Outsourcing to an Indian Jail

This doesn't seem like the best idea:

Authorities in the southern Indian state of Andhra Pradesh are planning to set up an outsourcing unit in a jail.

The unit will employ 200 educated convicts who will handle back office operations like data entry, and process and transmit information.

It's not necessarily a bad idea, as long as misusable information isn't being handled by the criminals.

The unit, which is expected to undertake back-office work for banks, will work round the clock with three shifts of 70 staff each.

Okay, definitely a bad idea.

Working in the unit will also be financially rewarding for the prisoners.

I'll bet.

Posted on May 18, 2010 at 7:29 AM • 73 Comments

Comments

JohnT • May 18, 2010 7:46 AM

Back in the late 70s the US used convict labor too. One project was for the Dept of Agriculture, and involved disbursing payments. I believe there were other programs as well, and the Bureau of Prisons sought to expand these programs, mostly software projects written in COBOL.

At the same time a number of states had prison programming programs. They pushed a bill in Congress to allow interstate commerce for state prison written programs. I don't know if the bill ever made it into law.

We have been there and done that ourselves.

Chris Puttick • May 18, 2010 7:57 AM

Now call me particularly cynical, but isn't there a reasonable chance that "educated convicts" are the ones who were convicted of white collar crimes in the first place? You know, crimes like bank fraud, sale of confidential information, ...

Corey • May 18, 2010 8:03 AM

According to the great philosopher Tyler Durden, as long as the expected cost savings are greater than the expected value of the ensuing lawsuits, it's a good business idea.

Juergen • May 18, 2010 8:11 AM

Sounds like they ripped off the idea from the SciFi novel "Daemon" - in which a privatized Texas prison runs a telemarketing callcenter.

Steven • May 18, 2010 8:20 AM

From a Hitler Downfall parody:

You outsourced our data to an ISP whose servers are in Leningrad!!!!!

(quote from memory; YouTube has suppressed the video :(

Chris 2 • May 18, 2010 8:33 AM

@Chris Puttick

That was my thought as well, just what we need, people convicted of fraud doing data entries for banks.

What could possibly go wrong?

BF Skinner • May 18, 2010 8:43 AM

So if I was conducting a security assessment and found that not only did people not have background screens but they were drawn exclusively from convicted criminals in prison--by design.

How do I assess "the organization establishes personnel security requirements, ..., for third-party providers"

Okay. They did establish those requirements as "only convicted felons need apply" and are okay as an organization with that. Is that control satisfied or "other" than satisfied?

People, read executives on a cost cutting binge, consistently underestimate the sensitivity and exposure helpdesks create.

This choice undercuts other supporting controls that deter misbehavior. Threat of retaliation/sanctions "including criminal prosecution."

And just what will the Thursday afternoon riot putting the facility on lockdown do to my availability?

HJohn • May 18, 2010 8:45 AM

I bet the common defense won't fly: "we were not aware of anything in his background that would indicate we could not trust him."

freedomofeverything • May 18, 2010 8:56 AM

This assumes that all criminals are identity thieves regardless of their crime, and it also kind of implies that people in jails lack individuality. They're still human beings.

The guy who's in there for starting a drunken brawl is no more likely to steal your identity than somebody who actually works for a bank is - perhaps even less likely, since they have firsthand knowledge of the punishment.

With that said, I feel certain that an individual who IS likely to alter bank records will slip through the invariably woefully inadequate screening process and ruin it for everybody.

DayOwl • May 18, 2010 9:19 AM

Guess the out-sourcers are tired of paying that ridiculously high $6 per hour wage. Goes to show how cut-throat the business has become.

The Russians aren't going to like this.

mcb • May 18, 2010 10:06 AM

At least the state knows their inmate workers are recovering criminals which may be more than many companies know about their employees.

It's easy to imagine the ways this sort of program can go wrong, but is there any way to make this sort of idea go right and provide the right sort of convict (ironically probably not a "white collar" crook) a chance to prepare for an honest job in the information economy?

AppSec • May 18, 2010 10:20 AM

In later news:

Prison Guards are now convicted of using PII data collected by prisoners as prisoners are given privileges based on information collected.


Is that a bit cynical?

Clive Robinson • May 18, 2010 10:24 AM

Now call me an old **** (fill in your own choice), BUT does it matter who they are outsourcing to?

The simple fact is not just the data is outside of judicial control, it's also money being taken out of the home economy and being dumped in a competing economy at a very sensitive time for no benefit to the home economy.

Now depending on who you believe the "churn rate" could be 10:1, which means every dollar you put abroad has the effect of removing ten dollars from the home economy and putting the equivalent of ten dollars in the competing economy...

So simplistically the damage outsourcing abroad does is 100 times what the dollar value appears...

Brandioch Conner • May 18, 2010 10:24 AM

@freedomofeverything
"This assumes that all criminals are identity thieves regardless of their crime, and it also kind of implies that people in jails lack individuality."

Nope. Just that they have more direct access to people who ARE "identity thieves".

And those "identity thieves" can coach them on the specifics of collecting information that can be used in future fraud attempts.

And the future victims are contacting them. How much easier can it be?

Look at all the information you disclose on a regular tech support call.

Muffin • May 18, 2010 10:38 AM

I agree with @freedomofeverything; it really depends on what the people in question actually did.

We all like to adopt a black-and-white kind of view where there's criminals (who're evil, never up to anything good, and never ever to be trusted with anything) and Normal People(tm), who're the exact opposite, but reality comes in shades of grey.

That said, outsourcing the handling of sensitive banking information sounds like a bad idea no matter to who it's being done.

BF Skinner • May 18, 2010 11:00 AM

@Clive "...now call me..."
Okay. You're an old fart.

My basic question on information remains "Is information about me MY information"

The only advantage to developing other nations' economies is to reduce the amount of foreign aid required (though after Greece that isn't a given) but more importantly to create and open markets where trade can flourish. Classic liberalism I know but I am in the US.

I think the presumption is that advanced economies are more stable and unwilling to go to war over resources.

It seems what we've done is create a series of dependencies that are self reinforcing/exploiting and set a series of dominos just waiting to fall.

Dilbert • May 18, 2010 11:14 AM

@freedomofeverything
No, this is all about risk. When you outsource your data management to known criminals you're introducing a high level of risk.

HJohn • May 18, 2010 11:17 AM

Outsourcing in general is a fun topic.

A few points:
* Jobs that affect security, business or national, should never be outsourced.
* Help desk functions appear simple, but should never be outsourced. It grants one access to customer information and they can reset passwords. The risks of identity fraud and embezzlement are obvious.
* Blackmail is another possibility. In 2003 or 2004 I believe, a woman in Pakistan doing clerical work for a medical center threatened to post patients' confidential files on the Internet unless she was paid money. She sent an e-mail with actual patients' records attached to show she was serious.

On the flip side, some outsourcing is feasible, safe and reasonable. Contracts and confidentiality agreements have to be durable, and it is essential they be enforceable. I don't believe for one second that everyone overseas is untrustworthy and means us harm. Likewise, I don't believe that about every local vendor either--but I'm still careful about what I trust them with since I have less control than I do over my own staff.

And, as I've mentioned above, one must consider not only the legal liability but also the customer backlash. In other words, if you think your customers may flip if they learn who you are outsourcing to, maybe you shouldn't outsource to them.

Not really anonymous • May 18, 2010 11:24 AM

"I think the presumption is that advanced economies are more stable and unwilling to go to war over resources."
I don't think that is the case. The US has a large military force spread across the globe. This isn't to provide defence against invasion, but to provide cheap access to resources.
Countries don't go to war for plunder much any more. Typically you destroy the conquered nations' economy (at great expense to you) and there isn't much to plunder in the end.

freedomofeverything • May 18, 2010 11:35 AM

@Dilbert & Brandioch

I take issue with the Good vs Evil tone that people assume with this subject. The idea that the world is made up of Criminals (people who always break the law) and Non-Criminals (people who never break the law) is fundamentally flawed.

What I perceive to be the issue here isn't that prison work programs present a higher risk to data security than normal users of these systems, but rather that society wants to look down its collective nose at people who have broken laws.

In the article linked above it's stated that prisoners are routinely searched to ensure they aren't carrying data out of the center. Can you offer me the same guarantee of all bank employees?

At any rate, we are at much greater risk of software vulnerabilities that enable cyberattackers to steal vast databases of personal information than we are of some creep stealing single accounts, who is then searched, found out, and punished.

John Waters • May 18, 2010 11:35 AM

We need tax breaks for companies that hire US citizens in the US and tax penalties for companies relying on offshore and H1-B "talent".


Of course our government is a little too immersed in foreign preference to make this anything but a pipe dream.

AppSec • May 18, 2010 11:57 AM

@freedomofeverything:

Unless you can wipe their minds, they will always have access to data.

And they are in prison and therefore are criminals. While they can be reformed (to a certain degree), the fact is they have yet to pay back their debt to society by completing their sentence.

And for the record: that last statement does not mean I don't think they should be able to learn, work, or what have you -- I just think the access to data and systems they have needs to be allotted very carefully.

John N. • May 18, 2010 12:00 PM

On the up side, at least we can assume that the physical security is better than average.

freedomofeverything • May 18, 2010 12:20 PM

@AppSec

Barring people with eidetic memory variants, memorizing long strings of numbers (SSNs, account numbers, addresses) after viewing them only once is not something the human brain is made to do - much less trying to learn the account details of multiple individuals, keep them distinct, and then somehow relay them to an external resource without writing it down.

And the "they're in prison, they MUST be criminals" mentality is exactly what I'm talking about - it's a logical disconnect. The reason for their imprisonment is much more important than their mere presence there (for the sake of argument I'll ignore such things as false convictions).

A diligent screening process is an essential part of this program, however - a hacker convicted of mass identity theft should quite rightly not be allowed to be involved, but the risk of some random non-information-related criminal suddenly metamorphosing into an account-draining master conman is pretty laughable.

As said by the great Terry Pratchett: "You have to consider the psychology of the individual."

Brandioch Conner • May 18, 2010 12:56 PM

@freedomofeverything
"I take issue with the Good vs Evil tone that people assume with this subject."

No. It is a matter of security.

"What I perceive to be the issue here isn't that prison work programs present a higher risk to data security than normal users of these systems, but rather that society wants to look down its collective nose at people who have broken laws."

No. It is a matter of security.

"In the article linked above it's stated that prisoners are routinely searched to ensure they aren't carrying data out of the center."

It is in their heads. They only have to memorize it long enough to get past security.

"At any rate, we are at much greater risk of software vulnerabilities that enable cyberattackers to steal vast databases of personal information than we are of some creep stealing single accounts, who is then searched, found out, and punished."

Except, as noted above, they cannot search for the data he has memorized. Therefore he cannot be "found out" and will not be "punished".

It is about the security.

freedomofeverything • May 18, 2010 1:19 PM

@Brandioch

No, it is about people. Specifically, it is about the people pressing the keys.

It is also about trust. As in, 'how much do you trust the people pressing the keys?'

Technological security being equal in both locations (the bank office and the prison will likely have governance policies stating what security measures must be present on both machines), the only difference is the people, and assuming that all jail inmates are Evil isn't good security; just profiling.

Do you instantly trust the minimum wage data entry person being employed at the bank branch more than you trust a prison industry data entry person? Why? What assurances do you have that the former isn't doing exactly what you're afraid the latter might be doing, and what measures are in place to keep it from happening at the branch? I can guarantee body searches aren't on the list.

"It is in their heads. They only have to memorize it long enough to get past security."

This is kind of a silly thing to worry about. You're at similar or greater risk of having your information stolen by a crooked restaurant waiter or a guy with an ATM sniffer; the prison data entry guy memorizing your personal data is pretty far down the list.

mcb • May 18, 2010 1:30 PM

@ HJohn

"Jobs that affect security, business or national, should never be outsourced."

Whence cometh your certitude HJohn? Physical and logical security have been outsourced effectively, efficiently, and defensibly; the former for a couple centuries, the latter for many decades.

Brandioch Conner • May 18, 2010 1:32 PM

@freedomofeverything
"No, it is about people."

And without any people, there would not be any need for security.

"Technological security being equal in both locations (the bank office and the prison will likely have governance policies stating what security measures must be present on both machines), the only difference is the people, and assuming that all jail inmates are Evil isn't good security; just profiling."

That's one HUGE assumption.

And profiling is part of security.

And no one (except you) is saying that anyone is "evil".

"This is kind of a silly thing to worry about."

No. It is a flaw in their security model.

freedomofeverything • May 18, 2010 1:45 PM

@Brandioch

If the technological security in the prison data center isn't up to snuff, that has nothing to do with the prisoner at the keyboard and is indicative of a larger comms security problem.

And the word "Evil" was chosen simply to highlight the prejudice in the situation: that people view prison inmates as categorically worse than non-inmates despite having no evidence. Presence in a prison is enough to certify ill intent.

Having a good memory is a security flaw? To enforce against this flaw you would have to make sure that nobody ever lays eyes or ears on private information: no phone conversations, no cameras near pin entry pads, no public conversations, no forms filled out within eyeshot of anyone ever.

The very act of giving your information to another living being is an unavoidable security risk. And a life without risk is no life.

freedomofeverything • May 18, 2010 1:52 PM

I meant that literally: the only people that have no risk are the dead.

HJohn • May 18, 2010 1:56 PM

@HJohn: "Jobs that affect security, business or national, should never be outsourced."
@mcb: "Whence cometh your certitude HJohn? Physical and logical security have been outsourced effectively, efficiently, and defensibly; the former for a couple centuries, the latter for many decades."
____________

I almost said "seldom" but changed it to "never".

The reason I almost said "seldom" is because some things have been outsourced well. The reason I decided to go with "never" is because security has a tendency to result in scope creep. Once a process is declared "secure," it tends to start covering levels of security it was never designed to handle (as there are new functions, layoffs, downsizing, etc.).

"Never" is extreme, I understand.

Another person who advised me (and colleagues) about never outsourcing security was Gordon Smith, President and CEO of Canaudit. I regard Gordon and his opinions as highly as I regard Bruce.

Fair question, though. "Never" is a pretty strong word.

Brandioch Conner • May 18, 2010 2:04 PM

@freedomofeverything
"If the technological security in the prison data center isn't up to snuff, that has nothing to do with the prisoner at the keyboard and is indicative of a larger comms security problem."

No. That is part of their security model as well.

"And the word "Evil" was chosen simply to highlight the prejudice in the situation: that people view prison inmates as categorically worse than non-inmates despite having no evidence."

There is no prejudice. It is statistics. Statistically, the prisoners are more likely to have committed the crimes that they were convicted of than the people who have not been convicted.

"Having a good memory is a security flaw?"

No. Hiring criminals to handle customer information that can be memorized is the security flaw.

"And a life without risk is no life."

And who said that this was about no risk?

Read Bruce's work on "Attack Trees". There is always a risk.

The key is to reduce the risk.

Statistically, this plan increases the risk. That is why it is a problem.

HJohn • May 18, 2010 2:09 PM

@freedomofeverything: "that people view prison inmates as categorically worse than non-inmates despite having no evidence."
___________

So, someone being caught, investigated, charged, tried, and convicted by a jury in a court of law is not evidence that they may be less trustworthy than a non-inmate?

Granted, there is no shortage of untrustworthy people with no record, and I have no doubt that there are people in prison who could be trusted.

That said....

What better criteria to measure someone's trustworthiness than by their own record of behavior?

freedomofeverything • May 18, 2010 2:15 PM

@Brandioch

Which is where the screening process begins to matter. The point I'm trying to make is that this program could work if your selection process is stringent enough to weed out those individuals who are most likely to take advantage of this system and have a strong enough deterrent against those who do.

As you say, it's all about risk reduction. The banks are increasing risk to decrease costs - but many of the arguments against this system rest on the basis of "criminals are all bad. Furthermore, they are all bad in the same way." The increase in risk can be managed, if one is careful.

Of course it's statistically true that people in jails are more likely to commit crimes than people not in jail. There's nothing to contest there.

freedomofeverything • May 18, 2010 2:28 PM

@HJohn

The temptation here is to give in to popular opinion and assume that all individuals convicted of a crime are bad in the same way. You as an end user have no evidence that a company-employed data entrist is less prone to steal your data than a given prison industry entrist.

The point is that the individual's history is vastly more important than the fact that he's in prison on an unrelated charge.

Brandioch Conner • May 18, 2010 2:37 PM

@freedomofeverything
"Which is where the screening process begins to matter. The point I'm trying to make is that this program could work if your selection process is stringent enough to weed out those individuals who are most likely to take advantage of this system and have a strong enough deterrent against those who do."

As has been shown in study after study, deterrents do not work. Deterrents are not effective at preventing crime.

Which leaves you with sorting out people who are less likely to commit a crime with that data than THE AVERAGE OF THE NON-CRIMINAL POPULATION.

Which is kind of difficult given that you're starting with a population that has, statistically, already set themselves on the opposite side of that.

Therefore, this plan INCREASES the risk and reduces security.

"The increase in risk can be managed, if one is careful."

Which adds complexity and complexity causes problems with security.

We have now arrived at the point in this discussion where the requirements are a screening process that is better than the process already used and a security model that is better than the one already used.

All to be able to hire less trusted workers.

When the simple solution is to not hire the less trusted workers. That way the improved screening process (should it exist) will result in security improvements. The same with the security model.

freedomofeverything • May 18, 2010 2:52 PM

@Brandioch

We're delving into the greater problem of "what do you do with criminals?"

I think these programs are good things to have. I think rehabilitation and learning a trade is a great thing for that segment of criminals motivated by necessity, and nixing them on account of some addressable security concerns is a net loss to our society.

Brandioch Conner • May 18, 2010 3:05 PM

@freedomofeverything
"We're delving into the greater problem of "what do you do with criminals?""

No. This is about security.

mcb • May 18, 2010 3:08 PM

@ HJohn

"Another person who advised me (and colleagues) about never outsourcing security was Gordon Smith, President and CEO of Canaudit. I regard Gordon and his opinions as highly..."

Canaudit http://www.canaudit.com/ is a consulting firm that offers security services. Perhaps our (me, you, Mr. Smith) definitions of security differ?

HJohn • May 18, 2010 3:16 PM

@freedomofeverything

Let me also add that restriction of sensitive information is the norm, not the exception, and certainly not punishment.

It isn't an innocent until proven guilty proposition. It is a restricted until proven that the odds of one being trustworthy are high. It doesn't mean there is no risk with them, nor does it mean there is no chance that someone denied access is trustworthy.

Even if a criminal is proven to be trustworthy in a certain area, the cost of customer backlash is probably too high to justify the cost.

freedomofeverything • May 18, 2010 3:40 PM

@Brandioch

That's not a counterpoint. That's ctrl-c ctrl-v.

@HJohn

That's a sensible position, fear of customer backlash. I wish it didn't have to be that way, but that's the best argument against it I've heard - not that criminals are bad, but that your customers might believe criminals are bad and withdraw their business.

Whether it's true or not isn't something you can debate with your patrons; you have to respond to their fears.

I understand the principle of least possible permissions, but cost cutting is a powerful motivator. The societal bonus (I feel) is a plus.

JB • May 18, 2010 3:49 PM

@HJohn

You forgot to mention the second part of restricting sensitive information -- the need to know. Most operations dealing with sensitive info will restrict sensitive information even for people they've cleared unless that person needs to know the information to do their job, so withholding sensitive info isn't a punishment even for non-cleared individuals. Of course, I kind of doubt anybody's going to clear someone who's currently incarcerated.

HJohn • May 18, 2010 3:52 PM

@freedomofeverything: "That's a sensible position, fear of customer backlash."
__________

When it comes to customers (or voters, or evaluators, or bosses, or almost anything), perception often affects outcome more than reality even if the perception is wrong.

Brandioch Conner • May 18, 2010 3:58 PM

@freedomofeverything
"That's not a counterpoint. That's ctrl-c ctrl-v."

You were off on a tangent. The discussion is not about occupational rehabilitation of criminals.

The discussion is about security.

freedomofeverything • May 18, 2010 4:14 PM

@Brandioch

So say that instead.

But discussions have this way of wending back and forth, and the security portion of the discussion is pretty much covered - yes it's a risk, but it can be mitigated; it's sub-optimal but cost cutting makes it somewhat more desirable than it would otherwise be.

Brandioch Conner • May 18, 2010 5:05 PM

@freedomofeverything
"But discussions have this way of wending back and forth, and the security portion of the discussion is pretty much covered - yes it's a risk, but it can be mitigated; it's sub-optimal but cost cutting makes it somewhat more desirable than it would otherwise be."

You have yet to show that it could be mitigated and achieve the same result as the methods employed right now to reject people with a criminal background.

freedomofeverything • May 18, 2010 5:28 PM

@Brandioch

Only if you don't give up preconceived notions of prison residence as a universal marker of badness.

Anyway.

Dumbledore dies.

Brandioch Conner • May 18, 2010 5:48 PM

@freedomofeverything
"Only if you don't give up preconceived notions of prison residence as a universal marker of badness."

Well, at least you've dropped "evil". Although "badness" is not an improvement.

And, again, statistically, the people in prison ARE more likely to commit crimes than the people who are NOT in prison.

And so the thread begins again.

There is a difference between a "population" and an "individual". But until you can demonstrate the ability to PREDICT behaviour, the statistics of the population are all anyone has available.

AC2 • May 19, 2010 1:15 AM

Phew 52 comments in 10.5 hrs....

Brandioch seems to have set up a keyboard shortcut for "No. This is about security." :-)

Anyways it's a dumb idea.. Is it any coincidence that the two key men (CEO and CFO) who masterminded the Satyam scam are currently lodged in the same jail? Methinks not!!

But more interestingly what kind of work can cons do on computers that will develop their job skills in something more in-demand and well-paying than making steel furniture... Clearly back-office work for any institution that deals with confidential/ sensitive info is a bad idea.

Heard about some US prison that handled ticket booking ops...

Nick P • May 19, 2010 1:39 AM

@ AC2

Indeed. It seems Brandioch was successfully lured in by a troll. The guy is probably getting off on every rebuttal. ;)

As for the topic, the idea is certainly insane. Companies whose cost-cutting and risk management led them to outsource to prisoners are unlikely to show more quality in the areas of internal controls, monitoring, selection, and network/system/application/data security.

There's only one class of "trusted" systems whose requirements allow untrusted people to build & distribute them: A1/EAL7. Average cost is over $10 million for tiny, limited systems. And this company wants us to think they can pull the same thing off on an Indian budget using the least trustworthy individuals in the country?

For once, just hiring Americans seems like a better deal. ;)

Craig • May 19, 2010 4:11 AM

Whoever wrote this business plan definitely has a background in sales, as they seem to be able to sell anything, and are not thinking security?

Why do banks try so hard to diminish our trust?

AC2 • May 19, 2010 5:28 AM

@Craig

"Whoever wrote this business plan definitely has a background in sales, as they seem to be able to sell anything, and are not thinking security"

Indeed, but to quote Albert Spangler/ Moist von Lipwig "You've got to know how to sell the sizzle if you want to sell the sausage"...

bob (the original bob) • May 19, 2010 9:47 AM

Do we have any indication that the average prisoner in India has a lower work ethic/moral standard than the average Indian commercial outsource worker NOT in jail?

Or for that matter lower than that of the average US Airline CEO, Televangelist or Congressperson?

paul • May 19, 2010 10:21 AM

Surely there's enough data in India for prisoners to do their learning with local resources?

What strikes me about this is that the only motivation seems to be cost, ie that the prisoners can be paid less than other populations one might outsource to. And that does not speak well to the rest of the associated process.

Egbert • May 19, 2010 10:55 AM

@Chris 2

"That was my thought as well, just what we need, people convicted of fraud doing data entries for banks."

It could be worse, banks could be run by people who haven't been convicted of fraud.

Clive Robinson • May 19, 2010 11:49 AM

@ BF Skinner,

"You're an old fart"

Only after lunch on "Has bean in Tuesdays" down at the local Darby & Joan Club ;)

With regards your question,

"Is information about me MY information"

The unfortunate answer ranges from 'it depends' to 'not at all'.

In the UK and Europe some information (ie that, that you have kept secret) is yours as well as some aggregates of personal information that might be used to identify you or things about you (ie medical info).

In the US it basically boils down to only that information that you keep secret, otherwise it belongs to whoever collects it. Which is a bit of an anomaly as if I have two people's data it becomes a "work" and I get copyright over it (go figure)...

In other parts of the world there is no protection of the data other than either "breach of contract" or maybe "theft from an employer" if the employer can show direct loss. Either of which gets you a slap on the wrist and reentry into the job market again...

Sadly recent work shows the notion of converting PII to non PII by anonymizing it, is in reality just a hand waving gesture. Even very moderate data sets (hashed surname and DOB or place of birth) have you nailed cold.

McCoy Pauley • May 19, 2010 11:50 AM

Throw somebody with a brain into prison. Give him crappy food and no intellectual stimulation. Tell him he can work for 3 cents an hour and put the money into his canteen account to buy slightly less crappy food at super-inflated prices. Profit obscenely from his labor, profit obscenely from his hunger, and tell John Citizen that you're "rehabilitating" him. This is the business model of the future for good ol' America, too. Ah, never mind, go back to sleep. Everything's just dandy. The chocolate ration is up to -3 grams.

Peter E RRetep • May 19, 2010 3:00 PM

I used to ask Help Desk people where they were when I would call them, just to be real persons, and for many years the credit card answering services have often been answered by persons in prison. {I'd ask about the weather, not why they were in.}

A lot of what is being said above misses the essential point:

the data streams they work on come from everywhere -
not just in-state. Mine were mostly out-of-state at the odd hours.

If they are good or not by inclination, who controls their environment? Missionaries or *criminals*?
It's not only about what they want to do, but what they can be pressured/induced to do.

I have often wondered about this problem set.

So outsourcing American prisons to Indian or Other Prisons
[Hello, This is Moe [in Kabul]? How may I assist you?]
is it better [more secure - meaning communications are isolated] or worse?

Clive RobinsonMay 19, 2010 4:04 PM

@ Peter E RRetep,

(Have you typoed your palindrome?)

With regard to,

"is it better [... ....] or worse?"

It depends on the actual threat model.

For instance it is known that some Indian call center workers passed details on to criminals. In some cases it appears by memorising the appropriate details to avoid "search" issues.

It is equally as likely for criminals in India the US or any other place you care to name to develop this memory ability to similar levels..

Thus you need to consider the "down stream" issues of how does "Marvin memory man" pass on the details and how does he get the rewards of doing so.

That is "the means" and "the motive" are not difficult to imagine it's "the opportunity" to prosper by them which is difficult to envision.

Thus it is at this point at which it becomes just guess work for me (as the only time I've stayed in a prison was in Sweden long after it had been converted to a successful hotel). And I think you can take it as read I'm not going to go into an active prison without a lot of persuasion even in the name of research ;)

What we do know is that there is a thriving drugs culture in most prisons so we know that people have worked out "the opportunity" aspect.

I would say that on balance I would regard a "home prison" as being safer than an "away prison" simply because of the bad publicity angle.

That is a US Prison is likely to have some concern as to its "political" image with US citizens, however I can not see a foreign prison caring a fig about what US citizens think as long as the revenue stream is protected....

Pat CahalanMay 19, 2010 5:48 PM

> You as an end user have no evidence that
> a company-employed data entrist is less
> prone to steal your data than a given prison
> industry entrist.

That's a flatly ridiculous statement. I will agree that the evidence is not as clear-cut as many people may assume on first glance, but the conclusion is not that you have "no" evidence, just that you have evidence with limited utility.

Clive RobinsonMay 19, 2010 11:29 PM

@ Pat Cahalan,

"... just that you have evidence with limited utility"

I'm not sure I would agree with you.

Financial and other organisations have reputations to protect thus they tend to be considerably less than forthcoming about the "who" "what" or "why" of publicly "known security breaches" and mute at best on non public security breaches.

For Joe Average who has not had their details misappropriated and used to their harm, they will see a system that works the way the publicity says it should. It is only when they are harmed and can trace it back that they might have some evidence. But it is only a single data point and in the same way "a swallow does not make a summer" it does not give a trend or a probability etc.

Joe Average would normally only get other data points if a Journo picked up on the story and had a dig around and published their findings in a way that was open to objective analysis.

It is thus a case of "no evidence" for Joe Average not because the evidence does not exist but either they do not know it exists or they cannot get access to the evidence.

ikeMay 19, 2010 11:53 PM

"It's not necessarily a bad idea, as long as misusable information isn't being handled by the criminals."

Does that leave anything?

NotThePointMay 20, 2010 7:02 PM

@freedomofeverything

How about paying someone good money who has not yet shown they are untrustworthy in the first place?

Getting incarcerated for a crime, removing your freedom, is a pretty big punishment. It generally means that you are not trusted. Even when you leave prison you are forever under suspicion.

I guess my issue here is... if I couldn't get a job at a bank because I was in prison in the first place how are they supposed to say it's okay to work for a bank if I'm *still* in prison?

NotThePointMay 20, 2010 7:18 PM

However . . .

I seem to remember that during the old wars they used "computers" (the people type, not electronic) to decode ciphers.

They had to do it in such a way that no one person would know what the other was doing or working on (so they wouldn't decipher the whole thing then go tell someone).

It seems to me they could obfuscate the data entry in such a way to make it meaningless to any one person (or even several people who could compare notes).

But what would be the cost of setting up such a system and how do you make sure the correct oversight is involved?

Military is hardly always business oriented and can justify extra expense for the case of secrecy.

ArunMay 20, 2010 11:11 PM

I think it's not a bad idea.

The risk exists in the current BPO structure also, as there is no proper employee check, or for that matter, I believe there is no mitigation strategy involved anywhere.

As against the potential risk, you need to look at those people who are educated, and still locked up in jails. This might be a potential break for them to live up and show that the bad phase is over in their life and they are ready to be socialized.

If people are put up in jail, with the expectation that they will change over time, then I would welcome this decision as this would only help them.
Or else, if one had committed a crime, and he is considered always a criminal, then there might be a serious consideration we need to put on the judiciary system overall.

The only risk I see is a lot of criminals at one place, having a lot of data in hand. But to mitigate this, we can evolve with a strategy, like people in the same cell/tower won't be having access to the same files or so. (random calls etc)
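One way the compartmentalization suggested in the two comments above (work split so no one person sees the whole, and people in the same cell kept off the same files) could be arranged, as an added example that is not part of either comment. The field names, operator names, cell groups and all function names are assumptions made for illustration.

```python
import random
import secrets

FIELDS = ("name", "account_number", "date_of_birth")  # assumed record layout

def split_into_tasks(records):
    """Turn each record into one task per field, labelled by an opaque id.
    Returns (tasks, linkage). linkage maps task id -> (record index, field)
    and stays with the data owner, outside the data-entry unit."""
    tasks, linkage = [], {}
    for index, record in enumerate(records):
        for field in FIELDS:
            task_id = secrets.token_hex(8)
            linkage[task_id] = (index, field)
            tasks.append((task_id, record[field]))
    random.SystemRandom().shuffle(tasks)  # queue order must not reveal grouping
    return tasks, linkage

def assign(tasks, linkage, operators):
    """Give each task to an operator whose group (e.g. cell block) holds no
    other field of the same record. operators maps operator name -> group."""
    rng = random.SystemRandom()
    groups_seen = {}  # record index -> groups that already hold one field
    assignment = {}
    for task_id, _value in tasks:
        record_index = linkage[task_id][0]
        used = groups_seen.setdefault(record_index, set())
        eligible = [op for op, grp in operators.items() if grp not in used]
        if not eligible:
            raise ValueError("need at least one operator group per field")
        chosen = rng.choice(eligible)
        used.add(operators[chosen])
        assignment[task_id] = chosen
    return assignment

def max_fields_per_group(assignment, linkage, operators):
    """Oversight check: most fields of any one record visible to one group."""
    counts = {}
    for task_id, op in assignment.items():
        key = (linkage[task_id][0], operators[op])
        counts[key] = counts.get(key, 0) + 1
    return max(counts.values())
```

A single field such as an account number can still be sensitive on its own, so this limits what can be recombined rather than what can be seen.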

SShahMay 24, 2010 11:53 PM

That's interesting. I wonder if they'll be paid wages or something. At least, it takes their mind off negative stuff and they can be productive. So, when their sentence is done and they're ready to face the world anew, they have new skills to help them get a job.

tuxgirlMay 25, 2010 11:37 AM

I will agree that not everyone in prison is likely to be an identity thief, *but* they are people in a sensitive situation. I don't know what the conditions are in India's prisons, but my guess is that the guards have some control over "privileges" and the quality of life of the inmates. There is likely little to no recourse for an inmate that is being treated unfairly. That makes this a prime situation for a corrupt guard to take advantage of the prisoners, bullying/blackmailing/bribing a few that they know might be malleable into skimming data. Yes, it's hard to remember the data if you're not allowed paper and if you're being watched, but if the guard is in on it, it suddenly becomes much easier.

twMay 30, 2010 9:53 AM

Has anyone considered that if prison labor is free, that less people might end up being free?
If the only things I need to do financial industry recruiting involves the use of a police officer and a crooked judge - what's the deterrent?

JeffKJune 2, 2010 12:57 PM

There are plenty of criminals who would pose little increased risk over the general population. Picture a typical habitual drunk-driver: a high-functioning alcoholic that can't grasp how impaired he gets when drinking. Yeah, he's a criminal, he puts people at risk, he's dangerous.

That doesn't mean he has any particular interest in committing fraud, extortion, or identity theft.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..