One Step Forward, Two Steps Back

It's always good to see increased public awareness on an issue, particularly one which can have a profound effect on our lives.  Privacy is just such an issue.  Over the years, the public has witnessed just how fragile that privacy is and how poorly protected it continues to be.  But knowing this isn't nearly enough.  Action needs to be taken.  And the propaganda we continue to be fed needs to be rejected out of hand.

You would have to be almost completely cut off from the world to have missed some of the most grievous privacy invasions that have taken place recently.  This doesn't even take into account the wish list of our governments who want the ability to snoop at will and in secrecy.  We're talking about the normal course of business where our private records are open to unauthorized persons, bandied about, traded, sold, lost, and otherwise treated without the respect and care they deserve and in violation of the trust we have bestowed upon these entities.

Of course, watching the mass media report these very same stories you might be guided to the conclusion that this is all the fault of hackers - as usual.  After all, who else would invade your privacy, steal your identity, and flout the law?  Certainly not our nation's largest corporations.  Let's probe a little deeper and see for ourselves.

In February, a data collection company called ChoicePoint (self-described as "the premier provider of decision-making intelligence to businesses and government") revealed that it had sold the private information of 145,000 people to a company that had no business having this information.  The irony is quite bitter.  Here we have a company with ten billion records that is responsible for running background checks on just about every American citizen and somehow they weren't able to figure out that the company they were doing business with was fraudulent.

In March, LexisNexis reported that 310,000 people had their driver's license numbers and Social Security numbers compromised through a subsidiary known as Seisint Inc.  It seems that unauthorized accounts were created in the name of various law enforcement agencies and the whole thing wasn't even uncovered until the perpetrator's parents turned him in.

The banking world has been especially hard hit by security lapses involving its customers.  Bank of America lost backup tapes with data on 1.2 million federal employees in February.  Citigroup managed to top this in June by losing tapes with the records of 3.9 million of its customers.  Wachovia employees were implicated in a fraud scheme that involved the records of nearly 700,000 customers.  And these are only some of the reported cases.  In fact, most of these cases would never have been known to the public if the companies themselves hadn't come forward.

Oddly enough, only one state (California) required consumers be notified when their confidential records were given to unauthorized entities.  (Other states are now in the process of passing their own such laws.)  This relatively recent law (2003) may be the reason why so many incidents are being reported which leads one to wonder just how many haven't been over the years.

When you take into account the fact that these companies think nothing of sharing this data with call centers all over the world, regularly ship unencrypted copies of all of their databases through commercial shippers, and basically sell their customers' information to anyone willing to pay, it's a wonder there's any semblance of privacy left at all.

Then of course you have your generic screw-ups where phenomenally stupid things happen due to the people in charge not having a clue.  The victim is almost always another bit of privacy.

There was an incident involving at least six universities, including Stanford and M.I.T., where information on the status of prospective students' applications was actually made available online.  To anyone in the world.  And rather than focus attention on the deplorable security practices that made such a thing possible in the first place, the schools decided to make a big show of rejecting any applicants suspected of using this method to investigate their status.  We would expect this kind of treatment if the applicants had actually managed to break into a computer to get this info.  Or even if they had been the ones to figure it out.  But these were people who simply checked a website that had material about them publicly available!  Whether they were just curious about their own status or merely checking to see if such a thing was actually wide open to the public, they were hardly the reason why it happened nor were they engaged in any behavior of a clearly dishonest nature.  Pretending a problem doesn't exist seems to be the preferred method of dealing with such things in the eyes of our leading universities.  It's little wonder so many carry those values on to their respective professions.

In another incident, more than 100 students at the University of Kansas got an email telling them that they had failed a class and were in danger of having their financial aid revoked.  Every email address was listed in the CC: field meaning anyone getting this letter knew the names and email addresses of everyone else who shared their status.  As far as we know, no action was taken against the people responsible for this gross intrusion into people's lives.  Clearly there were individuals who were untrained in handling confidential matters who were given access to private records which they shouldn't have been anywhere near.  There's nothing to indicate that this sort of thing is at all unusual, based on the many similar stories circulating.

But this kind of sloppiness and gross negligence is only part of the story.  The deliberate intrusions by those who are unaccountable are orders of magnitude worse.

Relatively few of us know that FedEx has been permitting federal authorities to peruse its databases and view all kinds of information on who's sending packages where, how they're paying for it, and more - all without those little things called warrants.  "Our guys just love it," one senior customs official was quoted as saying.  It was almost three years ago that Operation TIPS (Terrorism Information and Prevention System) was abandoned because of a public outcry against its Orwellian vision of utility workers, drivers, and delivery people being organized into "watchers" who would be on the lookout for any kind of suspicious activity or persons that they came across in their daily routines.  With this level of cooperation by FedEx, the same vision is achieved while bypassing all of the legalities involved in government.  The Department of Justice has praised FedEx for "passing along information about publicly observed aberrant behavior."  So anything abnormal is now to be considered potentially dangerous.  What an enlightened approach.

Airlines have also been caught turning over all kinds of information on their passengers to the government without any legal reason for having to do so.  Schools too are being encouraged to hand over their previously confidential records.  And libraries are increasingly coming under pressure to reveal information on who is reading what to the authorities.  Fortunately many librarians have a very keen sense of the value of our privacy and have been doing everything in their power to subvert and expose these wanton displays of intimidation and abuse of process.  But that hasn't been enough to stop libraries like one in Naperville, Illinois from recently installing fingerprint scanners for Internet access control.

Apart from the terror threat, the equally nebulous "hacker threat" is used most often to justify draconian measures or to shift blame away from those who are really responsible.  News reports define the threat as "hackers who want to get access to your credit card numbers" and never "companies, organizations, and governments that intrude upon your privacy by trading your personal information, leaving it unprotected, and examining aspects of your life that are none of their business."

One of the more absurd stories that was circulating all over the place in May accused "hackers" of "holding computers hostage" by somehow encrypting victims' hard drives and demanding money in exchange for the key.  We have yet to hear of a single instance where something like this actually happened.  It seems to be more of a theoretical scenario which might work in a TV series but doesn't have much of a chance in real life.  Let's set aside the clear fact that this has got absolutely nothing to do with hacking.  The process of encrypting all of these files by simply having someone visit a website and then somehow coordinating both the decryption and the transfer of money without somehow being traced is pretty farfetched once you start to actually think about it.  Yet this story was front page news as the latest hacker threat.  Meanwhile the true threats were given far less attention, if any at all.

Such stories will always pop up because they're an easy way to get ratings and readers.  While we need to always challenge misinformation whenever it appears, we need to also steer attention towards the real threats and not let the perpetrators get away with their deeds.

Perhaps it's time to demonstrate how easily private information can be obtained by focusing on those who have been so remiss in their responsibilities insofar as protecting our privacy.  All kinds of documents exist online with information that really has no business in the public domain.  Social Security numbers are completely unprotected, unlisted phone numbers are passed around from banks to telemarketers, and "mistakes" like the ones mentioned above are occurring in ever increasing numbers.  So why not target the corporate boards, the executives, and the politicians and make their private information as easily accessible as they make ours?  If it's legal to have our Social Security numbers publicly displayed, then why should elected officials get to have theirs crossed out in public documents?  That's just one of many examples of how some people are more equal than others.

So far, the only reactions to the problem that we've seen involve a combination of marketing new products and blaming anyone who uncovers the weaknesses.  Nothing new there.  The sad fact remains that if we don't take action, our privacy will continue to mean less and less.  There's nothing in it for the powers that be since they can just sell new products to "protect" us and create an element of fear that will lend itself to passing whatever new bit of legislation strikes their fancy.  Expect a push for mandatory identity cards that will "protect your identity" from the evil people who wish to steal it.  Get ready to buy insurance policies to protect your privacy from the very same companies that compromise it in the first place.  And expect not to collect a dime from the true identity thieves - those who turn your life into a commodity to be bought and sold; they will be sure to cover their asses admirably and turn the attention to the small time crooks as the cause of the problem.

It's great to be aware of what's been going on.  But that's only the first step.  Now it's time to demand accountability and take back an important piece of our lives.
