Fitbit changes user data to be private by default.
  • 2011: Two “supercookies” are found on Microsoft’s website. Supercookies are information tracking devices stored on your computer in locations separate from normal cookies. For example, some of these cookies are stored in a little known Adobe Flash plug-in. They are much harder to get rid of and do not expire on their own.
  • 2012: Approximately 71 percent of all US police departments use some form of Automatic Number Plate Recognition (ANPR), technology that reads license plate numbers. In 2013 the ACLU released a report showing that police departments have used ANPR to collect and maintain a huge database of motorists’ location information, retaining data on innocent drivers for years.
  • 2012: Nordstrom tracks the movements of shoppers within its stores by following the WiFi signals of their smart phones.
  • 2013: Nomi Technologies, a company specializing in technology that allows retailers to track movement of customers through their stores, collects information about 9 million mobile devices in the first months of 2013. This information was collected without consumers’ consent, collecting and tracking the MAC addresses of consumers’ mobile devices both inside and nearby the stores.
  • 2013: Open Whisper Systems founded by Moxie Marlinspike. They maintain Signal, an encrypted voice and chat app that is also free and open source.
  • April 15, 2013: Google starts selling a prototype of Glass, an optical display resembling a pair of glasses which users interact with through voice commands. Glass has received huge amounts of criticism over privacy and safety concerns, primarily because it is easy to film others without them being aware of it.
  • April 25 – July 19, 2013: Verizon hands over the telephone records of millions of its US customers to the NSA. The data includes the numbers of both parties on a call, the location of each party during the call, and the time and duration of the call.
  • June 2013: Edward Snowden reveals thousands of classified NSA documents to Glenn Greenwald and Laura Poitras. The contents of these documents, in particular the revelation of the NSA obtaining phone records of US citizens, are initially published in the The Guardian and the Washington Post
  • October 2014: Fitbit releases the Charge HR, a device which records heartbeats in addition to past features such as pace, distance, and elevation.
  • February 16, 2016: Apple publishes an open letter to their customers to let them know that they opposed demands from the FBI to install encryption backdoors in their technology.
  • April 8, 2016: Leaked Burr-Feinstein bill proposes a requirement for manufacturers and tech companies to weaken encryption to comply with law enforcement.
  • April 27, 2016: The General Data Protection Regulation is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The regulation was adopted on this day. It becomes enforceable from May 25, 2018, after a two-year transition period.
  • October 3, 2016: Google unveils Google Assistant, a voice-activated personal assistant program, marking the entry of the Internet giant into the “smart” computerized assistant marketplace. Google joins Amazon’s Alexa, Siri from Apple and Cortana from Microsoft.
  • April 3, 2017: President Trump signed into law a resolution that repealed protections requiring Internet service providers to get users’ permission before collecting and sharing data. These protections — which had not yet gone into effect — were approved by the Federal Communications Commission in the final days of the Obama administration.
  • September 7, 2017: If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of people in the UK and Canada too.
    On this day, Equifax officially alerts the public about the cybersecurity incident and provides a dedicated website for consumers to check if they were affected. Later on that night, the company also issues a statement saying the three executives “had no knowledge that an intrusion had occurred at the time they sold their shares.”

If you are interested in more privacy-related timelines, visit the EFF’s Domestic Spying timeline.