By Martin Bosworth
Last month the Associated Press cast a harsh light on a dark secret of many big public industries–that workers have far too much access to customers' personal data, and misuse and abuse it accordingly.
Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse. The WE Energies database includes credit and banking information, payment histories, Social Security numbers, addresses, phone numbers, and energy usage. In some cases, it even includes income and medical information. Experts say some companies do little to stop such abuses even though they could lead to identity theft, stalking and other privacy invasions. And companies that uncover violations can keep them quiet because in many cases it is not illegal to snoop, only to use the data for crimes.
This ties in with findings from a new report by Chris Hoofnagle, formerly with the Electronic Privacy Information Center (EPIC) and senior fellow for the Berkeley Center for Law and Technology. Hoofnagle analyzed data compiled from the FTC’s consumer fraud complaint list and found that the world’s biggest banks and telecom companies are the largest trouble spots for cases of identity theft and fraud:
The report, compiled from 88,000 complaints filed with the FTC over three months in 2006, shows that major banks and telecommunications companies accounted for a much larger portion of the filed complaints than other industries, and that telecommunications companies lacked a standard of measuring the complaints.
There’s a deeply sad irony in the fact that telecom companies who have done all they could to enable the Bush regime’s illegal surveillance agenda on Americans and are fighting with each other over who’ll get to police the Internet are also the least capable of actually protecting the data they collect with such feverish intensity. But this is a common truth typical of all of these surveillance and data mining programs–putting all of these vast troves of data together in one place only makes it all the easier for unscrupulous employees or smart thieves to abuse it. No security system can ever perfectly account for the unpredictability and capriciousness of human experience–witness this awesome Washington City Paper story about a young petty thief who was able to fool workers at the Nuclear Regulatory Commission into thinking she worked there, using her access to make off with goods and cash. Social engineering and psychological foibles trump data security every time.
And we, as consumers and citizens, are still kept in the dark over how our data is being sold, resold, used, and misused. When Lexis-Nexis’ corporate parent Reed Elsevier announced last month that it would buy infamous data broker ChoicePoint, were privacy advocates given a chance to scrutinize the deal? Will it be given any more oversight than a rubber stamp of approval from the FTC or the Department of Justice? And more importantly, what will this new information broker juggernaut do with the data it collects, besides sell it to the highest bidder? Will it train its employees in ethical conduct and ensure that they only have access to the data they need at any given time?
These are questions that need answering, if we’re to prevent more cases of these data treasure troves being pilfered and plundered for profit.