Who Moved My Data?
You've been told a zillion times by now that it's a bad idea to give out your personal data online. But hell, we all do it. Those of us who are particularly wary tell ourselves we're engaging in good data hygiene by checking the privacy policies of the companies that hold our e-mail and financial records. Of course, we all know in the backs of our minds – don't we? – that privacy policies are just guidelines and not legally binding. And yet we put our faith in them. It's the same process that keeps us paying Social Security even though the government might spend all our hard-earned retirement money by the time we need it.
Plus, who wants to keep track of all their own crap? It's nicer if Gmail can index your mail, even if it fills it with ads. And that's the kind of thinking that drove so many thousands of customers to a service called PayTrust, an online bill management system that receives your bills, pays them, and balances your checkbook in the process. Instead of having a messy bill drawer full of tattered stubs, you can use PayTrust to keep all your records in neat little spreadsheets, easily accessed and searched on the web whenever you want.
Although it's scary to imagine anyone who isn't you reading all your bills and paying them, for many people the trade-off is worth it. Meaning, the hassle saved is worth the risk – and that risk, until recently, seemed minimal. PayTrust was the only entity that had access to their information, and they could sever their relationship with PayTrust and remove their data at any time.
Suddenly, PayTrust wasn't quite so trustworthy. An unknown number of "subsidiaries" might have access to information about everything from a customer's bank account and medical records to their preferred magazines and credit-card spending habits. PayTrust customers' information had been sold to Intuit without their consent and without notice – and in order to gain access to that information, they had to agree to these new, disturbing terms. It's like the textbook definition of a gross violation of privacy.
And it sounds like grounds for a lawsuit to me. I hope those PayTrust clients have consumer class action maven Ira Rothken's phone number on speed dial.
More than that, though, the PayTrust debacle is a reminder to contemplate even the most heinous possibilities when considering whether to give up giant chunks of data online. Your "trusted" company could sell out tomorrow. And your "trusted" ISP might be employing one irritating little twit who's reading your e-mail – and who will decide one day that it's time to alert someone about what he or she has read there. Not only is it technically possible that such a twit exists, but there are also no laws against that person looking at any communications taking place on his or her company's network. As long as the data is "owned" by the company that owns the network – the way your mail is owned by Google, or your bill payment records are owned by PayTrust – network operators are permitted to look at it. It may be illegal for them to disclose to anyone else what they find there, but what are the odds you'll find out when they do?
Everybody always wants a tidy answer to the problems raised by data-sharing online. Of course, there isn't one – you give up your life's details, and you take your chances. But if you're worried, don't tell people who you are online unless you absolutely have to. When The New York Times asks you to create an account, just lie. Register your web site under a fake name. Sign up for e-mail under my favorite moniker: Pseudo Nym. Make the data worthless. And fer chrissake, pay your own damn bills.