<<< Date Index >>>     <<< Thread Index >>>

[IP] more on LAST TIME I USE HOTELS.COM djf Ernst & Young laptop loss exposes 243,000 Hotels.com customers





Begin forwarded message:

From: Peter Capek <capek@xxxxxxxx>
Date: June 2, 2006 8:42:39 PM EDT
To: dave@xxxxxxxxxx
Subject: Re: [IP] more on LAST TIME I USE HOTELS.COM djf Ernst & Young laptop loss exposes 243,000 Hotels.com customers

On 6/2/06, Phil Kos PhilK@xxxxxxxxxxx> wrote:

It might be satisfying to merely stop dealing with Hotels.com as you
stated, but real damage has been done; so I wouldn't feel that it was
sufficient.  And it's also problematic, because all companies are
vulnerable to such breaches by their partners, and all companies have
partnerships like this; so it's not like there are any real
alternatives.

To me, the problem seems to be that we are frequently forced to agree
to these transitive trust relationships without any corresponding
reverse transitive responsibility.  When we trust a company we're
explicitly doing business with, we implicitly trust the partners they
explicitly do business with, yet we ourselves have no leverage over
those companies.  I find this not only unsatisfying, but downright
disturbing -- to the extent that I choose not to participate in many
commercial activities because of it, and only rarely give out
personal information to anyone, for anything (usually only when
required by law, or necessary to obtain critical services).

...

Mr. Stewart makes an interesting point (if I read him correctly) --
that the fault is truly E&Y's, but because of consolidation in their
industry, there are virtually no alternatives to E&Y, so Hotels.com
is essentially helpless to improve the situation, and punitive
actions against them are therefore misguided.  However, this is
perhaps the most deeply unsatisfying piece of the whole puzzle.  Can
this really be as good as it gets?  If so, why do we trust any of
these companies with ANYTHING?  Are we all really at the mercy of the
weakest links, with no hope for improvement?

I think this analysis is largely correct. And while I agree that those who promise to protect my information, and those with whom the do business, need to be held to their commitments (as they will most surely hold me to mine), for me the most important aspect of this problem is narrower. I wouldn't much care if someone knows my SSN if that SSN weren't also, effectively, the password for committing identity theft against me. Not just for the next year, when I might be graciously granted credit monitoring service,
but for the rest of my life.

Twelve states have passed law granting their residents the right, as I understand it, to "lock" their identity at the credit bureaus, effectively preventing any new credit lines from being opened. This certainly imposes an inconvenience on the person who choses to use it, but does give a certain peace of mind. My state (NY) is not one of the twelve, but
I plan to try to lock my identity in this way nonetheless.

I find it somewhat ironic that, while millions of people are actual victims of identity theft, and all of us are potential (indeed, perhaps even likely, in light of recent events) victims of identity theft, our esteemed Attorney General has focused on not on protecting our information, but on forcing the collection of even more data, which I fear will, once again, be inadequately protected and would be better off not collected in the first place.

                   Peter Capek

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/