As reported in today’s Washington Post, an employee of investment firm Wagner Resource Group in McLean, VA, traded music or movie files late last year with other users of the online file-sharing network LimeWire while using a company computer. As a result, he inadvertently made the private files of his firm’s clients accessible on the Net.
This exposed the names, dates of birth, and social security numbers of about 2,000 clients, including Supreme Court Justice Stephen G. Breyer.
This puts into perspective the concern expressed by Peter Schaar, Germany’s data protection commissioner, quoted in another story appearing in today’s Post by Ellen Nakashima. Commenting on a new effort by the Department of Homeland Security to gain access to more private information about individuals visiting the U.S. from Europe (as well as sharing such information about Americans with EU countries), Schaar found:
no “clear rules on purpose limitation” or on the storage period. “First,” he said, “which data are of concern is not really completely clear. Second, who are the competent authorities on the U.S. side? Third, and most important, there is a lack of independent supervision in the United States over data protection.” In European states, independent privacy commissions safeguard the privacy rights of citizens, he said.
If we have social security numbers of Supreme Court Justices being accidentally shared on the Internet, I can see why he might want further assurances. The Post article points out that Schaar’s question over which data are of concern, which he called “not really completely clear,” may actually be addressed. Unfortunately, the data that is to be shared is disturbing. According to the news:
The agreement, which was described by two European officials, also allows for the transmission of “personal data revealing racial or ethnic origin, political opinion or religious or other beliefs, trade union membership or information concerning health and sexual life” in cases where they are “particularly relevant to the purposes of this agreement.” It defines personal data as “any information relating to an identified or identifiable natural person.”
Political opinion, trade union membership, or information concerning sexual life? This is too much. That the agreement “shall take suitable safeguards, in particular, appropriate security measures, in order to protect such data,” does not provide the convincing assurance that such information would not be accessed by the ill-intended (like the State Department employees illegally accessing passport records) or the clumsy (like the case of the investment firm above).
But such assurances seem secondary in comparison to the apparent lack of connection between someone’s sexual orientation, political affiliation, or membership in a trade union and a criminal act. I can see why such things as previous travel destinations, the purchase of a one-way ticket, or the use of a suspicious credit card would be relevant to an investigation with cause, but knowing if the traveler is gay, a Republican, or a member of the American Federation of Teachers seems too much.