Sunday, October 07, 2007

How safe is your personal data in the hands of Web-based vendors?

An article in The New York Times by Denise Caruso entitled "Securing Very Important Data: Your Own" illustrates the benefits and downsides of sharing personal data on the Web:

This type of sensitive, sometimes proprietary information was once locked up on hard drives or in file cabinets far away from anything resembling a global or even a local distribution network. Yet none of the users flocking to these services seem perturbed that they have relinquished personal control over this data to companies that, even with the best of intentions, may not be able to keep it safe.

The incidence of data theft -- from wallets to data breaches, computer viruses or Dumpster diving -- is soaring. This year alone, the security of nearly 77 million Americans' records has been breached, according to the Identity Theft Resource Center in San Diego, nearly a fourfold increase over 2006.

Governments around the world are passing and enforcing laws that increasingly hold businesses financially accountable for avoidable data losses. Just last month, the TJX Companies, which owns T.J. Maxx, Marshalls and other retail stores, made a settlement offer, subject to court approval, to victims of a huge data breach, in which 45.7 million customers' credit- and debit-card data was exposed to identity thieves.

As a result, some security experts are starting to ask whether the "identity data-for-services" business model, which is the engine for virtually all e-commerce companies, is a fair trade -- not just for consumers, but for business as well.

In response, they are coming up with new protocols and frameworks for collecting, using and governing identity data. Given that virtually all businesses today collect and use these kinds of data, they aim to shift the status quo in ways that could help companies both improve their reputations with customers and avoid the mounting legal liabilities that now face companies that lose control of customer data.

"The myth is that companies have to know all this information about you in order to do business with you," said Drummond Reed, vice president for infrastructure at Parity Communications, an identity technology company in Needham, Mass. "But from a liability perspective, the less I know about my customers the better."

Parity is sponsoring a number of open software projects to shift more control to the users whose identity data is at risk. One of the most intriguing is called the CloudTripper Project, which is developing a way for individuals to "take their data with them" as they traverse the Web, just as they keep their wallets and checkbooks with them as they move around in the real world.

My own solution is to propose a research effort for something I refer to as The Consumer-Centric Knowledge Web. Cobbling together an ad-hoc approach in a piecemeal fashion is likely to cause more harm than good. OTOH, the more ad-hoc efforts that go forward and highlight the inherent problems in this area, the quicker people will warm up to the need for a hard-core research effort such as I have proposed.

-- Jack Krupansky