Data breaches aren't scaring off many customers, despite risks

SAN FRANCISCO - Week after week, thieves break into corporate computer systems to steal customer lists, email addresses and credit card numbers. Large data breaches get overshadowed by even larger ones.

Yet people are turning over personal information to online retailers, social networks and other services in growing numbers. The point at which people lose trust in the websites they deal with appears further away than ever before, if it exists at all, as shopping, socializing and gaming online becomes deeply embedded in modern life.

People have come to accept that sharing information is the price of a meaningful, connected life online – even if they don’t like it.

“We are clearly schizophrenic about this technology,” said Jim Dempsey, an expert on Internet privacy at the Center for Democracy & Technology. “We love it, we use it, we expect it to work, and we’ve woven it into our daily lives, professionally, socially and personally. But we really don’t trust it, and we do get upset when our data is lost or stolen.”

Companies collecting the personal details have little incentive to offer the best privacy protections. So far, people haven’t demanded that companies do better by walking away from their gadgets, online retailers or social networks.

The Federal Trade Commission is urging Web browser makers to build “Do Not Track” tools to let consumers stop advertisers from studying their online activity in order to target pitches. The Commerce Department has called on Congress to adopt ground rules for companies that collect consumer data online for marketing. Several lawmakers have introduced privacy bills.

Information that distinguishes one faceless Internet surfer from another is so valuable that companies have been hurt when they limit what they collect.

Yahoo Inc., for example, will soon keep logs on people’s searches for 18 months, the same amount of time as Google Inc. That’s a reversal of its vow in late 2008 to strip out personally identifiable details after 90 days. In making an industry-leading privacy pledge, Yahoo said it became less competitive in offering personalized services enabled by long-term tracking.

Companies also face lawsuits and penalties by promising more than they can deliver. If companies are vague, their biggest risk is bad publicity when a hacking attack or a technical error exposes customers’ information.

The number of records exposed in data breaches is staggering – more than half a billion in the past six years, according to the Privacy Rights Clearinghouse.

At the same time, people are sharing more online. More than half a billion people are on Facebook, and billions of people search Google and Yahoo each month and accept tracking data files known as cookies. The Pew Internet & American Life Project found that 61 percent of adult Internet users in the U.S. have used social networks, up from less than a third in 2008.

The dependence on technology explains why the reputations of technology companies are remarkably resilient, even after embarrassing breaches.

For example, hackers last year uncovered a security hole on AT&T Inc.’s website and exposed the email addresses of more than 100,000 iPad owners who had signed up for AT&T’s wireless Internet service. At that point, Apple had sold more than 2 million iPads. Despite the breach, the company sold some 17 million more iPads since then.

Apple’s disclosure came a day after Sony Corp. said a hacker may have stolen credit card numbers and other valuable information on the 77 million players using its PlayStation online gaming network. That would make it one of the biggest known credit card breaches.

“Sadly, the consumer can do absolutely nothing to protect themselves,” said Bruce Schneier, a prominent security blogger and chief security technology officer at the British telecommunications operator BT. “When you give your data to someone else, you are forced to trust them.”

If you say no, he said, “that’ll mean living in a cave in the woods.”