Privacy discussion overdue

Eye on the Carriers By Johna Till Johnson, Network World, 08/28/06

No doubt about it, AOL screwed up big time. The company's online posting of consumer search records resulted in the Electronic Frontier Foundation and the World Privacy Forum filing separate complaints with the U.S. Federal Trade Commission. And AOL recently fired the CTO and two other employees for causing the breach.

But AOL's loss could ultimately prove to be good news for the rest of us - if the screw-up serves to launch a wholesale, nationwide review of provider privacy policies. Such a discussion is long overdue.

The problem, as I've mentioned before, is that there's no consistent definition of what comprises confidential information. Nor do we have a consensus on the circumstances under which it should be revealed, and to whom.

As a consequence, providers are going soft on privacy. Take AT&T: Earlier this summer, the company reworked its privacy policy. It now reserves the right to disclose its business records - including contact data (customer name, address, phone number and e-mail address), transactions (online purchases and possibly even searches), service charges, the hardware and software used, and Social Security numbers and/or credit card information, passwords and user names.

Under what circumstances can this be disclosed? Basically, whenever AT&T feels like it. Specifically, the company says it will disclose this information in order to protect its legitimate business interests, safeguard others or respond to legal process.

I don't know about you, but that doesn't sound like a privacy policy to me - more like an exposure policy. There are those who say privacy's an outdated right in this era of airplane bombers and terrorist conspiracies, and only evildoers keep secrets. (Hey guys: How about we post your prescription for hemorrhoid cream on the bulletin board at work? Hmm, didn't think so.)

Here's the thing. Insisting on a consistent definition of privacy doesn't necessarily entail handing the country over to Osama Bin Laden on a silver platter.

We need to rationalize the current patchwork quilt of laws and policies to establish three things:

1. What information is considered confidential? (Searches? VoIP calls? E-mails? Account information? Calling patterns?)
2. Under what circumstances can this data be revealed to third parties, including government agencies?
3. What is the legal process required to authorize a provider to reveal this information?

Today, tapping voice calls requires warrants, but tapping VoIP calls doesn't. That's nuts unless the goal is to keep terrorists, pedophiles and the Mafia on rotary phones. And as we all know, the courts are hotly debating whether or not warrants are required for calling-pattern analysis.

With all due respect to the judicial branch, this is something that legislators - not judges - ought to be sorting out. So here's my suggestion: Citizens, write your lawmakers demanding that they put a full discussion of privacy on the docket starting this fall. Vote your beliefs. And hold your providers fully accountable for having a real privacy policy.

The alternative? Get used to reading your (and your company's) confidential data on the Web.