Privacy process as a problem

By Scott Bradner, Network World

I ran into Federal Trade Commission Commissioner Mozelle Thompson at a recent conference. After he politely admonished me for something I said during an earlier panel session, we talked about Internet privacy, which had been one of the panel topics. He pointed out that process problems were likely to be a bigger threat to Internet privacy than bad technology or invasive policies.

It doesn't matter how protective a Web site's privacy policy is if the site operator has bad backroom procedures. A perfect example is CD Universe, which managed to give out a few hundred thousand credit card numbers to some hacker due to poor system security. The company's public privacy statement was rendered irrelevant by bad system management.

Then there is the FBI, which got a formal independent review done of its Carnivore "lawful intercept" system by the IIT Research Institute. Steve Bellovin, Matt Blaze, Dave Farber, Peter Neumann and Eugene Spafford have just published a review of the review.

Among other things, this team complained of an "inadequate discussion of audit and logging." They went on to say: "We were disappointed that more attention was not paid to operational and 'systems' issues. It is simply not possible to draw meaningful conclusions about isolated pieces of software without also considering the computing, networking and user environment under which they are running."

More and more personal data is being put online. This includes increasingly sensitive data, such as healthcare and corporate personnel information. This data joins the ever more complete history of your buying habits and a running log of your exact location.

Such data is being exchanged between organizations. This exchange is sometimes just what you want (letting the emergency room know of your medical allergies) and sometimes not (letting every vendor of frilly undergarments know that you once bought a frilly undergarment for someone).

But when data is moved, it does not take with it a way to ensure that the new holder of the data is willing to abide by the rules under which the data was collected. Even if the new data holder is willing to abide by the rules, the data holder's internal processes may not be up to the task.

In the future, the firms that know how to properly handle data, including maintaining accurate and complete logs of who has access to the data, are the ones consumers will trust and the ones that will be successful. Unfortunately, there is little way that an individual can know who is doing this right -- except to find out the hard way that someone is not.

Maybe government regulations requiring regular process audits of companies handling data are needed. But unless there are significant consequences for sloppiness, I doubt much will happen to protect my online data. Not a good holiday message, but something to think about as you make all those online purchases.

Disclaimer: I cannot even take a guess at how many times Harvard had tried to get its internal data handling procedures correct, but the above observation is mine alone.
