Internet Alchemy

I spotted this today, a group of people upset by the ease by which their personal information can be accessed. This information was already available to the public but distributed across many locations and physical formats:

“Who knew it was going to get posted on the Web? It’s shocking,” said one House Democratic chief of staff, who requested anonymity to discuss her personal finances. “Now that anybody can look it up on the Web, I don’t know if I like it anymore.”

Her forms for 2006, which were filed last spring, included her home address and 32 pages of detailed statements about bank accounts under the name of her husband and daughter. That prompted her to raise concerns about identity theft at a chiefs of staff meeting in March.

These people are upset but their anger is misdirected. The problem isn’t that this is private information, after all these are government employees being held to account. Nor is the Web to blame for making this information trivial to access. The blame squarely lies with the ease with which having access to this information can be used to commit fraud. The reaction though is a startling illustration of how the banking industry has subtly shifted responsibility for financial security from themselves to their customers. They use the phrase “identity theft” like it’s our fault! They should be focusing on fraud prevention rather than throwing up smokescreens.

The Web opens and connects enormous quantities of data from all over the world and, as the Semantic Web gains momentum, we’ll see more connections and exposure of many more types and sources of data. Hiding this data from other people isn’t an option. Taking control of your own data and having the tools and services that let you find out where and why it’s being used is. But we should also expect every organization to accept responsibility for fraud prevention and guarding their customers against abuse. Pretending it’s someone else’s fault is just abdication of that responsibility.

A new report from Privacy International puts Google at the bottom of the pile:

In the closing days of our research we received a copy of supplemental material relating to a complaint to the Federal Trade Commission concerning the pending merger between Google and DoubleClick. This material, submitted by the Electronic Privacy Information Center (EPIC) and coupled with a submission to the FTC from the New York State Consumer Protection Board, provided additional weight for our assessment that Google has created the most onerous privacy environment on the Internet. The Board expressed concern that these profiles expose consumers to the risk of disclosure of their data to third-parties, as well as public disclosure as evidence in litigation or through data breaches. The EPIC submission set out a detailed analysis of Google’s existing data practices, most of which fell well short of the standard that consumers might expect. During the course of our research the Article 29 Working Group of European privacy regulators also expressed concern at the scale of Google’s activities, and requested detailed information from the company.

The report lays it on Google, but they’re not the only poor performers. In fact, no company received the top “Privacy-friendly and privacy enhancing” rating. The BBC, eBay and last.fm managed the second best “Generally privacy-aware but in need of improvement” but the rest of the pack fell far short of having a convincing and trustworthy story on privacy.