Friday, May 1, 2009

Bruce Scheier Asks (and answers as best one can): "Do You Know Where Your Data Is?"

Whether the issue is security breaches and identity theft, financial privacy and the banking lobby, e-health records, or cloud computing technologies, certainly one question that each can force the consumer to ponder is "Where is my data?"!

This year I've delved a bit into cloud-based documents (i.e. Gmail, Google Docs, Google Calendar, Picasa, and Google Desktop) and how they can be shared with unauthorized users (which lead to the Electronic Privacy Information Center urging the Federal Trade Commission to investigate Google's cloud security promises).

I've also focused quite a bit of attention on the continued efforts by the banking industry to overturn the nation's strongest consumer privacy protections - which gave Californians the right to stop banks and other financial institutions from sharing their personal information, including with “affiliates”.

I've also tackled issues like the sharing (and selling) of personal prescription records by third party marketers and drug companies, legislation that deals with identity theft, and a host of other "where is my data?" related topics.

With all this said, check out this outstanding op-ed in the Wall Street Journal entitled "Do You Know Where Your Data Is?" by privacy expert Bruce Schneier, chief security technology officer of BT and author of "Applied Cryptography" and "Beyond Fear" - among others (and he sits on the board of the Electronic Privacy Information Center).

Schneier expertly connects the dots for us:

Do you know what your data did last night? Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turned used that information for targeted e-mail marketing campaigns.

There's a basic consumer protection principle at work here, and it's the concept of "unfair and deceptive" trade practices. Basically, a company shouldn't be able to say one thing and do another: sell used goods as new, lie on ingredients lists, advertise prices that aren't generally available, claim features that don't exist, and so on.

RealAge's privacy policy doesn't mention anything about selling data to drug companies, but buried in its 2,400 words, it does say that "we will share your personal data with third parties to fulfill the services that you have asked us to provide to you." They maintain that when you join the website, you consent to receiving pharmaceutical company spam. But since that isn't spelled out, it's not really informed consent. That's deceptive.

Cloud computing is another technology where users entrust their data to service providers., Gmail, and Google Docs are examples; your data isn't on your computer -- it's out in the "cloud" somewhere -- and you access it from your web browser. Cloud computing has significant benefits for customers and huge profit potential for providers. It's one of the fastest growing IT market segments -- 69% of Americans now use some sort of cloud computing services -- but the business is rife with shady, if not outright deceptive, advertising.


Facebook isn't much better. Its plainly written (and not legally binding) Statement of Principles contains an admirable set of goals, but its denser and more legalistic Statement of Rights and Responsibilities undermines a lot of it. One research group who studies these documents called it democracy theater: Facebook wants the appearance of involving users in governance, without the messiness of actually having to do so. Deceptive.

These issues are not identical. RealAge is hiding what it does with your data. Google is trying to both assure you that your data is safe and duck any responsibility when it's not. Facebook wants to market a democracy but run a dictatorship. But they all involve trying to deceive the customer.


For markets to work, consumers need to be able to make informed buying decisions. They need to understand both the costs and benefits of the products and services they buy. Allowing sellers to manipulate the market by outright lying, or even by hiding vital information, about their products breaks capitalism -- and that's why the government has to step in to ensure markets work smoothly.

Click here to read the rest of the article.

No comments: