Sign In

Communications of the ACM

Inside risks

Risks of Third-Party Data

Recent reports of personal information theft are coming in torrents. Criminals are known to have downloaded the personal credit information of over 145,000 individuals from ChoicePoint's network. Hackers took over one of the LexisNexis databases, gaining access to personal files of 32,000 people. Bank of America Corp. lost computer data tapes that contained personal information on 1.2 million federal employees, including members of the U.S. Senate. A hacker downloaded the names, Social Security numbers, voice mail, SMS messages, and digital photos of 400 T-Mobile customers, and probably had access to all of T-Mobile's 16.3 million U.S. customers. In a separate incident, Paris Hilton's phone book and SMS messages were hacked and distributed on the Internet.

The risks of third-party data—personal data being held by others—are twofold: the privacy risk and impersonation leading to fraud (popularly called identity theft). Identity theft is the fastest-growing crime in the U.S. A criminal collects enough personal data on someone to impersonate him to banks, credit card companies, and other financial institutions, then racks up debt in the person's name, collects the cash, and disappears. The victim often must spend years clearing his name. Total losses in 2003: $53 billion.

People have been told to be careful: not to give out personal financial information, to shred their trash, to be cautious when doing business online. But criminal tactics have evolved, and many of these precautions are useless. Why steal identities one at a time, when they can be stolen by the tens of thousands?

The problem is that security of much of our data is no longer under our control. This is new. A dozen years ago, if someone wanted to look through your mail, he had to break into your house. Now he can just break into your ISP. Ten years ago, your voice mail was on an answering machine in your house; now it's on a computer owned by a telephone company. Your financial accounts are on Web sites protected only by passwords; your credit history is stored—and sold—by companies you don't even know exist. Lists of books you buy, and the books you browse, are stored in the computers of online booksellers. Your affinity card allows your supermarket to know what foods you like. Others now control data that was once under your direct control.

We have no choice but to trust these companies with our security and privacy, even though they have little incentive to protect them. Neither ChoicePoint, LexisNexis, Bank of America, nor T-Mobile bears the costs of identity theft or privacy violations. The only reason we know about most of these incidents at all is a California law mandating public disclosure when certain personal information about California residents is leaked. (In fact, ChoicePoint arrived at its 145,000 figure because it didn't look back further than the California law mandated.)

The effectiveness of the California law is based on public shaming. If companies suffer bad press for their inept security, they'll spend money improving it. But it will be security designed to protect their reputations from bad public relations, not security designed to protect customer privacy. Even this will work only temporarily: as these incidents become more common, the public becomes inured, and the incentive to avoid shaming goes down.

This loss of control over our data has other effects, too. Our protections against police abuse have been severely diminished. The courts have ruled that the police can search your data without a warrant, as long as others hold that data. The police need a warrant to read the email on your computer, but they don't need one to read it off the backup tapes at your ISP. According to the Supreme Court, that's not a search as defined by the Fourth Amendment.

This isn't a technology problem; it's a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy don't have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data, and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant—even though it occurred at the phone company switching office—the Supreme Court must recognize that reading email at an ISP is no different.

Back to Top


Bruce Schneier is the CTO of Counterpane Internet Security, Inc., and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. More of his security writings are available at

©2005 ACM  0001-0782/05/0500  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2005 ACM, Inc.


No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account
Article Contents: