Saturday, May 7, 2011

There’s No Data Sheriff on the Wild Web
By NICK BILTON
Published: May 7, 2011

A company suffers a catastrophic attack on its servers. Gone are names, e-mail addresses, home phone numbers, passwords, credit card numbers.

Everything ends up in the hands of hackers. What federal law covers such a breach of consumers’ privacy?

None.

This lack of federal oversight has incensed privacy advocates for years. But the last several months have been an online consumer’s worst nightmare.

About two weeks ago, hackers dived into Sony’s PlayStation 3 game system, resulting in the loss of up to 77 million customers’ personal and private information and over 12 million credit and debit card numbers.

Epsilon, an e-mail marketing company, lost millions of customers’ e-mail addresses to hackers in early April; Apple, Google and Microsoft have all been quietly collecting location data about mobile customers without their knowledge. And last year, AT&T was attacked through a bug in its iPad software, resulting in the loss of 100,000 customer e-mail addresses.

Each company was blamed for failing to properly protect consumer information. But for redress, consumers must rely on states, and serious punishment or fines rarely happen.

“There needs to be new legislation and new laws need to be adopted” to protect the public, said Senator Richard Blumenthal, Democrat of Connecticut, who has been pressing Sony to answer questions about its data breach and what the company did to avoid it. “Companies need to be held accountable and need to pay significantly when private and confidential information is imperiled.”

But how? Privacy experts say that Congress should pass legislation regulating companies if they collect certain types of information. If such laws existed today, they say, Sony could be held responsible for failing to properly protect the data by employing up-to-date security on its systems.

Or at the very least, companies would be forced to update their security systems. In underground online forums last week, hackers said Sony’s servers were severely outdated and infiltrating them was relatively easy.

Eugene Spafford, a security expert and professor at Purdue University, told a House subcommittee last week that computer security experts had been aware for months that the PlayStation’s Web servers were outdated and that the company’s network lacked sufficient security — which he said Sony must have also known.

But Professor Spafford does not see any new legislation in the near future that would force companies to take security more seriously.

“Over the last five years there have been several bills that have been introduced through committees but never made it all the way through Congress,” he said in an interview. “Companies tend to fight the bills, saying it would be too expensive or onerous to implement better security.”

Technology also has a way of advancing far ahead of the law.

In many instances, the data being collected goes beyond basic personal information. Facebook, for example, logs billions of its users’ actions each month, including the photos uploaded, each word of a status update and which friends people connect with on the site. The data is used to deliver highly personalized advertising. It is estimated that the company will serve up over a trillion of the ads this year. And yet no outside oversight exists to monitor the company’s use of this data, or its practices to protect it.

Christina Gagnier, a lawyer specializing in privacy and copyright, said the privacy bills being discussed by lawmakers addressed some of the data collection by companies like Facebook, but could be outdated before they pass Congress.

“I’m afraid that the legislation on the table right now isn’t going to forecast what coming privacy issues are going to look like in the next couple of years,” she said. “Mobile, location and data storage will be a big issue in future privacy debates, and I don’t think lawmakers are looking forward to what’s next.”

Ms. Gagnier also fears that judges would be unable to decipher new laws.

She cited a case heard in the Supreme Court last year, involving a police officer in California who was using a department-issued pager.

During the hearing, Chief Justice John G. Roberts Jr. asked how text messaging works. If two messages are sent simultaneously, he asked, does one get a “busy signal”?

A version of this article appeared in print on May 8, 2011, on page WK2 of the New York edition with the headline: There’s No Data Sheriff on the Wild Web.

http://www.nytimes.com/2011/05/08/weekinreview/08bilton.html?ref=technology
