Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2019
Roger Clarke
Revision of 24 March 2007, small rev. 15 June 2007
This page was originally developed as supporting material for:
Clarke R. (2006) 'Make Privacy a Strategic Factor - The Why and the How' Cutter IT Journal 19, 11 (October 2006) 26-31
© Xamax Consultancy Pty Ltd, 2006-07
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/DV/PrivCorp-0609.html
Handling privacy badly can do a corporation damage. This page provides several vignettes, showing instances of negative impacts on corporations resulting from bad behaviour.
In April 1990, the then very successful Lotus Corp., in a joint venture with Equifax, developed a product called Lotus MarketPlace: Households - a CD-ROM containing a vast array of consumer data. Consumer protest killed it in January 1991 (Culnan 1991, Culnan & Smith 1995, Gurak 1997).
In 1999, Intel announced that it would include a unique Processor Serial Number (PSN) in its new generation of chips. The PSN's stated purposes included identifying eCommerce customers.
A campaign was quickly mounted by the Electronic Privacy Information Center (EPIC), JunkBusters and Privacy International. Spoofing Intel's 'Intel Inside' advertising campaign, it used the slogan 'Big Brother Inside'.
The company released some batches of chips into the field, but resistance grew even stronger, and much broader, even including the Chinese Government (Guangming 1999). In April 2000, the company announced that it was dropping the feature (McCullagh 2000).
Doubleclick's stock price suffered badly following revelations about its privacy-invasive practices. It was forced to abandon its plans to consolidate personal data with the clickstream data it collected online, surreptitiously and without consent (Fields & Cohen 2003).
Pharmaceutical company Eli Lilly manufactures the anti-depressant medication Prozac. On 27 July 2001, an auto-generated e-mail message included all of the recipients' e-mail addresses within the To: line of the message, thereby disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.
The blunder attracted media attention out of all apparent proportion to its small scale, because of the extreme sensitivity of the information disclosed. An ACLU complaint forced the FTC to find against the company (FTC 2002a).
As Microsoft sought to hold off gathering storms surrounding the insecurity of Windows and Office, EPIC and others forced the FTC's hand in relation to another set of the company's products.
The company was found by the FTC to have falsely represented that it employed adequate security measures in relation to its Passport and Passport Wallet services (FTC 2002b).
On 12 March 2003, Benetton and Philips Electronics jointly announced that RFID chips were to be installed in Benetton's Sisley clothing line. RFID tags enable tracking not only along the supply chain (which all parties are enthusiastic about), but also in and beyond the retail outlet (RFID 2003; both Benetton and Philips appear to have later withdrawn the Media Release from their sites).
The consumer action group, CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), immediately launched a Boycott Benetton campaign. On 4 April 2003, Benetton publicly retreated from its plans (Batista 2003).
"In October 2004, ChoicePoint, an Atlanta-based data services provider, discovered it mistakenly issued user accounts to Nigerians posing as a legitimate small business. The scammers potentially gained access to some 140,000 consumer records in ChoicePoint's system. ...
"By February 2005, ChoicePoint's name was splattered across the press in the first of many -- and more serious -- breaches to be revealed under newly adopted state disclosure laws. ...
"The market cap of ChoicePoint ... dropped 22% in the ensuing three months ... Until then, ChoicePoint had been growing its business at a healthy rate of more than 10% a year, but suddenly it became a household term associated with identity theft." ... (all above quotes from Gartner 2006).
A review of the debacle, written for corporate executives such as Chief Information Security Officers, is in Scalet (2005). The company was allowed to settle its liabilities at federal level with $US 15 million in penalties (FTC 2006). A later settlement with the States added a further $0.5 million to the penalties - although the legal costs would have been higher than that of course, and the negative publicity much more significant.
The impact was not felt only by the company concerned: "The U.S. Congress convened hearings on the data brokerage and credit industry's practices in managing sensitive customer data." (Gartner 2006)
To date Google has successfully exploited its status as a successful investment and its 'do no evil' mantra as shields against sceptical questioning from journalists. The honeymoon won't last forever.
In 2006, senior executives of Hewlett-Packard were deeply implicated in "questionable, and perhaps illegal, subterfuge to obtain phone records of [its own] directors and journalists". It resulted in a U.S. House of Representative Committee writing a letter to the company expressing serious concern about the company using pretexting and data brokers, and initiating Hearings (HoR 2006).
This led to the early departure of the CEO, and forced the company to issue "a statement full of apologies and attempts to restore good relations" (Darlin 2006).
The affair added further fuel to the blaze of publicity about the lack of credibility of the Boards and senior executives of major American corporations. And the inability of the courts to enforce criminal charges undermined the credibility of the law. But HP still paid the state of California $14.5 million in penalties.
Faced with an ongoing consumer revolt over unsolicited telephone calls, the US Congress finally passed the Do-Not-Call Implementation Act in March 2003. By the end of the first month of operation in October 2003, over 50 million numbers had been signed up with the US National Do-Not-Call Register, in the expectation that this would prevent marketing calls. That count more than doubled by the end of 2005. Surveys suggest about 75% of the US private subscriber base has registered.
Some segments of business have made strenuous attempts to have the legislation overturned (but it was found by the courts to be constitutional), and to create loopholes in the Act (so far without success).
As early as November 2003, the FCC proposed to fine AT&T $780,000 for calls to 29 consumers on 78 separate occasions after those consumers had requested that AT&T not call them again (FCC 2003). Miscreants during 2004-05 included American Express, and Dynasty Mortgage which committed 70 violations @ $11,000 each (FCC 2007).
During 2006, DirecTV, a major supplier of satellite TV, was fined $100,000; a commercial book club, a Doubleday affiliate, forfeited $680,000; and Credit Foundation of America paid nearly $1 million for making deceptive prerecorded calls (Smith 2007).
Regulatory action is hotting up in spam and spyware as well, with the FTC forcing companies that install spyware on unsuspecting users' computers to forfeit more than $6.5 million (Smith 2007).
The UK Financial Services Authority (FSA) fined Nationwide Building Society £980,000 "for failing to have effective systems and controls to manage its information security risks. The failings came to light following the theft of a laptop from a Nationwide employee's home last year" (FSA 2007).
In the early 2000s, there was a long succession of media stories about leaks of personal data from company databases, primarily in the USA. For one example, see ChoicePoint above. Many involved credit-card details and other data useful for identity fraud. The US Government added fuel to that particular fire by referring to the risks as being to 'identity theft' (whose consequences are severe, but which is uncommon) rather than 'identity fraud' (which has been commonplace for years, long before the Internet, and indeed long before the intrinsically insecure credit-card facility was invented).
There is evidence that these breaches impact share prices, although usually less spectacularly than occurred with ChoicePoint (Campbell et al. 2003, Telang & Wattal 2005, Acquisti et al. 2006). Despite that evidence, however, many corporations and industry associations fail to take appropriate actions to improve the security of personal data.
The Californian legislature responded in 2003, by passing a Security Breach Notification Law (originally SB 1386, which can be found in California Civil Code Sections 1798.29 and 1798.82). This requires that California consumers be notified when sensitive personal data about them is illegitimately obtained from a server or database (Givens 2003).
"To September 2006, ..., 34 states have passed information breach notification laws similar to California's" (Gartner 2006). The ripple effect has not been restricted to the USA, with the Australian Privacy Commissioner announcing that she was recommending that such a law be passed in Australia (Miller 2006).
Acquisti A., Friedman A. & Telang R. (2006) 'Is There a Cost to Privacy Breaches? An Event Study' Proc. Fifth Workshop on the Economics of Information Security, 2006, Cambridge, UK, at http://weis2006.econinfosec.org/docs/40.pdf
Batista E. (2003) ''Step Back' for Wireless ID Tech?' Wired News, 8 April 2003, at http://www.wired.com/news/wireless/0,1382,58385,00.html
California Civil Code Sections 1798.29 and 1798.82, Available from http://www.leginfo.ca.gov/calaw.html
Campbell K., Gordon L., Loeb M. & Zhou L. (2003) 'The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market' Journal of Computer Security 11, 3 (Mar 2003) 431-448
Clarke R. (2006) 'Google's Gauntlets' Computer Law & Security Report 22, 4 (July-August 2006) 287-297, at http://www.rogerclarke.com/II/Gurgle0604.html
Culnan M.J. (1991) 'The Lessons of the Lotus MarketPlace: Implications for Consumer Privacy in the 1990's' Proc. 1st Conf. on Computers, Privacy and Freedom, Computing Professionals for Social Responsibility, 1991, at http://www.cpsr.org/prevsite/conferences/cfp91/culnan.html
Culnan M.J. & Smith H.J. (1995) 'Lotus Marketplace: Households...Managing Information Privacy Concerns' in Johnson D.G. & Nissenbaum H. (Eds.) 'Computer Ethics and Social Values', Prentice Hall, 1995
Darlin D. (2006) 'Embattled H.P. Chairwoman to Step Down' The New York Times, 12 September 2006, at http://www.nytimes.com/2006/09/12/business/13hewlettcnd.html?ei=5087&en=f932c7413ca7c72d&ex=1173672000&adxnnl=1&adxnnlx=1158090415-IwqEQTFE8ny1LUZfmgqV1A&excamp=GGBUhpnews
FCC (2007) 'Annual Report on the National Do-Not-Call Registry - 2005' Federal Communications Commission, January 2007, at http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-07-279A1.pdf
Fields T.D. & Cohen J. (2003) 'Case Study: Doubleclick Inc.' Harvard Business School Case Study 9-103-016, 2003
FSA (2007) 'FSA fines Nationwide £980,000 for information security lapses', Financial Services Authority, London, FSA/PN/021/2007, 14 February 2007, at http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml
FTC (2002a) 'Eli Lilly Settles FTC Charges Concerning Security Breach' Federal Trade Commission, 18 January 2002, at http://www.ftc.gov/opa/2002/01/elililly.htm
FTC (2002b) 'Microsoft Settles FTC Charges Alleging False Security and Privacy Promises' Federal Trade Commission, 8 August 2002, at http://www.ftc.gov/opa/2002/08/microsoft.htm
FTC (2006) 'ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress' Federal Trade Commission, 26 January 2006, at http://www.ftc.gov/opa/2006/01/choicepoint.htm
Gartner (2006) 'Case Study: ChoicePoint Incident Leads to Improved Security, Others Must Follow' Gartner G001142771, 19 September 2006
Givens B. (2003) 'California Security Breach Notification Law Goes into Effect July 1, 2003' Privacy Rights Clearinghouse, 23 June 2003, at http://www.privacyrights.org/ar/SecurityBreach.htm
Guangming (1999) 'Ministry of Information Industry (MII) Advises Government Agencies on Prudent Use of PIII' Guangming Daily, 30 June 1999, at http://jya.com/cn-p3-peril.htm
Gurak L.J. (1997) 'Persuasion and Privacy in Cyberspace : The Online Protests over Lotus Marketplace and the Clipper Chip' Yale University Press, 1997
HoR (2006) Letter to Hewlett-Packard, Committee on Energy and Commerce, U.S. House of Representatives, 11 September 2006, at http://www.nytimes.com/packages/pdf/business/20060913_HEWLETT/HPLetter.pdf
McCullagh D. (2000) 'Intel Nixes Chip-Tracking ID' Wired News, 27 April 2000, at http://www.wired.com/news/politics/0,1283,35950,00.html
Miller N. (2006) 'Data leaks under review' The Sydney Morning Herald, Next Section, 8 August 2006, at http://www.smh.com.au/news/security/data-leaks-under-review/2006/08/07/1154802814975.html
PRC (2004) 'Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail' Privacy Rights Clearinghouse, 6 April 2004, at http://www.privacyrights.org/ar/GmailLetter.htm
RFID (2003) '' RFID Journal, 12 March 2003, at http://www.rfidjournal.com/article/articleprint/344/-1/1/%20
Scalet S.D. (2005) 'The Five Most Shocking Things About the ChoicePoint Debacle' CSO, May 2005, at http://www.csoonline.com/read/050105/choicepoint.html
Smith R.E. (2007) 'FTC Says It's Gonna Cost Ya', Forbes Commentary, 20 March 2007, at http://www.forbes.com/opinions/2007/03/19/ftc-privacy-fines-oped-cx_res_0320privacy.html
Telang R. & Wattal S. (2005) 'Impact of Software Vulnerability Announcements on the Market Value of Software Vendors -- an Empirical Investigation' Proc. Fourth Workshop on the Economics of Information Security, 2005, Cambridge, MA, at http://infosecon.net/workshop/pdf/telang_wattal.pdf
Thanks to Ari Schwarz at CDT in Washington DC, Lee Bygrave in Oslo, Anna Johnston in Sydney, Beth Givens in San Diego, Jason Catlett in New York, Mary Culnan in Boston, Ross Anderson in Cambridge UK, Stephan Engberg in Copenhagen, Robert Ellis Smith of Privacy Journal in Providence RI, and to you for sending me additional leads and references.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.
Created: 27 September 2006 - Last Amended: 15 June 2007 by Roger Clarke - Site Last Verified: 15 February 2009