Misplacing the Blame in Personal Identity Thefts

Really good article:

In a recent dissection of the connection between gaming and violence, the term "folk devil" was used to describe something that can be labeled dangerous in order to assign blame in a case where the causes are complex and unclear. The new paper suggests that hackers have become the folk devils of computer security, stating that "even though the campaign against hackers has successfully cast them as the primary culprits to blame for insecurity in cyberspace, it is not clear that constructing this target for blame has improved the security of personal digital records."

Part of this argument is based on the contention that many of the criminal groups that engage in illicit access to records are culturally distinct from the hacker community and that the hacker community proper is composed of a number of subcultures, some of which may access personal data without distributing it.

But, even if a more liberal definition of hacker is allowed, they still account for far less than half of the data losses. The report states that "60 percent of the incidents involve missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online."

Those figures come from analyzing the data while eliminating a single event, the compromise of 1.6 billion records at Acxiom. The Acxiom data loss is informative, as it reveals how what could be categorized as a hack involves institutional negligence. The records stolen from the company were taken by an employee that had access to Acxiom servers in order to upload data. That employee gained download access because Acxiom set the same passwords for both types of access.

Posted on March 23, 2007 at 10:29 AM • 18 Comments

Comments

Mike Sherwood • March 23, 2007 11:02 AM

The best targets for this kind of information (the companies that keep large databases of personal information) have the least accountability for any harm caused through their negligence. That leads to a disincentive for anyone to improve the situation.

The majority of people who collect this information use it for marketing purposes. The goals of the marketing organizations are focused on acquiring customers. Data security isn't even an afterthought in these organizations.

aikimark • March 23, 2007 11:54 AM

Those evil-doers are certainly to blame. When fighting this evil, you are either with us or against us.

Hackers, crackers, and users constitute an axis of evil. That means they are armed with axes to hack away at our security doors in order to steal our identities.

jammit • March 23, 2007 12:06 PM

I have nothing much to add, except I've used "scapegoat" instead of "folk devil". I figured folk devil is just the new word.

dragonfrog • March 23, 2007 1:32 PM

I'm assuming "folk devil" is from the German "Volksteufel", which is an old expression.

Means something like the same as a scapegoat, except that the original scapegoat was a physical goat that could have the blame for some action or event symbolically attached to it, and then be killed as ritual atonement.

Bryan Feir • March 23, 2007 1:57 PM

So I guess the subtle distinction is that a 'scapegoat' exists to formally take the blame for something and be punished for it, while the 'folk devil' exists to remove the blame from someone else so that they won't be punished. The difference being that there's no real expectation of the folk devil ever being called to task, as it may not physically exist.

Roger • March 23, 2007 6:04 PM

The term "folk devil" does come from German "Volksteufel", but has been used in English translation by sociologists since the 1970s:

http://en.wikipedia.org/wiki/Folk_devil

It is obviously somewhat similar in meaning to "scapegoat", but there are differences. A scapegoat is a person or group maliciously, falsely or inflatedly blamed for some actual problems, the usual implication being that another bears the real blame. When "folk devil" is used, the implication is that a network of folklore and urban legend has surrounded the victim. As a result the victim is blamed not only for real problems caused by others but fanciful ones arising from the folkloric framework, and even a general miasma of evil with no specific problem identified.

Dutcher • March 23, 2007 6:18 PM

Isn't this like saying "Muggers blamed for lost wallets"? Without a correlation of damages to incidents, this data doesn't seem particularly interesting from a threat assessment point of view.

shimmershade • March 23, 2007 8:53 PM

Given the much broader veil of secrecy now, and the dependency of the US government on private firms whose very contract details are classified, I fear that there could be large data losses that will not be disclosed to the public. An affected citizen might wonder, Who let my personal data get out, and find that no answer is forthcoming.

the other Greg • March 24, 2007 4:10 AM

"An affected citizen might wonder, Who let my personal data get out, and find that no answer is forthcoming."

Indeed, it will become a felony to ask.

Francois • March 24, 2007 6:20 PM

@Dutcher:
True. Criminal or malicious activity should only be one category of many. A situation where a mugger steals your wallet carries a much higher risk than a situation where you simply misplace your wallet (and may find it the next day). I wonder how much real damage results from criminal activity as opposed to simple negligence.

Jeremy Pollack • March 25, 2007 11:40 AM

It's kinda silly to blame the hackers.

When designing a system, you have to assume that any security holes left open will eventually be exploited. That's the law of the jungle.

The real question is how much resources you're willing to devote to making your system more secure. If you decide that a countermeasure isn't worth the tradeoff in time and resources, that's your call. If someone then compromises your security, you have nobody to blame but yourself.

Mark Reinertson • March 26, 2007 10:06 AM

On one hand, you can "blame the victim" by simply stating (truthfully) that all too often users GIVE away access to confidential systems and data.
On the other, you can show that access controls and policies simply aren't being utilized in a logical fashion.
On the third hand (What? You don't have a third hand?), it's the criminals.
It's a hybrid problem that requires multiple layers of solutions.
But, as we all know, that tends to cost money.
How much security are you comfortable with compared to how much security a corporation is willing to provide?
Even more importantly, how much security are you willing to demand?

www.securityrants.com

peter • March 28, 2007 12:53 PM

It's just like that there Iranium.
Everyone knows Iranium is a NuCooler Weapon of Mass Distrustion.

So lets blame them coding-addicted hackers, crackers, and users. Would you want coding addicts doing stuff that changes your life?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.