Noticing Data Misuse

Everyone seems to be looking at their databases for personal information leakages.

Tax liens, mortgage papers, deeds, and other real estate-related documents are publicly available in on-line databases run by registries of deeds across the state. The Globe found documents in free databases of all but three Massachusetts counties containing the names and Social Security numbers of Massachusetts residents....

Although registers of deeds said that they are unaware of cases in which criminals used information from their databases maliciously, the information contained in the documents would be more than enough to steal an identity and open new lines of credit....

Isn't that part of the problem, though? It's easy to say "we haven't seen any cases of fraud using our information," because there's rarely a way to tell where information comes from. The recent epidemic of public leaks comes from people noticing the leak process, not the effects of the leaks. So everyone thinks their data practices are good, because there have never been any documented abuses stemming from leaks of their data, and everyone is fooling themselves.

Posted on July 5, 2005 at 8:47 AM • 13 Comments

Comments

Davi Ottenheimer • July 5, 2005 10:46 AM

Too true. False negatives can be far worse than false positives. This is one of the main issues with "honey pot" strategies.

Unfortunately (to abuse an analogy) achieving anomaly-detection in a complex environment implies a level of forestry wisdom that is virtually impossible. Most have just realized that those little distributed IT saplings they planted are now huge overgrown trees. Very few are poised to synthesize the mountains of application and system log data and analyze it to find unauthorized access.

Moreover, I have found very few administrators encouraged to achieve true proficiency in system availability with regard to behavior monitoring and reporting. Intense pressure from management usually favors rapid and disruptive change that brings new functionality to bear on a schedule completely divorced from even a simple risk management lifecycle.

Mike Sherwood • July 5, 2005 11:13 AM

It's still cost effective for companies to do very little to protect this information. Without ID thieves coming clean with how they got the information, it's hard to tie it to any of these companies individually.

I think this needs to be started in our civil courts where the burden of proof is lower than criminal courts. It would be interesting to see the outcome of holding these companies liable for the damage done to people's lives. I've got copies of my credit report showing that Choice Point requested my credit file. They are able to do this without my permission or previous knowledge and I'm sure they don't keep track of everyone who has access to this information. They're not going to come clean about their practices, but they would have a hard time refusing to answer subpoenas. The burden of proof is convincing 12 people who couldn't get out of jury duty that a company with only their own greed as a motive to collect the information was negligent and that substantially contributed to harm suffered by an individual. If that's not good enough, it's much easier to make a similar argument against any company who grants credit without verifying identities.

Tom Dolby • July 5, 2005 11:33 AM

Take a look at the wording of new bills put forward by the politicians; they conveniently leave themselves out of most of their proposals related to improper dissemination of private information. I've tried to have some of my documents at the county clerk's office modified to remove unnecessary private information. After multiple phone calls to anyone and everyone they could think of to pass me to in their building, someone finally said that you would have to get a court order to have the document changed. No one could ever tell me what court's jurisdiction this falls under or any procedures to even find out. One of the employees even asked me to call her back and tell her if I found out how to accomplish the feat, since she had no idea how it could be done. It all makes you feel so warm and fuzzy.

Davi Ottenheimer • July 5, 2005 12:47 PM

The first reaction in IT to regulators/auditors is to claim the implementation of a new control. The next audit should therefore require proof that the control is functioning.

Sarbanes-Oxley audits have been known to go something like this:

Auditor -- "How do you detect leaks that could lead to fraud using your information?"

IT -- "We are in process of rolling out the new Anti-fraud 3000 Enterprise Software that gives automated detection and reporting with stunning accuracy. It is a huge effort and scheduled to be operational about two months from now (after you leave us alone)."

So IT departments are being pressured to assess larger business risks and plan compliant controls for the near term, but it is not yet clear how courts measure accountability.

Does an organization have to prove that detective controls are working (on an ongoing basis) in order to meet regulatory compliance? Who defines adequacy?

The Economist quote from a Stanford Business professor indicates shareholders should play a role: "The ability to guard customer data is the key to market value, which the board is responsible for on behalf of shareholders".

http://www.economist.com/printedition/displayStory.cfm?story_id=4112390

The Economist also notes that the FTC's lawsuit against BJ's was due to "'unfair practice that violated federal law.' The firm collected too much data, kept it too long, did not encrypt it, lacked password protections and left its wireless network open."

The result seems to be that it will no longer be up to organizations to decide for themselves that their "data practices are good".

To this end, federal as well as state laws (e.g. California's AB1950) will very soon require some variation of industry-based definitions of "reasonable" or "appropriate security measures".

Senator Barbara Boxer's latest testimony (Commerce, Science and Transportation Committee, Full Committee Hearing on Identity Theft, June 16, 2005) includes the typical justification for this kind of proactive approach:

"According to a 2003 FTC study, over a period of 1 year, nearly 10 million Americans were victims of identity theft. Losses to business and financial institutions were nearly $48 billion and consumer victims reported an additional $5 billion in out-of-pocket expenses."

Her Comprehensive Identity Theft Prevention Act (S. 768) proposes an Office of Identity Theft in the FTC with SB1386-like breach notification at the federal-level. And just like SB1386, the really tough questions will come long before a breach is discovered -- what is "reasonable" security (confidentiality AND integrity).

Joseph Milner • July 5, 2005 2:30 PM

I'm not a legal expert, so I may be saying something utterly stupid, but why don't we offer plea arrangements for criminals if they identify where they got the information? I'm sure a criminal facing sentencing would be only too happy to tell how he got his info in exchange for some leniency...

raoul endres • July 5, 2005 5:31 PM

The problem in the US seems to be largely that the onus is on the wrong party. In most cases, it's up to the victim to prove they incurred damages through ID theft. This needs to be reversed - data collectors need to show their data has not been compromised.

Forget about trying to sue once damage has been done; it needs to come earlier, as soon as it becomes apparent the data has (likely) been compromised.

Thomas Sprinkmeier • July 5, 2005 7:16 PM

@raoul,

"data collectors need to show their data has not been compromised."

How do you know/prove which of the many data collectors have your data?

I think it's time for a sin tax, like on alcohol and tobacco. These data collectors are creating a net harm to society. There should be a tax on every database record, and every request should come with a health warning "WARNING: The information contained in this document was gathered by an industry that is enabling criminals, maybe even terrorists, to harm your way of life"

raoul endres • July 5, 2005 8:14 PM

@Thomas

In the EU for example, companies typically need to register themselves when they keep data. They also need to show how they protect that data.

You don't need to do anything - they need to prove that they are compliant.

another_bruce • July 6, 2005 12:05 AM

too much data in registries of deeds? have i got a fix for that! somebody comb those registries for the most powerful and influential people who have transferred property recently...
harvest their social security numbers and all the other accessible data about them...
send it to them in a plain brown wrapper. tell them you're not an identity thief, but the next guy who accesses this material could be, and you expect immediate action on this issue or else you will sell it to whoever offers money (perfectly legal, just like choicepoint does).
for extra credit, you can make copies of these dossiers and leave them in the men's rooms of your favorite taverns. have fun!

Vance • July 6, 2005 1:15 AM

"somebody comb those registries for the most powerful and influential people who have transferred property recently..."

Well of course we can't have that (http://www.post-gazette.com/pg/05161/519511.stm).

Thomas Sprinkmeier • July 6, 2005 2:01 AM

@raoul

I was thinking about the mechanics of the claim.

My ID is stolen
I suffer loss
I want to claim against the people who leaked my data.
How do I identify who has my data?

Do I claim against every data collection agency and ask them to prove they a) don't have my data or b) are 'compliant'?

If a), how do I know they didn't just wipe out my records? At the time my claim comes in the potential liability of having my data is much greater than the potential benefit of retaining it.

If b), how do I know that 'compliant' means "didn't cause the leak"?

Ulrich Boche • July 6, 2005 9:13 AM

I think the main problem with ID theft in the US is that it is very easy for anyone to open a bank or credit card account or initiate other sensitive processes with information that is more or less publicly available. Attempts to thwart ID theft by trying to protect this kind of information (e.g. the SSN) are futile. To reduce ID theft, it would be necessary to control each sensitive process itself by introducing stricter authentication requirements.

In Germany, you cannot open a credit card or bank account without either appearing in person at a branch showing your (government-issued) identity card or passport or by using a service called "Post-Ident" where you go to a Post Office where they verify your ID and fill in a form that they send back to the requesting bank.

Of course, this process is not in the interest of the banking and credit card industries as it makes opening a new account more difficult, but it is required by a German law against money laundering.

Up to now, ID theft is not a real problem here. However, on eBay.de where "Post-Ident" is optional (it makes you a "verified user"), ID theft and fraud are rampant.
--
Ulrich Boche

RS • July 12, 2005 12:26 PM

It seems to me that the ID theft issue could be decreased dramatically by disallowing the use of a Social Security number as a password, something it was never intended to be. The information tying people, their addresses and socials, etc. is not going to go away; what could change the equation is if one needed to use a PIN, similar to what one uses at an ATM, for every transaction.

Why isn't this being done? Because it would cost financial institutions money to re-configure certain systems? Or am I missing something?

Thoughts?
