[ Features Index | Silicon Valley | Metroactive Home | Archives ]

Techsploits Who Moved My Data? By Annalee Newitz YOU'VE BEEN told a zillion times by now that it's a bad idea to give out your personal data online. But hell, we all do it. Those of us who are particularly wary tell ourselves that we're engaging in good data hygiene by checking the privacy policies of the companies who hold our email and financial records. We all know in the backs of our minds that privacy policies are just guidelines and not legally binding, but we put our faith in them. It's the same process that keeps us paying Social Security even though the government might spend all our hard-earned retirement money by the time we need it. Plus, who wants to keep track of all their own crap? It's nicer if g-mail can index all your mail, even if they fill it with ads. That's the kind of thinking that drove so many thousands of customers to a service called PayTrust, an online bill-management system that receives your bills and pays them—and balances your checkbook in the process. Instead of having a messy bill drawer full of tattered stubs, you can use PayTrust to keep all your records in neat little spreadsheets, easily accessed and searched on the web whenever you want. Although it's scary to imagine anyone who isn't you reading all your bills and paying them, for many people the trade-off is worth it. The hassle saved is worth the risk—and that risk, until recently, seemed minimal. PayTrust was the only entity that had access to their information, and they could sever their relationship with PayTrust and remove their data at any time. But then, a couple of weeks ago, PayTrust customers discovered that financial software giant Intuit had bought PayTrust and all of their personal information. One morning, PayTrust customers were confronted with a new log-in screen that told them that if they wanted access to the service, they had to click through Intuit's terms of service. Clicking through meant tacit acceptance of all Intuit's rules. And one of those rules had to do with a new privacy policy: Intuit reserves the right to share customer's transaction information with Intuit's "subsidiaries," all of whom have different privacy policies than Intuit. Suddenly, PayTrust wasn't quite so trustworthy. An unknown number of "subsidiaries" might have access to information about everything from customers' bank accounts and medical records to their preferred magazines and credit-card spending habits. PayTrust customers' information had been sold to Intuit without their consent and without notice—and in order to gain access to that information, they had to agree to these new, disturbing terms. It's like the textbook definition of a gross violation of privacy. And it sounds like grounds for a lawsuit to me. I hope those PayTrust clients have consumer class-action maven Ira Rothken's phone number on speed dial. More than that, though, the PayTrust debacle is a reminder to contemplate even the most heinous possibilities when considering whether to give up giant chunks of data online. Your "trusted" company could sell out tomorrow. And your "trusted" ISP might be employing one irritating little twit who's reading your email and who will decide one day that it's time to alert someone about what they've read there. Not only is it technically possible that such a twit could exist, but there are no laws against him or her looking at any communications taking place on their networks. As long as that data is "owned" by the network—the way your email is owned by Google or your bill payment records are owned by PayTrust—network operators are permitted to look at it. It may be illegal for them to disclose to anyone else what they find there, but what are the odds you'll find out when they do? Everybody always wants a tidy answer to the problems raised by data-sharing online. Of course, there isn't one—you give up your life's details and you take your chances. But if you're worried, don't tell people who you are online unless you absolutely have to. When The New York Times asks you to create an account, just lie. Register your website under a fake name. Sign up for email under my favorite moniker: Pseudo Nym. Make the data worthless. And ferchrissake, pay your own damn bills. Annalee Newitz ([email protected]) is a surly media nerd who sits down once a month with pen and paper and checkbook and goes analog on your ass. Send a letter to the editor about this story to letters@metronews.com. [ Silicon Valley | Metroactive Home | Archives ]