Emergent Chaos

Choicepoint, March 29-31

• Alacrablog discusses a Morgan Stanley research report:

  Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers.

  There's also an interesting post rounding up the SIA Anti-Money Laundering conference.
• The Atlanta Business Journal reports that the Georgia House has passed a notification law.
• Choicepoint may be developing an access system, according to a March 31 AP story that's only been picked up by the Kansas City Star (bugmenot has logins):

  "You will receive the reports that we have on you," Don McGuffey, the firm's vice president for data acquisition, told the state's Senate's Banking, Finance and Insurance Committee on Wednesday.

  It doesn't seem that they'll be moving towards the right of correction. Rather, you need to convince whoever reported bad data to correct it, and they will update Choicepoint. (Based on past evidence.) Compare this to credit reporting agencies, who have to include your corrections or disputes. Michael Zimmer has comments as well.
• Bruce Schneier quotes a Register article:

  Sadly, Congress's response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.

  For this reason, it's literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry.

• and Mark Earnest makes a similar point.
• Finally, today's Two Minutes Hate Irony is brought to you by "Ayn Rand is my Homegirl," carrying a press release from

  Executive Alliance, Inc., the premier provider of leadership-recognition forums, today announced that it has named the Distinguished Panel of Judges for the first annual Information Security Executive of the Year (ISE) Midwest Awards(TM) 2005

  The judges panel includes:

  Rich Baich, Chief Information Security Officer Winner of the 2004 ISE in Georgia Award™ ChoicePoint ... Leo Cronin, Senior Director, Information Security Finalist of the 2004 ISE National Awards™ LexisNexis Group

  Apparently, UC Berkeley doesn't have a CSO.

My Choicepoint posts all show up the Choicepoint category archive.

"Public Availability of Private Information"

Screendiscussion makes a case for criminal records searching as an adjunct to a background check:

One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty unique, but if someone has been cursed with a common name then look out.

...
While it makes sense to curb identify theft by not providing a person’s name, date of birth and Social Security Number to the general public, in practice it’s a double-edged sword. Identity theft is limited, but it also means that an employer has to deal with how to use the information in deciding whether or not to make a job offer. There have been plenty of situations where a person wasn’t offered a job because of faulty information retrieved in a background check, and this newer practice doesn’t help things much.

I think the problem with this is that it's a self-fulfilling prophesy: As national criminal background checks become possible, for liability-avoidance, they become mandatory. As they become mandatory, more and more data is made public. But they'll never be perfect. So should we be going in that direction, or choosing to keep background checks expensive, so that employers are less tempted to perform them?

Three Times is Enemy Action

With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they're not to be trusted; students have no choice but to provide that information; government action is called for.

P2P, Filenames

The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names ("2 yo getting raped during diaper change"). He doesn't download any files, but takes this as evidence for his title.

I don't want to defend such sick behavior, but there are some things worth thinking about. First, are these files what they purport to be? That is, are they child porn, or are they trojan horses carrying spyware or viruses? (They could also be 5 minutes of someone screaming "You sick, sick bastard! Go get help!") Second, are they being distributed by law enforcement or investigative agencies, who log every search and transfer?

So, it's pretty quick and easy to come up with interpretations of the evidence that aren't "P2P Provides Safe Haven For Pedophiles." I have no interest in downloading such files to test the "alternate content" theories. An interesting test would be to run such searches, and dig into the IP addresses sharing such files. Maybe they are law enforcement?

Optimism about the Future

I was talking to someone about a New York Times story "U.S. Is Examining a Plan to Bolster the Rights of Detainees." The story contains the line:

Those changes include strengthening the rights of defendants, establishing more independent judges to lead the panels and barring confessions obtained by torture, the officials said.

I made a snide comment about just including those confessions in the secret evidence that we won't show defense attorneys. He commented that it's actually a step forward, and he's right. I am deeply saddened that the United States is taking a step forward to exclude torture-derived evidence, but glad that things are heading back towards normal.

The pessimist in me says that there are liberties that we'll never regain. The banking system is probably a permanently tied to "know thy customer" rules. Air travel will never again be as easy as it was. Tourism will never get back to where it was. The psychological intrusiveness of measures chosen for the US Visit program deter visitors from coming to the US. Even if you think the program is useful, it could have been better implemented. Poor choices include fingerprinting vs other biometrics such as hand geometry which aren't associated with criminality, and the extensive secondary uses of data, so that it continues to track you through your entire life, not just your entry and exit to the US.

We don't know what great things might have happened with the liberty that we've lost. We've chosen to accept fear over hope. To allow fear and pessimism to infect our thinking. I'll try to do better. To laugh at the fearmongers, rather than cry. To pursue happiness.

Choicepoint, March 27-28

• EPIC has obtained documents which...

  ... reveal that Choicepoint proposed the sale of detailed personal information to the Bureau for law enforcement purposes. The documents show an extraordinary range of data sources, including e-mail registration, cookies, spyware, employment screening reports, motor vehicle records, drug screening results, professional licensing, Social Security Numbers, wireless phones records, and calling card data. One memo also discussed the availability of information on Europeans, Latin Americans, Asians, and Africans.

  (Via McGeek) Choicepoint, meanwhile denies that this is against the law, but not that the offer was on the table.
• Hank Asher, founder of Database Technologies (involved in the Florida voting scandal) and later Seisent, makers of MATRIX, has settled five lawsuits with various companies, including Choicepoint, according to this mysterious press release. Some lists of motions are online. (Thanks N!) South Florida Business Journal has an article:

  "A big part of why I settled the case is it would take three, four, five years to litigate," Asher said. "I don't know how much will be left of them [ChoicePoint]."

• Former Wal-Mart director Thomas Coughlin, who has resigned after improprieties, remains in charge of Choicepoint's Audit committee, according to the Atlanta Journal Constitution.

The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

Emergent Predictions

1. By the end of 2005, we will have had a month with at least 30 disclosures of serious security breaches, making private information about people available.
2. At least 10 of these breaches will involve data which organizations are required by law to store and protect.
3. This will cause a set of Congressional hearings, in which the current data retention standards will be questioned. No reduction in government-mandated data collection will result.

Watch Lists: Juan Carlos Merida

Juan Carlos Merida is an unusual victim of the watch lists. He knows why he's on one. As the New York Times reports, while a volunteer at the Airman Flight School, he gave rides to lots of students. The students he gave rides to included Zacarias Moussaoui, who is currently awaiting trial on suspicion of being a part of the Sept 11th attacks.

But even knowing why he's on the lists isn't helping him clear his name.

Update: Michael Froomkin caught a detail I skimmed over, and it's implications in "The Insidious Effects of Security State Blacklists."

I've discussed the concept of watch lists before.

RFID Kills

The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, id thief, or terrorist who wants it.

Want to see if there are more Americans on the right or left side of the plaza? No problem. Uncle Sam is helping the terrorists. There is no good reason for this. Canada, Germany, the Netherlands and Britain have all opposed this. The technical term for these chips is RFID, but really, they're just small radios that invite thugs and terrorists to attack you as you travel abroad. If we need electronic chips in passports, they don't need to include radios. I've never even seen anyone make an argument for the radios.

I've covered this in RFID Passport data won't be encrypted and The Open Passport, and in small bits have pointed to articles by Ian Grigg and Ryan Singel.

Bill Scannell has set up a web site to make it easy to send your comments to Uncle Sam. Take five minutes and tell them: No RFID chips in passports. They don't make sense, and RFID Kills.

Microsoft Security Lifecycle

Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security.

Slag all you want, but I don't see a lot of other vendors doing this. And now, if you need leverage to get buy in, you can either say, "We should emulate Microsoft..." or "Even Microsoft does..." It's a win. Thanks for making it available.

Framing Effects & Law Reviews

Framing effects are what a variety of types of academics call the variety of contextual effects on perception. For example, six months ago, this laptop went for $4800, and now it's just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr saying:

Fun, Entertaining, Clever, and Short: Believe it or not, that's a description of a forthcoming law review article. Yes, a law review article. Check out The Perfect Crime, by law prof Brian C. Kalt, forthcoming in the Georgetown Law Journal. It clocks in at 22 amusing double-spaced pages...

Yes, in law review-world, that's short. In my world, this is slightly fun, mildly entertaining, clever in a sort of self-referentially post-modern fashion and short, at slightly over 22 words.

Small Bits: Long tunnels, Marburg virus, Cyber Cons

• Iraqi prisoners have dug a 200m tunnel out of one of the US run prisons in Iraq. The BBC has pictures.
• The Marburg is spreading in Angola. Marburg is an Ebola-like heamorraghic agent. Some analysis.
• Charles Cooper has some commentary ranting about the state of the information security industry at cnet:

  It's tempting to become cynical about so sensitive a subject, but the blunt truth is that Americans care more about the ultimate outcome of "American Idol" than they do about repairing the nation's IT infrastructure. Outside of the confines of the security nerds who live and breathe this stuff, most folks are bored silly by the subject.

• If you're not bored silly by this stuff, Not Bad for a Cubicle has a nice post on The Costs of Keeping Data. If you're responsible for security programs, you should read what he says about your costs and risks.

Lying to Congress, Murdering Prisoners Now Legal

Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. "Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency's actions."

In other news, the Pentagon will ignore the recommendation of the Army Criminal Investigation Command to try the soldiers responsible for the deaths of detainees. Michael Froomkin has commentary.

Next up, sending prisoners to Egypt, and then seven or eight other things.

Choicepoint, March 24/25

• The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches.
• Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart: "A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards."
• [Choicepoint CEO] Derek Smith has apparently received threats via fax, according to TV station WXIA Atlanta. Here's a cheat sheet for you:
  • Denying his job application because of a Texas criminal record: Entertaining.
  • Sending him Nigerian spam from a Kinko's in LA: Self-referentially ironically cool.
  • Sending threats: Not cool.
• Scott Berinato has a column at CSO Magazine calling this the Waterloo of information security. (Is there a permalink to that column?)
• The Christian Science Monitor has an editorial entitled "Locking Out Identity Thieves." The subtitle is "Why are data collectors blocking efforts to require notice of a security breach?"

  One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that's a small price to pay for privacy and a more secure online identity.

The best way to see all my Choicepoint posts is probably the category archive for Choicepoint. [Update: added Berinato column, 2: Identified Smith]

Security In a Changing Nation

Screendiscussion responds to my comments about "Three Privacy Breaches" in Security In a Changing Nation. He sums up his argument as "Why? The reason is that we, as a nation, have become extremely security conscious in the past few years." I think this is only partially correct. I suspect that this is part of it. Perhaps that consciousness also entails an understanding that no one is perfect? That the attacker only needs to win once? That a cover-up is a worse sin than a mistake?

I suspect its the last bit: We're coming to see security mistakes as mistakes, that will happen. I think we need to start designing systems with that in mind.

Small Bits of Chaos: Anonymity, Citizenship

• Ed Felten summarizes Wendy Seltzer's comments on the NYT "Open Wifi is evil" article: "anonymous sources claim anonymity is evil."
• The Department of Citizenship amends their terms and conditions. (Via Michael Froomkin.)

Discretionary Disclosure

A man who pleaded guilty to hacking into an Arkansas data company's computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison.

Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August.

Baas was a systems administrator for Market Intelligence Group, which had an agreement to analyze data for Acxiom Corp., of Little Rock, Ark., when he exceeded his authorized access and downloaded encrypted password files, prosecutors said.

In a plea agreement, Baas admitted that he stole the data between January 2001 and January 2003 and stored it on computer disks at his home, prosecutors said. On Wednesday, U.S. District Judge Susan Dlott sentenced Baas to 45 months in prison.

Acxiom's clients include credit card issuers, banks, auto manufacturers, telecommunications companies and retailers. Baas bragged to other hackers that he had the files, but didn't share them with anyone, prosecutors said.

According to Robert O'Harrow's "No Place to Hide," pp72, the company chose not to notify: "A company official said that the information was simply not that sensitive and 'did not meet a threshold that would require customer notification.'" (Update: Try this Google Print link.)

Acxiom's data would be covered under California law, the new laws that a number of states are putting in place after Choicepoint, but not the FDIC, FRB, or OCC regulations that have been put forth.

Disclosure Laws & Regulations

Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators.

A brief digression: The new guidelines seem to make sense, but it's difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options.

For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans -- but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards.

Its hypothetical competitor CheapDiscountBank might take less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let's assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they're willing to take and companies could experiment. Because that process doesn't exist today, we end up with a one-size-fits-all rule that sets both a security floor and also a de facto ceiling that banks seem unwilling to exceed. It's difficult to know whether that security "level" is the best one for consumers.

I'll suggest that the new rules don't go far enough. As the Washington Post story (archived here) explains: "If the organization determines that misuse is unlikely, it need not report the breach to its customers." So CheapDiscountBank might have one criteria for determination, while BankSuperSecure has another. But consumers won't be able to compare those. As the regulation says "It also should generally describe what the institution has done to protect the customers' information from further unauthorized access." Generally describe? How can I assess a general description? (A non expert consumer might have difficulty, but could turn to Consumer Reports, or other trusted sources, for advice.)

Also, federally mandated "know thy customer" regulations require banks to gather, authenticate, and store everything an ID thief needs to go about their business. SuperSecureBank might promise to throw away all the non-essential data, so that they can't have a breach. SuperSecure could thus lower their costs and increase their security. It's too bad that a mere $50 billion in annual losses doesn't prompt a review of how we've organized the regulatory regime.

"A Unified Theory of VC Suckage"

Brad Feld pointed to an essay by Paul Graham, entitled "A Unified Theory of VC Suckage." (VC is short for venture capitalist, the folks who invest in certain types of startup companies.)

I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to me as complaining that users didn't read the reference manual. Of course VCs were jerks. How could it be otherwise?

But I realize now that they're not intrinsically jerks. VCs are like car salesmen or petty bureaucrats: the nature of their work turns them into jerks.

What I really like about Paul's essay is that it talks about some of the economic pressures on VC funds, and how those pressures get pushed to startups.

This is a strange thing for a startup guy to say, but I have a lot of sympathy for venture capitalists. In some ways, a VC fund is like a startup. You have some guys who know something about business. They go out looking for money. If they get the money, they have 10 years to make good on it. I'm might get pilloried for this next sentence, by people who skim through why I'm saying it: Unlike a startup, most VC have relatively little in the way of compelling advantages. That's not to say that investors are indistinguishable, only that it's even harder for a VC firm to create, maintain, and communicate a compelling advantage over the other firms.

Most investors don't get to build disruptive technology. They get slight first mover advantages. Most VC are in cutthroat competition with other VC for the ability to put cash into a few good companies, and a lot of 'maybes.' A good investor brings good strategic advice, and a big rolodex, and a willingness to work for you. Well, so does that other fund. Compare to a startup which can get a strong first mover advantage, building, say, a database that's 10 times faster, or with six signed customers in the fortune 500.

So I think, to extend Paul's economic analysis of why investors and startups clash, it goes back to the limited partners who invest in venture capital funds, and the way they need to behave.

As a side comment, Rick Segal asks:

And what is this issue with a liquidity event. Why is that evil? What's wrong with making some coin, selling companies, IPOs, mergers, whatever. I've yet to see anybody, Paul included, to give me a compelling reason why this aspect of venture capital means we all suck. 

Let me start by reiterate that I don't buy the suckage claim. At the same time, there are businesses which may look like VC-fundable businesses, and, to everyone's surprise, turn out to be organic growth sorts of businesses. For these companies, who need to contort to give their investors an exit, the liquidity requirement can suck. If the investors and CFO are good, I think there are usually options, such as a management-lead leveraged buyout, converting equity to debt, and giving the cash to the investors. But, really, the issue is that VC firms are on a ten year schedule, and that creates pressure on the startups to be on (at most) a 5-6 year schedule. If you don't know this going in -- if you're starting a startup to build a great business like your grandparents did -- then you can find a world of hurt.

"What Would Gandhi do?"

"What would Gandhi do?" is the title of a soul-searching post by Joi Ito about positioning. It reminded me of a passage in William Shirer's memoir of his time with Gandhi. I'd like to quote the passage, which ends chapter 11, and then add some comments. The context is Gandhi's visit to England, and in particular, his visit to the Lancashire mills, which were suffering from an Indian boycott on English cloth. Gandhi visited the mills to find allies and support for his goal of Indian independence.

Gandhi was too tactful to mention--to the workers or the employers--a strong impression he had gained after three days in Lancashire. It would have amazed them, I think. But he remarked on it to me the last day in Manchester. He was taken back he said, by the backwardness of Lancashire's cotton industries.

"I'm no mechanic," he smiled, "but I've seen enough up here in three days to show me that the English are using antiquated machinery. It probably explains there inability to compete with other countries. The machinery in the Bombay and Ahmedabad mills is one hundred percent more efficient."

So, when it came to searching for allies, Gandhi did not feel compelled to say everything he thought. He was truthful, and had someone thought to ask, he probably would have answered honestly. So I think pulling back from offending your audience so much that they close their ears is a fine thing.

At the same time, sometimes you may not be able to be diplomatic. I think we agree that over the next decade, copyright is likely to change dramatically. Innovative publishers like Baen books and O'Reilly are experimenting with new models. If a publisher wishes to call Baen and O'Reilly's experiments 'disgusting,' they're free to do so. (Well, they may have a fiduciary duty to their shareholders to figure out how likely a change in copyright law is, and how they'd handle it if it happens, but they can still call it disgusting.)

Earlier in the chapter, Shirer discusses how, at the London conference on India, Gandhi ignored the wishes of the rest of the delegation, and announced that Britain should take on India's national debt. He did this because he thought it was right, and important. I suppose to sum up my reading of Gandhi, consider if what you're saying needs to be said. If something needs to be said, don't be afraid to speak the truth.

Three Privacy Breaches

"DMV hopes to reassure clients about security."

The DMV on Wednesday will send out letters describing the incident and new driver's licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV.

"Audit: State voter system left information vulnerable:"

The state elections and technology departments agreed that the systems were vulnerable, but they told the Office of the Auditor General they are not aware of any time information in the Digital Driver's License System and the Qualified Voter File was compromised.

...
"We identified numerous and, in some cases, very significant vulnerabilities in the configuration of the QVF operating system and database that preclude management from preventing or detecting unauthorized access," auditors said in their report.

and finally: INTERNATIONAL STUDENT FILES: UNLV server accessed:

University of Nevada, Las Vegas computer analysts were conducting a routine security check on network activity when they found a hacker accessing the Student and Exchange Visitor Information System, also known as SEVIS.

The two things that all of these stories have in common is that last year they'd have been swept under the rug, and that they all involve government computer systems being breached.

(All courtesy of Internet Security News.)

Small Bits: Hell, TSA, Insurance, Mutual Funds, Telephone Privacy

Asteroid analyzes Sisyphean volunteers and the modern condition in a brilliant essay. It just goes to show, the Greeks really did invent everything.

Robert Poole and Jim Harper debate the TSA in "Transportation Security Aggravation" at Reason.

Tyler Hamilton looks at two schemes to cut your auto insurance premiums by monitoring your driving, and their privacy implications.

The Wall Street Journal reports that some mutual funds are disclosing their customer information in SEC filings. The funds in question have strange share structures that cause small investors to be disclosed. (If that link doesn't work, try dkgroup.)

Dave Evans points to Date Number, a targeted privacy service for those concerned about stalkers.

Posted by adam on March 23, 2005 at 11:59 AM in Air Travel , Amusements , Economics , Privacy . You can: search Technorati.

Bookmark this post:

Choicepoint, March 22/23

• The Daily Caveat rounds up the five shareholder lawsuits against Choicepoint.
• The Atlanta Business Journal has an article on Choicepoint's executive compensation.
• Kim Zetter at Wired has a 3 page story on Choicepoint's Checks Under Fire.
• CNN reports that only 11% of id theft occurs online.

  Well, actually, there might be some methodological problems. It's hard to tell, since the survey costs $1,500. First, consumers often have mistaken information about security issues. Second, its not clear if this was a survey of consumers who had suffered ID theft, or if second-hand data was accepted. No comparison to FTC data is provided.

  The telephone survey of 4,000 consumers was done by the Better Business Bureau, and funded by eMarketer online. I called Sheila Adkins, CBBB's Associate Director, Public Affairs, but have not heard back., who called back, and gave me other folks to talk to. Not yet sure if I'll track this down for analysis.

• LiberalDesert writes about how the Social Security administration has better customer service than the big three credit agencies.
• Finally, today's Two Minutes Hate, while not really Choicepoint related, comes to you from ... Freedom is Slavery. How could I argue with MinTrue?

The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

Those Exemplars of Ethics at the UN

Read this transcript about former UN Oil-for-Food program lead, Benon Sevan. Apparently the UN is paying his legal fees.

Question: The other question was a follow-up to a story in the New York Sun today. The United Nations has been paying Benon Sevan’s legal fees. Is this appropriate? Is this normal practice? And why did the United Nations not announce this?

Spokesman: Indeed -- well, first of all, we haven’t paid for anything yet. But it is true that the Secretary-General decided, in principle, to reimburse Mr. Sevan for what we called “reasonable legal fees” as determined by the United Nations for services in connection with his appearance before the Volcker Commission. The payment of these fees was to be made on a strictly exceptional basis, for the purposes of facilitating the work of the Commission.

Electronic Voyeurism

Jason Young has a great, thoughtful post at Blog*on*nymity:

Like other nations, Canada has moved to adopt criminal sanctions for electronic voyeurism, a social problem that has become acute with the availability of cheap and inobtrusive surveillance technologies. The legislative efforts are welcome and yet I cannot help but wonder if we are missing the forest for the trees.

...
Privacy is a mutable value and can mean many different things. It can represent distinct legal interests as well as broader social ones. Our respect and disdain for privacy – our own and that of others – alters the nature of our relationships to one another and also the very fabric of the community. Legal sanctions for voyeurism seek to mitigate the personal harms and protect individual interests, and to some degree they will do so, but they are ill-suited to address the social harms or protect the social value of privacy.

How Many Home Pages?

I was trying to enter someone's web address into Apple's Address book recently. Unfortunately, Apple believes that you have a home page. This is at odds with almost all the other fields in Address Book. You can have lots of phone numbers. A profusion of email addresses. And one home page.

Me? I have a longstanding personal home page. I have this blog. I have a side consulting business. I have a personal journal. If I was working for a company, I'd have a corporate page. That's five. Ooh, I have a page at Flickr, too, to share photos. So six. Unless you ask Address Book.

But dig those nice green plus signs. You have to figure, it would be pretty easy to add that to the other fields that are there.

Now, admittedly, I may be a little extreme in having six web pages one might call my home page. But I think that two or three (personal, professional, blog) is no longer unusual, especially amongst the Mac's new target audience of tech executives. So come on Apple! Let's have more home pages.

Choicepoint, March 21

• Businessweek has an editorial, saying strong regulation is unlikely, but credit freezes, mandatory disclosure, and liability for breaches should come. (I'd argue that liability for inaccuracy, creating a duty to the subjects of a database should also be considered a floor for a new law.)
• EPIC has written to the FTC, critiquing their testimony. (Via Consumeraffairs.com.
• It seems that Choicepoint owns Rapsheets.com, the company providing back-end data for investigate-your-date company true.com. (From the Desert Dispatch, via Kathryn Lord. Note that Choicepoint also has a bad habit of reporting erroneous criminal histories.
• In the fallout department, IRBSearch has taken to truncating SSNs, according to The Daily Caveat, a PI blog.
• Bob Sullivan at MSNBC turns a skeptical eye towards ID theft insurance and monitoring services.
• Screendiscussion has some thoughtful and interesting discussion of background check related issues. His writing style resonates with me more than many of the other PI and screening industry folks who've blogs that I've come across.

The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

Small Bits: Caller-ID, FBI Lies, Intel Reform, and GCC

Wired is carrying a Reuters story blaming VOIP systems for security flaws. The claim is that VOIP, by allowing everyone to set their caller id string, is causing security problems. This is false. These security problems have existed and have been exploited for a long time. For banks, or anyone else to rely on caller id when the provider accepts no liability, is an accident waiting to happen. And now it has. Don't blame VOIP. Blame the financial services companies who have placed their convenience over your security.

Ed Hasbrouck has a long article on the FBI's grubbing around in personal data:

Once again, the question comes down to whether the TSA was incompetent or lying: Was the TSA actually unfamiliar with the FBI's analysis of the content of PNR data, even as the TSA was devising massive, and massively intrusive, systems highly dependent on what such data might contain? Or was the TSA actually aware, from its familiarity with at least the structure of the FBI data set, that PNR's invariably contain personally identifiable information on people other than passengers, in the form of the required unique agent sine?

These folks would be a lot more trustworthy if they could be relied on to get basic facts right in their public statements.

Speaking of trustworthy, the Economist has an article on intelligence agency reforms.

Lastly, GCC4 has a new feature, mudflap, for debugging pointers and some stack/heap issues. The slashdot discussion has some good bits.

Posted by adam on March 21, 2005 at 10:30 AM in Security , Usability . You can: search Technorati.

Bookmark this post:

Kyrgystani Democracy

The BBC is reporting that

Opposition demonstrators in Kyrgyzstan have taken control of a town, as protests continue a week after the second round of disputed elections. In Jalal-Abad, a police station was set on fire, and protesters took control of the airport to prevent reinforcements being flown in. Protesters say President Askar Akayev's party used fraud to win the elections.

Response to Solove & Hoofnagle

As I mentioned previously, Daniel Solove and Chris Hoofnagle have written a paper on "A Model Privacy Regime." This post makes a lot more sense if you've read their paper. I've read through it, and think that it's pretty good. My responses to specific sections are below. First I'd like to comment on the free speech critique of data protection law.

A number of smart people (for example, Jim Harper writing on Politech) critique the drag on innovation that such a regime entails. I'm very sympathetic to this critique. I'd like to suggest that the regime only kicks in when there is government issued, certified, or verified data involved. That is, if you want my (government issued) social security number to link records, or my drivers license to certify my name, or you check against a list of voters, then you're taking advantage of the threats of penalties the government applies. It becomes harder for me to protect my anonymity. If, like supermarket discount cards, I can use any name I want, then I see no need for generalized privacy law. Such a balance would encourage companies to offer deposits as an alternative to credit. (I've written about why this is good business practice in the past.)

That said, onto specific responses to their model law:

1. Universal Notice: Why require only informing the FTC? If you're putting me at risk by storing information about me, why shouldn't you notify me directly? Yes, this would impose a startup cost on new information brokerages. Today, those costs are borne by victims of ID theft. Let's assign those costs where they belong.
2. Meaningful Informed Consent: I like this. Let's be specific, and say that informed consent requires knowing what data is going to whom. Again, notification to effected individuals, not just the FTC.
3. One Stop Stopping: Others have criticized the one step opt-out, but I'd suggest that the right mechanism is to never sell, share, or transfer personal data without associated privacy information.
4. I have no comment on individual credit management.
5. Access and Accuracy: Current rights of access are not very effective at getting credit reports fixed, as Bennett discusses in Congressional testimony. Companies who trumpet how much data they can store ought to store where the data comes from, so that they can remove false statements that come from ID theft.
6. Secure Identification: This is a hard problem.
7. Disclosure: Actually, the first incident came to light because of reporting by David Colker and Joseph Menn regarding criminal prosecutions, not 1386, which was passed after that incident.
8. Social Security Numbers: As I suggest above, make the data protection regime kick in whenever a business chooses to use an SSN.
9. Public records: There is a clear tension here, which the authors admit to.
10. Background checks: I have very mixed feelings about background checks. On the one hand, there are people whose references I wish had been more forthcoming. Clearly, laws that require disclosure of who said what in a reference check are acting as a drag on a much needed part of the hiring process. (About a month ago, I was at dinner with friends, and failures of that process, and venting about it, and the lawsuits that have followed, took up half the dinner.) On the other, many of these checks are full of bad data. I'd like to see economics kick in here, and perhaps one way to do that would be to tax background checks at some high rate, with proceeds going to those unfairly denied jobs based on botched checks.

Choicepoint, March 20

• Susan Kuchinskas writes "No Security in SSNs?" for Internetnews.

  Credit bureaus and information brokers will doubtless lobby Congress, saying changes to the rules will hurt their business. But Solove said their voices might not carry as much weight as they used to.

  "They had their chance. They weakened the legislation, and, as a result, more than 10 million citizens are victims of identity theft every year," Solove said. "They got what they wanted, and it didn't work."

• Right Justified wants to know if Choicepoint is building their fingerprint database when you go for a concealed carry permit.
• The Wisconsin State Journal has a profile of Jay and Linday Foley, who run the ID Theft Resource Center.
• CAR Report (computer assisted reporting) comments that journalists are going to lose easy access to social security numbers, saying "I rarely read or hear a story on this issue in which someone points out that access to SSNs makes it much easier for journalists to report on crime, corruption and mismanagement."
• Finally, today's Two Minutes Hate comes to you from Plastic Noodle.

My Choicepoint posts now have a category archive (all posts on a single page), or you can pick and choose.

Small Bits: Avoid Brink's, Code Metrics, Privacy Regs, Blackstone

• Ed Foster writes about Brink's contract provisions with contracts that don't go month to month, but year to year when you try to leave.

  Brink's is fully within their right to write such contracts, and I'm free to suggest that you should consider shopping elsewhere. (Via Dan Gillmor.)

• Mark Miller suggests a new code metric, having earlier complained about other metrics.
• The FDIC may be nationalizing notification laws for banks, according to this Arizona Republic article. So lets see, you'll need to notify if its California, Georgia, Mass, or Connecticut citizens, or if you're a bank...Maybe it's time for some Federal legislation, requiring disclosure if you lose control of non-public personal information?
• Blackstone's Commentaries on the Laws of England are online. (Via Volokh.)

Choicepoint, March 19

• Not In Chicago Anymore comments on Handling of Credit Related Information, and some of the possible repercussions of new law.
• Ryan Singel at Secondary Screening points out in "Popcorn, popcorn" that (Choicepoint Vice President) McGuffey testified under oath that he told (CPS President) Doug Curling about the investigation in November, which would mean that Curling knew about the issue as he sold his company's stock. I don't know enough securities law to know if he should or could have stopped selling based on that non-public information, if he got it after he filed the plan.
• Jim Horning points to a USACM public policy blog post in "Momentum Turns Toward Privacy Protection."
• According to research firm Financial Insights, 6% of respondents to their survey had switched banks in an attempt to reduce their risk of being a victim of ID Theft. Reported in Information Week.

  I must admit, I've considered doing this, but it's such a pain to find a bank that keeps everything on paper these days.

• Westlaw will constrain some access to social security numbers, according to lots of stories, including Cnet.

  Pundits predict the imminent collapse of civilization, and a doubling of mortgage interest rates as US businesses fail to adapt.

• Your PI News hopes that backsplash from Choicepoint's errors won't crush the PI industry in "Public Thoughts on Privacy."
• Random Fate has a long post on accountability, the growth of bad laws, and incidentally, Choicepoint, entitled "For whose benefit is the law and the government?"
• Finally, today's Two Minutes Hate comes to you from The Samuel Taylor Coleridge Foundation blog, in "You're Only A Commodity..."

My Choicepoint posts now have a category archive, or you can see them listed in this roundup post.

Screening the Open Society Paradox

If you've been enjoying the Chaos-Paradox spat, Ryan Singel's Paradox Still a Paradox is not to be missed:

But when it comes to big data brokers that compile dossiers on Americans and list marketing firms that enhance their lists with data bought from data brokers, Bailey thinks they should be immune from the return gaze, because it might cost companies money to comply.

Nevermind that the data can cost people a possible job, a place to live, or, in the case of Amy Boyer or a woman fleeing an abuser, her life.

Bad advice on SSNs

Bad advice on use of social security numbers abounds, often in technical documentation. Credit goes to reader Jonathan Conway for digging many these out. There are a few very common errors which we can find, thank to Jonathan's research:

1. Social security numbers are un-changing. No, they are not. Victims of identity theft, domestic abuse, or other crimes can get new numbers. See here.
2. Each person only has one social security number. If a person can get a new social security number, and databases are not designed with that in mind, it is entirely possible that someone has two numbers, and that those numbers are different in different databases. Given the security reasons for new numbers, you should never link numbers together.

Other reasons SSNs make bad database keys include

1. The lack of a checksum/check digit makes it easy to mis-enter a SSN. If you do this, given that there are 300 million Americans, and a billion possible numbers, you have a roughly 1 in 3 chance of entering an issued SSN for someone else.
2. The difficulty of validating a provided SSN if it's not provided for employment purposes.
3. Privacy issues. The SSN should be protected.
4. Federal laws which apply to the private sector include GLB (summary) and HIPAA (summary). The FTC has enforced GLB, and HIPAA enforcement is probably coming soon.
5. State laws such as California's SB1386 and AB1950 (PDF) (summary). California law also allows a customer to request that your ongoing use of a SSN be changed, if your use is in violation of these new laws. While these only apply to California today, I expect these laws to spread, and they are centered not on businesses, but on California residents.
6. SSNs are under the control of an external entity, and subject to change. Do you want your database keys under someone else's control?
7. Most people in the world are not Americans, and don't have a social security number. Some other countries' national ID number may also be 9 digits, and will likely overlap.

The final sort of issue is a more subtle one. It is the casual use of the SSN in samples, examples, and documentation, with no mention that this is, at best, a questionable idea. Such uses lead to discussions of the form: "Well, I was just copying the sample code. If it's a bad idea, why is it in the docs?"

Some examples of advice that should be revised from vendors, after the jump.

• Oracle

  In Oracle 9i daily features:

  For example, a type inheritance hierarchy with PERSON_T and STUDENT_T types can be created in the database as follows,
  CREATE TYPE Person_T (SSN NUMBER,

  or the sample code:

  This model has a Person object which is the super type with attributes which are common to all persons such as SSN, Name, Dateofbirth, sex and Address.

  Neither page calls out the issues with SSNs. In an explicitly international example, this Powerpoint claims that all countries have social security numbers. It never explains why they are collected, or how they are used.

  To be fair to Oracle, newer documentation such as this security manual do discuss the SSN as sensitive information, but that approach needs to spread through the company.

  However, in Using Oracle HRMS: The Fundamentals, we find:

  Select the method of creating identifying numbers for employees and applicants. The choices are: " Automatic number generation " Manual entry " Automatic use of the national identifier (for example, the social security number in the US, and the NI number in the UK). This option is available for employees only.

  I believe that use of SSN as an employee number is forbidden in California under SB 168.

• Sybase

  In this Transact-SQL User's Guide, Sybase notices that duplicate SSNs could exist, but give no advice on solving it:

  On the other hand, a unique index on a column holding social security numbers is a good idea. Uniqueness is a characteristic of the data--each person has a different social security number. Furthermore, a unique index serves as an integrity check. For instance, a duplicate social security number probably reflects some kind of error in data entry or on the part of the government.

  In the System Management Guide Clinical Gateway 2.3, the schema's storage of SSN and drivers license number passes without comment. The book has no mention of the word privacy. It does return hits for HIPAA, but the links don't seem to take me anywhere useful.

  Another careless and carefree examples using social security numbers is here.

• Informix

  There are very few hits, all are upwards for 4 years old. It seems that IBM is effectively purging the meme. (Same for DB2. I'll do another post shortly with more on good advice.)

  (Interestingly, Google, given a query such as informix ssn site:www-306.ibm.com will highlight the words social security, even if SSN does not appear in the text.)

• HP's ALLBASE/SQL Database Administration Guide Chapter 2. Logical Design suggests:

  Another consideration is that the key must be unique. It can either be a unique single column value or a unique combination. In addition to being unique, a hash key should be non-volatile, that is, not subject to frequent update. Since you cannot use the UPDATE statement with a hash key column, you must do a DELETE followed by an INSERT when a key modification is necessary.

  An integer key such as a social security number is ideal.

However, vendors aren't the only ones to blame:

• O'Reilly's OnRamp The "Key" to Good SQL by John Paul Ashenfelter

  The only way to make sure that each record in a given database table has a unique value is to designate a database field to contain a value that is unique across all of the records in that table. In some cases, you may choose an existing field in the database which you are guaranteed will be unique -- a social security number would work for a U.S. citizen and an ISBN would work for a book.

• SQL Essentials book by David Gallardo

  This is commonly the case, especially when we use an identification number of some kind to identify each record uniquely. In some cases, the items in the tables have a unique number already associated with them that make a good key—for individuals in the United States, a Social Security number is sometimes used in this way. (From the sample chapter online)

• Illinois State University, University Policies, Procedures, and Guidelines

  8.2.3 USE OF SOCIAL SECURITY NUMBERS BY ILLINOIS STATE UNIVERSITY
  Additionally, the social security number is widely used as a "guaranteed ID" between agencies, such as other higher education institutions, test services, Illinois State University's Retirement System, Central Management Services, and criminal records. By the spring of 1972, Illinois State University had identified the social security number as the internal individual unique identifier for all person-related databases.

  [Major motivation, but a stupid one and it shows how long the problem's history is.]

Choicepoint, March 18

• ChoicePoint's data bonanza lures thieves , in the Atlanta Journal Constitution.
• The Q Speaks asks what have we wrought in "ID theft writ large"
• In another example of what we have wrought, "the Fairfax County's School Board awarded a contract Thursday night to ChoicePoint, Inc., for testing student athletes and bus drivers for drug and alcohol use." (Story in "The Connection newspaper.)"

  Regardless of if you think this testing is a good idea, the students whose names, addresses, and social security numbers will be sent to Choicepoint have no say in the matter. The bus drivers might quit, but what are the students to do? Drop out of school?

• Fear of ID theft is on the rise, according to the Ponemon institute, according to a story in GlobeTechnology.
• Finally, today's Two Minutes Hate comes to you from ... Now I'm Pissed.

Colleges and SSNs

For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet:

Dunn said [Boston] college will also purge individuals' Social Security numbers from all of its records in the future. He said schools have long used the identifiers to keep track of people in a number of ways but noted that increasing concerns over the security of computing systems used to store the information have caused the college and others to review the policy.

or see "Chico State computer system attacked by hackers" in the Chico Enterprise Record (Sacramento, CA):

More than 59,000 people connected to Chico State University will be contacted for what officials are calling the largest computer hacking incident the college has seen.

Notifications to anyone whose personal information was compromised were going out Tuesday, said Joe Wills, director of public affairs at the university.

That list includes current and former Chico State faculty and staff members. But the majority are students, since the server hackers targeted held the names and Social Security numbers of current, former and prospective students.

The easiest way to avoid this sort of story about your business is to not collect such data. Financial aid may cause you to need the SSNs of current students. Why on Earth do you need the SSN of a prospective student? Why do you need to maintain the SSN of an alumni? (If there are legal reasons, now would be a great time to get Congress to change them.)

Chris Allen and Socializing

Chris Allen has been doing a series of posts on the sizes of social groups, what factors can make groups work and not work, and related bits, like the use of software to help manage groups of friends.

His latest post is Dunbar, Altruistic Punishment, and Meta-Moderation. It concludes:

In summary this research offers me another widget for my social software toolbox: in any group process look for the commons, allow participants to participate in identifing defectors; determine what the costs are for such identification (which may be as simple as requiring some attention or charging for such punishment); and encourage participation in the common good by punishing those who do not participate in seeking out defectors.

I hope Chris doesn't punish me for saying that I don't have a lot to add, but I enjoyed reading this.

Small Bits: Simson, Maoists, and a £219m Heist Attempt

• Simson Garfinkel has won a Neal award for his writing for CSO. Congratulations! (His latest column is on Skype.)
• Whiskey Bar has a comparison between Maoists and American Conservatives in Scenes From the Cultural Revolution.
• Willie Sutton finds the Internet, according to this news.com story.

  Israeli police are investigating with British forces an attempted robbery of 219 million pounds, or $421.2 million, at the London offices of the Japanese bank Sumitomo.

  A gang hacked into computers at Sumitomo in October and attempted to transfer the cash to 10 accounts around the world, the Israeli fraud squad said on Thursday.

Choicepoint, March 17

• Choicepoint's 10K warns of danger to profits. (AJC) The full filing is about a megabyte; Yahoo has excerpts.
• Kip Esquire at A Stitch in Haste offers practical advice to Choicepoint on how to make an apology sound sincere in Linkfest -- Special "While You Were Out" Edition.
• Daniel Munz transcribes more of the Senate hearings, at Reason #329,439 To Love Chuck Schumer.
• Rite Wing TechnoPagan makes the point that bad regulation can be useful as a threat in his post on "Security by Clouseau – ChoicePoint." Smith and Sanford were both clearly aware of this at yesterday's hearings. Too bad they didn't act on it earlier by asking to be treated like credit agencies.
• Finally, today's Two Minutes Hate comes to you via "42."

Small Bits of Chaos: Emergent Value, My Sister Libertarianism, Sullivan on Privacy

• Justin Mason has a post on Open APIs, Open Source, And Giving Away The Crown Jewels. I talked about very similar issues in Emergent Uses of Technology a few days ago.
• Jim Henley has a great essay on "The Citizen or the Police"

  Nobody worth performing the Heimlich Maneuver on is going to tell the police they saw their sister smoking pot. Am I okay with my sister going to jail if she sells some pills or her favors? Do I think my sister or brother should be dragged into court if she drains her field or he hires too many people of the wrong color? No. So I have no business supporting a regime that subjects other people’s siblings to those things. Would I have to agree that if my sister drowned my niece, or my brother defrauded credit card companies or my mother burned down her building for the insurance, that they should be subject to arrest and imprisonment. Yes, I’m afraid.

  (via Reason's Hit and Run.)
• Andrew Sullivan has written Alone - On A Stage about the evolution of privacy, and its relation to freedom. [Update: D'oh! Samablog emailed this to me.]

Google Makes It Look Easy

Google Labs has done an OSX Dock style home page. It's pretty cool. What makes it cool is not the graphical style it presents, but the brilliance of the icon design. If you know what services Google offers, the icon makes sense. (I had to mouse over local, video and options to see what they were.) Once you see the name, the icon makes sense. Compare this to other programs you use. Do you know what all the toolbar icons mean? I usually close toolbars because I don't find them helpful enough to trade for the screen real estate.

How did this happen? Did it spring fully-formed from the head of Zeus? Possibly. Google has a lot of smart folks working for them, except for the guy who did this. So it could have sprung full form. Far more likely, however, is that they did a prototype, tested it, refined it, tested it more, and finally, having iterated, honed and evolved the icons, released it.

This is no easier than Fred Astaire's dancing, or Charlie Chaplains pratfalls, or Micheal Jordan playing so hard his feet bled. The brilliance is that after all that effort, they make it look easy. [Update: At the GoogleBlog, Chikai Ohazama writes:

I gave it to a few friends in the company, who gave it to their friends, some posted it on their blogs, others sent it around on mailing lists, and it eventually made its way to Marissa Mayer, who liked it enough to say, when do you want to put it up on Labs? So after some spit and polish from some enthusiastic Googlers and the keen eye of the UI team, Google X is here.

an elegant description of a process. They even make it sound easy.]

You can find other bits of awe at at Google here, and some dissatisfaction here.

Finally, I want to apologize. I got this link from SteveC. a blog I read, and then lost track of which one I try hard to credit sources, and get annoyed when others don't. If you posted this before me, and think it was you, let me know.

DHS Planning Better

Cryptome publishes "Homeland Security Council: 15 Attack Scenarios", "DHS Universal Task List v.2.0", and "DHS Target Capabilities List v.1.0." It looks like a well executed set of planning docs. Some quotes from the New York Times:

The agency's objective is not to scare the public, officials said, and they have no credible intelligence that such attacks are planned. The department did not intend to release the document publicly, but a draft of it was inadvertently posted on a Hawaii state government Web site.

"We live in a world of finite resources, whether they be personnel or funding," said Matt A. Mayer, acting executive director of the Office of State and Local Government Coordination and Preparedness at the Homeland Security Department, which is in charge of the effort.

...
"We live in a world of finite resources, whether they be personnel or funding," said Matt A. Mayer, acting executive director of the Office of State and Local Government Coordination and Preparedness at the Homeland Security Department, which is in charge of the effort.

>...
Michael Chertoff, the new secretary of homeland security, has made it clear that this risk-based planning will be a central theme of his tenure, saying that the nation must do a better job of identifying the greatest threats and then move aggressively to deal with them.

...
"There's risk everywhere; risk is a part of life," Mr. Chertoff said in testimony before the Senate last week. "I think one thing I've tried to be clear in saying is we will not eliminate every risk."

It sounds like the government's response to these threats is maturing dramatically.

Lessig on Academic Publishing

Academic publishing is an interesting racket. An academic, probably paid by government grants, writes a paper. They submit this paper to various venues, in the hopes of getting it published. The people who review the paper are volunteers, paid in prestige. The paper is then put into a volume costing gobs of money, which goes to the owners of the presses, and ensures that the article is available in libraries and archives.

Larry Lessig has just announced that he will no longer transfer copyright to any publication venue that doesn't allow at least a Creative Commons Attribution-Noncommercial license.

It's a great stance, and I'm going to give serious consideration to making the same a condition of my participation in program committees. I don't have nearly Larry's prestige, but I think it's a fine baseline to take.

Choicepoint, March 16

• The House Energy and Commerce committee held hearings. Thanks to Ryan Singel for letting me know they were webcast. Payments News points to the written testimonies of Choicepoint and LexisNexis

  ``Let me begin by offering an apology on behalf of our company and my own personal apology to those consumers whose information may have been accessed by the criminals whose fraudulent activity ChoicePoint failed to prevent.'' Smith said.

  ...
  ``What we're hearing today is an industry still in denial, still doesn't recognize how many Americans value their privacy and are hoping to ride out this standard without having Congress make the changes necessary,'' said Markey.

  And what a convoluted apology! How about "to those Americans who are worried about identity theft because we made a mistake?"
• Hearing coverage from: Declan McCullagh (CNET), Bob Sullivan (MSNBC), or Ryan Singel (Secondary Screening).
• During the hearing, Mr. Kurt P. Sanford, President and CEO, U.S. Corporate and Federal Government Markets, LexisNexis, mentioned a form that allows special classes of people (law enforcement officers, public officials whose job carries a threat of imminent harm; victims of identity theft; or those who "are at risk of physical harm.") to get out of the databases. However, that form is not only obscure, in that you have to know that LN offers such a thing, the form is hard to find. It's here.
• The Contracts Blog posts a bunch of contracts that may interest you. (Actually, he posted this way back in February, but I'd missed it.)
• PI News and Information sees the risk to their profession, and also carries a press release from the National Council of Investigation and Security Services.
• Finally, today's Two Minutes Hate comes to you from Congressman Ed Markey (.doc) or listen to the mp3.

My previous Choicepoint coverage includes roundups and analysis.

My Categories Suck

The categories I've set for this blog are non-functional. I have 16 categories, of which maybe 4 are ever exclusive.

Do you look at my categorization of posts? Do you look at the category archives? Should I create a new set of categories? If so, what? (mmm, Choicepoint! Not.) Should I abandon categories and go to tagging? If so, what Movable Type/MarsEdit add-on should I use?

Choicepoint, March 15

• The LA Times has more on what happened, and Choicepoint's controls.
• A great many people feel that this is a compelling story. I enjoyed reading the spouter inn.
• Finally, today's Two Minutes Hate comes to you from Futurismic.

I've been covering Choicepoint issues since the scandal broke.

"Taxation Ventage"

Justin Mason has a great rant, titled "taxation ventage."

In the US, every worker is required to prepare and file their own taxes, in detail. Nowhere outside of India can do bureaucracy quite like the US, as far as I can tell -- even the brits have embraced simplicity to a greater degree -- so this is no trivial undertaking; however, they do have a few outs, if you're eligible.

...
All I can say is, no wonder quite a few US citizens seem to think that government involvement is something to be minimized if at all possible. There are alternatives though -- I'd happily take an Ireland-style 'nanny state' which will compute my tax liabilities for me if I so choose.

(Just as an aside, one of the main benefits of the 1986 tax reform was to eliminate quite a bit of this drek that accretes as various groups lobby for this or that bit of preference in the tax code.)

Choicepoint Roundup, March 14

• Omari Norman takes issue with the term identity theft. It's a good point. Paul Syverson has pointed out that correct terms are "fraud," "misrepresentation" and "libel," but those don't seem to have caught on.
• This ABC News story about how Americans think there's too much government secrecy doesn't relate directly to Choicepoint, except the government outsources lots of things to secretive companies to protect those activities from Freedom of Information Act requests, or other forms of government oversight.
• Cagle's professional cartoon index on Slate has a series of editorial cartoons on Identity Theft. (From Pipeda, via Privacy Digest.)
• This Palm Beach Post article discusses the unfortunate tension between open records, which are important to a democracy, and privacy, which is important to a democracy.
• And finally, today's Two Minutes Hate is brought to you by Bushout, who suggests that Harley Sorenson has been fired for speaking against Choicepoint.

  In unrelated news, Adam Shostack will no longer be writing for this blog.

I've collected my previous Choicepoint coverage.

Privacy and Background Checks

In a comment, Axinar writes:

Is it reasonable for an employer to know whether or not a potential employee has a history of violence or theft? Well, probably. And with our liability situation the way it is, generally any company with deep pockets is virtually REQUIRED to run background checks because if an employee "goes postal" and discovery reveals that person has a previous background of violence that the company could have found out but didn't, that company can be sued out of existence.

This tension is challenging. The quality of records maintained is low. We know that people have been denied jobs because of bad records. At the same time, as an employer, I'm concerned about doing the right thing for my employees and for my shareholders.

I am generally not fond of technological solutions to social problems. That said, I think one important way forward comes to us via the work of Stefan Brands. In his book, Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy ," Stefan describes ways that a job applicant can take certified records from a company, say Lexis Nexis, and present parts of them to a potential employer. The cryptographic math is brilliant. If you don't believe me, ask his thesis advisors, Ron Rivest and Adi Shamir. I could present a statement of the form "Adam Shostack has no criminal record in the United States, signed, LN" or "Adam Shostack has no record of criminal violence in the United States."

Important facets of this include that the statement is signed by some certifying party, that the exact statements made are under my control, and that I can only make statements the certifier is ok with. At the same time, because I'm in the middle, I can see what statements the certifier accepts. So if there's a problem, I can correct it, or sensitize the reader of the statement that I believe there's a problem.

(I worked with Stefan at Zero-Knowledge, and one of my biggest regrets is that we didn't get further in promoting his technologies.)

[Update: Don't miss Not Bad for A Cubicle's post on this. Wish I'd said all that.]

What to do, What to do?

Over at Open Society Paradox, Dennis Bailey challenges me:

Emergent Chaos documents some problems but ends with a personal slam against ChoicePoint's CEO. [Ed Note: Technically, we call that the "middle," not the end.] What would Emergent Chaos have us do? Should we follow the Fair Information Practices and allow 300 million citizens to be able to verify their data? This may be manageable when you are talking about a single company. But what about the thousands upon thousands of companies that are holding personal data? What would be the cost for companies to start complying with new privacy regulations that would allow individuals to verify their data in company databases?

It's a fair question, and I suppose the first question is "Who is us?" I've been deeply ambivalent about new laws. However, given what Choicepoint is now facing, I think that pursuing a Fair Information Practices driven approach, and pushing for their industry to do the same, may be one of the few ways that they can stave off legislation. But if us is the American people, it seems to me that 145,000 angry citizens have called their legislators and said "What are you going to do about this?" Unless the industry acts, and acts credibly, then there will be new laws. Not because of the blogosphere, but because of the democratic process in action.

What would the cost be? Its another good question. But what are the costs of not allowing access? It's jobs denied, homes not bought, cars not financed, because of inaccuracies in the database.

I actually really don't get this argument, coming from a fellow who talks about a need for a more open society. How are we going to have openness with closed databases?

Now instead of the Choicepoints of the world having to verify the data of a few thousand businesses, now they have to verify the identity of millions of individuals who are asking for access to personal information. For an identity thief this becomes a false identity paradise.

This argument has been raised against every privacy law ever passed. I'm not aware of any company, anywhere, having exited their business because of an inability to solve it. These companies have lots and lots of data about you, and can use it to ensure that (for example) only someone living at your address can get your records.

Or take the notification law. Does this really solve the problem? How many companies have their databases violated without even knowing about it? Would it make a dent in the number of cases of identity theft?

It's about openness. It really does help people if they can get a jump on ID theft quickly. It may not prevent the crime, but it can limit the damage very substantially.

I'm working on a longer post about other things that can be done. It turns out there are some interesting opportunities.

Emergent Uses of Technology

I love navel gazing. I try not to expose my readers to too much of it, but this post by Seth Schoen at EFF's Deep Links captures the spirit I think about when talking about emergent chaos:

The Business Models working group's mission has been based on the premise that "no system can be properly developed without first imagining & documenting every conceivable present and future way that it could be used."

By this standard, none of the most important technologies of the past century could have been "properly developed." This way of thinking reminds us of the entertainment industry leader who said that the technology marketplace ought to be "polite" and "well-mannered" (with, we imagine, every technology introduced in its appropriate year, after elaborate cross-sectoral negotiation).

Here's a contrary view: information technologies are valuable particularly because we never imagine & document all the ways they're going to be used. People, often end-users, just keep on thinking of new ones. What a pesky, untidy process this is!

The people have decided that the Business Model working group will present the People's representatives with a five year plan that will bring glory to the Dictatorship of the Proletariat and support their television viewing habits in celebration of the glorious October revolution. Decadent victims of capitalism will cry out for superior Soviet technology.

Why Choicepoint Resonates

It's now a full month since Bob Sullivan of MSNBC broke the Choicepoint story. I'd like to think back, and ask, why does this story have legs? Why are reporters still covering it?

There are a couple of important trends which combine to make this a perfect storm, attractive to editors and readers. (It's useful to understand that editors like to run stories on things their readers are familiar with. If a US paper wants to do a story on the impact of Everest climbers on Nepal, they have to devote a lot of effort to Nepal pre-Everst climbers, because Americans don't know about Nepal.)

The Choicepoint story ties into other stories and themes in a number of important ways. First is the corporate malfeasance story. We have Bernie Ebbers, Richard Scrushy, and Dennis Kozlowski on trial. We have Martha Stewart being released from jail. So no one needs a primer on corporate malfeasance. We have concerns about privacy, and our lives being out of control. We have Congressional hearings going on. Clearly, this is important!

Incidentally, it means that Choicepoint needs to take dramatic action if they'd like to have any influence on the stories. Because a story that leads "Arrogant CEO ____ sells stock as the company he built stumbles" is almost pre-written for the reporter. The CEO who's taking home more money this year than Joe Reader will make in his lifetime is a natural villain. Thus, these stories are, in a way, only incidentally about Choicepoint. They need to change that if they'd like to influence what happens to their company. Because while the stories may be incidental, the new laws won't be.

The apparent insider trading aspect of the story isn't the only bit of corporate arrogance here. There's the partial disclosures, the claims that this only hurt Californians. There's the claim that this hadn't happened before. There's the claim that Choicepoint is a victim, too. All of this arrogance combines to make a great many people want to throw bricks.

The story is about privacy concerns, but its not only people compiling data in a way that Americans are deeply ambivalent about, or the right to be left alone. It's about our ability to control our own lives. It's about trying to get a mortgage, only to discover that someone in Topeka skipped out on an apartment in your name. It's about a minister being arrested at a routine traffic stop for drug dealing warrants in New Jersey. It's about a black grandmother being refused the right to get onto an airplane because of a white skinhead who used a name that sounds like hers. He was on the FBI's most wanted list, now he's in prison, and she's still suffering. These database companies are profiting deeply while being very cavalier about data quality, and that directly affects our lives, liberties, and pursuit of happiness. All so Derek Smith can sell $13.6 million dollars of stock?

Then there are issues of fairness. Americans love thinking we have an unfair advantage, but we hate being on the flip side of that. And we were all treated to the experience of being on the waiting list. Why are Californians special here? Was I one of the 110,000? Our attorneys general had to rip into Choicepoint for us to find out. And those who did find out now face "a lifetime of vigilance" because of Choicepoint. "Who? Choicepoint." There's a deep irony in that no one had ever heard of Choicepoint before this, and that irony drives the story. Choicepoint had lots of privacy, while invading yours. This fundamental unfairness prompts lots of people to sputtering anger.

Speaking of sputtering anger, cleansing the Florida voting rolls of Democrats doesn't help. If a reporter doesn't have enough to talk about, they'll always have Florida to fill out 850 words. Voting is a big concern for the folks in Congress, which leads us to our final point.

Congressional hearings are rare events. Its not that Congress doesn't hold hearings every day of the week. They do. But there are lots more issues with angry people calling their Congressman than there are days of the week. We all understand that a Congressman's time is valuable, and they spend it on issues that are broad and important to their constituents. Most stories that a reporter covers don't have multiple hearings planned. There's a real feeling that treating Californians differently isn't what this country is about. And thus, the final reason that the story has legs is that there's real anger at Choicepoint, Seisent (Lexis Nexis) and the rest of the industry. It's not going to go away quickly.

Choicepoint Roundup, March 13

• Axiomlounge talks about public records, outsourcing, and the public records laws that cause all of this.
• Joseph Menn has a great story at the LA Times called "Did Choicepoint End Run Backfire?" Menn asks questions about the effect of Choicepoint's choices in avoiding regulation. Public Domain Progress notes is not archival quality.
• Speaking of which, the California DMV is about to audit Choicepoint's distribution of data. Anyone want to bet on what they find?
• Not Choicepoint related, but it seems that AOL may be allowed to read all your AIM messages. It's all over the blogosphere.
• Deep in the Heart of ... France seems surprised to see me, (it's ok, I can't spell, either) but doesn't understand the deep irony of me using all these public sources of data that are watching tout les mots he writes.

  (Private to DITHO...F: I don't buy that data hosting and code hosting can be separated, except in simple cases. Internet-speed round trips, measured in 10s or 100s of MS are expensive compared to secondary storage round trips, measured in high single digit MS counts or less, or main storage, measured in nanoseconds. If I need to do several iterated queries, each using data the previous query returned, the user visible wait state becomes intolerable.)

• Finally, today's Two Minutes Hate comes to you from Oh!Pinion, who compares Choicepoint's foibles to the snake oil salesmen who brought us the Pure Food and Drug Act. (That's really demeaning to the snake oil salesmen, but most of them are dead, according to a database lookup I did.)

A few other posts on Choicepoint, tracking and analyzing the story can be found in Emergent Chaos Choicepoint Posts.

More on Nevada DMV

In working on the Choicepoint roundup for tomorrow, I found Axinar pointing to this story about the Las Vegas DMV heist. Apparently, all that encryption? Err. Never mind.

But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.,-based company that provides digital driver's licenses in Nevada, told her Thursday the information was not encrypted, and was readily accessible.

Oops.

[Update: Speaking of oops, I messed up Axinar's name, and have fixed that.]

Leaving AIM

Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such use.

From the AIM terms of Service, if you're wondering why I'm no longer available. [Update: AOL has fixed their TOS.]

Choicepoint Roundup, March 12

• Ryan Singel has interesting analysis of the FTC's Congressional testimony.
• Ellen Simon of the AP has a story about her Choicepoint and Lexis Nexis files. Hint: They're imperfect, but that won't stop them from screwing up your life. Others (nothing to see here, Scott C Smith) touch on the same theme.
• The Daily Caveat points to a new paper by George Washington University professor Daniel Solove, "A Model Regime of Privacy Protection." Sounds like a fine idea. (Actually, I suspect that he's done a better job than me, but I didn't find his paper while mulling over that post.)
• The AJC reports on ID theft insurance, and how it doesn't really help with the feelings of violation, the abrogation of responsibility by the aggregators, or the very real ways in which the victims of these crimes have no control over their lives anymore.
• Michael Adrian comments on new laws as far away as Ontario. (For the non-Canadians in the audience, a private member bill is one proposed by a member of Parliament without the support of their party. The bill is on its first reading, out of 4 or 5 hurdles.) Other laws have been proposed fairly widely across the US.
• Finally, today's Two Minutes Hate comes to you from You Will Anyway.

My obsessive Choicepoint coverage is rounded-up here.

France Imitates Art, Stalin

Boing Boing comments on a French stamp with an airbrushed picture of Sarte, sans cigarette. However, the French are way behind on this. Uncle Sam led the way in airbrushing cigarettes, but not people, out of pictures, as these two images of blues pioneer Robert Johnson show. The Honolulu Star got a great quote from a Post Office spokesdroid.

Hank Asher

Dennis Bailey at The Open Society Paradox objects to my characterization of Hank Asher, and says:

Rather than debate the merits of the program, they have to make this a personal attack on the man.

Well, let's talk about the programs. DBT, the first company Asher founded, was deeply involved in disenfranchising Florida voters. MATRIX is sorta hard to discuss. Us peons aren't allowed to know what's actually in it. We do know that when people started asking questions, Georgia and other states dropped out of the program. (You might expect Mr. Bailey, in favor of openness, to oppose secret databases.) So what can we say about it? We can presume that the data in these things is horribly inaccurate, because every time we get a glimpse, it is horribly inaccurate.

So yes, I'll attack the man who profits by creating these systems. I think secret databases are repugnant.

Privacy advocates say that if we have a more open society many people will have to wear scarlet letters because of past mistakes. One would expect that it would be liberals who would be praising a story about a man who turned from a life of crime to become a productive member of society. However, in the discussions I've seen on the net about Hank Asher, it's this same crowd who are stitching those scarlet letters. I guess turning your life around only qualifies as worthwhile as long as you do work that liberals support and obviously data mining to fight crime and terrorism doesn't qualify.

Sure. So lets look at what he did, and what the effects of what he did. He hid his past. He may have lied to the DEA and FBI, who suspected contracts with his company until they bought him out for $147m. If you think this company was doing good, it seems wrong of him to hold it hostage by refusing to leave when the main customers decide to stop doing business with him.

If you want to put your past behind you, that's fine. If you're building databases that are being used to assess criminals, then it is perhaps relevant that you were one. There's irony (and audacity) in a man who tries to prevent anyone from hiding their past, while hiding his own. He's created systems that affect millions of people, while avoiding regulation or inquiries into his own past. And then there's that nagging data accuracy question. Did he build filters into the program? Remove a few interesting links from the database?

Frank Abagnale, in contrast, has not lied about his past since serving his time. I have no problem with Frank being rehabilitated. (Friends who've employed him also say that he does great work. But they hire him knowing full well they're hiring an ex-con.)

If Mr. Asher would like to build a private investigative agency, he should expect that people will investigate him. If he'd like to run an art gallery, I'd be all in favor of letting him put his, and everyone else's, past to rest. But as a gossip-monger? He reaps what he sows.

Small Bits: ID Angel, Books and Garbage

• Latanya Sweeney has announced a new tool, Identity Angel, to crawl the web and discover if there's enough information to steal an identity.
• Stefan Brands has made the first four chapters of a book on Electronic Money available. This will be a great reference for people wanting to think about privacy and payments. I'd like to encourage Stefan to make the file available as HTML as well as PDF. (I'm fond of tth for this.)
• The New York Times has a review of The New Hows and Whys of Global Eavesdropping
• Dutch ISP XS4All is suing the Dutch government to recover the costs of the wiretapping equipment they've installed.
• In a stunning example of trusting the computer over reality, a Guardian story on computerized garbage cans ends:

  He said the microchips would help the council fend off unwarranted criticism. "We will have a confident response to customers who claim their bin may not have been emptied," he added.

(Many of these are via Dave Farber's Interesting People list.)

No Fly List: Welcome, Salman Rushdie

D Magazine is looking for a private plane to transport Salman Rushdie so he can speak at an event in Dallas. Apparently, he's been denied the ability to board a plane. Maybe someone realized he's associated with Islamic Terrorists? (Via Virginia Postrel.)

In other news, the Coalition of Airline Pilots Association has released an airline security report card.

Choicepoint Roundup, March 11

Today is the "Legislative truckroll" edition.

• The Motley Fool says:

  Barring a miracle -- or a busload of lobbyists and two truckloads of money (yeah, same difference) -- regulation looks to be inevitable at this point. ChoicePoint's breach alone might not have tipped the scales, but if many other businesses are being ransacked as well, and most importantly, if the privacy of actual senators is now at risk, I think it's safe to say that regulation is on its way.

• Ecommerce Times:

  "Specific regulation of data brokers is a hot issue, and it's going to be jumped on just like we got Sarbanes-Oxley after Enron," Penn said. "Congress tends to wait for a huge public cry before they act," and they just heard it.

• Chad @ Clearwater associates chimes in:

  Canadian and American governments should force the credit reporting industry to comply with exacting privacy standards that go well beyond PIPEDA or Safe Harbour. New legislation that regulates the credit reporting industry should also include information security standards. IT should go as far as HIPAA in setting guidelines for a privacy and information security management system.

• When the legislature met, there was so much to be said, that they'll meet again next week. Summaries at MSNBC and the Financial Times:

  A US banking regulator on Thursday detailed several instances of security breaches at banks and previewed new guidelines on when banks must tell the customers about such lapses.

• Effect Measure points out that Choicepoint is handling background checks for Taser, International. I sure do hope there's no cops in those 145,000 records, so that criminals can't get those weapons.
• No, wait! Bruce Schneier reads the 8K, and points out that it says:

  These numbers were determined by conducting searches of our databases that matched searches conducted by customers who we believe may have had unauthorized access to our information products on or after July 1, 2003, the effective date of the California notification law.

• The Atlanta Journal Constitution notes that Harry Asher is a public menace, and their editorial today calls for shutting down data warehouses. (The NetSec blog has a great roundup.)
• Twinsguy is denied a job because of Choicepoint's bad data. However, he's not angry about it; he's certainly not angry enough to lead today's Two Minutes Hate, which is brought to you by TKID.

My prior Choicepoint posts, including analysis and roundup, are all linked here.

New American Privacy Law: What Could It Say?

With recent events (Choicepoint, Bank Of America, PayMaxx, and Lexis Nexis) leading to a new privacy law for the United States, what should it say? How can we tell a good law from a bad one?

Some disclaimers: I'm not entirely in favor of a new law. There's a lot of potential for harm when you write new laws. Also, these are ideas of things to look for, depending on how "forward thinking" or "agressive" you want a new law to be. It's clearly not a proposal for a law. I don't really focus on the harms these things could do. I trust that the blogosphere will do that for me.

• Fair Information Practices form the basis of most privacy laws around the world. California has added some useful innovations, like disclosure, and a prohibition on using SSNs as identifiers, or putting them on ID cards of any sort.
• Explicit Disclosure: Require all businesses to disclose specifics of both accidental and intentional disclosure. What information about a person they transfer to whom, and why. The American people are unhappy with what's happening. The solution is not to shut us out, but to let some sunlight in.
• Is it Sectorial?: Will the law cover the data warehousing industry, as poorly defined as that is? It should not. We need a general privacy law in the US to avoid having a patchwork of laws, or a repeat of this as the next Choicepoint claims to be exempt because they're not a covered entity.

  (To not conflict with free speech rights, make the law cover anyone who relies on, or includes, government provided data (such as a drivers license or SSN). If you just have a list of people on your local softball team, you're not covered.)

• Social Security Numbers: Forbid their use as authenticators or passwords. Add substantial penalties for disclosing them.
• Fair Data Collection: Require that businesses offer a reasonable (1-2 month or less) deposit in lieu of a credit check, with the same plan as everyone else gets. Today's "poor credit" plans from cell phone providers are a rotten deal, because the company knows that their customer can't get a better one. Allow a business to petition, say, the FTC, to require larger deposits.
• Disclose Algorithms: Today, companies you've never heard of, using algorithms you're not allowed to see make decisions about your life. They've had privacy, and they've used it to invade yours. Companies like Fair Issac, who create the credit scores which have come to dominate our lives won't tell us how they work. If a company is "rating" Americans, require that they explain how they do so, so we all have a chance to get ahead. (Allow these algorithms to be patented to reduce the business impact of the disclosure.)
• Law Enforcement: When the 4th amendment was written, a person's papers contained most of their personal information, and a warrant was required to get to it. Now that the same information is stored at a host of service companies, Require a warrant to get this information out of a database. Don't exempt databases, such as the one run by Lexis-Nexis that are nominally restricted to law enforcement from the provisions of the law.

New Security Blog

I like the cynicism displayed at http://security.typepad.com/, by a squinty fellow who seems to want to remain anonymous.

What's Wrong With Lexis-Nexis?

It seems that Lexis Nexis's breach was because of bad passwords:

The incidents arose from the misappropriation by third parties of IDs and passwords from legitimate customers.

I don't mean to be snide. No, that's a lie. I do. It's 2005. You're making all this data available via a password? Are your auditors telling you that's ok? E-Trade is giving RSA tokens to customers. AOL is making them available. AOL. AOL which charges $24 a month. And then an extra $9.95 one time fee for the token, and $1.95 a month for support.

That's $1.95. As the ad says, "Less than the price of a cup of Starbucks coffee."

Now, I don't know what Lexis/Nexis charges for access to their services, but sentences like "RiskWise services are priced per transaction and is determined by transaction volume, data sources, integration and custom development" tend to cause me to think it may be a little more than $24 a month. I hate using words like negligence or culpability, or maintaining an attractive nuisance, but only because my lawyer friends tell me I keep messing up their meanings, and I know how annoyed I get when they mess up things like "mixing function" or "TCP encapsulation."

"Rendition" or Openness?

Juan Non-Volokh writes:

Ignatius notes that espionage and interrogation experts tend to doubt that torture works. As a friend with experience in that area put it to me: Torture makes people tell you what they think you want to hear, when what you want is the truth. Nonetheless, rendition may result in the torture of terrorist suspects when they are sent to countries where such methods are legal. Does this mean rendition should be prohibited? Ignatius is not so sure. (Quoting Ignatius:)

Before you make an easy judgment about rendition, you have to answer the disturbing question put to me by a former CIA official: Suppose the FBI had captured Mohamed Atta before Sept. 11, 2001. Under U.S. legal rules at the time, the man who plotted the airplane suicide attacks probably could not have been held or interrogated in the United States. Would it have made sense to "render" Atta to a place where he could have been interrogated in a way that might have prevented Sept. 11? That's not a simple question for me to answer, even as I share the conviction that torture is always and everywhere wrong.

No, it would not have made sense to send Atta off to be tortured. On Sept 10th, we did not know what he was planning. Would it make sense to arrest friends of Matthew Hale? One of them, who may have committed suicide during a traffic stop, killed Judge Lefkow's husband and mother. Before September 11th, we did not know what Atta was planning, or even if he was really up to anything more than talk.

So what to do if we'd arrested (not captured, thank you, we still believe in rule of law) Mohamed Atta? Well, perhaps instead of keeping it a secret, we could announce it. Would that have done any good? Yes. We can say that with much greater confidence than we can say his secret arrest and torture would have had an effect. In his excellent Congressional testimony (via Schneier), Thomas Blanton of the National Security Archive writes:

This occurs on page 247 and is repeated on page 276 with the footnote on page 541, quoting the interrogation of the hijackers' paymaster, Ramzi Binalshibh. Binalshibh commented that if the organizers, particularly Khalid Sheikh Mohammed, had known that the so-called 20th hijacker, Zacarias Moussaoui, had been arrested at his Minnesota flight school (he only wanted to fly, not to take off or land) on immigration charges, then Bin Ladin and KSM would have called off the 9/11 attacks.

The institutions that have evolved for dealing with those who would destroy our societies are effective. (Given that our societies are still here.) Not only are they effective, they are deeply powerful. They have allowed American ingenuity to make us one of the richest societies in the world. We should understand that when we celebrate these traditions, we inspire the world. When we abandon them, when we betray our founding principles, people around the world feel abandoned and betrayed.

Alec Muffet on ID Cards

Alec Muffet provides the best way I've seen to get people to take up National ID Cards: Loyalty points. He claims to be kidding, but I've already picked up a dozen citizenship points by turning him in for Mocking the Crown. That brings me nearly halfway to an upgraded room next time I'm in the Tower.

Choicepoint Roundup, March 10

• Harry Weber of the Associated Press is looking to talk to Choicepoint employees. Email him at hweber@ap.org He's been covering the story since it broke.
• The readers of Chief Security Officer Online have spoken, and not one opposes more disclosure laws. (As of noon, Thursday.)
• Bruce Schneier asks why Choicepoint seems to be saying "Please Regulate Me?" (I opined this in "Choicepoint's Orientation.")
• Sound Assurance claims that the $2m spent buying people credit monitoring would have been better spent on prevention. I'm not sure I buy this argument. Firstly, where to spend that money to prevent this sort of fraud? Secondly, how much to spend? It's easy to say "$2m" with hindsight. (Gordon and Loeb would say less than 37% of that, but that's another post.)
• I've posted "Financial Privacy Regulations, 5 Years Behind?" excerpting an American Banker story. If anyone asks what a new law should include, prompt implementation would be a fine start.
• Correlation Central compares the Harvard MBA and Choicepoint incident responses.
• BoingBoing picks up the Deborah Pierce story. Since Deborah is running CFP this year, expect more press on her file.
• Without Warranty has some good advice on how to invest:

  The next time you see a big headline pronouncing the latest corporate scandal, look closely at whether it's just juicy gossip or whether it affects the core of the business before deciding to buy or sell.

  For example, Choicepoint was hacked and has lots of user info stolen. Choicepoint still had the information and thus it's business remained unaffected... Choicepoint was up 11% the other day because it's still making money and people are quickly forgetting last weeks headline.

  It's solid advice, but I don't agree that the business remained unaffected. Choicepoint is on their way to getting their industry heavily regulated.
• Speaking of which, PIPEDA and Canadian Privacy posts tomorrow's Senate Banking Committee's Hearing schedule (official copy). Interestingly, for Choicepoint, it's Mr. Don McGuffey, Vice President. Was Derek too busy, or are they not letting him out in public anymore?
• Oops! Yesterday's Two Minutes hate should have been brought to you by TKIDBlog, with Truth In Advertising. And today's is brought to you by ActonUp, pointing out the big lie of Lexis Nexis claiming "No Financial Information Compromised" (Just social security numbers. I feel better too.)

My 25 prior Choicepoint posts are rounded up here.

Financial Privacy Regulations, 5 Years Behind?

The American Banker has a long story about how some regulations from GLB are now five years behind schedule:

Ironically, both bankers and consumer advocates panned the agencies when they proposed guidelines on identity theft prevention in August 2003.

The 25-page guidelines were based on Section 501 of the Gramm-Leach-Bliley Act of 1999, which required financial companies to have safeguards in place to protect nonpublic personal data.

...
Now, nearly 18 months later, the Federal Reserve Board, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, and Office of Thrift Supervision are on the verge of issuing a final version of the guidelines.

...
Regulators are also working to implement the Fair and Accurate Credit Transactions Act, a December 2003 update of the Fair Credit Reporting Act.

The agencies have polished off rules granting free credit reports and making it easier for consumers to opt out of prescreened credit offers. But the FACT Act required seven rules relating to identity theft, and only three have been completed. [None of the FACT rules would require disclosure.]

...
Legislative reform that attempts to rein in information brokers like ChoicePoint could have a spillover effect on financial services companies. For example, some lawmakers want the FTC to restrict the types of companies that may access and sell data such as Social Security numbers. Many financial institutions are also customers of these information brokers, using their reports to check the accuracy of credit applications or to verify a customer's identity.

1,700 Drivers Licenses stolen

The theft occurred early Monday in a remote industrial area, authorities said. The thieves took blank licenses and laminated covers, a digital license camera, a camera computer and a license printer.

...
"It's been pondered that this has national security interests," [police spokesman Tim] Bedwell said. "But it's easier to pass a fake ID to a teller than to use it to get on a plane and fly internationally."

He's clearly right. (Actually, he's totally off. With the possible remaining exception of Canada, you can't fly internationally with a drivers license. But you sure can fly around the US on one.)

(From the Seattle Post Intelligencer, via Qaddisin Security Blog.)

[Update: To clarify, what was stolen was everything needed to create perfect license forgeries, not the data. Also, this Las Vegas Review Journal story is a little better.]

Small Bits: How to live, drive, be identified, and stuck in a database.

• A great essay on living and working creatively by Milton Glaser (via BoingBoing)
• What it takes to get a drivers license in Germany.
• Stefan Brands On Quintessenz and the Biometric Consortium. Quintessenz is an Austrian civil liberties group that's learned about how NSA is driving the biometrics industry.
• What may be the largest database on Islamic terrorists in the world is in the hands of not the CIA, not the NSA, not MI5, not even the Mossad, but a North Carolina law firm. (Via Marginal Revolution.)

Attackers, Disclosure and Expectations

In both military or information security situations, the position of the attacker is very powerful. An attacker can choose when, where, and how to attack. Attackers are not constrained by change management committees, operational risk, or a need to make economic tradeoffs within a budget. [1] Attackers don't need to consider other work that needs doing. The attacker can set and reset their operational tempo, from very, very slow scanning and reconnaissance to very fast penetration and subversion.

If you believe people who break into computers, these advantages add up to the attacker usually being able to break into a system that they've targeted. Skilled attackers will tell you that there's no system they can't break into. (Skilled, high budget defenders have told me the same thing: that when they hire really high quality red teams, and tell them to go all out, the red teams win.)

Most people outside the computer security world don't know that; they've been told things like "We follow industry standard best practices to protect your information." A fair number of people in the computer security industry don't like to admit to the advantages that the attacker has. When you're working hard to protect your employer, or customers it really stinks to know you're offering only a partial solution, or that there are problems you know about, but can't fix for good reasons.[2]

With a new set of rules emerging around disclosure [3], such as California's SB 1386, these problems are being revealed to the public. (The PIPEDA blog has a great roundup of incidents.) In a bit of a stretch, the Sarbanes-Oxley act may also implicitly require such disclosure, as a security breach may indicate an inadequacy of controls under section 404. 1386 may be passed at a national level in the wake of recent incidents. Today, the market doesn't know how to react to such things, and sharply penalizes companies for disclosures, or for new events.

Over the next few years, the stock market will start to factor in these disclosures. There will be too many breaches reported for the smart folks to not factor in disclosure. However, consumers will be slower to understand that these breaches are regular, and may well switch suppliers when they can. The Ponemon Institute study showed that as many as 80% of consumers would switch airlines after a breach of confidentiality.[4]

So, where does this leave a company trying to make good security decisions? Since this post is already too long, I'll point to More on SSNs and Risk, which I wrote in December after the Delta Blood Bank disclosure. I'll try to write more on this topic over the next few days.

There are some footnotes attached to the extended version.

1. This is a simplification: Attackers are concerned about operational risk, that of being arrested and charged with crimes. Some are also now employed, and focused on the highest financial return on their activities.
2. Good reasons to leave open vulnerabilities include usability (I don't want to have special software installed to purchase items online), economics (the expected cost of an attack is smaller than the cost of a defense), or the unavailability of defenses (what do you do about a 600mb per second denial of service flood?)
3. Here I'm using disclosure to mean that a company needs to inform the public, or members of the public, of a breach of the company's security, not to refer to the vulnerability disclosure debate.
4. The Ponemon Institute study is admittedly a tad confusing; we only see data for consumers switching airlines, where they've also said that they trust the airline.

More on Watch Lists

To follow up to my post on Terror Suspects and Firearms, I'd like to take a moment to rail against the Kafka-esque implementation of "watch lists" in the United States.

For the FBI, or other investigative or intelligence agencies, to have lists of "interesting people" makes perfect sense. You'll always have people who you suspect are bad, who you don't have sufficient evidence to arrest. You may even have people who you do have evidence to arrest, but want to leave them free for a while to learn more. When these lists are secret and contained, they make a lot of sense.

The difficulty happens when these lists start to be partially exposed to the world, for a variety of good purposes. Keeping terrorists off an airplane? Sounds good. Keeping them from buying explosives? Sounds good. The trouble is, the process of getting on the list is easy. Have coffee with a nutjob, and boom, you're on the list. It makes perfect sense. But today, rather than having an FBI agent follow you around, ask a few questions, and forget about you, you're added to a database. When the list could be prioritized by "is this person worth following?" it worked better. But today, you're entered into a database. We don't know how big that database is. We do know, thanks to Johnnie Thomas, that you can't get out.

There's no one who wants to be responsible for taking a grandmother off the list. No one wants to be the one who took someone who later committed a crime off the list. And because storage is cheap, they don't really have to.

Now the watch list have started being used as a no-fly list. We have a suggestion that they be used to prevent people from buying guns. There's no personal judgement, or even economics of investigations to control the lists. You're in the database, you must be a bad person. A threat. A fifth columnist. Better to prevent you from being a danger to others.

But you have no way to learn why you're in the database. You have no way to learn what the database says about you. You have no way to get out of the database. Your right to due process has been discarded. Is this the country we want to live in?

Choicepoint Roundup, March 9

• Tara Wheatland has a long post Un-Spinning the ChoicePoint Scandal. (Via Personal Democracy Forum.)
• Local TV station WXIA Atlanta says ChoicePoint Management Under Fire
• Not actually Choicepoint, but DSW Shoes and Seisint, makers of the massively overhyped MATRIX database for law enforcement have both announced breaches. I wonder when the attackers are going to start inserting information, rather than taking it?
• Speaking of other breaches, PIPEDA and Canadian Privacy Law (the blog) has a great roundup of incidents since Jan 2004. He lists 39 incidents, including hacking, lost laptops, failure to shred paper, bad faxes, bad email, and others. I'll try to comment on these soon.
• Bob Sullivan has a three page article at MSNBC, "ChoicePoint files found riddled with errors."

  It's not clear prospective employers would see that part of Pierce's file as part of an employment background check.  The firm declined to answer specific questions about Pierce's report -- or to confirm its authenticity -- but said it was likely designed for law enforcement officials.

  That these files are full of errors is unsurprising. Choicepoint has no motive to produce correct information, and correcting the information costs money. Also, I'm not sure how we're supposed to have a national debate on Choicepoint's functions if they won't even tell us what's in which report.

My ongoing Choicepoint coverage is all listed here.

Terror Suspects and Firearms

The New York Times is running a somewhat alarmist article, Terror Suspects Buying Firearms, Report Finds. The report says that

At least 44 times from February 2004 to June, people whom the F.B.I. regards as known or suspected members of terrorist groups sought permission to buy or carry a gun, the investigation found.

In all but nine cases, the F.B.I. or state authorities who handled the requests allowed the applications to proceed because a check of the would-be buyer found no automatic disqualification like being a felon, an illegal immigrant or someone deemed "mentally defective," the report found.

Let's dissect this. Firstly, we don't know how large those terror suspect lists are. What we do know is that at least 80% of the people on them have never been convicted of anything: If they had been, they'd have had their right to bear arms stripped from them.

Next, its clear that terrorists do use firearms, and they're a useful tool. From terrorist attacks at Ma'alot, where PLO terrorists took over a school and murdered the children inside to modern Al Qaeda tactics which can involve a pickup or SUV penetrating a gate to allow a truckfull of explosives to be brought to a target, firearms are useful.

Firearms are not the only useful tool. I bet that a fair number of people on the terrorist watch lists got drivers licenses, and perhaps even purchased cars or trucks. Cars and trucks are also essential elements of, you know, car bombings.

In response to the report, [NJ Democratic Senator Lautenberg] also plans to ask Attorney General Alberto R. Gonzales to assess whether people listed on the F.B.I.'s terror watch list should be automatically barred from buying a gun. Such a policy would require a change in federal law.

Why don't we expand on this a little: Ban anyone on the list from buying a car. Ban them from a long list of schools where they can learn things, like how to fly a plane, drive a car, engineer a bridge. I'm confident that such people are also likely to incite to violence. Why not ban them from teaching positions, or revoke their right to free speech?

The terrorist watch lists include no due process at all. Should we limit the liberty of Americans because they're suspected of a crime? Clearly not. What the hell is wrong with these people?

Small Bits: Risk Management by Law, Domain Names, and Cats

• Not bad for a Cubicle has a good post on the credit card industry replacing their risk management efforts with bad law: Bad laws instead of good Risk Management. I like what he's saying enough that I've added him to the blogroll.
• Daring Fireball links to this article on How to Snatch a Domain Name, where a small bit of uncertainty creates an opportunity for hucksterism. This isn't enterprenuership: The problem being solved is mostly unnatural because Verisign has chosen to administer the DNS with a three hour window, rather than announcing the exact time a domain will become available.
• Boingboing points to this application of facial recognition...preventing cats from carrying animals into the house. I'm opposed to it, as I can see the day when I'll be prevented from blogging while foaming at the mouth.

Choicepoint Roundup, March 8

Today's roundup takes a different turn with more about privacy-invasive infrastructures. Also, previous scammer gets 5½ years, and Choicepoint appoints a new officer to deal with compliance and credentials.

• Deep in the Heart of ... France discusses the move to hosted applications, and ties in Choicepoint as an example of the new security issues, like avoiding linkage. I'm not sure if he's right, but its an interesting question.
• Mike Rankin talks about moving data offshore, where the victims can't regulate it.
• Humanities Research + Technology covers a Daniel Solove talk.
• Adedayo Benson, the previous Nigerian scammer, was sentenced to 5½ years in prison, according to this USA Today story.
• Choicepoint has appointed Carol DiBattiste, a former prosecutor with a long and distinguished record of government service to be the company's Chief Credentialing, Compliance and Privacy Officer.

  Choicepoint fails to get that this isn't about credentials or compliance, its about their playing fast and loose with personal information about American citizens. I'm sure Ms. DiBattiste will do great at her first two duties. However, as a longtime civil servant who's used to having her life be an open book, she'll fail miserably at number three. Which is where the real crisis is.

• Finally, today's Two Minutes Hate comes to you from...Winn Schwartau

All my prior Choicepoint posts are listed here.

Small Bits: Art, Chopsticks, Security

• Stefan Geens points to It Takes More Than Money to Buy a Hot Piece of Art.
• I Came to Japan Because of the Chopstick makes dinner plates fascinating. Thanks Rosa!
• Two shorts at AntiTerrorism & Security: The firm running airport security at SFO has been accused of cheating by a former manager. The lawsuit is covered in this SFGate article. Second, Wells Fargo's CEO is worrying about security.

Choicepoint Roundup, March 7

• Saturday's New York Times reports (thanks Alex for the pointer):

  Lt. Ronnie Williams, project director of the Southern California Identity Theft Task Force, which is investigating the ChoicePoint case, said that the breach was brought to his agency's attention in late October, and that on Nov. 23, the agency asked the company to delay notifying consumers for 30 days. But Lieutenant Williams said that ChoicePoint was free to disclose the breach as early as Jan. 1. The first public announcement from the company came on Feb. 15.

• The AJC is digging into the timelines.
• Finally, today's Two Minutes Hate comes to you from Technorati, who says no one cares anymore.

All my prior Choicepoint posts are listed here.

More on CVSS

Erik Rescorla takes note of my CVSS post, and comments that he's not sure he likes some technical aspects of the system (emphasis added):

CVSS does have a formula which gives you a complete ordering but the paper doesn't contain any real explanation for where that formula comes from. The weighting factors are pretty obviously anchor points (.25, .333, .5) so I'm guessing they were chosen by hand rather than by some kind of regression model. It's not clear, at least to me, why one would want this particular formula and weighting factors rather than some other ad hoc aggregation function or just someone's subjective assessment.

I haven't studied the CVSS scoring system to decide if I like it or not. But I do think its a big win over subjective assessment, and offers an interesting replacement for the CERT Metric. Some numerical analysis of the threat is useful if you would like a process to decide on if or when to patch. (Doing this really well, as Erik says, "requires some pretty serious econometrics." But establishing a repeatable process can use simpler math, and still provide value. But you can't have a repeatable process with subjective vulnerability assessment.)

When I was thinking a lot about patch management, and the risk tradeoffs, an objective number would have been great. We wanted to measure patch risk versus threat severity, and tie that tradeoff to the fiscal costs of interruptions as well as system MTTR and its variability.

So I'm willing to accept that CVSS is wrong, and still believe that it will be useful until replaced with something better.

(Interestingly, Ashish Arora, Ramayya Krishnan, Anand Nandkumar, Rahul Telang and Yubao Yang had a paper at last year's Econonmics of Information Security, Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis (PDF only) in which they dissect the CERT metric.)

Identity Trail

There's some great blogging at the Identity Trail conference. I wish I'd been there. Read the official blog for Friday, Saturday AM, Saturday PM, or Michael Froomkin's post.

Choicepoint Roundup, March 6

• The Atlanta Journal Constitution contains the first MSM discussion I've seen of Derek Smith losing his job over this.
• Evan Hendricks of Privacy Times has a good article in the Washington Post, discussing who owns data, how we've gotten here.
• Axel, of Balrog.de comments "that ChoicePoint does NOT state in that Form 8-K that they had been asked by LA law enforcement to postpone [notification]. Good catch!
• CreditSuit has several good posts on Credit Report Freezing laws being proposed, and points to a Consumers Union roundup of such laws.
• Finally, today's Two Minutes Hate comes to you from the Atlanta Journal-Constitution's editorial pages.

All my prior Choicepoint posts are listed here.

Economics of Fake IDs

Some states will begin using new watermark technology akin to that used on currency for drivers' licenses next year...

While the backers of these efforts say they herald the demise of the fake ID, officers on the beat have doubts.

"They find a loophole and exploit it," said Sergeant Planeta of the New York document fraud squad, which has arrested 90 people for faking documents since its formation last year. "We plug it, and they find their way around it. And it goes back and forth."

So ends a story in today's New York Times on college students forging ID cards. If you want to see a security system really tested, put it between teenagers and drinking or sex. I'll bet on the hormones.

The sad part of this is that these free riders on the ID infrastructure cause enormous collateral damage. When every college student and immigrant in the country needs a fake ID, we can't rely on them for those few things that might really benefit.