Guest blog: Is Netflix being sloppy with personal data?

Accusations that an internet scheme by Netflix could expose personal information about participants are being questioned by guest blogger and Sophos senior security analyst Carole Theriault. Over to you Carole…

Carole Theriault
Here I am at Virus Bulletin 2009 in Geneva. The conference has only just kicked off, but numerous chats with fellow attendees have confirmed to me that the security industry is most definitely attuned to the dilemma which exists between using the full power of the internet and the potential to lose sensitive data, either through negligence or theft.

This issue was brought home to me yesterday when I read an article entitled “New ‘Irresponsible’ Netflix Contest May Violate Customer Privacy”. Something about the article’s content really annoyed me. So I did a little digging.

Netflix, for those who have been living in the deepest, most remote caves to wait out the economic monsoon, is an online film rental outfit.

Since 2006, Netflix has rather cleverly made full use of the tech community by hosting competitions to improve the accuracy of its movie recommendation algorithm. And, as thanks, they offer a million bucks to the winning team… so, um, let’s say that that is quite an incentive to take part and put in a bit of sweat equity.

So far, so good. Except Paul Ohm of the University of Colorado Law School has voiced his opinion that Netflix are flirting with data infringement – and huge fines – by releasing some of the data they collected.

It seems that what Netflix will publish (gender, age and zip code) is enough for someone’s film preferences to be narrowed down to a few hundred people. Well, I say, hold the front page. Honestly – is this really enough to stifle the innovation, community and competitive fun that Netflix are offering online users?

Now, I don’t pretend to know as much about this topic as Paul Ohm, but, for someone so concerned, both professionally and personally, about data privacy, Professor Ohm certainly does advertise a lot of personal information about himself, his location and his credentials on his home page.

And, for those who are interested, you can even find his mobile phone numbers and entire academic history.

Granted, Professor Ohm has published this info himself, which is different from Netflix’s approach. But, it just seems to me that there is a balance to be struck.

We need to consider the risks posed by an action and weigh it against the benefits gained. Netflix are being collaborative and open about wanting to improve their technology. They put the greatest teams on a pedestal, and incorporate their findings, which makes the Netflix site better for customers.

I am willing to forego the cost of someone being able to reverse engineer the data and then attempt to isolate me amongst hundreds of my neighbours to find out my personal movie tastes for this. Are you?

You should be. After all, many of us reveal a lot more than our favourite films (just like Professor Ohm) on the web via our personal websites, job sites, social networking sites, dating sites, community sites, school sites, and so on.

All I am saying is perhaps some of us should just get a grip.