Photo

It’s hard out there for a paranoid cybersecurity reporter

I’ve covered enough breaches, identity thefts, cybercrime and worse, to know it’s a terrible idea to hand over my personal data — even something as seemingly innocuous as my birthday or email address — to a store clerk, or a strange login page on the Internet.

But it’s getting hard to resist. I was in the middle of buying a swimsuit recently when the sweet lady behind the boutique counter asked me for my email address. I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.

“We won’t spam you or anything,” she said, perplexed. “We just need it for our database.”

I knew then that the conversation was headed into a whole lot of awkward, as it had dozens of times before. The fact is, a boutique doesn’t need my email address so I can buy a swimsuit. The hotel I stayed in recently didn’t need my birth date, or my home address, or my driver’s license number, before I could check in. And Target doesn’t need to store your debit card PIN.

After news of Target’s breach first broke last month, a reader emailed complaining that after a recent purchase at a Target store in San Francisco, she was asked for her driver’s license after her credit card was authorized. “I gave it to her thinking she was only going to look at it, however she immediately scanned it through her register. I was a bit shocked and asked why she did that. She said it is always done but ‘Don’t worry, it is secure.'”

That, we now know, is absurd.

There is a temptation to think that major retailers like Target– and now Neiman Marcus— are more secure because they have more cash to spend on security. It’s the same assumption users made thinking Snapchat was secure because it magically makes selfies disappear, or that LinkedIn knew how to protect data because it likes to talk up big data, or that Adobe could protect our passwords.

Actually, I take that back: Compromised Adobe PDF files have been used in far too many cyberattacks to mention here.

The point is that no company is secure. None of them. Not when they are up against an increasingly sophisticated, elusive enemy. But the problem is not just retailers, or technology companies or hackers, it’s us.

We regularly hand over data simply because we’re politely asked. We don’t read privacy policies, or ask companies whether our email addresses and passwords will be “salted” or “hashed,” encrypted with long or short keys, or whether those keys will be stored on separate systems from the ones they can unscramble. We don’t challenge major credit card companies to hurry up and adopt smart-chip credit cards. And we don’t stop doing business with companies that don’t take data protection seriously.

So we’ll all feign shock that the Target breach did not just affect 40 million people as it previously reported, but well over one-third of America’s adult population. And then, in a few days, we will likely go back to politely handing over our email addresses and birth dates.

But for now, the sweet lady at the boutique just has this: privacyreporter@stopaskingme.com.