Shostack + Friends Blog Archive


The Open Society Paradox: Companies Have Privacy, You Don't

For those who, during the ChoicePoint outcry, (see Secondary Screening) were critical of me for not supporting a notification law for companies who maintain databases of personal information I point you to a couple of facts. First, today’s news that tapes with the sensitive data of 4 million Americans are missing is just the latest in a huge string of cases of data being stolen from companies. When do we get to a point when these notifications cover so many millions of Americans and happen so frequently that people ignore them and therefore don’t justify the cost of a notification law?

So writes Dennis Bailey in “Notification Nonsense.” But what he doesn’t explain is why someone in favor of openness would favor allowing companies to make these mistakes in private. With greater openness, consumers could better judge what companies they want to patronize. So why oppose openness here?

4 comments on "The Open Society Paradox: Companies Have Privacy, You Don't"

  • “don’t justify the cost of a notification law”
    What are the social costs of a notification law? Does it trigger any innefficiencies at all?
    If people ignore notices of lost data (and it’s not clear what the most cost-effective thing to do upon recieving notice is) then notification at least imposes a (small) cost on the company. It also establishes a record to track truly irresponsible firms for [reputation/market signaling/liability] reasons.
    In fact, the only potential social cost I can come up with is that widespread notice might tempt some judge to establish lower standards in a civil action.

  • Adam says:

    I believe he’s talking about a fiscal cost, not a social one.

  • matt b says:

    Perhaps notification should be “pull” rather than “push”, like filing for a credit report (“privacy report”?). However, instances where there is evidence that personal information has been maliciously used should definitely require notification.
    I completely agree that receiving enough of these would make anyone either aloof or overly paranoid.

  • I appreciate Emergent Chaos trying to make sure I’m consistent in my positions by pointing out that opposing notification laws seems to represent an anti-openness view.
    For one, we both come from different starting points. Just as the courts have pointed out, I believe that once your personal information is given to a third party, you no longer have control over it.
    Even if you had some say over it, as some specific laws have been written to allow to happen (e.g., GLBA) I believe that security measures are ultimately going to fail and information is going to make its way into the hands of thieves as long as it is valuable.
    Lastly, since personal information isn’t just controlled by a few large data aggregators, but thousands of companies in this country and many more overseas, any effort to secure or control (regulate) information will never be comprehensive enough or even possible.
    With all that said, I believe that the notification law would be a costly regulation that would provide very little value in solving the identity theft problem. For this I quote Bruce Schneier:
    “As more of these events occur, the press is less likely to report them. When there’s less noise in the press, there’s less public shaming. And when there’s less public shaming, the amount of money companies are willing to spend to avoid it goes down.”
    “This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won’t be reported.”
    “The notification of individuals also has an attenuation effect. I know people in California who have a dozen notices about the loss of their personal data. When no identity theft follows, people start believing that it isn’t really a problem.”

Comments are closed.