July 27, 2016

The Exxon Valdez of Privacy

Recently I moderated a panel discussion, at Princeton Reunions, about “Privacy and Security in the Digital Age”. When the discussion turned to public awareness of privacy and data leaks, one of the panelists said that the public knows about this issue but isn’t really mobilized, because we haven’t yet seen “the Exxon Valdez of privacy” – the singular, dramatic event that turns a known area of concern into a national priority.

Scott Craver has an interesting response:

An audience member asked what could possibly comprise such a monumental disaster. One panelist said, “Have you ever been a victim of credit card fraud? Well, multiply that by 500,000 people.”

This is very corporate thinking: take a loss and multiply it by a huge number. Sure that’s a nightmare scenario for a bank, but is that really a national crisis that will enrage the public? Especially since cardholders are somewhat sheltered from fraud. Also consider how many people are already victims of identity theft, and how much money it already costs. I don’t see any torches and pitchforks yet.

Here’s what I think: the “Exxon Valdez” of privacy won’t be $100 of credit card fraud multiplied by a half million people. It will instead be the worst possible privacy disruption that can befall a single individual, and it doesn’t have to happen to a half million people, or even ten thousand. The number doesn’t matter, as long as it’s big enough to be reported on CNN …

[…]

So back to the question: what is the worst, the most sensational privacy disaster that can befall an individual – that in a batch of, oh say 500-5,000 people, will terrify the general public? I’m not thinking of a disaster that is tangentially aided by a privacy loss, like a killer reading my credit card statement to find out what cafe I hang out at. I’m talking about a direct abuse of the private information being the disaster itself.

What would be the Exxon Valdez of privacy? I’m not sure. I don’t think it will just be a loss of money – Scott explained why it won’t be many small losses, and it’s hard to imagine a large loss where the privacy harm doesn’t seem incidental. So it will have to be a leak of information so sensitive as to be life-shattering. I’m not sure exactly what that is.

What do you think?

Comments

  1. John Marquiss says:

    I think it will be something along the lines of a middle class family losing their home over issues directly related to identity theft and, as Scott had said, the story would have had to make it to a national news source with a wide audience.

    It is probably material for a completely new discussion but the way that news gets to the public and how the story is presented will have as much to do with any event being an “Exxon Valdez” level issue as the actual event itself.

  2. Ironically, there is a ‘Identity stolen, owes $1 million’ story on the front page of CNN.com right now. Doubt that will actually be the Exxon Valdez, though.

  3. The Dept. of VA laptop stolen with 22 million veteran SS#’s and more seems to have done a lot more than just make it on CNN. The person directly responsible, and his bosses have been fired, with probably more to follow.

    Will this lead to the congress passing stricter digital privacy standards for corporations? Doubt it; what are the penalties now, and who is enforcing them? Most corporations will probably do nothing more than what most might already do, and what security experts’ blogs are saying: if encryption costs $100 more, but saves data from one break-in, it’s worked, otherwise, it’s like an unused firewall. Good to have.

    Corporations I think are ahead of the curve on this one, at least compared to the Government. My fear is that of massively aggregated data being used “badly”. I put badly in quotes because it’ll probably be legal, and unpopular if people find out about it. Like states who give away voter registration info to companies for a couple thousand dollars.

  4. My guess is that it will happen when a number of members of congress all have their personal information stolen, then used for some nefarious purpose. Until it happens to you the issue seems remote and the results not very consequential. Until the issue slaps congress directly in the face nothing will be done.

  5. Foolish Jordan says:

    My vote is that it’ll be when someone is sent to jail because someone else stole their identity.

  6. Cotillion says:

    I personally don’t care if the world knows what I do during the day. So if this Exxon-like event happened to me then it would require someone filming my whole life and publishing it to the world (although I can’t imagine anyone being interested in that) before I would get outraged.

    It may be that the market is on the ball enough to prevent a major event. I prefer that to having a giant scandal followed by oppressive and unnecessary legislation (like Enron and Sarbanes-Oxley).

  7. I think a serious breach that will gain significant attention is the leaking of someone’s real identity and current location in the Witness Protection Program, especially if the individual was a witness in a major organized crime case. It might not do much on the financial side, in terms of being directly responsible for sane legislation, but it will raise the public’s awareness of privacy issues.

  8. The thing is, whatever the story it must give the TV viewer the impression that it might happen to them tomorrow.

    I think this is where the $1M identity theft video on CNN falls short—it reports the case as a freak isolated incident.

    Like I said, the disaster does not have to befall a million people or even ten thousand, but enough that the public thinks it could happen to them personally.

    Xcott

  9. Grant Gould says:

    I’m guessing that it will be when an identity theft manages to trigger the anti-money-laundering and anti-terrorist-financing “Know Your Customer” banking regs and lands a family of identity theft victims in Guantanamo — or gets them killed.

    It’s relatively easy to imagine the scenario — a terrorist organization might use stolen accounts to transfer money to their comrades overseas or to receive money from overseas backers, and the legitimate owners of those accounts might be suspected. Combine this with account-holders with foreign-sounding names, the current you-can-do-anything-if-you-call-them-enemy-combatants attitude, and the increasing use of SWAT teams to serve even relatively innocuous warrants and you have the makings of a real tragedy.

  10. I’m not sure there can be such a thing. People losing all their money just doesn’t make sexy reporting. And people getting killed because their identity has been stolen will lead to the wrong set of changes (e.g. even-higher-value supposedly unforgeable ID cards). Maybe if a white, christian family of five were to be bankrupted by fake debts and then their towheaded teenage children mistakenly arrested and thrown in jail to be assaulted in ways that the tabloids and networks would find titillating…

    You’ll remember that the important thing about the Exxon Valdez was that Exxon was held financially responsible for all of the losses people and other businesses suffered as a result of its negligence. I think that a similar finding by a court in a large identity-theft case or simply a case of stolen data would be far more effective than pretty much any amount of coverage. (And of course, because it would involve a loss of hundreds of millions of dollars to someone important, namely the defendant company, it would also generate huge amounts of coverage.)

  11. John Hainsworth says:

    I think that a large-scale misuse of private data in a way that results in harm to young children is likely in the near future, and will probably be an “Exxon Valdez” event. I wish we could act proactively to prevent anything like this from happening, but I don’t see how.

  12. “with foreign-sounding names” – that’s a problem right there, because it means that the ordinary middle-class families John Marquiss mentioned will be able to say “I’m not at risk, I’m not like those people”. I think Scott Craver’s point about TV viewers needing to feel that it might happen to them tomorrow is quite right, and for that to work, the victims are going to have to have light skin and *not* foreign-sounding names.

  13. It’s hard to get people afraid of bureaucracy — angry or frustrated, maybe, but to really set off people’s fear buttons there needs to be a personality behind it.

    How about cute wife and kid flee abusive husband, who happens to work for a company that has privacy-sensitive data (financial institution, search engine, online music store…). Abuser peeks at the logs, finds and murders wife and kid, and all of a sudden everyone who keeps sensitive data is in the position of trying to prove to the media that they aren’t hiring potential psycho killers. Which is hard to prove.

  14. Rob Simmons says:

    First I’ll propose a scenario that combines some of Matt’s (hit congress directly) and Mike’s (revealing a secret about someone’s identity) ideas. At the panel, there was also discussion of medical information, and I think it might have been even in the context of Exxon-Valdez. Imagine someone getting their hands on, say, the medical records of a D.C. area abortion clinic that, turns out, was visited . Or, if we journey to the West Wing universe because it makes a good example, imagine if an identity thief found out mid-first-season about President Bartlett’s M.S. and told Drudge Report.

    Even more disastrous, imagine if an identity thief stole massive numbers of such sensitive medical records, set up shop over the internet in Cuba or the Ukraine, and started selling people’s lifelong medical records on an auction basis. He could even offer, as a humanitarian gesture of course, to let the person whom the information was about have the last bid in order to keep their information private.

    There are a number of such possible scenarios; I think that if there were to be such an Exxon-Valdez event, it would be with medical, not financial, records. You can reclaim your identity with pain and effort, you can change your credit card numbers and your SSN is still just a number on a piece of paper, but you can’t un-reveal your secrets, and the secrets that are most likely (I would guess without thinking about it too hard) to live on a computer somewhere would be facts about your medical history.

  15. Rob Simmons says:

    (edit from first paragraph, I didn’t finish the sentence: “that, turns out, was visited by the close relative of a senator or representative. That’s probably nightmare-scenario enough, but then imagine that senator or representative was an avid opponent of abortion.”)

  16. Here’s one off-the-wall possibility: haunting.

    Back before the tech bubble, there were companies who were into networking the home, so your Internet tablet would tell you to buy more eggs and tell you when the coffee is ready. I asked developers about security—I mean, what if someone turns on my microwave for 3 hours while I’m at work?—and I’d always get the response that “users don’t really care about security.”

    Of course, even if they didn’t care about computer security, they surely care about home security. Every house in this country has at least locks on the doors.

    Anyway, that never materialized; but we are seeing more ordinary PCs with AV capabilities like cameras and mics, people with broadband. I predict that within a few years it will become a hacker pastime to enter someone’s house virtually, capture as much by surveillance as possible, and maybe even manifest as a “spirit” to the extent that the home network allows.

    While this does not involve loss of money or divulging of sensitive data, it would mean that someone might be watching you in your underwear as you surf the net. That might be a more concrete and creepy violation of privacy to the average person.

  17. This Exxon privacy violation has to upset people willing to be publicly upset about it.

    If the violation is immediate and wholesale, affecting all potential victims in one fell swoop, victims will enter the damage limitation mode, i.e. the last thing they want is to have the spotlight shone on themselves as one of those outed as an AIDS sufferer, etc.

    If the violation is threatened in a drip-drip fashion, potential victims (or their advocates) will not want to show their hand too vigorously or risk implicitly revealing the very information they wish to remain private.

    It has to be information that even if published en masse represents just as much loss as if it were published individually.

    Perhaps something that 50% of the population get up to, but 99% would not admit to indulging in, even though accepting the 50% figure.

    I’m thinking of adultery/infidelity. The fact that everyone accepts that it is common means the mass revelation does not consequently reduce the severity of the misdemeanor (much). It also means that no finger of suspicion is necessarily directed at those who complain about the violation whether threatened or fait accompli.

    So if there’s some kind of TIA relationship analysis system in use by the Pentagon that can figure out all interpersonal relationships (in pursuit of terrorism cells, but unavoidably detecting romantic liaisons), and this analysis were accidentally published (or stolen and held to ransom), then that could be such a mega-violation event.

    The only other one I can think of would be exposure of hypocrisy, e.g. an anti-abortionist’s record of abortion revealed, etc.

    The day of reckoning approaches…

  18. Brandon Shatley says:

    There’s a lot of talk about legislation and Congress here, and that scares me more than identity theft ever will. We’re talking about an event that will terrify the masses, and then we’re talking about what kind of governmental action will grow from that fear. No good laws come from mass hysteria.

    Anyhow, it’s my hope that there won’t be such an Exxon Valdez for this issue. I’m hoping that, for once, people will gradually come to the common sense conclusion that they can’t just trust any company with an easily recognizable brand name. They’ll see the occasional news story about identity theft and fraud, and they’ll see that the big companies and even the government are doing a terrible job at managing their information, and they’ll pull that old free market trick and demand that the people they do business with enact stronger security measures or risk losing them as customers. It’ll happen slowly, and some people will be stubborn about it, but eventually there will be enough little incidents that people will one-by-one demand better security, and that demand will gradually bring about a supply.

  19. “Cosa Nostra Financial Planning. The name you know. The people you trust.”

  20. I don’t think there is anything. Our society is getting fairly comfortable with transparency. The places where secrecy is still sought after are pretty much confined to big business and government. And those are places where more transparency can only be a good thing for the general public.

  21. @jes5199:
    I disagree. I think the example of medical records is an excellent one. Do you want some sleazy website operator scanning through medical records for new cancer diagnoses and posting them for the world to see? Even telling your employer exactly why you took a day of sick leave can be considerably more information than you might find acceptable to reveal. There are a lot of medical issues that people want to keep private, or to reveal in the time and manner of their choosing. Just imagine learning that a loved one has terminal cancer because it appeared online as part of a (massive or not) privacy breach.

  22. think web surfing histories, caches, and so on … imagine hacking verizon and ripping off someone’s surfing history for the last X years … then offering to make that info known (or not, for a fee of course) … there’s your valdez

    scary …

  23. I think it might also contribute if the company or office who lost your private data had no business having it in the first place.

    So, if a government office accidentally exposed your social security information, that’s bad. On the other hand if the DoJ somehow got a database of everyone who has ever purchased pornography by credit card, that would probably outrage the public a lot more, even if the data wasn’t compromised.

    Actually, that would be a possible “Valdez.” It would be a variation on Mr. Fitch’s post above. In fact, if there was a Valdez-type event, I would hope for something like this, because it could enrage the public even without the data being compromised. It would be nice if an inevitable Valdez-type event was one that could be contained and reversed.

    Xcott

  24. Judge to Chuck E. Cheese (or McDonald’s or…) execs: Privacy leak directly responsible for convicted pedophile and killer’s terrifying crime spree in quiet suburban Kansas City; fines, possible jail time for CEO. Film at 11.

    It’s really only a question of “how soon”. Kids’ addresses and other information leaking over the ‘net after being entrusted to a familiar company with a kid-friendly image, and attracting the worst possible kind of predator, will do it if anything will.

  25. By the time it happens, there will be so much data available on all of us, that it won’t matter. It is not far from that now.

    Quite some time ago, a social health investigator got drunk in a bar in Fla, and entertained the other patrons by showing off his HIV case file. Even with that as an exemplar, I could not convince upper management at my organization to keep such data safe. “Our investigators wouldn’t do that — I know them.”

  26. Don Patterson says:

    It will take a crime against a child, in which a bio-marker is the key to starting a nationwide man-hunt. The bio-marker will eventually be traced to a person whose capabilities make them clearly unlikely to have committed the crime and yet they must – due to the bio-marker – be guilty. It will combine our disgust at crimes against children with our fascination with crime scene investigation with voyeuristic love of watching the misfortune of others with our terror of being on public display because of a crime we didn’t commit. So something like this:
    Brad Pitt and Angelina Jolie’s child is raped and murdered and their house plundered. There are fingerprints all over the scene of the crime. CNN is there in a heartbeat with 24-hour updates. The fingerprints are found in a nationwide fingerprint repository which collects from several sources including law enforcement and healthcare services. CNN is tracking the live progress of the investigation, a la, OJ Simpson. The fingerprint is traced to a senile elderly man on the other side of the country. The man’s face and identity are plastered all over the media. He is pilloried in the press, although it seems confusing that a man who can’t find his bedroom could have committed the crime, but the bio-marker is considered infallible. The man is jailed. Later at another crime in progress the real criminal is discovered using gloves “printed” with fake fingerprints. Elderly man has since died in jail. The original source of the fingerprints in the national database is lost.

  27. It could happen tomorrow. All it takes is one guy to swipe an NSA laptop and start selling whatever’s on there. That creates a double problem:

    1. We discover what the NSA is actually doing, which will enrage us.
    2. We now know that this data isn’t safe, and any data collected for “security” is fair prey to theft.

  28. enigma_foundry says:

    I’d put it differently.

    Recall that many seem to think they have anonymity on the net, but all those internet chats are recorded somewhere, and there is a future President or Supreme Court Justice out there right now who has said some embarrassing things in a chat room somewhere, some time.

    Now, when they run for office or get nominated, it will come back to haunt them.

    The tragedy will be that excellent people will be driven away from public service, after seeing what befalls those who try to play a role in the government, and we will get what is left over….as our leaders…

  29. woodland says:

    The problem is that the American public is stupid, and so is the media. There is VERY LITTLE identity theft occurring in this country. Most of what the media labels identity theft is nothing more than simple credit card fraud. Who the hell cares if credit cards get stolen and used fraudulently?

  30. There may be very little ID theft, but the potential is a lot bigger than that. There’s another embarrassing leakage of information every week. It’s only a matter of time until someone moves to exploit one of them.

  31. Matthew Ernest says:

    “Who the hell cares if credit cards get stolen and used fraudulently?”

    As individual events, they’re just money. However, they all get recorded back into the mysterious databases where the original data came from.

    Charlie Stross recently worked out a bit of projection of the future of the UK National ID Card and registry (
    http://www.antipope.org/charlie/blog-static/2006/05/17#id-card-3), which has a bit that seems relevant here. Pretty much all of the proposals here so far are about the direct consequences of true data escaping from the databases into the wild. Given some amount of true data, it is possible for false data to be reinjected back into the databases, even inadvertently, e.g. credit card fraud, giving a false identity after arrest. How much false data needs to be injected before you cannot prove who you are?

  32. I have to agree with Rob Simmons.
    The worst breach most probably will be medical wise.

    Insurances breaking in medical records of hospitals to get detailed or statistical data of persons who apply for insurance and directly filtering “risk groups”.

    I know this is the case to some extent now, but when they manage to pull direct medical and psychological reports, you can get denied insurance for really stupid reasons.

    If insurance companies are doing this for like 5 years, and someone inside breaks his NDA, I can see an uproar. Equality going down the drain …

  33. sacamano says:

    Although all these examples are horrible enough, I have a hard time believing that this will constitute an “Exxon Valdez” scenario.

    As I see it, what set EV apart was:
    * Big Money (in this case Big Oil) as the perceived perpetrator
    * The damaged area considered to be irreplaceable
    * A sudden large-scale impact
    * that triggers a response from many people’s “instincts for the common good”

    I really doubt the sudden large-scale impact and the instincts for the common good are common good, even in the cases where children are involved in horrible ways. The criminal molesting the child will probably be perceived as a person who will go to great lengths to get his kicks and that he succeeded once will make people feel sorry for the source that he stole his info from.

    Getting to politicians could trigger a “serves him right”-response from the public. The public might react unfavorably to legislation designed to cover up dirty secrets about politicians.

    Maybe I’m just not imaginative enough.

  34. sacamano says:

    That first sentence from the third paragraph should read:

    “I really doubt the sudden large-scale impact and the instincts for the common good are pressing enough in the suggested cases”.

    That may still not be a correct sentence, though.

  35. Woodland says “Who the hell cares if credit cards get stolen and used fraudulently?”

    If it were mine, I’d the hell care. (But it won’t be, because I’m a credit card refusenik for various reasons, and the more the pressure from banks and vendors to get one to use for all transactions instead of perfectly good cash, cheques, and debit, and the more CC fraud I hear about, the more those reasons grow.)

  36. john erickson says:

    The hypothetical “Exxon Valdez” of privacy MAY already be in progress and we simply haven’t felt the effects: we haven’t yet witnessed the full impact of the VA laptop theft. We should keep in mind that the EV case had a TV-friendly physical manifestation that is hard to replicate in the world of data; due to the physical nature of EV, the news could use over-blown superlatives like “worst ever” which is much harder in the data world. What are the oil-coated birds of privacy? Some writers above have proposed children; perhaps, but I’m not so sure.

    Assuming that we accept this quest for a privacy equivalent of EV (see below), I suggest that privacy’s EV (whether due to accident or attack) must have a more immediate and resounding effect than has been suggested above. One candidate might be a compromise of the financial services sector (esp. the credit card system), coupled with a massive denial-of-service attack (for dramatic effect). The majority of the US GDP is produced by that sector due to our debt-worship, so if you really want serious HURT, go there.

    The problem with this scenario is that the “fruit” might be too high on the tree. Data protection in the financial services sector is focused on ACCURACY and integrity, not privacy, so not only is this unlikely, but it is arguable whether it really is a privacy case — although it would be portrayed as such, and “perception is, all there is…”

    To carry the full EV impact we need to include a carnival of US Government errors. My comments above suggest WHAT to attack, but not HOW; I proposed that any great privacy EV plot should include/start with a massive compromise (accidental or intentional) of the Internal Revenue Service (IRS) databases.

    Finally, at first I questioned the applicability of “EV” to privacy, but I will accept sacamano’s four-point summary of why it is important. It does trouble me that there isn’t a fifth point: that EV somehow changed the industry. Did EV change anything other than Big Oil’s messaging strategy? In the US, congress ordered (in 1989) all shippers to switch to double hulls by 2015, which they have been slow to do. The disaster didn’t stop us from using oil, and had only a superficial effect on Exxon.

    Maybe it would be more useful to ask what the ENRON or WORLDCOM of privacy might be? Did they change anything any more than EV did?

  37. Woodland, who the hell do you think pays for all the credit card fraud in this country? Consumers do–businesses absorb costs of fraudulent transactions which are then passed along to every consumer in the form of higher prices. I agree that credit card fraud shouldn’t be lumped in with real id theft, but it’s a serious problem on its own.

    If the Exxon Valdez of privacy is not the VA breach, with its overtones of victimized soldiers trying to fight the good fight against terrorism while “closely monitoring their credit” from the front lines, I’m not sure anything will do it.

  38. Brian Srivastava says:

    Currently I’m working on a nuclear imaging grad course (today’s topic: X-ray imaging), and as part of this, it dawned on me that I should look for studies related to smuggling guns onto airplanes, or more to the point, how it seems at every audit of airport security in North America, x-ray imaging catches virtually none of the guns auditors try and smuggle on planes. Then I sort of pondered my last dozen or so google searches, and searches on various security websites. They probably aren’t pretty.

    I think the main challenge from all privacy rules is that many people (especially in the US atm it seems) are willing to say “if you’re not guilty, then you have nothing to hide”, but the problem is that any collection of personal information by the gov’t or corporations will usually be piecemeal at best.

    The other issue to consider of course, is that the public doesn’t care, if it is someone who sounds like a security threat. Every time I go to a US airport, I get a hard time. I’m a middle eastern looking man with a middle eastern sounding (actually indian, but really, does anyone in US border security know the difference?) last name, and, I’m a physicist by training. So people don’t mind that security gives me a hard time, and, recognizing the paranoia of my southern ‘friends’, I’ve come to expect it.
    The Exxon Valdez of privacy then, will come when 20 white women (at least one has to be a gorgeous blonde), with typical European sounding names, get rounded up and tossed in prison to be accused of something absolutely terrifying (trying to nuke Washington or something for example), and have it turn out to be entirely because the government was data mining their information, and drew completely crazy conclusions based on entirely innocuous things.

    That, or the gov’t will try and make gay relationships illegal again (a fight in itself of course), and then use any trick it can find (visited any gay porn sites? Whether you wanted to or not?) to arrest you on suspicion.

  39. sacamano:

    I think the disaster would not have to strictly satisfy the same criteria as the Valdez disaster, but there are some criteria I’ve been thinking of:

    1) It has to be something easily transmitted through the media. That means it has to be both simple to explain and an irresistible story.

    2) It has to happen to ‘ordinary’ people, meaning a large number of TV viewers would consider themselves eligible to be victim N+1.

    3) It has to happen often enough that it isn’t seen as a freak one-time incident. Basically 1-4 convince the public that it is a genuine risk to them personally.

    4) The privacy violation has to carry a concrete and imminent threat of abuse. I don’t think people would be as scared by the idea that someone somewhere could exploit their medical records—versus a specific bad guy who has them, and is poised to do something bad.

    5) The privacy abuse would itself be concrete and the loss easily felt. The hypothetical I suggested was the DoJ getting a database of everyone who ever bought pornography with a credit card.

    6) Since we’re trying to predict what it will be, it has to be reasonably plausible. My hypothetical in #5 doesn’t qualify, because it’s a hypothetical. Could happen, but it is not really inevitable, so that’s not where I’d bet my money.

    So a six point test: 1) The story test, 2) The everyman test, 3) The size test, 4) The threat test, 5) The intrusiveness test, and 6) the plausibility test. Any suggestions?

    Xcott

  40. Let’s consider what made the Exxon Valdez the Exxon Valdez:

    1) Damage affects simultaneously a large number of individuals (lots of wildlife killed)
    2) It is immediately obvious to casual observers what the damage is and that there is damage (everyone understands thousands of dead/slimy animals when they’re on TV)
    3) Cleanup is costly (in dollars and reputation/branding) to a single entity (Exxon)
    4) It is preventable, but is due to hard-to-control human error, single point of failure, making it easy to assign blame to a single entity (at least it was quite convenient to point at the pilot, ignoring any controls on him that might have been missed)
    5) Many individuals who are not directly affected are morally outraged — the victims are not culpable in any conceivable way (i.e. you didn’t have to be a dead duck or live in Alaska to care and you knew those ducks were just in the wrong place at the wrong time.)

    Our current issues with data privacy do not match all of the above criteria. The recent breaches *potentially* involve millions of individuals, but the risk is distributed. Only a small fraction of individuals whose data are stolen actually experience any identity theft, and victims are perceived as somehow responsible (if they’d only taken better care of their data…). And though the cost to society of identity theft is quite high, it is distributed across many organizations and individuals. So no one with enough “power” has quite enough incentive to “Do Something About It”.

    An Exxon Valdez type of Data Privacy incident (according to the features above) would look something like:

    A data administrator at a large corporation negligently places a data file with highly sensitive data in an area with minimal access protection (feature 4). An attacker obtains the data and deliberately actively publishes it (i.e. doesn’t just steal it, but puts it in our faces), perhaps by vandalizing a very public site like cnn.com or whitehouse.gov or by placing many copies in various places around the internet, so that they are hard to find and control the spread of (feature 2). It would involve the active publishing of sensitive data for many individuals (feature 1). The corporation is involved in endless court cases for damages stemming from information exposure, as well as endless cleanup efforts involving tracking down copies of the published information and twisting arms to get them removed (feature 3). The highly sensitive data would be more effective if it involves lots of innocent cuddly things like children or ducks (feature 5), but it might be a little hard to get sensitive information about these that would make anyone feel terribly threatened or sympathetic. The most sensational sensitive data is sensational and sensitive simply because it comes with a stigma, which is often perceived as a kind of culpability of the person it pertains to. (“She was raped? What was she wearing at the time?” “He got a heart attack? He should have cut down on those donuts!”) Perhaps a list of social security numbers of people who use wheelchairs? Children in the witness protection program? Users of Ritalin?

  41. jcn: Insurers are denying medical coverage today, supposedly based on actual medical history, as I was informed by a 50-ish couple who spent a lot of time looking for affordable insurance. I presume they don’t have to break into medical databases for that.

  42. And I agree that “scary” implications of privacy breaches fall largely in the following categories:

    (1) Denial of business, and participation in aspects of society, or active persecution, based on rightful or wrongful judgement and blacklisting from true or false records. E.g. denial of insurance/credit, employers avoiding you, denial of membership in organizations, being frequently stopped/visited by police, etc.

    (2) Public embarrassment due to true or false records surfacing (related to (1)).

    (3) Financial hardship/hassles (indirectly also having (1) as consequence).

  43. sacamano says:

    Xcott,

    My list of characteristics for the EV case was merely intended as an illustration of why I am not expecting an “EV of privacy”, as the EV-test is hardly applicable to privacy. The outcry – for instance – was not a result of people’s private damage. I am glad to see another set of tests, better suited for the discussion at hand.

    That said, since I have a hard time imagining a good case, can you invent a story that meets all your test criteria? I do no longer dismiss any fantastic horror scenario, for truth is stranger than fiction. Maybe we need a Michael Crichton / Tom Clancy of privacy!

  44. sacamano says:

    (add Greg Bear / Vernor Vinge according to taste; stir; simmer; shudder!)

  45. I agree with previous posters that a Medical records privacy breach may tip this issue. It will have to be something affecting a huge number of mainstream Americans. Many people pride themselves on trying to be vigilant about ripping up credit card offers, protecting their financial information, etc, but the control of medical records is largely out of the hands of the general public.

  46. john erickson says:

    Regarding my suggestion that the EVoP “trigger event” might be a violation of tax records, note the following news from Portland, OR:

    “…SALEM, Ore. – Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee’s unauthorized use of a computer, the Oregon Department of Revenue said Tuesday…the incident apparently occurred when an employee downloaded a contaminated file from a porn site. The ‘trojan’ program attached to the file may have sent taxpayer information back to the source when the computer was turned on again…”

  47. So someone didn’t revoke a quitting/fired employee’s login right away … and that ex-employee’s computer had spyware … maybe a big enough spotlight on this can be used to ratchet up public awareness of both the lax corporate/government privacy policy problem AND the spyware problem.

  48. Re: dmc — how about some homophobe breaks into a medical record and publishes widely a list of everyone in America that’s tested HIV-positive. Or even someone well-intentioned who wants people to be able to check a potential partner’s history like you might a used car at carfax.com. And then the chaos — incensed outraged HIV patients; a few well-publicised incidents of fear or hate crimes targeted at people that tested positive; the company whose records were stolen initially denying the info came from them, then being proven to be the source of the leak, instant major scandal…and maybe a couple conservative politicians turn out to be on the positive list for good measure…

  49. I’ve noticed that if you use gmail/google groups, ordinary (Web) searches show your gmail login in the top right corner of the page. Google is potentially already constructing search histories of their users. And users research anything they are afraid of: medical problems they may not actually have, terrorism they fear somebody else will perpetrate …

    Easy to misconstrue though. A pattern of searching for AIDS info may lead to the guess that the searcher tested HIV+. A number of searches related to terrorism may lead to speculation the searcher plans to blow something up. If even people that aren’t gay, HIV-positive terrorists realize they need to worry people will think they are …

  50. I don’t think we’ll see an Exxon Valdez of privacy, but a Watergate of privacy.

    Public awareness of privacy and data leaks will need to affect a high-profile individual, with whom everyone can identify. I envision a case where a government TLA has illegally acquired personal data from multiple sources, then uses that information to construct a false identity for a high-placed government official in order to libel or incriminate that official. This would have succeeded, except that an enterprising Woodstein also manages to acquire the same personal data, and blows the cover off the secret government ops.

    –Bob.

  51. enigma_foundry says:

    To really imagine how technology can fail, and see the multiple possible failure modes, interdisciplinary thinking is required. (see C. P. Snow The Two Cultures, and remember that today we are not just Two Cultures, but maybe 30 or 40)

    So, the failure of a jet airplane is not just an extremely large accident, but the possibility of empowering small groups of people with very powerful flying bombs (thinking along a military vector)

    Another way that jet planes fail is the arrival of diseases from around the world far from their point of origin. (thinking along a public health vector)

    So, in my example (above) we have severely degraded the quality of those entering public service, due to the loss of privacy.

    This loss is very real, but it is invisible to the (seemingly) all-seeing eye of the ever present media, thus an example of the startling blindness that arises from seeming to see everything.

    In such an environment, this kind of a failure becomes as difficult to conceptualize as dissent is difficult to voice in 1984…

  52. After being financially ruined by identity theft, a whole family commits group suicide (or even better, for the maximization of media exposure, the parents poison their children before committing suicide).

    That _might_ do it. Although I gag just imagining it really might happen.

  53. I think Matt June 12 and Bob June 12 are on the right track; the US political system is now basically a monarchy, so the real changes will occur when members of the royal family get broadsided.

  54. A what? It’s got decreasing upward mobility, tending toward an aristocracy, sure, but at base it’s more fascism than any other political system I ever heard of. :P

  55. The AOL search log leak looks like a hint of things to come…

  56. What about the AOL release of search logs (~600K users)? It’s out there now – a little bit of data mining and you can find a lot of nasty search strings and combine those with some family and address searches.

  57. Like radioactive waste isn’t it?

    You’re very tempted to retain it for potential future value, but once stored it’s very difficult to destroy, and if it leaks out, it’ll last a very long time in the wild and will be a constant reminder of corrupt decision making processes.

    Don’t keep data on the public unless it’s inherently safe to publish.

  58. The release of “useless” information, like credit cards, probably does not matter. They can just get regenerated, costs passed on to the consumer, and business as usual. Even a certain amount of publicity about any of us is probably tolerable, up to a point. What would be truly horrible, rather than just a considerable pain, would be the ability of someone to consistently steal your identity in a way that would be impossible to fix. At some point, business will truly realize the liability in maintaining personal information and look for ways for the end user (user-centricity) to interface with enterprise-centric identity approaches. This will be forced upon the stakeholders by community pressure. Simply, most people can’t imagine a world other than the one we live in. Multiple identities, some false, some limited, will be the norm.

    Think about using a credit card that doesn’t purport to identify you at all, just your willingness to pay.

  59. Absolutely. It’s pretty rare that any identity needs to be tied back to a human body. For commerce, identities simply need an assurance of authorisation to exchange funds and a credit rating perhaps.
    Even taxation only needs to tax the revenue obtained by an identity. The physical body in seeking any benefits due from taxation simply exercises the privileges earnt by one or more of their identities.
    Bodies only need to be identified for physical transactions (healthcare, immigration/emigration, physical crimes, etc.).

  60. We have to raise public awareness about the worsening and increasing demand of crime in our society, and it includes credit card fraud. Credit card fraud on the Internet is rising even more dramatically; that’s why we have to take precautions when we are giving out confidential information over the internet or over the phone. It seems that wherever you turn we’ve always heard issues regarding our deepening economic mess. Businesses and companies are asking for bailouts just to keep their business afloat. The government created the $750 billion TARP program to bail out troubled financial institutions in order to stave off a possible depression. This is like how getting a payday loan in order to hold you over until your next payday can also stave off a possible depression. A string of catastrophic bank failures would just make things worse, but it seems hard to justify giving the banks funds after they use those funds to give out corporate bonuses and buy corporate jets. You don’t see people doing this with a payday loan now, do you?