Keeping Our Private Info Private In An Online World

There were a couple of incidents this week that made me stop and think about my own personal data--and who has it. But more important than any musings about what information about me--my address or financial records or personnel records from various jobs--is stored out there is who could get their hands on it.

And it seems the answer to that question is, apparently, absolutely anyone.Just ask any of the 38,000 U.S. military veterans who had their data lost by Unisys Corp., a subcontractor for the U.S. Department of Veterans Affairs. Today those vets have to worry that their names, dates of birth, Social Security numbers, and addresses are out there somewhere unsecured and vulnerable. Has the information been sold to identity thieves? Is it in the hands of organized crime, which I'm sure could find a lot of uses for it? Only time will tell, I'm afraid.

The information was on a desktop computer in a Unisys office in Reston, Va. A hacker didn't work his way into the corporate network, breaking through firewalls and jumping onto VPN connections. Oh, no. The whole computer is missing. Somehow someone walked in and walked back out carrying a desktop machine. Now there's some tight security for yah. I'd bet money that someone even held the door open as the thief walked out with his arms loaded up with what could be a whole lot of trouble for nearly 40,000 vets.

It gets even worse when you realize that this is far from an isolated incident for the VA. In another recent case, a laptop and external drive were stolen, jeopardizing personal and financial information on about 25 million veterans, active-duty personnel, and their spouses. Two teenagers were arrested a few days ago in connection with the theft.

Now a handful of senators are calling for Veterans Affairs Secretary Jim Nicholson to resign. Senate Minority Leader Harry Reid (D-Nev.) called Nicholson's reign at the VA a threat to national security. Is this a real concern for our nation's safety? Hard for me to say. However, it's easy enough to realize that it's a serious threat to the privacy and financial stability of U.S. vets. Haven't these folks sacrificed enough? Now they find they're sacrificing their privacy as well.

And talking about sacrificing privacy easily leads us to look at AOL's blunder this past weekend. Early this week, the company admitted exposing the personal search data of 658,000 people. Spokespeople for AOL quickly released an apology, calling it a "screw-up." Well, at least they got that part right.

The information, which focused on about 20 million searches done from its AOL software over a three-month period, was available for download over the weekend on AOL's research site. The company pulled it on Sunday, but not before it was downloaded and not before raising a maelstrom of criticism from the blogosphere.

The information is being made available from a number of Web sites, and it's proving to be interesting reading for a whole lot of people, according to Ray Everett-Church, a founder of CAUCE, an anti-spam advocacy group and a principal with PrivacyClue LLC, a privacy consultancy. Ray and I talked Tuesday night, and he told me AOL says the information has been "anonymized," meaning the users' names have been stripped off. That doesn't mean there isn't enough information in there to identify a lot of users. Come on... How many of us have searched at some point for our own names just to see what's out there? What if someone did just that and then searched for information on a particularly embarrassing or personal medical condition?

I haven't trawled through the 20 million queries, but Everett-Church tells me there's information in there where a woman apparently searched for her own name, her boyfriend's name, and for information on how to keep a relationship secret. Along with the expected searches on Paris Hilton and Angelina Jolie was someone's reported search for ways to starve yourself, while another person searched for ways to kill yourself.

Anonymized or not, this is all intensely personal...and still potentially identifiable. And now it's available for download from a dozen or so sites.

"This information is all out there," says Everett-Church. "Companies are holding information on you for who knows what purpose and for who knows how long. It's catalogued, indexed, and keyword searchable."

Think about all the companies and organizations that are out there collecting data about each and every one of us...bookstores, grocery stores, employers, former employers, doctors' offices, law offices, ISPs, and even search engines. And how much of that information would you like to have posted on a Web site for easy download? Think about all the things you've done searches for over the years. Do you really want your employer to know about it? How about your neighbors, your mother, or a slew of bloggers who need fodder for their next post?

If companies are going to keep this kind of information about us, it better be protected. Data needs to be encrypted. Systems need multiple layers of security. The physical buildings housing offices, desktops, and servers need their own security. And how about running some background checks on the people entrusted to touch this data?

For us average Joes and Janes, we need to think about who we entrust with our information. Do you care that someone somewhere might know what you're Googling for? Will our local Internet cafes be clogged up with people secretly searching for information on medications, new jobs, and the criminal backgrounds of potential dates?

What do you think? How worried are you about who has your information and what they're doing with it?