Risks of Third-Party Data

Bruce Schneier
Inside Risks 179, Communications of the ACM, Vol. 48, No. 5
May 2005

Reports are coming in torrents. Criminals are known to have downloaded personal credit information of over 145,000 Americans from ChoicePoint's network. Hackers took over one of Lexis Nexis' databases, gaining access to personal files of 32,000 people. Bank of America Corp. lost computer data tapes that contained personal information on 1.2 million federal employees, including members of the U.S. Senate. A hacker downloaded the names, Social Security numbers, voicemail and SMS messages, and photos of 400 T-Mobile customers, and probably had access to all of their 16.3 million U.S. customers. In a separate incident, Paris Hilton's phone book and SMS messages were hacked and distributed on the Internet.

The risks of third-party data -- personal data being held by others -- are twofold: the privacy risk and impersonation leading to fraud (popularly called "identity theft"). Identity theft is the fastest-growing crime in the U.S. A criminal collects enough personal data on someone to impersonate him to banks, credit card companies, and other financial institutions, then racks up debt in the person's name, collects the cash, and disappears. The victim is left holding the bag, often having to spend years clearing his name. Total losses in 2003: $53 billion.

People have been told to be careful: not to give out personal financial information, to shred their trash, to be cautious when doing business online. But criminal tactics have evolved, and many of these precautions are useless. Why steal identities one at a time, when you can steal them by the tens of thousands?

The problem is that security of much of our data is no longer under our control. This is new. A dozen years ago, if someone wanted to look through your mail, he had to break into your house. Now he can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your house; now it's on a computer owned by a telephone company. Your financial accounts are on websites protected only by passwords; your credit history is stored -- and sold -- by companies you don't even know exist. Lists of books you buy, and the books you browse, are stored in the computers of online booksellers. Your affinity card allows your supermarket to know what foods you like. Others now control data that used to be under your direct control.

We have no choice but to trust these companies with our security and privacy, even though they have little incentive to protect them. Neither ChoicePoint, Lexis Nexis, Bank of America, nor T-Mobile bears the costs of identity theft or privacy violations. The only reason we know about most of these incidents at all is a California law mandating public disclosure when certain personal information about California residents is leaked. (In fact, ChoicePoint arrived at its 145,000 figure because they didn't look back further than the California law mandated.)

The effectiveness of the California law is based on public shaming. If companies suffer bad press for their lousy security, they'll spend money improving it. But it'll be security designed to protect their reputations from bad PR, not security designed to protect customer privacy. Even this will work only temporarily: as these incidents become more common, the public becomes inured, and the incentive to avoid shaming goes down.

This loss of control over our data has other effects, too. Our protections against police abuse have been severely watered down. The courts have ruled that the police can search your data without a warrant, as long as others hold that data. The police need a warrant to read the e-mail on your computer, but they don't need one to read it off the backup tapes at your ISP. According to the Supreme Court, that's not a search as defined by the Fourth Amendment.

This isn't a technology problem; it's a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant -- even though it occurred at the phone company switching office -- the Supreme Court must recognize that reading e-mail at an ISP is no different.
