The two main issues with database privacy are the actual security of
the database itself and the legal and ethical implications of what can/should
be stored on the databases in the first place.
When a carder by the handle "Maxus" broke into CD Universe's database records
and gained access to over 250,000 credit card numbers from customers (link),
the first thing everyone wanted to know was HOW. A single lapse in database
security can doom an e-company to almost immediate failure and yet it seems
we hear about events such as this happening all the time.
Database Security is integral in keeping our information private, regardless
of who is maintaining the database itself. By far the most common break
in security is the presence of plain-text log and/or data files on public
web servers. The solution to this problem is relatively simple, either
don't keep logs or use encryption. While encryption
is beyond the scope of this topic, it can be used to effectively hinder
the efforts of wouldbe cyber criminals. Another critical area that must
be monitored are the administrators and users of the database. As in this
case where a DEA Agent
was found to have been selling information to various parties, all the
encryption and frontend security means nothing if any user can have unchecked
access to sensitive information. Keeping a checks and balances system on
the users and administrators much the way a bank keeps tabs on its tellers
is a necessary and effective means to keeping information safe and private.
The other and much more publicized area of database privacy is in the content
that is availible for public use. This is divided up into two areas, data
driven for marketing, and data driven for public records.
The first people to take unfair advantage of technology in business are
a company can find and archive to their databases loads of personal information
about the visitors to their companies and or client's websites. This is
where the waters get muddy, because often the users have no idea that their
identities, habits and buying records are being recorded and stored. The
real problems with this come when these companies, in an attempt to add
extra sources of revenue, start to sell this information to other companies.
This is what happened in the cases of Verisign
(formerly Network Solutions) and even moreso with the DoubleClick
corporation. The nail in the coffin that makes this entire practice so
upsetting and angering to the average Joe, is the extreme difficulty in
being "opted out" of inclusion into these databases. Also getting removed
from any lists a user has been added to can be a wild goose chase of neverending
Just by spending a few minutes and possibly a few dollars on sites like
peoplefind one can get to nearly
anyone in the US and abroad. The ease with which a malicious person can
assume someone's identity both online and in real life can be startling.
Most people don't even realize that their names, home telephone numbers
and home addresses are already probably populated on several public records
search databases across the web. Often times the reason it is so easy to
find information is not the fault of the subject of the search. Companies
often use very powerful information as the key to customer records, such
as a person's social security number or the use of a drivers license number.
All of this information once obtained can be used quickly and often unchecked
to assume the identity of a person. A hacker by the name Kevin Mitnick
has written several articles on the ease with which one can obtain all
the details of a person's life from public online databases (The Register).