Archive for 'Research'

Value Of Privacy: A User's Perspective

Monday, February 27th, 2006

The year 2005 was not only the year of the Rooster; it was also the year of privacy invasion and ID theft. Thinking back on the last year, news flashes such as “ChoicePoint data theft widens to 145,000 people”, “Stolen laptop puts 98,000 at risk of ID theft” (UC Berkeley), and “Personal info on 310,000 people possibly stolen, 10 times more than what was disclosed last month” (Seisint) come to mind.

This past year, more than 152 security breaches exposed at least 57.7 million Americans to ID theft (1) and privacy invasions, which makes “privacy” the biggest concern of the general internet population, businesses and governing bodies. The result: legislation being passed by the government and billions of dollars being invested by businesses to conform to this legislation. More than fifty bills were introduced in the first session of the 107th Congress to regulate online privacy, resulting in a national cost of compliance of approximately US$9-36 billion (Hahn 2001). With so much at stake, it becomes important to measure not only the economic cost of privacy per person, but also the trade-offs (for example, convenience and rewards) that lure people to succumb and provide PII to organizations.

A peek into sociological research regarding user behavior clearly indicates that individuals perform a privacy calculus, assessing the cost and benefit of providing information (2). The calculus depends on factors such as self-ego, environmental stimuli, and interpersonal relationships (Laufer and Wolfe 1977; Stone and Stone 1990).

Studies indicate a huge deficit between the compliance expenditure and the net worth of privacy. This deficit may be owing to limited user awareness and the fact that privacy concerns are usually traded for environmental stimuli such as rewards and convenience.


To Centralize or Not To Centralize

Friday, February 3rd, 2006

That is the question that this blog post pontificates. According to a recent study by the Privacy Rights Clearinghouse, of 113 data breaches since February 2005, 55 took place at colleges, universities, and university-affiliated medical centers. A list of data breaches for 2005 has been posted by Neo Scale here, but a few noteworthy ones are Stanford University, UC-Berkeley, and Carnegie Mellon University.

One of the primary reasons cited for the disproportionate number of data breaches at universities is the decentralized environment: data is spread out across various locations on campus, which makes it difficult to control access to it. To a degree, this doesn’t seem very intuitive, and it is certainly contrary to the old saying ‘don’t put all your eggs in one basket’. Centralization not only serves as an even more enticing target for would-be hackers, but it also means the result of a successful break-in would be even more catastrophic. However, centralization is more cost effective, as it requires organizations to procure less hardware, which results in cost savings.

Decentralization, on the other hand, means that if there were a break-in, consumers/students are less likely to have their information compromised. However, decentralization also means that it is possible that there are multiple copies of a person’s information floating around. The preferable and more secure approach is not entirely clear.

It seems that the largest problems facing decentralized environments are accountability, management, and standards. What can be done about this? Certainly, formalized, comprehensive privacy and security policies would be a step in the right direction. Adherence to these policies is essential, as are continued research efforts into technologies and techniques to combat intrusions.

A full article on the Privacy Clearinghouse study can be found here on the UCSD Guardian Online.

2005 ThePrivacyPlace.org Survey!

Wednesday, October 26th, 2005
ThePrivacyPlace.Org 2005 Privacy Survey (http://survey.theprivacyplace.org/) is Underway!


Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us with our investigations of privacy policy expression and user comprehension thereof.


We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 15 minutes to complete. The results will be made available in 2006 via our project website (http://www.theprivacyplace.org/).

Prizes include $50 Amazon.com gift certificates and IBM sponsored giveaways!


On behalf of the research staff at ThePrivacyPlace.Org, thank you!

Protecting Privacy is Good For Business

Tuesday, February 15th, 2005

A recent survey found that protecting the privacy of consumer information is actually good for business. We’ve been preaching this message for years, but it seems that someone has actually provided some hard evidence. By protecting consumer information, businesses experience less downtime from security breaches and fewer defections from customers.

Read more here.

Compliance Oriented Architecture

Monday, October 4th, 2004

Wow. Stephen O’Grady, from the analyst firm RedMonk, is on the Board of Advisors for The Privacy Place and yet is humble enough not to have mentioned his recent paper “SOA Meets Compliance: Compliance Oriented Architecture.” But I happened to stumble across it as I was doing Google searches on compliance technology.

The opening teaser in O’Grady’s paper states:

Leveraging IT to enhance business processes with transactional transparency is a necessary response to corporate governance scandals. Building the

NSF funds automatic chatroom spies

Friday, September 17th, 2004

The NSF (National Science Foundation) is funding a project entitled “Surveillance, Analysis and Modeling of Chatroom Communities”.

From the award abstract, it appears as though the researchers intend to develop an automated surveillance system that will collect data in Internet chatrooms to discover hidden groups in which possible terrorist activities might be discussed. The system would automatically determine who is chatting with whom as well as specific topics that are being discussed in chatrooms by specific chat room participants. Unfortunately, the abstract does not mention how the PIs will investigate the social impact of such technologies; nor does it mention how this technology may or may not violate the privacy of innocent chatroom participants.

As researchers, it is critical for us to consider the broader impacts of our work on society, especially when creating technologies that can further erode what little remaining privacy public citizens can still claim.