
Getting lost in the forest of insecurity

I am by nature an optimist, but I believe we're lost

Jeremy Wagstaff (The Jakarta Post)
Mon, February 2, 2009


I am by nature an optimist, but I believe we're lost. Lost in what I call the "Forest of Insecurity".

What brought it home was coming across a hole in Indonesia's banking system. A pretty big hole, too: It allows anyone with a domestic bank account to look up some key details of anyone else's phone bill: their full name, the outstanding amount.

Just by entering the phone number online or at an automatic teller machine.

(I've contacted the central bank and some individual banks about this flaw, but at the time of writing have yet to receive a response.)

At best this hole makes for a useful reverse telephone directory: type in a number and you can find the caller's name. And it allows you to get other people to pay your phone bill from their account.

But there's a serious downside. It means anyone can figure out who a phone number belongs to. It also means anyone can - in many cases - find out how much you owe on your phone bill.

Useful if you're a lawyer wanting to have someone declared bankrupt. Or if you're a jealous spouse trawling through cell phones to check who they belong to. If you're a good social engineer you could easily turn this information into more information - enough, I suspect, to be able to get access to the bank accounts themselves.

(And if you know a bill or customer account number, it's also possible, in many cases, to be able to find out the name of that customer and how much they owe on their utility bills, their Internet bills and some other bills they are able to pay online.)
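To make the design flaw concrete, here is an added illustration (constructed for this piece, not code from the column or from any Indonesian bank or telco) of the two ways a bank's bill-payment lookup can be built. The leaky version behaves as described above: anyone who is logged in types a phone number and gets the subscriber's full name and balance back. The hardened version, an assumed design rather than any real system, only confirms a bill when the payer presents a reference that the subscriber alone receives, returns a masked name, throttles repeated failures per payer account and writes an audit record for every query. All phone numbers, names, amounts and the secret are made up.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample billing records: the data a phone company hands to a bank.
BILLS = {
    "0811000111": {"name": "Constructed Customer A", "amount_due": 250000, "period": "2009-02"},
    "0811000222": {"name": "Constructed Customer B", "amount_due": 0, "period": "2009-02"},
}


def leaky_lookup(phone_number):
    """The pattern the column describes: a logged-in bank customer types any
    phone number and gets back the subscriber's full name and outstanding
    balance. Nothing ties the caller to the number being queried, so the
    feature doubles as a reverse directory and a debt lookup for everyone."""
    rec = BILLS.get(phone_number)
    if rec is None:
        return None
    return {"name": rec["name"], "amount_due": rec["amount_due"]}


def mask_name(name):
    """Keep only the initial of each word: enough for a payer to confirm
    'yes, this is my bill' without disclosing the full name to strangers."""
    return " ".join(w[0] + "***" if len(w) > 1 else w for w in name.split())


class BillPaymentService:
    """Hardened form (assumed design, not any bank's actual system): the payer
    must present a bill reference that only the subscriber receives, lookups
    are throttled per payer account, and every query is logged for review."""

    MAX_FAILURES = 5

    def __init__(self, bills, secret):
        self.bills = bills
        self.secret = secret                # kept by the billing provider only
        self.failures = defaultdict(int)    # payer account -> failed lookups
        self.audit_log = []                 # (payer, phone, outcome) tuples

    def bill_token(self, phone_number):
        """Reference printed on the paper bill or sent to the subscriber.
        Derived with an HMAC over a provider-held secret, so it cannot be
        computed from the phone number alone."""
        rec = self.bills[phone_number]
        msg = f"{phone_number}:{rec['period']}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]

    def hardened_lookup(self, payer_account, phone_number, presented_token):
        if self.failures[payer_account] >= self.MAX_FAILURES:
            self.audit_log.append((payer_account, phone_number, "throttled"))
            return None
        rec = self.bills.get(phone_number)
        # Unknown number and wrong reference get the same answer, so the
        # endpoint does not reveal which numbers exist in the billing file.
        expected = self.bill_token(phone_number) if rec is not None else "0" * 8
        if rec is None or not hmac.compare_digest(expected, str(presented_token)):
            self.failures[payer_account] += 1
            self.audit_log.append((payer_account, phone_number, "denied"))
            return None
        self.audit_log.append((payer_account, phone_number, "ok"))
        return {"name": mask_name(rec["name"]), "amount_due": rec["amount_due"]}


if __name__ == "__main__":
    print("leaky:", leaky_lookup("0811000111"))
    svc = BillPaymentService(BILLS, b"constructed-secret")
    ref = svc.bill_token("0811000111")
    print("hardened, no reference:", svc.hardened_lookup("payer-1", "0811000111", "wrongtok"))
    print("hardened, with reference:", svc.hardened_lookup("payer-1", "0811000111", ref))
    print("audit:", svc.audit_log)
```

The point of the comparison is that the fix is not "hide the balance" but "bind the lookup to something only the bill's owner has". The audit log and throttle are what let the bank notice someone walking through phone numbers in bulk, which is the activity the column worries about.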

This isn't good. Convenience is one thing, but privacy is another. How many people do you want to know how much you owe on your phone bill?

But there's a much bigger issue here. The data involved - bills, names, phone numbers - is provided to banks. No one, it seems, is policing this data to ensure that it's being used wisely. There needs to be. There need to be safeguards to make sure it's only available to those people who should be able to access it. In other words, us.

It's our data. It's information about us, and we are the victims when the data is compromised. If we know our data is kept in one place - our bank information kept in a bank, for example - we can make a decision about whether we're happy with that.

"This bank seems to respect our privacy, and has good security measures in place, so we'll bank here," we can think. These decisions are never easy, but we can probably get enough information to sleep soundly at night.

The problem comes, however, once companies start to build pathways of data between each other - like phone companies giving their billing information to banks. It's here that we quickly get lost in that forest of insecurity.

How can I be sure all the third parties that information has been lent to are doing the same bang-up job of keeping my data safe from prying eyes? How can my bank, or my cell phone company, or whoever is doing the lending?

This is a hole in Indonesia that, hopefully, will get plugged quickly. (We have to hope so. Indonesia is rife with credit card scammers who will already have spotted this issue.)

But the problem goes deeper. As our lives go online, so we build ourselves a thicket of identities and personal information: All our photos, friends and personal foibles on Facebook, for example. Or a record of our mood swings and food pangs on Twitter or Plurk.

Now in theory, this stuff is accessible only to people we've allowed it to. But already things are getting out of control.

Facebook applications, for example, can access our data - and that of our friends - in a way that is far from transparent. If you add an application you'll have to click on a button to allow it to "pull your profile information, photos, your friends' info, and other content that it requires to work."

In short, not enough for you to know what kind of information, and what it will do with it. And your friends? Do they have any say?

And here's another path into the forest of insecurity: Nowadays, as we build more and more of ourselves online, we tire of having to re-enter data. So companies have stepped in to do it for us.

"Enter your email addresses here, and we'll go tell all your friends about this cool new application!" they say. And, because they make it easy, we do it.

Friendfeed, for example, collects together all your socializing online into one "river of news." That includes 59 different services, from your bookmarks, to the music you listen to, to what you're reading. All that information gathered together in one stream.

Another service streamlines the other end - the bit where you tell friends what you're up to. It's called Ping.fm, and it lets you update your status - hungry, throwing a sickie, eloped to Lhasa - on all the social networking sites you have joined from one place.

Now this is all fun, and in theory a good thing. It makes something very complicated suddenly very simple.

But there's a catch. Well, there are several. Like the Indonesian phone bill hole, it's to do with letting our data loose in the forest. If I give lots of third parties my email address and password, how good are they going to be about keeping it safe?

And, when it comes to posting my status online, how good am I at remembering who, exactly, can read it? It's pretty simple with Facebook - which I limit to friends only - and to business networking service LinkedIn - to work people only. But what happens when I update them all with the same message, so that everyone - from my niece to a potential employer - can read it?

In short, I'm lost in the forest already. I can't remember who has access to this data. I'm frequently surprised with messages from people commenting on an update - "Hungover. Cancelling all appointments" - which I intended only for my nearest, dearest and most understanding of friends. Not someone I was supposed to have a business lunch with.

Oops.

Indonesian phone bill records. Facebook updates. Google Reader habits. They may sound like different worlds but they're not. They're the symptoms of a serious problem we're not addressing: millions of paths of personal data that are finding their way out of our control.

And we're the ones who pay: By getting lost in a forest of insecurity we didn't know existed.

© Copyright

This article cannot be reproduced without written permission from the writer. Jeremy Wagstaff is a commentator on technology and appears regularly on the BBC World Service. He can be found online at jeremywagstaff.com or via email at jeremy@loose-wire.com
