Politech mailing list archives

FC: Interview with cynical privacy auditor, from U.S. News & WR


From: Declan McCullagh <declan () well com>
Date: Sat, 23 Jun 2001 14:31:46 -0400


---

Date: Thu, 21 Jun 2001 17:54:47 -0400
To: declan () mail well com
From: dana hawkins <dhawkins () usnews com>
Subject: privacy guru tells all

a hotel shares lists of movie titles--including pornos--and the names of the customers who rent them, a chatroom for disgruntled workers sells the names of "anonymous" participants to their employers, and a drug company hires telemarketers who search the patient database for sport...in this week's magazine, larry ponemon, the country's former premier privacy auditor, blows the whistle on companies like these that just don't care about your privacy.

here's the link:
http://www.usnews.com/usnews/issue/010625/tech/privacy.htm
(you'll find the actual text at the end of this email.)

and here's the link to my webpage, with dozens of stories in the areas of workplace, financial, internet, and medical privacy:
http://www.usnews.com/usnews/nycu/tech/teprivacy.htm

as always, please let me know if you want your name removed from this list.

best,
dana

6/25/01
Gospel of privacy guru: Be
wary; assume the worst

By Dana Hawkins

Larry Ponemon is the ultimate privacy insider. Formerly the
nation's premier auditor of corporate online privacy
policies, he has uncovered hundreds of breaches.
Ponemon, frustrated with how often clients ignored the audit
results, recently left PricewaterhouseCoopers and is
forming a privacy and technology consulting firm. U.S.
News asked him to share his war stories:

Which audit surprised you the most?

Probably the national hotel chain that shares lists of movie
titles--including pornos--rented by its customers. While the
name of the movie isn't on the bill, it is included in the customer profile. I
saw one that said Debbie Does Dallas Again--right there
with the customer's name. These data are shared with their
many affiliates, including other hotels and restaurants. If you
have a history of watching porn in their hotels, you may notice
that they're offering you a greater porn selection, geared
toward your tastes. As far as I know, they never fixed it.

What, exactly, are customer profiles, and how accurate
are they?

Customer profiles look like a big data dump: your name,
address, where you shop online and offline, your purchases,
an estimate of your income, your surfing history, and more.
There's an 85 percent error rate in customer profiles. That's
huge. One of our clients was a national diagnostics
laboratory that sells the results of medical tests--blood work,
biopsies, DNA screens. From the results, they try to
determine your healthcare needs. Say you don't have AIDS
but are taking a drug that's also used to treat it. They could
incorrectly conclude you have AIDS, put that in your profile,
and sell your data to a hospice. Their profiles were riddled
with those kinds of errors. After the audit, the CEO said:
"Thanks. Great audit." As far as I know, they continued doing
the same thing.

Did the audits ever spark change?

Occasionally. A major pharmaceutical company hired
telemarketers to call patients at home to remind them to get
their prescriptions refilled. We discovered their employees
were looking up people they knew for sport. One woman
discovered that her baby sitter took antidepressants. She
panicked and called her husband, who called this woman's
husband. The company did the right thing and devoted a lot
of resources to "anonymizer" technology so their employees
wouldn't know the name of the person they were calling.

How often did your clients post the audit results?

Of the nearly 300 audits we conducted over three years, only
a handful were ever posted. As an auditor, you reach the
conclusion that it's pretty awful out there. The invasions of
privacy usually stemmed from ignorance, although in a few
cases the companies were truly evil.

Tell us about one of those.

One company we audited provides job-hunting services and
also has a chat room for disgruntled employees. In their
privacy policy they said posters were anonymous. We were
shocked to learn they weren't. In fact, the company was going
to these employers and saying: "Your workers are whining on
our site. Do you want to hire us to track them for you?" One
of the employees got so frustrated she went into the chat
room and posted: "Warning: Your data is being tracked and
sold!" It was an absolute breach of consumer trust. We wrote
a scathing audit. Of course, they never posted it, and we
didn't hear back from them.

Which of your clients impressed you?

The travel Web site Expedia.com. We identified their
problems; they changed the way they did business, and
posted our audit. There's an incredible amount of data in
your travel profile. So they improved security and created a
sophisticated way to anonymize data. Web browsing activity
tells you a lot, so they chose not to collect it--even though it's
invaluable. They spent millions because they understand
their business strategy depends upon consumer trust and
loyalty.

What's the bottom line for consumers?

Most companies don't take privacy seriously. The general
view is: Collect as much data as you can, as quietly as
possible. It's dirt-cheap to store, and you never know when
it'll come in handy. I still use the Internet, but I'm more
cautious. I won't share any medical data or do financial
planning online. I'll use my credit card only if I think the privacy
policy is reasonable, but I assume the worst.


Dana Hawkins, Senior Editor
U.S. News & World Report
1050 Thomas Jefferson St., NW
Washington, D.C. 20007
(202) 955-2338, dhawkins () usnews com
www.usnews.com/usnews/nycu/tech/teprivacy.htm

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
