Editor’s Note: Bruce Schneier is a security technologist and the chief technology officer of Co3 Systems. The opinions expressed in this commentary are solely those of the author.
Story highlights
Uber is under investigation for spying on riders without their permission
Bruce Schneier: Increasingly, employees of companies can look at our private data
Even the federal trade commission can ask companies to increase standards of security
Schneier: Corporate collection of our data has long outpaced the laws protecting us
In the Internet age, we have no choice but to entrust our data with private companies: e-mail providers, service providers, retailers, and so on.
We realize that this data is at risk from hackers. But there’s another risk as well: the employees of the companies who are holding our data for us.
In the early years of Facebook, employees had a master password that enabled them to view anything they wanted in any account. NSA employees occasionally snoop on their friends and partners. The agency even has a name for it: LOVEINT. And well before the Internet, people with access to police or medical records occasionally used that power to look up either famous people or people they knew.
The latest company accused of allowing this sort of thing is Uber, the Internet car-ride service. The company is under investigation for spying on riders without their permission. Called the “god view,” some Uber employees are able to see who is using the service and where they’re going – and used this at least once in 2011 as a party trick to show off the service. A senior executive also suggested the company should hire people to dig up dirt on their critics, making their database of people’s rides even more “useful.”
None of us wants to be stalked – whether it’s from looking at our location data, our medical data, our emails and texts, or anything else – by friends or strangers who have access due to their jobs. Unfortunately, there are few rules protecting us.
Government employees are prohibited from looking at our data, although none of the NSA LOVEINT creeps were ever prosecuted. The HIPAA law protects the privacy of our medical records, but we have nothing to protect most of our other information.
Your Facebook and Uber data are only protected by company culture. There’s nothing in their license agreements that you clicked “agree” to but didn’t read that prevents those companies from violating your privacy.
This needs to change. Corporate databases containing our data should be secured from everyone who doesn’t need access for their work. Voyeurs who peek at our data without a legitimate reason should be punished.
There are audit technologies that can detect this sort of thing, and they should be required. As long as we have to give our data to companies and government agencies, we need assurances that our privacy will be protected.
Moreover, we need legal limits on what can be done with our data. Companies are starting to analyze our personal data and publish the results, sometimes in an effort to get positive press. And while it may be fun for Uber to publish data on riders heading off to one-night stands and hookups with prostitutes (Uber recently deleted both posts), or for OKCupid to publish their users’ sexual preferences and habits, this is very intimate information.
Were Uber or OKCupid a university, this analysis would have to be approved by an ethics board entrusted with protecting the subjects’ privacy. Private companies’ research isn’t overseen in any way, meaning that no one reviews this research with an eye towards protecting the subjects.
Making these changes doesn’t require an act of Congress. It’s something that the Federal Trade Commission can do under the auspices of consumer protection. As long as companies are collecting and storing our data, they need to be held to standards of security and professionalism.
The general problem of our data being accessible won’t go away. There are huge benefits in putting your data in the cloud, and that’s not going to change. Companies like Google and Facebook need to be able to work on the computers and networks that contain your data, so engineers will need access. Unless your data on these other computers is encrypted – and in many cases it will never be because that renders it useless – interested people will be able to access your personal information.
We’re now living in a world where a lot of intimate data is stored in some third-party database somewhere – the emails and texts we send and receive, our location data from our cell phones, the things we purchase, the Web pages we look at, and the search terms we use. This data is bought and sold, and used to manipulate us with personalized advertising.
But there’s something extra-creepy about people using it to stalk us or analyze our lifestyles. Corporate collection of our data has long outpaced the laws protecting us. We need to rewrite those laws for the information age.
Read CNNOpinion’s new Flipboard magazine