Privacy process as a problem

By Scott Bradner, Network World |  Business

I ran into Federal Trade Commission Commissioner Mozelle Thompson at a recent conference. After he politely admonished me for something I said during an earlier panel session, we talked about Internet privacy, which had been one of the panel topics. He pointed out that process problems were likely to be a bigger threat to Internet privacy than bad technology or invasive policies.

It doesn't matter how protective a Web site's privacy policy is if the site operator has bad backroom procedures. A perfect example is CD Universe, which managed to give out a few hundred thousand credit card numbers to some hacker due to poor system security. The company's public privacy statement was rendered irrelevant by bad system management.

Then there is the FBI, which got a formal independent review done of its Carnivore "lawful intercept" system by the IIT Research Institute. Steve Bellovin, Matt Blaze, Dave Farber, Peter Neumann and Eugene Spafford have just published a review of the review.

Among other things, this team complained of an "inadequate discussion of audit and logging." They went on to say: "We were disappointed that more attention was not paid to operational and 'systems' issues. It is simply not possible to draw meaningful conclusions about isolated pieces of software without also considering the computing, networking and user environment under which they are running."

More and more personal data is being put online. This includes increasingly sensitive data, such as healthcare and corporate personnel information. This data joins the evermore complete history of your buying habits and a running log of your exact location.

Such data is being exchanged between organizations. This exchange is sometimes just what you want (letting the emergency room know of your medical allergies) and sometimes not (letting every vendor of frilly undergarments know that you once bought a frilly undergarment for someone).

But when data is moved, it does not take with it a way to ensure that the new holder of the data is willing to abide by the rules under which the data was collected. Even if the new data holder is willing to abide by the rules, the data holder's internal processes may not be up to the task.

In the future, the firms that know how to properly handle data, including maintaining accurate and complete logs of who has access to the data, are the ones consumers will trust and will be successful. Unfortunately, there is little way that an individual can know who is doing this right -- except to find out the hard way that someone is not.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question
randomness