Within days of the attacks on Sept. 11, 2001, politicians, social scientists and anyone else who could find a microphone was repeating a line that would soon become a mantra: Americans will have to make some sacrifices in the name of greater security and safety. Viewed now through the prism of privacy, that looks like the understatement of the century. Americans have surrendered virtually all of their privacy and have gotten nothing but wave after wave of new attacks and threats in return.
Ten years ago, privacy was just starting to become a major concern and a defined discipline. Chief privacy officers could have held their annual convention in an elevator, and while many Web sites had privacy policies in place, they were primitive and mostly impenetrable for non-lawyers. For most regular Internet users, if they thought of privacy at all, it was likely in the context of email addresses being sold to spammers or whether their Social Security numbers were used as identifiers. Identity theft–in the form of scammers opening new credit accounts in other peoples’ names and running up big tabs–was the major threat.
In retrospect, those were the good old days. The problems we faced then seem downright quaint in comparison to the complete disaster that online privacy has become. In 2001, no one had ever heard of ChoicePoint, Heartland Payment Systems or even the term data breach. Now, a decade later, people are wishing they’d never heard of any of them.
The concept of privacy is a thoroughly modern one. As recently as 150 years ago, most people lived in small towns and villages, surrounded by their extended families and groups of neighbors who had, like them, lived in the same area for generations. Everyone knew each other’s business and most people ever traveled more than a few miles from their hometowns. The only expectation of privacy was in one’s own home, with the door closed and the shutters pulled. Everything else was considered public business.
That changed dramatically during the late nineteenth and twentieth century, as people began moving around the country with the advent of reliable rail transportation, followed by mass-produced affordable cars. People had the means to travel at will and anyone who grew weary of people knowing every detail of her life–or needed to leave some bad memories behind–could pick up and move a few states away and start a new life.
At the same time, immigrants flooded the U.S. from all over the world, and many of them kept to themselves or formed tightly knit communities and were careful around outsiders and anyone they didn’t know. Their business was their own. As the century wore on and the U.S. became a crowded, urban society with everything available all the time and anyone just a phone call away, a new definition of privacy began to emerge: the right to be left alone.
And then the Internet happened.
Suddenly, not only was anyone else on earth easily accessible, so was anything you wanted to know about them. Need to know what your old college roommate is up to? Look him up on Alta Vista. There’s his home address, maybe his phone number and the name of his employer. Looking for some info on that weird lump on your neck? Google it. Check the symptoms for lymphoma. It’s all there, just a couple of clicks away. There’s free email, free videos, free music, huge discounts on anything you’re looking to buy, sites that will collect and organize all of your data for you, mobile apps that show you nearby restaurants or dry cleaners or bookshops. Pretty great.
There’s only one small catch: Every move you make online and, with the advent of location-aware mobile apps, in real life, is being tracked. All of those free services and discounted products and great apps are simply delivery vehicles for ads and the tracking mechanisms that go along with them.
In case you haven’t figured it out by now, you are the product.
All of that painstakingly collected data that retailers, health care companies, government agencies and ad networks are mining so carefully to deliver products that you never knew you wanted is sitting in millions of databases scattered around the Internet. And of course, they’re being mined not just by the companies and organizations that own them, but also by attackers looking for data they can repackage for sale or use in highly targeted phishing attacks or other ventures.
The data revolution has been dream for attackers. Just as dot-com era start-ups engaged in a billion-dollar race to zero, building inane Web-based businesses before ever thinking about a business model, the current generation of data aggregators and warehousers have been gobbling up terabyte after terabyte of data with little thought given to the security of that information. Security is hard and it’s expensive and the savvy organizations know that while a data breach may be embarrassing, it’s a temporary distraction.
Consumers have proven to have quite a short memory on these events, and precious few have done any lasting damage to the businesses involved. And regulators and lawmakers have shown themselves to have no stomach whatsoever for punishment or meaningful sanctions. Far better then, for a business to go on collecting, mining and selling whatever data they can. No need to worry about consequences that may never surface.
For virtually all of human history, each of us has had nearly complete control over what the world knew of us. The changes of the last 10 years have altered that forever, and not for the good.