There are plenty of reasons to be outraged about the recent revelation that Alex Rodriguez tested positive for steroid use. But the one that gets me is this: Supposedly anonymous data, which was supposedly destroyed, has instead been splashed all over the newspapers.
Maybe you missed that particular angle. But to my mind it’s one worrisome symptom of a problem that’s about to get a whole lot worse: database privacy violations.
This could have serious implications for government initiatives such as the online health records programs.
Take another example: While not a data breach, the names, addresses and locations of donors supporting the passage of California’s Proposition 8 bill were posted on the Web, enabling opponents to send death threats.
Then there’s Google’s privacy policy: all information — including searches, online applications and e-mail sent to gmail accounts — is routinely data-mined.
Now there’s a school of thought that says that if you’re dong nothing wrong, you shouldn’t care about privacy. As then-Sun CEO Scott McNealy is reported to have said in 1999, “You have zero privacy anyway. Get over it.”
And you can argue that because steroid use is illegal, the political donations of over a certain amount are public information, and Google use is strictly voluntary, neither A-Rod nor the anti-8 donors nor Google users have anything to complain about.
That’s one way of looking at things, but it’s not the only one.
For example, the new stimulus package also includes funding for computerizing health records. On the surface, this sounds wonderful — effective online records could streamline healthcare delivery and reduce the chances for mistakes.
The catch? Although everyone agrees that privacy is essential in healthcare, the efforts of privacy advocates are overwhelmingly focused on controlling privacy at the application layer — ensuring that the wrong folks can’t gain access to records.
That’s pretty weak. I was speaking with the CISO at a major healthcare organization last week. This person paints a dark picture of what’s going to happen once the databases are connected, “Health information exchanges will almost certainly melt down.” Look forward to having your medical records — and those of your nearest and dearest — all over the Web.
The bottom line: Any time you connect databases together via the net, there’s a significant risk of privacy violations.
Why should IT executives care? For one thing, data center outsourcing is all about exposing databases. Make sure you fully understand the privacy policy not just of the outsourcer, but of the country in which you’re doing business. For instance, it’s pretty tricky to locate sites in the Far East with acceptable privacy policies.
And keep an eye on employees’ use of services such as Google and Facebook. Any corporate information sent to a Google account — or stored in a Google application — is essentially public.
Finally, don’t limit your privacy efforts to applications and networks. It’s all about the databases.