IT security firm hired to investigate DDoS attacks on PayPal finds someone’s Skype username on IRC. Skype happens to be one of the firm’s other clients, so said firm drops an email to Skype asking for the personal information behind the username. Skype complies happily, and the personal information is handed over to the police. No warrants or court orders involved. Skype may have broken Dutch and EU privacy laws in doing this.
Basically, if you trust any of the firms you hand info to not to do it… you’re just hoping that trust never gets put to the test.
Sure, informal requests based on inter-company networks like this are a privacy threat you almost never hear about… but I suspect they’re much more common than the legal, court-ordered variety, and a far greater threat to privacy. If a firm will hand out your info to anyone who they’re “friends” with, there’s ~zero protection to make sure the person asking isn’t trying to do you harm (as long as nobody gets sued, or the press hears about it).
At one point a few years back I was looking into getting a PI license. It’s absurd how much private information gets exchanged on a “hey buddy” basis in the grey areas of the law or (often) in flagrant contravention of it.
The problem is the people handing out information on the sly often aren’t the people at the top making the decisions. (Though there’s a lot the decision-makers can do to keep this from happening — like decentralizing data storage to design for privacy, and making everyone accountable for what they do.)
It may just as well be the data-entry person who gets chocolates every week from the guy who asks for favors every once in a while.
“Joep Gommers, senior director of global research at the Dutch IT security firm iSIGHT Partners, was hired by PayPal to investigate the attacks. Through an instant messaging channel, he found out that Dutch citizens were involved in the attacks and unearthed the pseudonym of a 16-year-old boy.
Gommers contacted Skype, another of his firm’s clients, and asked them for the suspect’s account data. Meanwhile, he wrote an e-mail to several Dutch authorities, saying: “Hey, I will have login information soon – but not yet.”
The police file notes that Skype handed over the suspect’s personal information, such as his user name, real name, e-mail addresses and the home address used for payment. That address could be matched and verified with municipal records.
Skype distributed the information voluntarily, without a court order, as would usually be required.[…]
Gerrit-Jan Zwenne, a professor of Law and Information Society in Leiden and a lawyer at Bird & Bird in The Hague, says the sequence of events surprised him.
“You would imagine that subscriber data aren’t simply handed over. They have to be provided when the police has a valid demand or court order, but not in any other case.”
He says he is unsure whether Dutch telecom and privacy laws allow a company like Skype to provide a company with user details without a court order. “You can also wonder whether police can use that information if it was acquired this way,” he said.
A spokesman for Skype, which was recently acquired by Microsoft, says the company takes its customers’ privacy very seriously. “It is our policy not to provide customer data unless we are served with a valid request from legal authorities, or when legally required to do so, or in the event of a threat to physical safety,” the spokesperson said.
The company says it is reviewing how personal information came into the hands of a private firm.”