Is it time for a ‘Department of Homeland Privacy’?
Many companies these days have chief privacy officers. (Though Google notably doesn’t — instead having three non-chief privacy people. And Facebook’s CPO position has been open since Chris Kelly left to run for California AG — he lost.) So what do chief privacy officers do?
Well, when security is breached and the email addresses of 114,000 of its users are exposed, a company’s CPO sends out apologies. On Sunday night, AT&T Chief Privacy Officer Dorothy Attwood emailed iPad users to say “our bad,” but then she went on to say, “Actually, it was the hackers’ bad.”
Boy Genius Report has a copy of the apologetic email, but wonders why it took Attwood so long to send it — six whole days!
While email addresses were obtained by the hackers, Attwood contends that the hackers were unable to access more critical things such as account passwords, AT&T’s network, or users’ iPads. Attwood also said that as soon as AT&T learnt of the hack on June 7th, it “took swift action to prevent any further unauthorized exposure of customer email addresses” and patched up the hole which made the hack possible “within hours.” Of course this raises the whole question as to why it took AT&T six days to notify its customers that hackers had gained control of some of their personal information, but we imagine the FBI’s investigation into the matter might help clear some things up. You know, that or the surely dozens of lawsuits that are going to be filed over the matter.
This is all very exciting, in part because the email addresses exposed belonged to some high-profile peeps. (Tangentially: While embarrassing, this has been great advertising for the iPad. It seems like everyone who’s anyone was on the list of “breach victims,” from unnamed high-ranking members of the military — causing the FBI to get involved — to White House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York Times CEO Janet Robinson. I’m sure Ashton Kutcher must be on the list somewhere. Who needs to pay for celebrity endorsements when you can just inadequately protect privacy and get them via news coverage?)
Yes, the FBI is involved, but likely not to crack down on Apple and AT&T. They’re going after the hackers, who so easily cracked the iPad security system. (Diagram explaining the hack from the WSJ here.)
So is this a big deal? One of the “victims” says no:
New York City Mayor Michael Bloomberg’s email address was among those released. “It shouldn’t be pretty hard to figure out my email address,” the mayor said Thursday. “To me, it wasn’t that big a deal.”
And blogger Dave Courbanou at Var Guy agrees:
[S]ecurity is a serious issue, and any breach of security in a company that contains sensitive and private information is inexcusable. In that respect, shame on AT&T. At least they confessed and fixed it. But should we all be up in arms? Take this situation as a cautionary tale and relax in the fact that far more personal data wasn’t exposed. That doesn’t mean AT&T gets a free pass, but everyone (especially the media) needs to calm down. More people have your e-mail address than you think. Why do you think you get spam in the first place?
Yes, it is concerning that the breach happened. Hewlett-Packard’s general counsel recently sounded a call for tech companies to get serious about privacy. He warns that companies are creating an “erosion of trust” from customers.
One problem is that the only problem companies face is with customers. When privacy lapses happen, the onus is on customers to file class action suits to punish companies (Ahem, Facebook and Beacon). When banking and health companies are careless with our data, they usually run afoul of state laws and face fines. But there are rarely fines imposed on tech companies when information is exposed, despite all the information they have on us.
The question is: do they have truly personal information? An email address is personal, but not in a way that harms us, at least in the way the law governs this now. Laws around security breaches have a set list of compromising personal information. They usually include:
(b) driver’s license number or other unique identification number created or collected by a government body;
(c) financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
(d) unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
(e) medical information; or
(f) health insurance information.
Email addresses and Facebook photo albums aren’t considered personal in an against-the-law-for-exposing-them kind of way. And historically, we’re kind of used to our addresses getting passed around. Even worse: our home addresses. A few years back, I gave my sister a subscription to The New Yorker. The person I talked to on the phone misspelled her name. Soon thereafter, she started getting junk mail and subscription offers from a plethora of companies, all addressed to the misspelled version of her name. So it was obvious who had passed along her information.
When it comes down to it, exposed email addresses aren’t a big deal. But the fact that the power of tech giants AT&T and Apple combined can’t prevent a hack is worrisome.
Maybe these privacy kerfuffles should result in more than just an “erosion of trust.” Is it time for a Department of Homeland Privacy?
And can the Department make it easier to keep magazine companies from exposing our information too?