TECH BLOG
There's No Honor Among Data Privacy Thieves

The news that all three of the front-running candidates for president of the U.S. have been victims of privacy breaches at the passport office may have a silver lining.

Sure, Sens. Barack Obama, Hillary Clinton and John McCain have good reason to be irate, and their campaigns are right to bring pressure to bear on the State Department. However, these folks are used to having their backgrounds probed and poked into. There's probably nothing in their passport records that aggressive snoops haven't otherwise managed to dig up.

I'm more concerned about the massive iceberg that lies beneath this small tip -- the compromised personal information of millions of Americans who aren't famous.

For every notable whose privacy is violated due to employees' "imprudent curiosity," how many ordinary Joes and Josephines do you suppose are splayed open like helpless corpses on the autopsy table?

It's not just passport records that are at risk, needless to say.

Honor System Free-For-All

A few years ago, a candidate for mayor of Milwaukee lost his election bid after news surfaced that he was chronically late in paying his heating bills. Whether that bit of financial dirt was the killing blow to his candidacy is debatable, but what's not is the simple fact that employees at a Wisconsin utility were sticking their noses where they didn't belong.

The incident brought to light a raft of similar abuses against utility customers who weren't of interest to the media -- people like us, who would never in a million years find out someone was messing with our personal data if it weren't for the insults against those in the spotlight.

Celebrities, it's often said, must give up their expectations of privacy in exchange for the wealth and adulation they enjoy. It's difficult for me to understand how anyone could feel entitled to take a look-see at George Clooney's medical records just because he's a famous actor. Presumably, he doesn't like it, but he knows it comes with the territory. When I hear helicopters flying over my head, I think there must be a police action going on nearby. People like Clooney probably just think one of the neighbors is having a party.

The point, though, is that if it's so easy for medical personnel to get their fill of celebrities' private business, there's probably all kinds of havoc going on with the charts of us common folk that we hardly ever find out about. We may never end up on tabloid covers, but there are still plenty of inquiring people who want to know what many of us would rather keep to ourselves.

There oughtta be a law, you say? Well, that's really not the problem. There are lots of laws and regulations and policies protecting privacy. What there are too few of are processes to ensure that they're enforced.

One-Way Street

Busting into presidential candidates' passport files is nothing new. It happened to Bill Clinton in 1992. Sixteen years later, we still have a system that allows this type of intrusion to occur. Guilty parties are admonished, or at worst, they lose their jobs. Agency heads apologize. The beat goes on.

Every time I make a phone call about my personal business -- whether it's information that should be closely guarded, like medical records, or something far less sensitive, like my wireless plan -- I have to jump through a whole lot of hoops before anyone will even talk to me.

In addition to my name, address, phone number, account number, Social Security number and date of birth, I might have to provide the name of my favorite pet and the street I grew up on. Sometimes more than once. OK -- that's all for my protection. It's kind of galling, though, to realize that pretty much anyone a particular company hires can have access to the same information on a whim.

Right -- they're not supposed to. They'll be admonished if anyone finds out. If I were famous, they might even be fired.

That's really not good enough.

Processes Not Platitudes

What's needed is a system of permissions that would make it impossible for anyone to access information without a specific authorized purpose, plus detailed electronic logs that would establish who accessed a particular record, when and why.

In some cases, it might be practical and reasonable to make the names of individuals invisible to those who are allowed to access their records and to require searches by anonymous account numbers only -- I'm sure there are many data security experts who can suggest clever and workable ways to protect information from the merely curious.

In fact, many of these types of processes are already in use, but certainly not everywhere they're needed -- perhaps not where they're needed most.

Maybe the latest insults against a trio of presidential hopefuls will illuminate the widespread chinks in data privacy systems enough to goad officials in both government and private institutions to take action to protect the famous. If they do, you can be sure there will be a much-needed trickle-down effect.

Then, for every Barack, Hillary, John or George who gets a modicum of relief, millions of nobodies like us will be less vulnerable to angry exes excavating the details of our private lives -- or strangers satisfying their imprudent curiosity at our expense.

Click here to e-mail Mick Brady.