What Is True/Slant?
275+ knowledgeable contributors.
Reporting and insight on news of the moment.
Follow them and join the news conversation.

Jun. 14 2010 - 10:09 am | 191 views | 2 recommendations | 5 comments

Is it time for a ‘Department of Homeland Privacy’?

Many companies these days have chief privacy officers. (Though Google notably doesn’t — instead having three non-chief privacy people. And Facebook’s CPO position has been open since Chris Kelly left to run for California AG — he lost.) So what do chief privacy officers do?

Well, when security is breached and the email addresses of 114,000 of its users are exposed, a company’s CPO sends out apologies. On Sunday night, AT&T Chief Privacy Officer Dorothy Attwood emailed iPad users to say “our bad,” but then she went on to say, “Actually, it was the hackers’ bad.”

Boy Genius Report has a copy of the apologetic email, but wonders why it took Attwood so long to send it — six whole days!

While email addresses were obtained by the hackers, Attwood contends that the hackers were unable to access more critical things such as account passwords, AT&T’s network, or user’s iPads. Attwood also said that as soon as AT&T learnt of the hack on June 7th, it took swift action to prevent any further unauthorized exposure of customer email addresses” and patched up the hole which made the hack possible “within hours.” Of course this raises the whole question as to why it took AT&T six days to notify its customers that hackers had gained control of some of their personal information, but we imagine the FBI’s investigation into the matter might help clear some things up. You know, that or the surely dozens of lawsuits that are going to be filed over the matter.

via AT&T sends out apology emails to iPad 3G customers in wake of security breach « Boy Genius Report.

This is all very exciting, in part because the email addresses exposed belonged to some high-profile peeps. (Tangentially: While embarrassing, this has been great advertising for the iPad. It seems like everyone who’s anyone was on the list of “breach victims,” from unnamed high-ranking members of the military — causing the FBI to get involved — to White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson. I’m sure Ashton Kutcher must be on the list somewhere. Who needs to pay for celebrity endorsements when you can just inadequately protect privacy and get them via news coverage?)

Yes, the FBI is involved, but likely not to crack down on Apple and AT&T. They’re going after the hackers, who so easily cracked the iPad security system (Diagram explaining the hack from the WSJ here.)

So is this a big deal? One of the “victims” says no:

New York City Mayor Michael Bloomberg’s email address was among those released. “It shouldn’t be pretty hard to figure out my email address,” the mayor said Thursday. “To me, it wasn’t that big a deal.”

via FBI Opens Probe of iPad Breach – WSJ.com.

And blogger Dave Courbanou at Var Guy agrees:

[S]ecurity is a serious issue, and any breach of security in a company that contains sensitive and private information is inexcusable. In that respect, shame on AT&T. At least they confessed and fixed it. But should we all be up in arms? Take this situation as a cautionary tale and relax in the fact that far more personal data wasn’t exposed. That doesn’t mean AT&T gets a free pass, but everyone (especially the media) needs to calm down. More people have your e-mail address than you think. Why do you think you get spam in the first place?

via AT&T iPad Security Breach: Big Deal? | The VAR Guy.

Yes, it is concerning that the breach happened. Hewlett-Packard’s general counsel recently sounded a call for tech companies to get serious about privacy. He warns that companies are creating an “erosion of trust” from customers.

One problem is that the only problem is with customers. When privacy lapses happen, the onus is on customers to file class action suits to punish companies (Ahem, Facebook and Beacon). When banking and health companies are careless with our data, they usually run afoul of state laws and face fines. But there are rarely fines imposed on tech companies when information is exposed, despite all the information they have on us.

The question is: do they have truly personal information? An email address is personal, but not in a way that harms us, at least in the way the law governs this now. Laws around security breaches have a set list of compromising personal information. They usually include:

(a) SSN;

(b) driver’s license number or other unique identification number created or collected by a government body;

(c) financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

(d) unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;

(e) medical information; or

(f) health insurance information.

Email addresses and Facebook photo albums aren’t considered personal in an against-the-law-for-exposing-them kind of way. And historically, we’re kind of used to our addresses getting passed around. Even worse: our home addresses. A few years back, I gave my sister a subscription to The New Yorker. The person I talked to on the phone misspelled her name. Soon thereafter, she started getting junk mail and subscription offers from a plethora of companies, all addressed to the misspelled version of her name. So it was obvious who had passed along her information.

When it comes down to it, exposed email addresses aren’t a big deal. But the fact that the power of tech giants AT&T and Apple combined can’t prevent a hack is worrisome.

Maybe these privacy kerfuffles should result in more than just an “erosion of trust.” Is it time for a Department of Homeland Privacy?

And can the Department make it easier to keep magazine companies from exposing our information too?


One T/S Member Comment Called Out, 5 Total Comments
Post your comment »
  1. collapse expand

    I think third party privacy certifications like the ones that TRUSTe offers will become more prevalent and increase transparency in a companies use of your information. A Government effort would be useful, but a universal standard for storing personal information online needs to be established.

    Thanks for the post, I enjoyed it!

  2. collapse expand

    It truly is amazing how the bad guys can stay ahead after all this time, I am starting to wonder if they will ever really loose- and I use the WOT for whatever it is worth, can’t hurt, but is only good for where I go, it is not a defense against someone moving on me.


  3. collapse expand

    I’d prefer that those of us concerned about privacy not get as uptight and submissive as those concerned about terrorism. I think it’s time for a Department of Homeland Doug’s Preferences.

Log in for notification options
Comments RSS

Post Your Comment

You must be logged in to post a comment

Log in with your True/Slant account.

Previously logged in with Facebook?

Create an account to join True/Slant now.

Facebook users:
Create T/S account with Facebook

My T/S Activity Feed


    About Me

    I am a writer, reporter, editor and blogger. I'm an editor at Above The Law, where I blog about lawyers, judges, law firms and the legal industry. Here at True/Slant, I write about our changing notions of privacy.

    If you have story ideas or tips, e-mail me at kashhill@trueslant.com. I've hung out in quite a few newsrooms over the last few years. Currently, I can be found in Breaking Media's Nolita office. In the past, I've been found in midtown Manhattan at The Week Magazine, in Hong Kong at the International Herald Tribune, and in D.C. at the National Press Foundation and the Washington Examiner.

    I have few illusions about privacy -- feel free to follow me on Twitter: kashhill. Or friend me on Facebook... though I might put you on limited profile.

    See my profile »
    Followers: 401
    Contributor Since: March 2009
    Location:New York, NY

    What I'm Up To

    • Staying Above The Law


      Over at Above The Law, I write about lawyers, law firms, judges and the legal industry.

      We especially like “colorful news.” (Yes, that’s a euphemism for gossip.)

      Check out the site here and my stuff here.


    • Writing with real ink

      While most of my writing occurs online at Above The Law and True/Slant, I do occasionally venture into the world of print.  These are some of the magazines and newspapers that I’ve written for:

      The Washington Post

      Washingtonian Magazine

      Time Out New York

      The Orange County Register

      The Washington Examiner

    • Recent projects

      washingtonian issue for tsThe latest (and longest) “real ink” project: the cover story for Washingtonian Magazine’s December issue.

      While I’m usually a writer and reporter, I’m sometimes asked to play pundit. In November, the New York Times asked me to write a mini op-ed for its Room for Debate blog. In December, BBC radio asked me to talk about Mark Zuckerberg and Facebook privacy settings for its Newshour (19:00 minute mark), based on this True/Slant post.

    • +O
    • +O
    • +O