I attended an extremely interesting auction in London back in April – yes, so interesting that 2 months later, it is still worth blogging about. Up for bidding include fresh credit card data and life insurance records. Extremely sensitive and private data, possibly worth a lot of moolah could be yours to own. But unfortunately, this mock auction was just part of a presentation at InfoSec 2010.

The ‘auctioneer’ got the audience very engaged in the bidding process and together with the panel of privacy experts, succeeded in demonstrating the existence of different perceptions to the value of data. The audience were equipped with some snazzy device to lock in the monetary amount they think the items were worth. The huge gap between the highest and lowest bids is evidence to how differently people have defined the value for each lot. Here were the 10 Lots up for auction and some of issues brought up during the discussion:

Lot 1: Fresh Credit Card data
Lot 2: Cure for flu
Lot 3: Personal family portraits / photographs
Lot 4: Life insurance records (inclusive of medical data records)
Lot 5: Customer database of UK high street retailer
Lot 6: Completed high school application forms for south east london (children data)
Lot 7: Copies of mobile phone bills for 500,000 customers
Lot 8: Credit records from a leading credit rating agency
Lot 9: All your deleted emails
Lot 10: The audit trail that lands your CEO in jail

It was quite exciting to see the amount that people were bidding for in each lot and even more fascinating to hear the reasons to why they think the data was worth that amount. For example, I would imagine that fresh credit card data would be worth a few million dollars in the black market. But this is not necessarily so as it depends on the quality of the data. There is a possibility that only a small percentage of those numbers are valid.

How much are your personal family photographs worth to you? And how would this have differed if you were famous celebrity? How much would you have bid for to keep those photographs from the hands of the tabloids? If you were working for a newspaper, how much would those photographs be worth to you? Is it worth so much even if those photographs were acquired illegitimately? And if you know that obtaining the photographs might not give you the negatives to those photos, would you still submit a high bid for it?

Lot 5 give some interesting discussion as well (considering it was near UK election time). The issue of reputation of businesses was brought up and how this serves as an incentive for a business to protect their client’s data. This incentive might be lacking in government entities to protect their people’s data. Of course they may have other incentives to do so.

With more detailed mobile phone bills (as compared to back in the day), it is possible to infer relationships and obtain other phone numbers. What if (once again) you are famous celebrity? One might possibly infer other celebrity’s mobile number from a copy of your phone bill. Is the convenience of replacing a credit card over that of replacing a personal phone number determine the worth of a credit card over a mobile phone number?

So, how much would you have bid and why?

Here’s a link if you want to read more about the mock auction.