From Bruce Schneier's excellent (and free) Crypto-Gram newsletter:
http://www.schneier.com/crypto-gram-0502.html#2
T-Mobile Hack
For at least seven months last year, a hacker had access to T-Mobile's
customer network. He's known to have accessed information belonging to
400 customers -- names, Social Security numbers, voicemail messages,
SMS messages, photos -- and probably had the ability to access data
belonging to any of T-Mobile's 16.3 million U.S. customers. But in its
fervor to report on the security of cell phones, and T-Mobile in
particular, the media missed the most important point of the
story: The security of much of our data is not under our control.
This is new. A dozen years ago, if someone wanted to look through your
mail, they would have to break into your house. Now they can just
break into your ISP. Ten years ago, your voicemail was on an answering
machine in your house; now it's on a computer owned by a telephone
company. Your financial data is on websites protected only by
passwords. The list of books you browse, and the books you buy, is
stored in the computers of some online bookseller. Your affinity card
allows your supermarket to know what food you like. Data that used to
be under your direct control is now controlled by others.
We have no choice but to trust these companies with our privacy, even
though the companies have little incentive to protect that
privacy. T-Mobile suffered some bad press for its lousy security,
nothing more. It'll spend some money improving its security, but it'll
be security designed to protect its reputation from bad PR, not
security designed to protect the privacy of its customers.
This loss of control over our data has other effects, too. Our
protections against police abuse have been severely watered down. The
courts have ruled that the police can search your data without a
warrant, as long as that data is held by others. The police need a
warrant to read the e-mail on your computer; but they don't need one to
read it off the backup tapes at your ISP. According to the Supreme
Court, that's not a search as defined by the 4th Amendment.
This isn't a technology problem, it's a legal problem. The courts need
to recognize that in the information age, virtual privacy and physical
privacy don't have the same boundaries. We should be able to control
our own data, regardless of where it is stored. We should be able to
make decisions about the security and privacy of that data, and have
legal recourse should companies fail to honor those decisions. And
just as the Supreme Court eventually ruled that tapping a telephone was
a Fourth Amendment search, requiring a warrant -- even though it
occurred at the phone company switching office -- the Supreme Court
must recognize that reading e-mail at an ISP is no different.
This essay will appear in eWeek.