We leave a lot of tell-tail vapor trails as we come and go to the cloud. So do companies we do business with. Details about us lodge in Web sites we visit and at many organizations we never heard of. Many of us are used it and don't mind. Some of us get concerned, but don't have any sure way to avoid it other than staying off the Internet. And sooner or later, you will probably share your personal data with characters you'd rather not know. It happened to me, twice. My credit card was hacked from a newspaper I subscribed to and from a national retail chain's "secure" servers. Make that "at least twice."

It seems that the Internet is a place where everyone knows your name. Where did our privacy go and when will we get it back?

If you are like most people, you don't think about this much, perhaps deliberately, because at some level you realize that if you really knew how insecure data is on Internet-connected systems it would ruin your day. Kind of like getting a DNA test that might say you'll get dementia. You don't want to go there.

So, what are the chances that a company or organization leaks significant quantities of private data in some way or another? A February 2010 report (1 MB PDF) from the Ponemon Institute described how companies and users regard breaches of personal data. Ponemon polled 5,500 company managers in 19 countries. It also polled 15,000 adults in the same 19 countries. The results are not very comforting.

For example, seventy percent of both groups surveyed felt that organizations are obligated to secure consumers' information and take responsibility if they divulge it. That's not bad, but one wonders what the other 30% believe.

Given that the volume of digital data is doubling every 18 months or so, it's a pretty sure bet that more private information will go astray all the time, but how? According to Ponemon, 37% of all data breaches were due to malicious acts by employees (24%) or by criminals breaking and entering (13%). Technical glitches and business process failures accounted for 57%, and human negligence for 35% of the breaches. In a way, it's comforting that most incidents were caused by system or human failure, and that attacks by cyber-criminals accounted for a small percentage of incidents.

Drilling down reveals a surprising lack of concern about many rampant privacy abuses. Look at the findings that this chart displays.



Only identity theft seems to raise serious concern, and that on the part of organizations, not individuals (52% v. 26%, or twice as many). Less than one quarter of either group seems to worry about six of the ten issues: spam, stalking/spying, marketing abuses, malware/spyware, or even stolen assets. This nonchalance indicates to me that nobody cares much about bad things until they happen to them, personally or institutionally.

The survey also shows that people adjust their privacy dial according to the activities the engage in. Security of their medical records tops the list, but still, less than half of respondents seemed to care. Not only that, less than a quarter of them worried about leaking banking data, and only three out of one hundred had qualms about data being mined from their social networking activity, as you see in the next chart. That's pretty surprising. But then, here I am telling you this for all to see.



I see three possible explanations for why people are not more worried about their privacy, and they can all be true at once:

• They don't get upset when personal data about them is leaked
• They don't have an informed understanding of threats to their personal data
• They trust Web sites and institutions to safeguard personal data

Once something bad happens to your data, you can pay a service to cleanse it from the Web and buff your reputation. However, such services can charge thousands of dollars. They don't guarantee their effectiveness, and may pass on your information to subsidiaries that proceed to exploit it, especially once you are no longer a client. Assume that once your data is released into the wild, it becomes feral.

Additional federal oversight might help, and it may be on the way.

In March, the Federal Trade Commission released a major study that examined these issues and made legislative and regulatory recommendations. Get their report, Protecting Consumer Privacy in an Era of Rapid Change, on the FTC Web site. In the eyes of certain industry advocates, some of its conclusions are misguided, especially in the areas known as do-not-track, opt-in and right-to-know. They worry about strict privacy killing eCommerce. Perhaps they feel consumer abuse is intrinsic to a healthy economy.

A month before the FTC report, the White House announced it would file a Consumer Privacy Bill of Rights, to provide "a baseline of clear protections for consumers and greater certainty for businesses." Consumer personal data would be protected through greater transparency on the part of organizations that collect and store it. The bill would require organizations to limit information they collect to only what they need, secure the data adequately, use it only as they originally described, and to give consumers access to their data and opportunity to correct incorrect information.

See this White House fact sheet for more details. The Commerce Department has been charged with identifying best practices and formulating codes of conduct that the administration can send to Congress as proposed legislation. Follow and contribute to the discussion through the Web site of the lead agency, the National Telecommunications and Information Administration (NTIA).

New privacy laws may turn out to be anemic, hard to enforce, or too little too late. But at least there's a national framework on the table for improving the situation. And if you have had a problem, let the FTC know about it.

By Geoff Dutton

Top image via