Insiders Debate Chances of Big Personal Data Spill

Ask companies tracking information on online users about personal data privacy, and you’re bound to hear them rattle off the term “Non-PII” in a matter of seconds. Because most of these online data trackers gather only non-personally-identifiable information, they insist Web users are safe from privacy breaches, even if the information collected through their systems is exposed. Some wonder, however, about the chances of these non-PII data being paired with personal information and exploited through Web-based applications, spyware, or sheer neglect.

One of the biggest threats to online privacy “is the ability to link data on everyone in a behavioral targeting database with personal information about the user,” said Dr. Larry Ponemon, founder and chairman of The Ponemon Institute, a research and consulting outfit that provides guidance to third-party technology companies on improving data privacy and security.

Ponemon said he’s seen some spyware applications capable of matching personal information to data stored in a cookie. Many tracking and ad targeting technologies employ cookies placed on user’s computers to pick up data on their online interactions.

“At the end of the day non-PII is not necessarily secure,” he said, adding there is “definitely” a threat of a significant personal data spill in the online ad technology world.

“If [non-PII] data is spilled, will someone be able to put the parts together and expose somebody?” said Richard Purcell, CEO of Corporate Privacy Group, pointing to AOL’s publication in August of search data found to reveal personally-identifiable information when inspected. The incident, he continued, “gives us a pretty clear indication that people can be identified through non-PII information.”

Roy Shkedi, founder and CEO of behavioral targeting firm AlmondNet agrees there’s a potential for a major personal data leak affecting businesses like his. “Will I be touched? The answer is definitely ‘yes,’ ” said Shkedi. “If there is some company out there that does something bad it could impact the entire industry.”
Shkedi isn’t worried about the vulnerability of the data AlmondNet collects and stores on cookies placed on tens of millions of users’ machines. Not only does the technology discard information of “no commercial value,” Shkedi said the cookies are impenetrable because they’re encrypted.

He also questions the likelihood spyware would be created to decrypt information stored in cookies when it could more easily tap into information warehoused in a user’s Outlook files or elsewhere on the hard drive.
Realizing privacy concerns of Web users, the targeting firm allows them to easily opt-out of its tracking and targeting system; it also brands all the ads it serves, linking them to a page explaining what the technology does. “I’m not waiting for the blow out,” said Shkedi. “The reason I do it is I want to wake up in the morning and look in the mirror and feel good about myself.”

Behavioral targeting company Tacoda has also begun serving ads to users explaining the purpose of its technology and linking to an opt-out page. “When it comes out that some company violated the law…we want to make sure people know Tacoda is different,” said the firm’s Chairman Dave Morgan. He told ClickZ News last week he expects a “blow up” over privacy concerns to hit the behavioral targeting industry.
Alan Chapell, president of privacy consulting firm Chapell and Associates, noted enhancing notice and choice for consumers doesn’t put companies collecting online user data at less risk of data breach. “My experience in the industry is that there are significant procedural, methodological and operational flaws that create security risks, and I think you can make that statement in many instances.”

According to Morgan, the information gleaned by Tacoda is stored by its site publisher partners. He worries about the potential for seemingly-benign applications such as the ones allowing users to alter the background images of their MySpace pages, to facilitate a breach of personal data. Such applications, he believes, can scrape personal data from social networking site pages. “What would happen if that was all made very public? I don’t think people would like it,” he said.

“Pairing [personal data] with stuff that’s in our data warehouse that would be extraordinarily difficult, and I mean that in the Japanese sense: it would be impossible,” said Bill Gossman, CEO of behavioral targeting firm Revenue Science. Cookies the company places on user’s computers have identifiers that are linked to one or more associated identifiers, creating multiple barriers between the cookie and the data stored on a user.

“If there is a [personal data spill], there will be a significant legal challenge to the amount of data that is being retained,” said Corporate Privacy Group’s Purcell, who thinks many companies hold on to too much consumer data for too long. Some firms “don’t know why they need it; they just know they might need it someday,” he added.

The idea that companies store a surfeit of data for an excessive period of time is “a fallacy,” said Jim Sterne, president of Web marketing consultancy Target Marketing and president of the Web Analytics Association. “The fact I can keep track of you on my Web site doesn’t instantly mean I will use [your data] for nefarious purposes,” he continued.

Consultant Ponemon sees the good, the bad and the ugly at firms he’s counseled on data privacy and security. “Some companies realize that their entire company is at stake and take it seriously,” he said. “But I’ve also seen operations where a lot of the data [storage] has been like the equivalent of a sweatshop operation.”