Thursday, May 31, 2007

Is the Web Built on a Lack of Privacy?

There are some interesting observations in this TimesOnline article triggered by a BlueCross privacy breach: The web is built on a lack of privacy. The writer is Jonathan Weber, the founder and editor in chief of NewWest.Net, a regional news service focused on the Rocky Mountain West in the United States. As co-founder and editor in chief of the Industry Standard, Mr. Weber is no stranger to the vagaries of the digital age. I'm sure many of us share his righteous indignation:

A few weeks ago I got a letter from Empire Blue Cross, my one-time health insurer, explaining that there had been an unfortunate incident regarding my personal information (and that of my wife and children too, as it turned out). The letter explained at some length how the company had rigorous policies to insure the confidentiality of patient information, requiring that such information be encrypted and so forth. But the company didn't take the trouble to ensure that its high-minded – and legally required – policy was actually being implemented, and a CD containing unencrypted personal information on many people, including me, had gone missing.
(To digress from privacy for a moment, this letter sounds like it was written by the same BlueCross hack that penned a recent letter to my wife and me informing us that, as a result of cost savings, increased efficiency, and improvements in health care, our monthly premium was being increased by 20%.)

Weber goes on to muse about the potential for abuse now that so much data about us is stored somewhere out there, by somebody over whom we have scant control (often somebodies who themselves have less than complete control). Yet at the same time, it is our willingness to share information about ourselves that has enabled many features of the web, not least of which is the amazing amount of valuable content that is dished up for free (where 'free' equals 'in return for knowledge about the person accessing the information').


The extent to which people accept, or feel comfortable with, this state of affairs varies greatly, as you might expect (particularly if you have listened to my podcast on The Privacy Meter--plug, shameless plug). This is reflected in the comments on the article, which display a range of privacy attitudes. They include the infamous quote from Scott McNealy, founder of Sun Microsystems: "You have no privacy. Get over it." (Note: This quote is almost always used out of context but has become a handy verbal marker, serving as everything from a rallying cry to a portent of end times, depending upon the quoter's point of view.)

The fact is, this stuff is complicated. Some people are more 'open' about their lives than others but you can be very 'open' and still object to careless handling of your data. On the other hand, some people who like their right to privacy have a tendency to confuse it with a right to anonymity, which gets even less of a mention in the Constitution and Bill of Rights than privacy.

There is also a non-trivial socio-economic element to choices about personal privacy. Some people can afford to let the world know all about them without fear of the economic consequences. As someone well-established in his profession, I don't see that much harm would come to me from announcing to the world that I am gay (I am not) but other people fear, sometimes with very real justification, that they will be discriminated against if some of their private choices are made public. The U.S. military's "Don't ask, don't tell" policy towards homosexuality would seem to be a case in point. (During the first 10 years of this policy some 10,000 members of the armed forces were discharged for being homosexual--suggesting that the policy's intent, respect for the privacy of military personnel, was somehow not met.)

The whole area of medical privacy, which is where this post started, is a massively complex can of worms. Suppose I present myself to my doctor with a huge bruise on my leg. If the 'fact' that this bruise was caused by me skydiving (it was not) gets into 'the system,' then the cost of various insurance policies involving me could go even higher (yes, there is a data bank somewhere that stores information on your lifestyle and yes, insurance companies do consult it). In other words, if you're Bruce Willis and command $20 million per movie, you can do and say just about anything you like and not care who knows it. The rest of the world needs, for economic reasons, to be, to varying degrees, more circumspect.

Bilking the Elderly, With a Corporate Assist

Wonder why the American public has a dim view of corporate America? Read this article: Bilking the Elderly, With a Corporate Assist. It first appeared in the New York Times.

Big name data firms doing business with crooks who target the elderly. And some banks less than eager to put a stop to abuses. Why aren't the privacy police all over this?

Sunday, May 20, 2007

Get Your Privacy News Here!

Looking to stay current with privacy news? I thought it might be useful to list some of the sources I find helpful:

Privacy.org
Privacy Digest
Privacy section of Network World
ComputerWorld's privacy section

Ray Everett-Church's Privacy Clue
Electronic Privacy Information Center (EPIC)
DM News

Yes, the DM in the last entry does stand for Direct Marketing and I am aware that some privacy purists consider direct marketing people to be the enemy, but even if you think that way--which I don't--doesn't it make sense to know how the enemy sees things?

p.s. You can also get daily privacy headlines at PrivacyForBusiness.com.

Friday, May 18, 2007

TJX: Data breach damage $25 million and counting

Here is a pretty good reason to make sure your company is doing a good job of protecting customer data: TJX: Data breach damage $25 million and counting.

That's right, according to SearchSecurity, the bottom line for TJX Companies Inc. took a big hit in the first quarter of 2007, thanks to a $12 million charge tied to the security breach that exposed at least 45.7 million credit and debit card holders to identity fraud. In total, the breach has cost the company about $25 million to date. And that doesn't include the cost of customers who decided to shop elsewhere.