[wordup] Privacy Guru Tells All
Adam Shand
adam at personaltelco.net
Sat Aug 25 17:45:26 EDT 2001
Via: The Eristocracy <Eristocracy at merrymeet.com>
From: http://www.usnews.com/usnews/issue/010625/tech/privacy.htm
Date: Thu, 21 Jun 2001 17:54:47 -0400
From: dana hawkins <dhawkins at usnews.com>
Subject: privacy guru tells all
a hotel shares lists of movie titles--including pornos--and the names of
the customers who rent them, a chatroom for disgruntled workers sells the
names of "anonymous" participants to their employers, and a drug company
hires telemarketers who search the patient database for sport...in this
week's magazine, larry ponemon, the country's former premier privacy
auditor, blows the whistle on companies like these that just don't care
about your privacy.
and here's the link to my webpage, with dozens of stories in the areas of
workplace, financial, internet, and medical privacy:
http://www.usnews.com/usnews/nycu/tech/teprivacy.htm
as always, please let me know if you want your name removed from this list.
best,
dana
6/25/01
Gospel of privacy guru: Be wary; assume the worst
By Dana Hawkins
Larry Ponemon is the ultimate privacy insider. Formerly the nation's
premier auditor of corporate online privacy policies, he has uncovered
hundreds of breaches. Ponemon, frustrated with how often clients ignored
the audit results, recently left PricewaterhouseCoopers and is forming a
privacy and technology consulting firm. U.S. News asked him to share his
war stories:
Which audit surprised you the most?
Probably the national hotel chain that shares lists of movie titles -
including pornos - rented by its customers. While the name of the movie
isn't on the bill, it is included in the customer profile. I saw one that
said Debbie Does Dallas Again - right there with the customer's name.
These data are shared with their many affiliates, including other hotels
and restaurants. If you have a history of watching porn in their hotels,
you may notice that they're offering you a greater porn selection, geared
toward your tastes. As far as I know, they never fixed it.
What, exactly, are customer profiles, and how accurate are they?
Customer profiles look like a big data dump: your name, address, where you
shop online and offline, your purchases, an estimate of your income, your
surfing history, and more. There's an 85 percent error rate in customer
profiles. That's huge. One of our clients was a national diagnostics
laboratory that sells the results of medical tests - blood work, biopsies,
DNA screens. From the results, they try to determine your healthcare
needs. Say you don't have AIDS but are taking a drug that's also used to
treat it. They could incorrectly conclude you have AIDS, put that in your
profile, and sell your data to a hospice. Their profiles were riddled with
those kinds of errors. After the audit, the CEO said: "Thanks. Great
audit." As far as I know, they continued doing the same thing.
Did the audits ever spark change?
Occasionally. A major pharmaceutical company hired telemarketers to call
patients at home to remind them to get their prescriptions refilled. We
discovered their employees were looking up people they knew for sport. One
woman discovered that her baby sitter took antidepressants. She panicked
and called her husband, who called this woman's husband. The company did
the right thing and devoted a lot of resources to "anonymizer" technology
so their employees wouldn't know the name of the person they were calling.
How often did your clients post the audit results?
Of the nearly 300 audits we conducted over three years, only a handful
were ever posted. As an auditor, you reach the conclusion that it's pretty
awful out there. The invasions of privacy usually stemmed from ignorance,
although in a few cases the companies were truly evil.
Tell us about one of those.
One company we audited provides job-hunting services and also has a chat
room for disgruntled employees. In their privacy policy they said posters
were anonymous. We were shocked to learn they weren't. In fact, the
company was going to these employers and saying: "Your workers are whining
on our site. Do you want to hire us to track them for you?" One of the
employees got so frustrated she went into the chat room and posted:
"Warning: Your data is being tracked and sold!" It was an absolute breach
of consumer trust. We wrote a scathing audit. Of course, they never posted
it, and we didn't hear back from them.
Which of your clients impressed you?
The travel Web site Expedia.com. We identified their problems; they
changed the way they did business, and posted our audit. There's an
incredible amount of data in your travel profile. So they improved
security and created a sophisticated way to anonymize data. Web browsing
activity tells you a lot, so they chose not to collect it - even though
it's invaluable. They spent millions because they understand their
business strategy depends upon consumer trust and loyalty.
What's the bottom line for consumers?
Most companies don't take privacy seriously. The general view is: Collect
as much data as you can, as quietly as possible. It's dirt-cheap to store,
and you never know when it'll come in handy. I still use the Internet, but
I'm more cautious. I won't share any medical data or do financial planning
online. I'll use my credit card only if I think the privacy policy is
reasonable, but I assume the worst.
Dana Hawkins, Senior Editor
U.S. News & World Report
1050 Thomas Jefferson St., NW
Washington, D.C. 20007
(202) 955-2338, dhawkins at usnews.com
www.usnews.com/usnews/nycu/tech/teprivacy.htm