Discretionary Disclosure

A man who pleaded guilty to hacking into an Arkansas data company’s computer system and stealing personal identification files was sentenced Wednesday to nearly four years in federal prison.

Daniel J. Baas, 26, of suburban Milford, entered his plea in December 2003, after being indicted that August.

Baas was a systems administrator for Market Intelligence Group, which had an agreement to analyze data for Acxiom Corp., of Little Rock, Ark., when he exceeded his authorized access and downloaded encrypted password files, prosecutors said.

In a plea agreement, Baas admitted that he stole the data between January 2001 and January 2003 and stored it on computer disks at his home, prosecutors said. On Wednesday, U.S. District Judge Susan Dlott sentenced Baas to 45 months in prison.

Acxiom’s clients include credit card issuers, banks, auto manufacturers, telecommunications companies and retailers. Baas bragged to other hackers that he had the files, but didn’t share them with anyone, prosecutors said.

According to Robert O’Harrow’s “No Place to Hide,” p. 72, the company chose not to notify: “A company official said that the information was simply not that sensitive and ‘did not meet a threshold that would require customer notification.'” (Update: Try this Google Print link.)

Acxiom’s data would be covered under California law and the new laws that a number of states are putting in place after Choicepoint, but not under the FDIC, FRB, or OCC regulations that have been put forth.

Disclosure Laws & Regulations

Declan McCullagh writes about new rules requiring banks to disclose breaches, as promulgated by an alphabet soup of federal regulators.

A brief digression: The new guidelines seem to make sense, but it’s difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options.

For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans — but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards.

Its hypothetical competitor CheapDiscountBank might take less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let’s assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they’re willing to take and companies could experiment. Because that process doesn’t exist today, we end up with a one-size-fits-all rule that sets both a security floor and also a de facto ceiling that banks seem unwilling to exceed. It’s difficult to know whether that security “level” is the best one for consumers.

I’ll suggest that the new rules don’t go far enough. As the Washington Post story (archived here) explains: “If the organization determines that misuse is unlikely, it need not report the breach to its” So CheapDiscountBank might have one criterion for determination, while BankSuperSecure has another. But consumers won’t be able to compare those. As the regulation says, “It also should generally describe what the institution has done to protect the customers’ information from further unauthorized access.” Generally describe? How can I assess a general description? (A non-expert consumer might have difficulty, but could turn to Consumer Reports, or other trusted sources, for advice.)

Also, federally mandated “know thy customer” regulations require banks to gather, authenticate, and store everything an ID thief needs to go about their business. SuperSecureBank might promise to throw away all the non-essential data, so that they can’t have a breach. SuperSecure could thus lower their costs and increase their security. It’s too bad that a mere $50 billion in annual losses doesn’t prompt a review of how we’ve organized the regulatory regime.

“A Unified Theory of VC Suckage”

Brad Feld pointed to an essay by Paul Graham, entitled “A Unified Theory of VC Suckage.” (VC is short for venture capitalist, the folks who invest in certain types of startup companies.)

I used to take it for granted that VCs were like this. Complaining that VCs were jerks used to seem as naive to me as complaining that users didn’t read the reference manual. Of course VCs were jerks. How could it be otherwise?

But I realize now that they’re not intrinsically jerks. VCs are like car salesmen or petty bureaucrats: the nature of their work turns them into jerks.

What I really like about Paul’s essay is that it talks about some of the economic pressures on VC funds, and how those pressures get pushed to startups.

This is a strange thing for a startup guy to say, but I have a lot of sympathy for venture capitalists. In some ways, a VC fund is like a startup. You have some guys who know something about business. They go out looking for money. If they get the money, they have 10 years to make good on it. I might get pilloried for this next sentence, by people who skim through why I’m saying it: Unlike a startup, most VCs have relatively little in the way of compelling advantages. That’s not to say that investors are indistinguishable, only that it’s even harder for a VC firm to create, maintain, and communicate a compelling advantage over the other firms.

Most investors don’t get to build disruptive technology. They get slight first mover advantages. Most VCs are in cutthroat competition with other VCs for the ability to put cash into a few good companies, and a lot of ‘maybes.’ A good investor brings good strategic advice, and a big rolodex, and a willingness to work for you. Well, so does that other fund. Compare to a startup which can get a strong first mover advantage, building, say, a database that’s 10 times faster, or with six signed customers in the Fortune 500.

So I think, to extend Paul’s economic analysis of why investors and startups clash, it goes back to the limited partners who invest in venture capital funds, and the way they need to behave.

As a side comment, Rick Segal asks:

And what is this issue with a liquidity event. Why is that evil? What’s wrong with making some coin, selling companies, IPOs, mergers, whatever. I’ve yet to see anybody, Paul included, to give me a compelling reason why this aspect of venture capital means we all suck. 

Let me start by reiterating that I don’t buy the suckage claim. At the same time, there are businesses which may look like VC-fundable businesses, and, to everyone’s surprise, turn out to be organic growth sorts of businesses. For these companies, who need to contort to give their investors an exit, the liquidity requirement can suck. If the investors and CFO are good, I think there are usually options, such as a management-led leveraged buyout, converting equity to debt, and giving the cash to the investors. But, really, the issue is that VC firms are on a ten year schedule, and that creates pressure on the startups to be on (at most) a 5-6 year schedule. If you don’t know this going in — if you’re starting a startup to build a great business like your grandparents did — then you can find a world of hurt.

“What Would Gandhi do?”

“What would Gandhi do?” is the title of a soul-searching post by Joi Ito about positioning. It reminded me of a passage in William Shirer’s memoir of his time with Gandhi. I’d like to quote the passage, which ends chapter 11, and then add some comments. The context is Gandhi’s visit to England, and in particular, his visit to the Lancashire mills, which were suffering from an Indian boycott on English cloth. Gandhi visited the mills to find allies and support for his goal of Indian independence.

Gandhi was too tactful to mention–to the workers or the employers–a strong impression he had gained after three days in Lancashire. It would have amazed them, I think. But he remarked on it to me the last day in Manchester. He was taken aback, he said, by the backwardness of Lancashire’s cotton industries.

“I’m no mechanic,” he smiled, “but I’ve seen enough up here in three days to show me that the English are using antiquated machinery. It probably explains their inability to compete with other countries. The machinery in the Bombay and Ahmedabad mills is one hundred percent more efficient.”

So, when it came to searching for allies, Gandhi did not feel compelled to say everything he thought. He was truthful, and had someone thought to ask, he probably would have answered honestly. So I think pulling back from offending your audience so much that they close their ears is a fine thing.

At the same time, sometimes you may not be able to be diplomatic. I think we agree that over the next decade, copyright is likely to change dramatically. Innovative publishers like Baen books and O’Reilly are experimenting with new models. If a publisher wishes to call Baen and O’Reilly’s experiments ‘disgusting,’ they’re free to do so. (Well, they may have a fiduciary duty to their shareholders to figure out how likely a change in copyright law is, and how they’d handle it if it happens, but they can still call it disgusting.)

Earlier in the chapter, Shirer discusses how, at the London conference on India, Gandhi ignored the wishes of the rest of the delegation, and announced that Britain should take on India’s national debt. He did this because he thought it was right, and important. I suppose to sum up my reading of Gandhi, consider if what you’re saying needs to be said. If something needs to be said, don’t be afraid to speak the truth.

Three Privacy Breaches

“DMV hopes to reassure clients about security.”

The DMV on Wednesday will send out letters describing the incident and new driver’s licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV.

“Audit: State voter system left information vulnerable:”

The state elections and technology departments agreed that the systems were vulnerable, but they told the Office of the Auditor General they are not aware of any time information in the Digital Driver’s License System and the Qualified Voter File was compromised.

“We identified numerous and, in some cases, very significant vulnerabilities in the configuration of the QVF operating system and database that preclude management from preventing or detecting unauthorized access,” auditors said in their report.

and finally: INTERNATIONAL STUDENT FILES: UNLV server accessed:

University of Nevada, Las Vegas computer analysts were conducting a routine security check on network activity when they found a hacker accessing the Student and Exchange Visitor Information System, also known as SEVIS.

The two things that all of these stories have in common are that last year they’d have been swept under the rug, and that they all involve government computer systems being breached.

(All courtesy of Internet Security News.)

Small Bits: Hell, TSA, Insurance, Mutual Funds, Telephone Privacy

  • Asteroid analyzes Sisyphean volunteers and the modern condition in a brilliant essay. It just goes to show, the Greeks really did invent everything.
  • Robert Poole and Jim Harper debate the TSA in “Transportation Security Aggravation” at Reason.
  • Tyler Hamilton looks at two schemes to cut your auto insurance premiums by monitoring your driving, and their privacy implications.
  • The Wall Street Journal reports that some mutual funds are disclosing their customer information in SEC filings. The funds in question have strange share structures that cause small investors to be disclosed. (If that link doesn’t work, try dkgroup.)
  • Dave Evans points to Date Number, a targeted privacy service for those concerned about stalkers.
Choicepoint, March 22/23

    • The Daily Caveat rounds up the five shareholder lawsuits against Choicepoint.
    • The Atlanta Business Journal has an article on Choicepoint’s executive compensation.
    • Kim Zetter at Wired has a 3 page story on Choicepoint’s Checks Under Fire.
    • CNN reports that only 11% of id theft occurs online.

      Well, actually, there might be some methodological problems. It’s hard to tell, since the survey costs $1,500. First, consumers often have mistaken information about security issues. Second, it’s not clear if this was a survey of consumers who had suffered ID theft, or if second-hand data was accepted. No comparison to FTC data is provided.

      The telephone survey of 4,000 consumers was done by the Better Business Bureau, and funded by eMarketer online. I called Sheila Adkins, CBBB’s Associate Director, Public Affairs, who called back, and gave me other folks to talk to. Not yet sure if I’ll track this down for analysis.

    • LiberalDesert writes about how the Social Security administration has better customer service than the big three credit agencies.
    • Finally, today’s Two Minutes Hate, while not really Choicepoint related, comes to you from … Freedom is Slavery. How could I argue with MinTrue?

    The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.

    Those Exemplars of Ethics at the UN

    Read this transcript about former UN Oil-for-Food program lead, Benon Sevan. Apparently the UN is paying his legal fees.

    Question: The other question was a follow-up to a story in the New York Sun today. The United Nations has been paying Benon Sevan’s legal fees. Is this appropriate? Is this normal practice? And why did the United Nations not announce this?

    Spokesman: Indeed — well, first of all, we haven’t paid for anything yet. But it is true that the Secretary-General decided, in principle, to reimburse Mr. Sevan for what we called “reasonable legal fees” as determined by the United Nations for services in connection with his appearance before the Volcker Commission. The payment of these fees was to be made on a strictly exceptional basis, for the purposes of facilitating the work of the Commission.

    Electronic Voyeurism

    Jason Young has a great, thoughtful post at Blog*on*nymity:

    Like other nations, Canada has moved to adopt criminal sanctions for electronic voyeurism, a social problem that has become acute with the availability of cheap and inobtrusive surveillance technologies. The legislative efforts are welcome and yet I cannot help but wonder if we are missing the forest for the trees.

    Privacy is a mutable value and can mean many different things. It can represent distinct legal interests as well as broader social ones. Our respect and disdain for privacy – our own and that of others – alters the nature of our relationships to one another and also the very fabric of the community. Legal sanctions for voyeurism seek to mitigate the personal harms and protect individual interests, and to some degree they will do so, but they are ill-suited to address the social harms or protect the social value of privacy.

    How Many Home Pages?

    I was trying to enter someone’s web address into Apple’s Address book recently. Unfortunately, Apple believes that you have a home page. This is at odds with almost all the other fields in Address Book. You can have lots of phone numbers. A profusion of email addresses. And one home page.

    Me? I have a longstanding personal home page. I have this blog. I have a side consulting business. I have a personal journal. If I was working for a company, I’d have a corporate page. That’s five. Ooh, I have a page at Flickr, too, to share photos. So six. Unless you ask Address Book.

    But dig those nice green plus signs. You have to figure, it would be pretty easy to add that to the other fields that are there.

    Now, admittedly, I may be a little extreme in having six web pages one might call my home page. But I think that two or three (personal, professional, blog) is no longer unusual, especially amongst the Mac’s new target audience of tech executives. So come on Apple! Let’s have more home pages.

    Choicepoint, March 21

    • Businessweek has an editorial, saying strong regulation is unlikely, but credit freezes, mandatory disclosure, and liability for breaches should come. (I’d argue that liability for inaccuracy, creating a duty to the subjects of a database should also be considered a floor for a new law.)
    • EPIC has written to the FTC, critiquing their testimony. (Via Consumeraffairs.com.)
    • It seems that Choicepoint owns Rapsheets.com, the company providing back-end data for investigate-your-date company true.com. (From the Desert Dispatch, via Kathryn Lord.) Note that Choicepoint also has a bad habit of reporting erroneous criminal histories.
    • In the fallout department, IRBSearch has taken to truncating SSNs, according to The Daily Caveat, a PI blog.
    • Bob Sullivan at MSNBC turns a skeptical eye towards ID theft insurance and monitoring services.
    • Screendiscussion has some thoughtful and interesting discussion of background check related issues. His writing style resonates with me more than many of the other PI and screening industry folks who’ve blogs that I’ve come across.


    Small Bits: Caller-ID, FBI Lies, Intel Reform, and GCC

  • Wired is carrying a Reuters story blaming VOIP systems for security flaws. The claim is that VOIP, by allowing everyone to set their caller id string, is causing security problems. This is false. These security problems have existed and have been exploited for a long time. For banks, or anyone else to rely on caller id when the provider accepts no liability, is an accident waiting to happen. And now it has. Don’t blame VOIP. Blame the financial services companies who have placed their convenience over your security.
  • Ed Hasbrouck has a long article on the FBI’s grubbing around in personal data:

    Once again, the question comes down to whether the TSA was incompetent or lying: Was the TSA actually unfamiliar with the FBI’s analysis of the content of PNR data, even as the TSA was devising massive, and massively intrusive, systems highly dependent on what such data might contain? Or was the TSA actually aware, from its familiarity with at least the structure of the FBI data set, that PNR’s invariably contain personally identifiable information on people other than passengers, in the form of the required unique agent sine?

    These folks would be a lot more trustworthy if they could be relied on to get basic facts right in their public statements.

  • Speaking of trustworthy, the Economist has an article on intelligence agency reforms.
  • Lastly, GCC4 has a new feature, mudflap, for debugging pointers and some stack/heap issues. The slashdot discussion has some good bits.
Kyrgyzstani Democracy

    The BBC is reporting that

    Opposition demonstrators in Kyrgyzstan have taken control of a town, as protests continue a week after the second round of disputed elections.
    In Jalal-Abad, a police station was set on fire, and protesters took control of the airport to prevent reinforcements being flown in.
    Protesters say President Askar Akayev’s party used fraud to win the elections.

    Response to Solove & Hoofnagle

    As I mentioned previously, Daniel Solove and Chris Hoofnagle have written a paper on “A Model Privacy Regime.” This post makes a lot more sense if you’ve read their paper. I’ve read through it, and think that it’s pretty good. My responses to specific sections are below. First I’d like to comment on the free speech critique of data protection law.

    A number of smart people (for example, Jim Harper writing on Politech) critique the drag on innovation that such a regime entails. I’m very sympathetic to this critique. I’d like to suggest that the regime only kicks in when there is government issued, certified, or verified data involved. That is, if you want my (government issued) social security number to link records, or my driver’s license to certify my name, or you check against a list of voters, then you’re taking advantage of the threats of penalties the government applies. It becomes harder for me to protect my anonymity. If, like supermarket discount cards, I can use any name I want, then I see no need for generalized privacy law. Such a balance would encourage companies to offer deposits as an alternative to credit. (I’ve written about why this is good business practice in the past.)

    That said, onto specific responses to their model law:

    1. Universal Notice: Why require only informing the FTC? If you’re putting me at risk by storing information about me, why shouldn’t you notify me directly? Yes, this would impose a startup cost on new information brokerages. Today, those costs are borne by victims of ID theft. Let’s assign those costs where they belong.
    2. Meaningful Informed Consent: I like this. Let’s be specific, and say that informed consent requires knowing what data is going to whom. Again, notification to affected individuals, not just the FTC.
    3. One Stop Stopping: Others have criticized the one step opt-out, but I’d suggest that the right mechanism is to never sell, share, or transfer personal data without associated privacy information.
    4. I have no comment on individual credit management.
    5. Access and Accuracy: Current rights of access are not very effective at getting credit reports fixed, as Bennett discusses in Congressional testimony. Companies who trumpet how much data they can store ought to store where the data comes from, so that they can remove false statements that come from ID theft.
    6. Secure Identification: This is a hard problem.
    7. Disclosure: Actually, the first incident came to light because of reporting by David Colker and Joseph Menn regarding criminal prosecutions, not 1386, which was passed after that incident.
    8. Social Security Numbers: As I suggest above, make the data protection regime kick in whenever a business chooses to use an SSN.
    9. Public records: There is a clear tension here, which the authors admit to.
    10. Background checks: I have very mixed feelings about background checks. On the one hand, there are people whose references I wish had been more forthcoming. Clearly, laws that require disclosure of who said what in a reference check are acting as a drag on a much needed part of the hiring process. (About a month ago, I was at dinner with friends, and failures of that process, and venting about it, and the lawsuits that have followed, took up half the dinner.) On the other, many of these checks are full of bad data. I’d like to see economics kick in here, and perhaps one way to do that would be to tax background checks at some high rate, with proceeds going to those unfairly denied jobs based on botched checks.