Fixing the Web's trust issues

Every time you turn around another company is reporting a serious data breach. Last week it was the LastPass online password management service that lost some e-mail addresses and master passwords, as CNET's Seth Rosenblatt reported in The Download Blog.

A couple of weeks before that, hackers broke into the servers of German software maker Ashampoo and made off with many of its customers' e-mail addresses; Elinor Mills provides details of the attack in her InSecurity Complex blog.

But these losses pale in comparison to the data breaches reported last month by e-mail service provider Epsilon and the ongoing saga of Sony's PlayStation Network. Erica Ogg examines the most recent attack on Sony's PSN in her Circuit Breaker blog.

Data protections are a long way off
The torrent of data losses hasn't escaped the attention of the U.S. government. It's a coincidence that the Obama Administration released its National Strategy for Trusted Identities in Cyberspace (NSTIC) report (PDF) in the midst of this recent string of breaches.

NSTIC is a noble effort that calls for creation of private trusted authorities to serve as go-betweens when consumers interact with Web services. The theory is that consumers will trust a third party with their private data, and the third party will assure the online vendor of the customer's authenticity.

The obvious question is who will pay to establish and maintain this proposed Identity Ecosystem?

The federal government's participation in the NSTIC is outlined in the 2009 Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance (PDF). NSTIC builds on the eight Fair Information Practice Principles (FIPPs): transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing.

As stated in the NSTIC:

[O]rganizations will collect and distribute only the information necessary to the transaction, maintain appropriate safeguards on that information, and be responsive and accountable to individuals' privacy expectations. In circumstances where individuals make choices regarding the use of their data (such as to restrict particular uses), those choices will be automatically applied to all parties with whom that individual interacts.

Consistent with the FIPPs-based approach, the Identity Ecosystem will include limits on the length of time organizations can retain personal information and will require them to provide individuals with appropriate opportunities to access, correct, and delete it. The Identity Ecosystem will also require organizations to maintain auditable records regarding the use and protection of personal information.

Although individuals will retain the right to exchange their personal information in return for services they value, these protections will ensure that the default behavior of Identity Ecosystem providers is to:

Limit the collection and transmission of information to the minimum necessary to fulfill the transaction's purpose and related legal requirements;

Limit the use of the individual's data that is collected and transmitted to specified purposes;

Limit the retention of data to the time necessary for providing and administering the services to the individual end-user for which the data was collected, except as otherwise required by law;

Provide concise, meaningful, timely, and easy-to-understand notice to end-users on how providers collect, use, disseminate, and maintain personal information;

Minimize data aggregation and linkages across transactions;

Provide appropriate mechanisms to allow individuals to access, correct, and delete personal information;

Establish accuracy standards for data used in identity assurance solutions;

Protect, transfer at the individual's request, and securely destroy information when terminating business operations or overall participation in the Identity Ecosystem;

Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and

Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused.

Tension between users' privacy and vendors' profits
Information is money to companies that operate online, and the more personal the information they can collect from their customers, the more valuable it is. That's why Web services have little incentive to restrict the amount or type of information they collect.

The U.S. Congress is addressing online privacy concerns by working on Do Not Track and other privacy-protecting legislation. In her Media Decoder blog on The New York Times site, Tanzina Vega describes two separate pending bills: the Do Not Track Online Act of 2011 proposed by Sen. John Rockefeller (D-W.V.) and the Do Not Track Kids Act of 2011 sponsored by Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas).

These bills come on the heels of the bipartisan Commercial Privacy Bill of Rights Act of 2011 sponsored by Sens. John Kerry of Massachusetts and John McCain of Arizona.

It's no surprise that Google, Facebook, and other top Web companies oppose the Do Not Track legislation and are likely to balk at many of the provisions set out in the NSTIC.

In the absence of a compelling reason to adopt privacy protections, organizations will continue to collect information about the people they interact with online without their knowledge or informed consent. And despite the companies' assurances that they anonymize and otherwise safeguard their customers' private data, breaches will continue to occur.

Our best defense is to assume that Web services can't be trusted with our personal information and act accordingly. (My previous post explained how to avoid sharing personal info online.)

After all, it's unlikely online vendors will voluntarily adopt privacy-protection practices, and we certainly can't wait for the cavalry to arrive.