A catastrophic leak at a major data-gathering organization could have an impact as profound as any oil spill
Imagine you’re head of a company whose stock in trade is mining one of the world’s most valuable resources. You’ve just struck a rich new cache. The potential for profit is huge. Then, all of a sudden, disaster strikes. Maybe your equipment failed. Maybe your technology had some unforeseen flaw. Maybe it was human error. Whatever the cause, in an instant that promising new profit center has become a liability, and what was once a valuable commodity has become a dangerous contaminant, gushing out of your control at an alarming rate. The collateral damage will be huge, and the effects of the leak will linger for years to come.
It’s a nightmare scenario to keep oil executives up at night, particularly in the wake of the April 20 explosion at BP’s Deepwater Horizon platform in the Gulf of Mexico. BP has yet to gain control of that underwater gusher, and the eventual cost — in terms both economic and environmental — is incalculable.
But oil isn’t the only industry whose execs should be losing sleep. We refer to modern American society as an “information economy,” and rightly so. Google has built a fortune harvesting “the world’s information,” and competitors — including Facebook, MySpace, and Microsoft — all seek to do the same. Increasingly there is value in data, and the digital revolution has made it possible to amass vast data sets like no other time in history.
Yet data, like oil, is dangerous. Even seemingly benign applications of data mining can have broad implications for personal privacy. Should the owners of these new data stores lose control of their assets, in the wrong hands they could have profound impact on the economy and society at large. Unfortunately, the lure of potential profits in the information economy, combined with the apparent ease with which data can be gathered and a lack of regulation, creates a climate of recklessness in which a “data spill” of the scale of the Deepwater Horizon incident seems not just likely, but inevitable.
There will be bits
In the weeks since news of BP’s oil catastrophe developed, both Facebook and Google have come under fire for their data management practices. Facebook faces a lawsuit filed by the Electronic Privacy Information Center (EPIC) and 14 other consumer protection groups that alleges that the company’s ever-shifting privacy policies violate user expectations and may constitute deceptive trade practices. Google, on the other hand, was called to task for snooping packets from unsecured Wi-Fi networks as its Google Street View mapping trucks rolled through neighborhoods; it now also faces a class-action lawsuit.
In a sense, each of these incidents is the opposite of a data leak. They’re more the digital equivalent of slant drilling, in which overambitious companies grab more than they’re entitled to. Google’s meek apology was that it had been unaware of the extent of its wireless data-gathering and that none of the data was used in Google products. But whether or not Google’s ignorance of its actions and their potential consequences is feigned, it is still evidence that today’s information-gathering behemoths may not have such tight control over their data stockpiles as they’d like us to believe.
Even more troubling are the attitudes exhibited by these companies’ leaders. Google CEO Eric Schmidt once cavalierly dismissed users’ privacy concerns, saying, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” And while 26-year-old Facebook CEO Mark Zuckerberg has publicly rationalized the issue, claiming “people have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people,” in private he has been considerably more blunt. In an IM exchange, a 19-year-old Zuckerberg described the users who had trusted his service with their emails, pictures, and addresses as “dumb fucks.”
These men’s casual indifference to the concerns of the public is reminiscent of the robber barons of old. John D. Rockefeller once said, “Next to doing the right thing, the most important thing is to let people know you’re doing the right thing.” Yet no matter how much Schmidt and Zuckerberg insist the public are content to accept privacy on Google and Facebook’s terms, growing public outcry over these companies’ practices says otherwise. As their hunger for more data leads them to search ever farther and drill ever deeper, it seems only a matter of time before something goes wrong.
Disaster waiting to happen?
Just how likely is it that one of these companies could experience a data leak on the scale of a Gulf oil disaster in the near future? As we’ve seen in recent years, online security remains far from perfect. Security service provider Veracode claims nearly 60 percent of applications fail its first-round security tests, and there’s little reason to exclude social networks. According to one study, social networking companies have an 82 percent chance of having “unresolved high, critical, or urgent flaws” in their Websites.
In fact, leaks have already happened. In January, Google mistakenly emailed potentially sensitive business data to customers of its Local Business Center service. In April, VeriSign’s iDefense division reported that someone calling himself Kirllos was offering 1.5 million Facebook accounts and passwords for sale on an underground hacking forum. It seems that, as in the oil business, a certain amount of leakage is a fact of life for data-centric businesses.
So far these incidents seem relatively minor, owing in large part to their limited scope and the nature of the data that was leaked. But as companies gather ever more individually identifiable data and cross-reference these databases in new and more innovative ways, the potential for a major catastrophe grows. And just as it would be impossible to present BP with a bill to account for the full environmental impact of the Deepwater Horizon disaster, the true cost of a major data leak would be hard to gauge. The economic impact of identity theft, phishing, fraud, and corporate espionage often goes unreported and, thus, unaccounted for. Yet for the individuals and businesses affected, the damage can be profound and long-lasting.
Some analysts argue that because of the potential liability a major leak would incur, data-centric businesses will naturally make security a priority. Sure enough, Facebook says it is beefing up its security through a combination of technological and legal measures. But as long as these companies see their databases as core business assets, both for internal use and to hire out to others, there is always potential for data to leak into the wrong hands. Last week, a characteristically glib Eric Schmidt told attendees of Google’s annual Zeitgeist Forum in Europe that “what really matters is actual harm,” not the potential for harm. The question is, who gets to define what is harmful and what is legitimate business practice?
So far, government has declined to take on that role. Tech companies have shown a remarkable ability to dodge regulation in the United States, and Europe’s attempts to reign in Google’s data-gathering practices seem largely toothless. That raises the unpleasant prospect that government and the public will likely be left holding the bag after a major data leak occurs — and, as in the case of the Gulf oil disaster, there may be little they can do to mitigate the damage.