---
Date: Thu, 21 Jun 2001 17:54:47 -0400
To: declanat_private
From: dana hawkins <dhawkinsat_private>
Subject: privacy guru tells all

a hotel shares lists of movie titles--including pornos--and the names of the customers who rent them, a chatroom for disgruntled workers sells the names of "anonymous" participants to their employers, and a drug company hires telemarketers who search the patient database for sport...in this week's magazine, larry ponemon, the country's former premier privacy auditor, blows the whistle on companies like these that just don't care about your privacy.

here's the link: http://www.usnews.com/usnews/issue/010625/tech/privacy.htm
(you'll find the actual text at the end of this email.)

and here's the link to my webpage, with dozens of stories in the areas of workplace, financial, internet, and medical privacy: http://www.usnews.com/usnews/nycu/tech/teprivacy.htm

as always, please let me know if you want your name removed from this list.

best,
dana

6/25/01

Gospel of privacy guru: Be wary; assume the worst
By Dana Hawkins

Larry Ponemon is the ultimate privacy insider. Formerly the nation's premier auditor of corporate online privacy policies, he has uncovered hundreds of breaches. Ponemon, frustrated with how often clients ignored the audit results, recently left PricewaterhouseCoopers and is forming a privacy and technology consulting firm. U.S. News asked him to share his war stories:

Which audit surprised you the most?

Probably the national hotel chain that shares lists of movie titles--including pornos--rented by its customers. While the name of the movie isn't on the bill, it is included in the customer profile. I saw one that said Debbie Does Dallas Again--right there with the customer's name. These data are shared with their many affiliates, including other hotels and restaurants. If you have a history of watching porn in their hotels, you may notice that they're offering you a greater porn selection, geared toward your tastes. As far as I know, they never fixed it.

What, exactly, are customer profiles, and how accurate are they?

Customer profiles look like a big data dump: your name, address, where you shop online and offline, your purchases, an estimate of your income, your surfing history, and more. There's an 85 percent error rate in customer profiles. That's huge. One of our clients was a national diagnostics laboratory that sells the results of medical tests--blood work, biopsies, DNA screens. From the results, they try to determine your healthcare needs. Say you don't have AIDS but are taking a drug that's also used to treat it. They could incorrectly conclude you have AIDS, put that in your profile, and sell your data to a hospice. Their profiles were riddled with those kinds of errors. After the audit, the CEO said: "Thanks. Great audit." As far as I know, they continued doing the same thing.

Did the audits ever spark change?

Occasionally. A major pharmaceutical company hired telemarketers to call patients at home to remind them to get their prescriptions refilled. We discovered their employees were looking up people they knew for sport. One woman discovered that her baby sitter took antidepressants. She panicked and called her husband, who called this woman's husband. The company did the right thing and devoted a lot of resources to "anonymizer" technology so their employees wouldn't know the name of the person they were calling.

How often did your clients post the audit results?

Of the nearly 300 audits we conducted over three years, only a handful were ever posted. As an auditor, you reach the conclusion that it's pretty awful out there. The invasions of privacy usually stemmed from ignorance, although in a few cases the companies were truly evil.

Tell us about one of those.

One company we audited provides job-hunting services and also has a chat room for disgruntled employees. In their privacy policy they said posters were anonymous. We were shocked to learn they weren't. In fact, the company was going to these employers and saying: "Your workers are whining on our site. Do you want to hire us to track them for you?" One of the employees got so frustrated she went into the chat room and posted: "Warning: Your data is being tracked and sold!" It was an absolute breach of consumer trust. We wrote a scathing audit. Of course, they never posted it, and we didn't hear back from them.

Which of your clients impressed you?

The travel Web site Expedia.com. We identified their problems; they changed the way they did business, and posted our audit. There's an incredible amount of data in your travel profile. So they improved security and created a sophisticated way to anonymize data. Web browsing activity tells you a lot, so they chose not to collect it--even though it's invaluable. They spent millions because they understand their business strategy depends upon consumer trust and loyalty.

What's the bottom line for consumers?

Most companies don't take privacy seriously. The general view is: Collect as much data as you can, as quietly as possible. It's dirt-cheap to store, and you never know when it'll come in handy. I still use the Internet, but I'm more cautious. I won't share any medical data or do financial planning online. I'll use my credit card only if I think the privacy policy is reasonable, but I assume the worst.

Dana Hawkins, Senior Editor
U.S. News & World Report
1050 Thomas Jefferson St., NW
Washington, D.C. 20007
(202) 955-2338, dhawkinsat_private
www.usnews.com/usnews/nycu/tech/teprivacy.htm

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Jun 23 2001 - 12:02:17 PDT