Sharing Personal Information is a Choice Only You Should Make

A Mother's Day Tale

One of the more disturbing happenings in a world increasingly conscious of privacy violations occurred in the days before Mother's Day for me.

What should have been a routine shopping spree for a well-deserved mother turned into another case of one thing that is very wrong today.

I approached the counter of a small storefront looking to purchase a gift certificate for what is apparently considered a medical procedure: a deep cleansing facial.

I was asked the usual question, whether it was my first visit, and then for the name and birthday of the gift recipient.

Now, it's clear that a quick lookup of current customers was in order to determine if the gift recipient had been there before, but it is rare today to find identical names. US society has diversified to the point that stereotypical "common" names like "Mary Jones" or "John Smith" are few and far between.

But fine, if you need a date of birth with the full name to do a lookup, so be it. Granted, it wasn't my birthday they were asking for.

The full name and birthday, a combination that is probably more than unique enough for a small office to distinguish between customers for overpriced deep-cleansing facials, prompted no matches. I'm sure the name would have been sufficient.

Then I was asked for my birthday.

Now why would anyone purchasing a gift certificate for a deep-cleansing facial need to provide their date of birth? And I'm not just anyone, I'm one of the very long-time paranoids whose credit card purchases are indistinguishable from some midwestern John or Mary Smith, assuming they actually exist and follow a clean lifestyle.

For all other purchases, I prefer cash.

The line was crossed, and I descended into attack mode.

"Why would you need my date of birth? I'm purchasing a gift certificate."

The unfortunate target for my assault deftly moved into defensive mode, drenched in an incredulous look shared by the others behind the counter.

"We're a medical office."

Bad answer, try again please.

"But what is the utility of having my date of birth? Why are you collecting PII that has absolutely no use for you?"

I stammered for a second, and carefully stated "personally identifiable information" in a sloppy usage of verbal parenthesis.

"This computer," they said pointing to something under the counter that could have been an ice cream machine for all I knew, "is secure."

My knee-jerk reaction was to chuckle, but it wasn't going to get me a gift certificate and the gift certificate recipient was going to get a big red mark next to their name on this super secure computer. I had no doubt that information would find its way into an anonymous Pastebin in no time flat.

That computer is secure? They had to be joking. How many small storefronts, regulated by HIPAA as they were or not, have computers even vaguely secure? Even the NSA is hesitant to make such a bold statement about their desktop computers.

"I've been in privacy for a very long time, and I really don't know why you would collect data like that no matter how secure your computer is. What use is it?"

The sidestep was elegant, and as I was asked my cell phone number, they quickly said "And I'll just leave your cell phone blank."

Apparently I was getting somewhere. Or more likely, they moved to the path of least resistance.

I ultimately left this small medical office with the gift card, substantially poorer than before, but maybe, just maybe I had gotten through to them. Maybe someone else would question such pointless PII requests and push back, and maybe that person is part of an enlightening wave of privacy consciousness.

Maybe there is an Easter Bunny, but it's at least a comforting thought.

As data breaches provoke "ho-hums" and comments like "oh, yes, do you mean there was another data breach after last month's?", it's high time to start asking a simple basic question.

Collecting, transmitting and storing personal data has become a compulsive activity. It's done for the sake of it. It's often completely unnecessary in relation to the core functions of web sites, customer service, and in so many other places where it appears.

When that data is compromised, as will very possibly happen, it will just be lost in the torrent of data breach news mentions we hear, and it will be unlikely that anyone will notify us.

And the issue saturates much business activity today.

How much web site user analytic data flows around the internet into big buckets, never to be looked at by the organization that actually enabled that third-party collector on their web site?

We need to measure collection against the original purpose. That extra data is cheap to collect, but it becomes expensive to the targeted users if it's compromised.

Needless to say, the pink elephant in the room is the way that all data is monetized, which is the driving force behind the "collect everything and often" ways of the world.

Maybe we can start the push back by not providing unnecessary PII when it comes to Mother's Day?

George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives in creating unorthodox solutions to ordinary problems.
