It's not a privacy 'breach' when information about you is out there already

By Rob Pegoraro
Sunday, November 14, 2010; G03

Facebook and Google have been in the news for the wrong reasons lately.

The social network is in the doghouse for the misuse of some users' data by applications it installed on their pages. The Web-services giant earned itself multiple government investigations - including an inquiry launched by the Federal Communications Commission on Wednesday - for collecting data from people's wireless networks as part of its Street View mapping project.

Both of these episodes show that we need to upgrade how we think about privacy online - starting with the vocabulary we use.

The Facebook and Google issues have both been called "breaches." But they're not. The information at stake in each case was already public by any meaningful definition. It would have remained public no matter how good or evil the two companies had been.

In Facebook's case, the data consisted of the basic parameters of people's accounts: Their name, picture, gender and networks, all of which Facebook already makes public to all of the 500-million-plus users on the site. Unless you change its default settings or you're younger than 18, that information is also visible to anybody online.

Facebook's own rules prohibit applications from using these data for their own purposes, and the Palo Alto, Calif., company has since cracked down on app developers and banned one data broker from doing business on the site.

But if you're on Facebook, your basic identity remains as visible to everybody else on the site as before - in the same way the White Pages broadcast your identity to anybody who still gets the phone book.

If you want to be angry about all that, don't gripe about evil app developers or Web coding by Facebook that made it too easy for them to capture this data. You should blame the site for its default settings.

Unfortunately, without an effective competitor for Facebook, your only viable protest against its defaults besides closing your account is to post misleading public information in your profile.

(Disclaimer: Post Co. Chairman Donald E. Graham sits on Facebook's board of directors. You may also see this item get promoted on Facebook by the Post, as the paper markets itself extensively on the site.)

In Google's case, the problem began with people leaving their wireless networks unencrypted. People have been neglecting to take this simple step since the arrival of consumer-grade WiFi routers, either because they're confused about its necessity (see the puzzled questions about it in this 2004 chat transcript) or because most routers' hideous configuration interfaces make it too difficult to activate strong "WPA" encryption.

For example, this summer, Wired noted that Jane Harman (D.-Calif.), chairman of a House subcommittee on intelligence, information sharing and terrorism risk assessment, had left her District residence's wireless networks open.

If your WiFi is open, anybody can read your traffic at will. That's why Google itself began encrypting the logins of Gmail users years ago, a measure that ensures that an eavesdropper will pick up gibberish instead of usernames and passwords.

The Street View engineers - who wanted to build a database of WiFi hot spots for Google's location-based mobile services that would replace Skyhook Wireless's comparable service - didn't show the same level of foresight as Gmail's developers.

As Google explains it, they simply forgot to scrub data collected by the Mountain View, Calif., firm's Street View cars of anything beyond wireless networks' names and hardware addresses.

That's a dumb mistake, made dumber by Google's slow realization of it. The company is right to pronounce itself "mortified" by its conduct.

But if you think that your unsecured WiFi's privacy issues ended with Google's surrender, you are a fool. The people you need to worry about don't drive around neighborhoods in cars equipped with bulky camera rigs, and they won't apologize for eavesdropping because they'll be too busy logging into your accounts.

Don't get mad at Google in that scenario - save your anger for WiFi vendors who can't be bothered to make it easy and obvious to encrypt your network. Then direct it toward Web operators who don't automatically encrypt your login - or, in the case of sensitive financial sites, your entire session.

I'm not saying that nobody has any privacy anymore or that I place unlimited trust in Facebook, Google and their ilk. I don't. But when Congress is considering possible legislation, we need to focus on serious problems.

A real privacy breach doesn't involve a remix or collection of data that's already out there for anybody to see - even if using the words "hack" or "breach" in a headline makes the story that much juicier.

A real breach exposes private information you tried to keep confidential, in ways that risk the loss of money or security or otherwise fairly earn the adjective "Orwellian."

If you, like my wife, have ever received one of those letters from a credit bureau offering a year of free credit monitoring to make up for a leak of your financial data, you know what I'm talking about.

At the same time, information about ourselves is the currency we spend to get free services. You need not spend more than $50 a year to get an ad-free Web-mail service, but few of us bother - even if that earns us extra marketing attention later on. That's how things happen off-line as well: We open credit-card accounts and join store membership programs and don't pretend to be surprised by the additional junk mail that shows up afterward.

This is the business we have chosen, and we might as well get good at it. To forget where the foul lines are properly placed is a breach of our own responsibility.

Living with technology, or trying to?

© 2010 The Washington Post Company