Do Outsiders Own Your Private Information?
February 16, 2005 | Posted by Staff under Progress Report, The Progress Report
How Did Outsiders Come to Own Your Information?
Our Rights, Our Data
Does someone other than you own the email messages that you send or receive? How about your private bank account information? How about your borrowing habits at your local library? Should others be allowed to sell or snoop that information without your approval?
Here are portions of a recent guest essay appearing in eWeek magazine.
For at least seven months last year, a hacker had access to T-Mobile’s customer network. He is known to have accessed information belonging to at least 400 customers — names, Social Security numbers, voice mail messages, SMS messages, photos — and probably had the ability to access data belonging to any of T-Mobile’s 16.3 million U.S. customers. But in its fervor to report on the security of cell phones, and T-Mobile in particular, the media missed the most important point of the story. The security of much of our data is not under our control.
This is new. A dozen years ago, if someone wanted to look through your mail, they would have had to break into your house. Now they can just break into your ISP remotely and download millions of messages. Ten years ago, your voice mail was on an answering machine in your house; now it’s on a computer owned by a telephone company. Your financial data is on Web sites protected only by passwords. The list of books you browse, and the books you buy, is stored in the computers of some online bookseller. Your affinity card allows your supermarket to know what food you like. Data that used to be under your direct control is now controlled by others.
We have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. T-Mobile suffered some bad press for its lousy security, nothing more. It’ll spend some money improving its security, but it’ll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers.
This loss of control over our data has other effects, too. Our protections against police abuse have severely eroded. The courts have ruled that the police can search all your data without a warrant, as long as that data is held by others. The police need a warrant to read the e-mail on your computer, but they don’t need one to read it off the backup tapes at your ISP. The courts have affirmed many times that there’s no reasonable expectation of privacy with regard to data held by third parties.
This isn’t a technology problem; it’s a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don’t have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant — even though it occurred at the phone company switching office — the Supreme Court must recognize that reading e-mail at an ISP is no different.
Bruce Schneier is chief technology officer of Counterpane Internet Security Inc.