Sunday, September 27, 2009

Black Box Intermediaries

A recent posting on Slashdot mentions an article about a bank accidentally sending customer data to some unknown Gmail account. The bank is suing to get that account disabled and to get the owner's personal information. Most of the people on Slashdot just seem to be moaning and complaining. So I posted the following idea:


Why can't the courts in these cases set up third-party intermediaries to receive the information that the plaintiffs are asking for (such as someone's personally identifying information) and then have all communications go through that intermediary? This is just the same as e-mails from Craigslist users going through Craigslist instead of directly between the users. It could even be a system where no human ever sees the information. Instead it could be encrypted such that no one would ever be able to dig it out. Then the plaintiff could contact the individual and they could carry on a conversation and straighten things out, without the individual's individual identifying information ever being disclosed.

Perhaps what we need is a government-sponsored but publicly run (and open-source developed) central system to provide this service. It would have to be open source so that anyone could check to make sure that the system didn't have any back doors.

Without a system like this, the technique used by this bank could become a powerful tool to do an end-run around privacy laws. If I want to find out the personal information about someone, or even shut down their e-mail accounts or all of their internet access, all I have to do is claim to have accidentally sent them private information about someone else. Heck, I could just make up bogus info and send it to the individual. Who would know, because that info would be kept sealed "for the privacy of the people in the list."


The contents of this post are Copyright © 2009 by Grant Sheridan Robertson.
