Is your privacy anyone's priority?

By Angela Gunn | Published May 6, 2009, 5:59 PM

So I'm launching a security column on the anniversary of the Hindenburg disaster. Seems right.

Speaking of things that blow up and embarrass political figures: Did you enjoy the excitement recently when a Fordham law-school class tested Supreme Court Justice Antonin Scalia's assertion that consumers don't really need more personal-privacy protections? If you missed it, Joel Reidenberg's class went online to see how much free, publicly available information it could turn up on the justice, who has stated previously that he doesn't see a need for greater legal protections for privacy.

The class did well, compiling a 15-page dossier that includes Scalia's home phone number and address, the value of that home, his favorite food and movies, his wife's e-mail address, and photos of his grandchildren. In response, Scalia told the Above The Law blog that "It is not a rare phenomenon that what is legal may also be quite irresponsible. That appears in the First Amendment context all the time. What can be said often should not be said. Prof. Reidenberg's exercise is an example of perfectly legal, abominably poor judgment. Since he was not teaching a course in judgment, I presume he felt no responsibility to display any."

Feisty little thing, isn't he? Only problem is, he obviously doesn't get out much -- not out to the real world, anyway, where as security folk know it's hard enough to get civilians to refrain from doing stuff that's actively forbidden, let alone the stuff that merely shows abominably poor judgment.

The problem with calling the dossier assignment an exercise in poor judgment is exactly the same problem security folk have when trying to get users to do their bidding, or that people like me have when I'm trying to explain to Mom why she shouldn't click on every single link she gets in AOL Mail: One person's poor judgment is another person's differing set of priorities.

By Professor Reidenberg's lights, this has been a damn fine course of action: On the debit side, one panty-bunched Supreme; on the credit side, an effective classroom project and a great jump-start to the PII debate. The problem now of course is finding a debate hall big enough to accommodate everyone who's got an opinion on the matter.

Ask the Virginia Prescription Monitoring Program hacker if he feels okay with his data-collection priorities; go back in time a couple of weeks and ask the security crew on that project how they feel about their own risk assessment; ask the person responsible for that department's budget how s/he feels about their allotment. And so on. (You could maybe also ask one of the eight million patients whose data was allegedly snatched, but who ever does? Justice Scalia may feel sorely put-upon, but in fact he's lucky anyone bothered to get his opinion at all.)

This is a security column, not (most weeks) a tech-policy-and-law column; we'll be getting into HIPAA and FISMA and other alphabet soup now and then, but let's assume for now that we'll do so to get at the tech angle(s) on the matter. In that case, what's the lesson from the lesson? Smart security folk already know that information that goes online stays online -- as does information that goes on paper, into a credit-card database, through your cable-TV remote control... if it's outside your head, it's probably beyond your control. The law can't fix that; it can only declare that we the people, collectively, place a priority on not gathering it for purposes unknown, or curating it in ways that make its originators see red.

Comments


Hi everyone; thanks for commenting on this first Lockdown. I'm glad you're here.

high privacy, I wish it were that easy, but that's just one vector along which personal information escapes one's control. For instance, last week I got a mailing from my cable provider telling me that the City of Seattle now requires that they offer me a way to *not* have information about my viewing habits, along with my name and address and whatnot, sold to third parties. I love this town for making sure I can put a stop to that, but should I even have to tell the cable company not to sell that data? No. Really, just no.

One of the security topics I'm watching pretty carefully right now -- it was nearly this week's column, in fact, but I had to get the words "Scalia" and "panty-bunched" out of my head (sorry about that, morriscox) -- involves another nasty loophole that needs closing and is about to get closed, though I'll bet you a quarter someone's going to be made a very public bad example over it. (Because that's how we get the word out to stubborn executives that WE ARE NOT KIDDING ABOUT THIS PRIVACY STUFF.)

The topic is healthcare, and the loophole was a big gap in the current patient-privacy regulations (HIPAA) that allowed your information to be sold to third parties -- for instance, a wigmaker could buy a list of ladies who have recently started chemo. (Crass example but quite possible.) The stimulus package has some structures in place for closing that up, but I suspect it's not going to be a smooth process. More on that later!

Score: 0


What scares me is that with the right "legal" justification, a government agency can just snag a bunch of your personal information that a third party company has been gathering on you and so many others. If they do this enough times, well, they can build a nifty little dossier about you... and it would be all nice and legal, as current laws make it illegal for them to set out to do that kind of gathering on their own, but private enterprise is doing all that work for them. I should also note that I am not now, nor have I ever worn a tinfoil hat.

Score: 1


unfortunately, the right to privacy is no longer a right of passage in america.

the only privacy that protects americans is that behind closed doors of their homes.

and though no one has xray vision to what occurs inside the "privacy" of one's home,

any business or governmental entity can pretty much figure out what is happening on the inside by monitoring what you are buying/subscribing/calling/browsing for on the outside.

Score: 0


I do not understand this obsession with privacy online. Come on, if you do not want people to share whatever details you would like to hide, just DON’T put it up on the multifarious sites you visit! Go for a high privacy search engine and just refuse to fill in the hundreds of forms they ask you. It’s that simple. So far as Scalia is concerned, who cares what he thinks? Maybe his linen is all clean and he doesn’t mind airing them in public! For those people who do not want their secrets exposed, just steer clear of those damned forms!
www.aafter.com

Score: 0


Panty-bunched? Do tell.

Score: 0


What information do you want to protect? I think that is the first discussion needed.
My phone number is published, my sister's is not. Different standard of what is considered private.

Score: 0


i think what needs to be protected are social security numbers.

the ssn's should not be for "anything" other than for social security.

once businesses got access to this federal issued number, it opened the doors wide open for identity theft.

not only did the businesses pass/share/sell the ssn's among the other businesses, bankrupt businesses would leave all kinds of paperwork in or near a dumpster, "filled" with personal information.

in conclusion, identity theft is what happens when government sides with businesses over the rights of honest and hardworking citizens that pay their taxes faithfully and play by the book.

Score: 0


we should have publicly available all the information we want to make public.
if there's any information we want to keep private that should remain so, and should be illegal for anyone to bypass our decision.
if we decide to allow access to certain private data to someone, that person should automatically be under a non-disclosure agreement.

Score: 1


The public needs to be alerted to the fact that they would be in much less danger of identity theft if our laws on privacy were strengthened. Unfortunately, the massive lobbying forces aligned against that make it unlikely to ever happen.

Europe's data privacy laws are a good start, but there has been next-to-no effort to enforce them. That may be partly due to the fact that they are so difficult to enforce, but it also comes from lack of public interest.

Perhaps the computerization of medical records will provide some media attention; without putting control of data entirely in the hands of the patients with double-key encryption, it is bound to be wide open to errors and hacking exposing all kinds of data. With this being a "Big Government" project, there will be more scrutiny than on your credit card company, search engine or credit bureau selling on sensitive data about you.

Or maybe we just need to get used to a world without privacy. It appears that the generation who are teenagers now already see that as a given.

Score: 1


scalia is a republican at heart with the do as i say and not as i do morality.

i think america should have a national celebration on the day that the highest ranking hypocrite leaves the bench.

Score: -1


He happens to be one of the best justices to have ever sat on that bench. Unlike the idiots on the left that actually look to other countries to help decide cases (Justice Souter).

Score: -1
