March 21, 2008 at 5:13 PM ET
If you think the State Department passport privacy debacle is an oddity, it isn’t. Data voyeurism is actually a sign of the times. Low-level employees at government agencies and private companies browse personal information for sport all the time. Outside of the occasional public flogging, little has been done to stop this unnerving practice.
It now appears no candidate will win extra sympathy points for the passport privacy invasion at the State Department, because all of them have been victims. It's too early to know if any of the culprits saw data that could have hurt any of the candidates politically, but that matters little. In fact, let's give all those involved the benefit of the doubt, and say this was merely a database joy ride. The real question is this:
If the State Department can't protect presidential candidates' personal information, how can anyone protect ours?
Data voyeurism stories can be found across the news spectrum. Hospital workers caught browsing celebrities' medical records; cops caught checking out cute women by running their license plate numbers. Computer security expert Avivah Litan, a consultant at Gartner, said most firms don't go to great lengths to keep employees away from such data.
"When I saw this article the first thing that crossed my mind was that this kind of thing happens all the time," she said. "It's not uncommon at all kinds of organizations. It brings up the question of how private our data is. It's not."
Didn't need the data
The State Department incident could have been something much more serious than a computerized peep show. These data thieves could have been looking for information, like Social Security numbers, to commit identity theft. Identity thieves often begin their crimes by obtaining data stolen by employees. One study conducted several years ago by Michigan State University researcher Judy Collins found that in most cases of ID theft traced to an employee, that the employee did not need access to the victim's data to do his or her job.
In other words, there were lax or no internal controls.
Privacy consultant Larry Ponemon recently completed a survey of security professionals about the lack of internal data controls, and his results were alarming: 78 percent said employees at their company have too much access to data, and 69 percent said access rules were poorly enforced. The longer an employee stays at a firm and changes jobs, and the more often that firm changes systems, the more difficult it is manage database access rules.
“Even at the most sophisticated companies, identity management is often an Achilles' heel,” he said.
Litan says things don't have to work this way. Employees' access to databases with personal information should be strictly limited. Instead, many workers have blanket permission to look at everything.
"It's called identity access management, or access controls,” she said. “No one has to see that information unless they have privileged access."
Either the State Department had no such access rules to data belonging to Sens. Barack Obama, Hillary Clinton and John McCain – which would be crazy, since they are surrounded every day by men in black suits sporting concealed weapons and wireless ear pieces -- or someone with high-access privileges was involved in the data snooping. Both prospects are disturbing. And both could easily happen to you.
Now, which candidate will be the first to support a new, comprehensive privacy law?