/ 5 May 2011

When bad things happen to good data

Your data is not safe. While you sit in that chair reading this article, you are sending tiny snippets of information about what you're reading.

Your data is not safe. Right now, while you sit in that chair reading this article, you are sending tiny snippets of information about what you’re reading, how long you’re reading it for and even how old your computer is. And if you store anything online — photos, documents, your credit card details — somewhere out there is a spotty 17-year-old hacker scheming about how to get hold of it. Time to panic, right?

Wrong. What’s truly extraordinary about the internet is how little of our data has been compromised over the years. As a planet we are generating it in the hundreds of petabytes (that’s a million gigabytes) every day of the year. This data is stored on hundreds of millions of servers, shepherded by armies of geeks.

But those armies are tiny by comparison with the legions of malice and thievery intent on getting hold of any and all useful (or even useless) data. Sony found that out to its detriment when, just before Easter weekend, it had to shut down its PlayStation Network (PSN) — an online gaming platform for its celebrated line of games consoles.

It soon emerged that nearly 77-million customer accounts had been compromised and that thousands of credit card details had probably been stolen. Sony only made matters worse by first delaying the announcement and then denying credit card details were at risk. Tell that to the Australian gamer who is now $2 000 in the red thanks to the hack.

As if that wasn’t bad enough, it appears Sony now has been hacked again, this time via its Sony Online Entertainment (SOE) network — another gaming platform. At least Sony appears to have learned its lesson and notified the world about the problem early, confirming that details of over 12 700 credit cards have been stolen.

But it denies that this is a second attack, claiming that the theft is part of the original intrusion to the PSN, which shares infrastructure with SOE (a fact, incidentally, that it had vehemently denied just a week ago).

Two solid facts have emerged from all this. First, Sony is not good at online security — at least not as good as it needs to be. Second, Sony is terrible at PR and disaster management. Denying your customers (and the press) information only makes things much worse, as does telling half truths.

Even when these global corporations can be trusted with our data — like hundreds of millions of us do with Apple — they still let us down by collecting data they shouldn’t. Late in April it emerged, in a forest of exclamation marks, that Apple had been “tracking” people for months via their iPhones.

The conspiracy theorists went into high gear, accusing Apple of collusion with shadowy government forces and general megalomania. The reality appears to be much more mundane. The iPhone collects the data to better allow the growing number of location-aware applications to be more useful to the phone’s owner. This includes things like making its built-in GPS system more accurate.

The fact that data has been stored on the phone since September 2010 seems to be as a result of an oversight. Apple has moved quickly to release a software update for the iPhone that clears out the data file regularly, and has denied that personal data was ever used to track its customers.

Should we believe Apple? Since it now makes more profit than Microsoft, I think it’s doing just fine without stealing its customer’s private data. And given how many hundreds of millions of credit cards it safeguards in its iTunes service, we should assume it knows a fair amount about its customers already.

Shrill commentators like to characterise these events as an “us versus them” battle between good, honest, ordinary folk and careless (or evil) mega-corporations. In reality it’s more like a messy compromise between our demand for convenience and the dizzying pace of innovation.

It would be much safer to never store credit card details online, but few customers are willing to enter their details every time they use a service. It would be nice to know that your iPhone never stored any private data about you, but that would mean turning off its email, web browsing and contacts features — not to mention thousands of apps that need personal details to function.

Yes, your data is not safe, but then life is inherently not safe. Giving your credit card details to Sony or Apple is about as safe as flying on a commercial airliner. Every now and again, one falls out of the sky. Yet we keep flying, since driving from Cape Town to Los Angeles is a bit of a schlep. And you can always choose to live off the grid, just as you can choose to avoid air travel.

Does that mean that Sony, Apple and their peers should be let off the hook? Absolutely not. They have a duty of care to all their customers, and should be held accountable for their mistakes. But we tend to impute malice too easily, and that makes it hard to separate honest mistakes from true misdeeds. Turning down the volume would make the whole debate a lot more productive.