‘I ended a recent Breach Statistics post with “I start to wonder if the corporations and public entities of the world have already effectively wiped out personal privacy.” It was just a thowaway idea that had popped into my head, but the more I thought about it over the next couple of days, the more it bothered me. It is probably because that idea was germinating while reading a series of news events during the past couple of weeks made me grasp the sheer momentum of privacy erosion that is going on. It is happening now, with little incentive for the parties involved to change their behavior, and there is seemingly little we can do about it.

A Business Perspective

Rich posted a blog entry on “YouTube, Viacom, And Why You Should Fear Google More Than The Government” on this topic as well. Technically I disagree with Rich in one regard, that being to have a degree of fear for all parties involved as Viacom, Google and the US government are in essence deriving value at the expense of individual privacy. I think this really ties in as companies like Google have strong financial incentives to store as much data on people- both at the aggregate and the personal level- as they can.

And it’s not just Google, but most Internet companies. Think about Amazon’s business model and their use of statistics and behavior profiling to alter the shopping experience (and pricing) for each visitor to their web site. My takeaway from Rich’s post was “The government has a plethora of mechanisms to track our activity”, and it is starting to look as if the biggest is the records created and maintained by corporations. Corporate entities are now the third party data harvester, and government entities act as the aggregator. While we like to think that we don’t live in a world that does such things, there are reasons to believe that this form of data management had a deciding factor in the 2000 presidential election with Database Technologies/Choicepoint. We already know that domestic spying is a reality.

Over the weekend I was catching up on some reading, going over some articles about how the government has provided immunity to telecom companies for providing data to the government. If that is not an incentive to continue data collection without regard for confidentiality, a “get out of jail free” card if you will, I don’t know what is.

I also got a chance to watch the SuperNova video on Privacy and Security in the Network Age. Bruce Schneier’s comments in the first 10 minutes are pretty powerful. He has been evolving this line of thought over many years and he has really honed the content into a very compelling story. His example about facial recognition software, storage essentially being free, and with ubiquitous cameras is fairly startling when you realize everything you do in a public place could be recorded. Can you imagine having your entire four years at high school filmed, like it or not, and stored forever? Or if someone harvested your worst 5 minutes of driving on film over the last decade? Bruce is exactly right that this conversation is not about our security, but the entire effort is about control and policy enforcement. And it is not the government that is operating the cameras; it is businesses and institutions that make money with the collected data. With business that harvest data now seemingly immune to prosecution for privacy rights violations, there are no “checks and balances” to keep them from pursing this- rather they are financially motivated to do so. From cameras on the freeway to Google, there are always people willing to pay for surveillance data. They are not financially incentivized to care about privacy per se; unless it becomes a major PR nightmare and affects their core business, it is not going to happen.

My intention with the post was not to get all political, but rather to point out that businesses which collect data need some incentive to keep that consumer information confidential. I don’t think there is a legitimate business motivator right now. CA1386 and associated legislation is not a deterrent. Businesses make their money by collecting information, analyzing it, and then presenting new information based upon what they have previously collected. Many companies’ entire business models are predicated upon successfully doing this. The collection of sensitive and personally identifiable information is part of daily operation. Leakage is part of the business risk. But other than a competitive advantage, do they have any motivation to keep the data safe or to protect privacy? We have seen billions of records stolen, leaked or willfully provided, and yet there is little change in corporate activity in regards to privacy.

So I guess what scares me the most about all this is that I see little incentive for firms to protect individual privacy, and that lack of privacy is supported- and taken advantage of- backed by government. Our government is not only going to approve of the collection of personal data, it is going to benefit from it. This is why I see the problem accelerating. The US government has basically found a way to outsource the costs and risks of surveillance. They are not going to complain about mis-use of your sensitive data as they are saving billions of dollars by using data collected by corporations.

There are a couple of other angles to this I want to cover, but I will get to those in another post.