Is It Impossible to Protect Your Privacy?

Individuals might treasure their personal data like Social Security and credit-card numbers, but identity thieves can buy them cheap and in bulk online.

Credit-card numbers can now go for as little as 40 cents each. A matching name, Social Security number, address, and date of birth cost just $2.00, according to security experts.

Even as the incidences of identity theft reach record highs, the government and private institutions continue to collect record amounts of personal, private data.

And despite all of the rules, regulations, and software innovations in place to ensure that information doesn't fall into the wrong hands, it does, and regularly.

In just the past month, State Department employees were disciplined for snooping through presidential candidates' passport files, and hospital workers have been charged with selling the personal information of tens of thousands of patients as well as rifling through the patient records of top stars. And in Hollywood a private detective to the stars is accused of bribing police and telephone company officials so he could scour their confidential databases.

Then there's the Internal Revenue Service. A week before tax day, its inspector general warned that the computer systems that contain the private tax returns of every taxpayer in America are vulnerable to disgruntled employees and hackers.

The problem, say security experts, is that the world's ability to collect data has far outstripped its ability to protect it.

"Lots of organizations and institutions, governmental and private both, are really good at collecting data, but don't have the practices and technologies in place to make sure [they're] well housed and secure," says Jim Harper, a security expert at the libertarian CATO Institute in Washington. "That's why people are able to dip into databases they shouldn't dip into."

So what's a privacy-conscious person to do? Cut up all credit cards and use just cash? Forgo a passport and foreign travel?

"The only real protection the public can have in this arena is to deny the government the information in the first place," says Tim Sparapani, senior legislative counsel at the American Civil Liberties Union. "Despite all of the bells and whistles, the government has proven itself to be miserably poor at controlling and limiting access to the information that it's gathered about the public."

It's not that the government doesn't try. There are reams of regulations that people with access to confidential information are sworn to follow. Agencies such as the Department of Homeland Security have their own privacy offices that spawn their own committees which study and address both the regulatory and technological ways of protecting all the information that government has in its databases.

But as history has shown, there are the genuinely malicious among us, and even the most meticulous people can err. The recent dust-up over contract employees peering into the passport files of the presidential contenders was blamed on "imprudent curiosity."

Still, two workers were fired and another was disciplined. The inspector general of the State Department is investigating the incidents. It includes a thorough "review of the internal control processes and other aspects of managing the passport data," according to a spokesman for the inspector general. That should be completed by the end of May.

In the meantime, privacy experts like Mr. Harper see a "glimmer" of hope in the incident. First, that it was discovered, since many such incidents go unnoticed, security experts say. Second, that the State Department had digital "flags" on the files of prominent people that alerted superiors when their data were accessed by an unauthorized person.

Harper says such "flags" should be on everyone's files, not just those of important people, so that the government can keep an accurate record, called an "audit log" on the files. "That's a very small, but important, protection, and … it will be recognized soon enough as standard operating procedure," he says. "If you hold personally identifiable data, then you'll have audit logs so you can have records of who accessed it and when."