Was Scott McNealy right?
Luther Martin, chief security architect, Voltage Security
"You have zero privacy anyway. Get over it."
– Scott McNealy
Scott McNealy made his famous comment about privacy in the digital age at an event launching Sun Microsystems's Jini technology back in January 25, 1999. His comment immediately drew angry comments from privacy advocates. Some claimed that they were "astonished" that he could say that we don't have privacy any more. Others called his comment "irresponsible." It's probably more telling, however, that nobody actually said that he was wrong. Perhaps they knew better. It might be a good day to think about this.
Privacy may be an admirable goal, but it's not clear that people really want it. People claim that they want privacy, but their behavior doesn't always support this claim. People may say that they want to keep their shopping habits private, but will shop at on-line retailers that keep a record every click of the mouse they make and every web page they view.
On the bright side, it's not clear that the companies who get our private information actually do much with it. Online giant Amazon.com has been logging everything that I do on their website for several years now and still feels compelled to recommend things that aren't even remotely related to anything that I've ever bought from them or would ever consider buying from them. Sometimes their recommendations can almost be entertaining. Almost all of what I've bought from Amazon.com over the past several years has been books, electronics or software. Despite this history, they still feel the need to recommend that I look at women's underwear on a fairly regular basis, and the fact that they continue to recommend it after I still haven't looked at or purchased any of the underwear that they've recommended makes me wonder exactly how well they're using all of that data that they've collected.
The real and serious threat to privacy is probably from the underground economy of cybercriminals who steal huge amounts of personal information and resell it to other criminals who then use it to commit all sorts of fraud. Based on interviews with McNealy after his controversial comment on privacy, it certainly looks like he was thinking about the case that Amazon.com represents. In this case, he's probably right. You really don't have any privacy when you do on-line shopping, but there's probably not much harm that results from that particular loss of privacy. The convenience that you gain and money that you save from shopping online probably makes up for the privacy that you give up to do it.
Back in 1999, however, cybercriminals weren't as numerous or as well organized as they are today, so it's unlikely that McNealy was thinking about the threat that they represent. The data that cybercriminals are after is the data that they can make money from. Today, that limits the valuable data to things like credit card numbers, bank account numbers, and ATM PINs. There's a huge market in this type of information, and there's so much of this information available that the law of supply and demand has dramatically reduced its value to cybercriminals. Data that might have been worth $20 to them a few years ago can now be worth as little as $1. And because cybercriminals are determined and well equipped adversaries, they seem to succeed fairly often. The recent data breach at Heartland Payment Systems is just the latest example of this.
Because the financial fraud that results from the misuse of the data that's compromised in data breaches is now a real a significant cost to the financial services industry, it's now worth taking privacy seriously. In the past, the worst that you might suffer from your privacy being compromised was being shown recommendations for products that you had absolutely no interest in. Today, the stakes are much higher. So although McNealy's comment about getting over the lack of privacy might have made sense in 1999, 10 years later, it probably doesn't. Instead of just accepting that fact that it has been hard to keep any significant level of privacy on-line, it's now time for businesses that handle sensitive data to get serious about protecting it. That won't be cheap or easy, but it's a step that they need to take.
Luther Martin is chief security architect at Palo Alto, Calif.-based Voltage Security, where he has been involved in key projects, such as porting Voltage's identity-based encryption technology to several wireless platforms. He is author of a new book on identity-based encryption (IBE); the IETF standards on IBE algorithms and their use in encrypted email; and numerous reports and articles on varied information security and risk management topics. He can be reached at email@example.com.