I used to deal with large quantities of data that were given to different agencies as part of data sharing for intelligence purposes. Seldom did the people receiving that data protect it as well as the originator, even though there were requirements to do so. We could complain; we could encourage better safeguards. But a common theme was a response somewhat like this: "When you gave that data to me, it became mine, and I decide how to protect it." As a practical matter, the owner of the data has to enforce requirements for protection or that statement becomes true.
Now comes a Motherboard story that describes how a third-party vendor was able to track a phone using data it got from a national carrier. The data had been sold twice and was in the hands of companies violating the privacy policy of the carrier. It could have been sold 10 times for all the carrier knew, each time to another vendor who had no data protection requirements or understanding of who owned that data.
The Federal government and the business community have allowed data protection policies to erode by sharing data under currently authorized procedures that are, in the words of Motherboard, unregulated. I'm wondering why it took a warrant to get this kind of data to track a terrorist when a third-party vendor can just buy the data and do the same thing. The carriers are playing both ends against the middle on this, requiring warrants before sharing data, but selling that data to third parties. Somehow, we can see the flaw in allowing that kind of policy to survive.