For at least seven months last year, a hacker had access to T-Mobiles customer network. He is known to have accessed information belonging to 400 customers—names, Social Security numbers, voice mail messages, SMS messages, photos—and probably had the ability to access data belonging to any of T-Mobiles 16.3 million U.S. customers. But in its fervor to report on the security of cell phones, and T-Mobile in particular, the media missed the most important point of the story: The security of much of our data is not under our control.
This is new. A dozen years ago, if someone wanted to look through your mail, they would have had to break into your house. Now they can just break into your ISP. Ten years ago, your voice mail was on an answering machine in your house; now its on a computer owned by a telephone company. Your financial data is on Web sites protected only by passwords. The list of books you browse, and the books you buy, is stored in the computers of some online bookseller. Your affinity card allows your supermarket to know what food you like. Data that used to be under your direct control is now controlled by others.
We have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. T-Mobile suffered some bad press for its lousy security, nothing more. Itll spend some money improving its security, but itll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers.
This loss of control over our data has other effects, too. Our protections against police abuse have severely eroded. The courts have ruled that the police can search your data without a warrant, as long as that data is held by others. The police need a warrant to read the e-mail on your computer, but they dont need one to read it off the backup tapes at your ISP. The courts have affirmed many times that theres no reasonable expectation of privacy with regard to data held by third parties.
This isnt a technology problem; its a legal problem. The courts need to recognize that in the information age, virtual privacy and physical privacy dont have the same boundaries. We should be able to control our own data, regardless of where it is stored. We should be able to make decisions about the security and privacy of that data and have legal recourse should companies fail to honor those decisions. And just as the Supreme Court eventually ruled that tapping a telephone was a Fourth Amendment search, requiring a warrant—even though it occurred at the phone company switching office—the Supreme Court must recognize that reading e-mail at an ISP is no different.
Bruce Schneier is chief technology officer of Counterpane Internet Security Inc. Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to firstname.lastname@example.org.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.