Are we ready for a true data disaster?

A catastrophic leak at a major data-gathering organization could have an impact as profound as any oil spill


Even more troubling are the attitudes exhibited by these companies' leaders. Google CEO Eric Schmidt once cavalierly dismissed users' privacy concerns, saying, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." And while 26-year-old Facebook CEO Mark Zuckerberg has publicly rationalized the issue, claiming "people have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people," in private he has been considerably more blunt. In an IM exchange, a 19-year-old Zuckerberg described the users who had trusted his service with their emails, pictures, and addresses as "dumb fucks."

These men's casual indifference to the concerns of the public is reminiscent of the robber barons of old. John D. Rockefeller once said, "Next to doing the right thing, the most important thing is to let people know you're doing the right thing." Yet no matter how much Schmidt and Zuckerberg insist the public are content to accept privacy on Google and Facebook's terms, growing public outcry over these companies' practices says otherwise. As their hunger for more data leads them to search ever farther and drill ever deeper, it seems only a matter of time before something goes wrong.

Disaster waiting to happen?
Just how likely is it that one of these companies could experience a data leak on the scale of a Gulf oil disaster in the near future? As we've seen in recent years, online security remains far from perfect. Security service provider Veracode claims nearly 60 percent of applications fail its first-round security tests, and there's little reason to exclude social networks. According to one study, social networking companies have an 82 percent chance of having "unresolved high, critical, or urgent flaws" in their Websites.

In fact, leaks have already happened. In January, Google mistakenly emailed potentially sensitive business data to customers of its Local Business Center service. In April, VeriSign's iDefense division reported that someone calling himself Kirllos was offering 1.5 million Facebook accounts and passwords for sale on an underground hacking forum. It seems that, as in the oil business, a certain amount of leakage is a fact of life for data-centric businesses.

So far these incidents seem relatively minor, owing in large part to their limited scope and the nature of the data that was leaked. But as companies gather ever more individually identifiable data and cross-reference these databases in new and more innovative ways, the potential for a major catastrophe grows. And just as it would be impossible to present BP with a bill to account for the full environmental impact of the Deepwater Horizon disaster, the true cost of a major data leak would be hard to gauge. The economic impact of identity theft, phishing, fraud, and corporate espionage often goes unreported and, thus, unaccounted for. Yet for the individuals and businesses affected, the damage can be profound and long-lasting.

Some analysts argue that because of the potential liability a major leak would incur, data-centric businesses will naturally make security a priority. Sure enough, Facebook says it is beefing up its security through a combination of technological and legal measures. But as long as these companies see their databases as core business assets, both for internal use and to hire out to others, there is always potential for data to leak into the wrong hands. Last week, a characteristically glib Eric Schmidt told attendees of Google's annual Zeitgeist Forum in Europe that "what really matters is actual harm," not the potential for harm. The question is, who gets to define what is harmful and what is legitimate business practice?

So far, government has declined to take on that role. Tech companies have shown a remarkable ability to dodge regulation in the United States, and Europe's attempts to rein in Google's data-gathering practices seem largely toothless. That raises the unpleasant prospect that government and the public will likely be left holding the bag after a major data leak occurs, and, as in the case of the Gulf oil disaster, there may be little they can do to mitigate the damage.

This article, "Are we ready for a true data disaster?," originally appeared at Read more of Neil McAllister's Fatal Exception blog and follow the latest news in software development and security at

Copyright © 2010 IDG Communications, Inc.
