Software Liability by Contract, Not Regulation

While “other events” are causing me to prevaricate over data protection legislation in the US, it’s great to see this Wall St Journal story (reprinted in the Contra Costa Times) on large software buyers pushing for liability clauses in their contracts.

“I’m paying the bill. Other companies are paying the bill,” says Ed Amoroso, AT&T’s chief information-security officer. “The software companies are not paying the bill.” Amoroso says AT&T spends roughly $1 million a month just to patch its existing software. Testing and installing a single patch across AT&T’s network can require as many as 30 people working full time for several days.

But everyone is treading cautiously. For example, technology and security executives at big companies talk about getting tough on software makers. But their bosses — chief executives — don’t always agree. Instead, the Business Roundtable, an association of CEOs, has focused on reducing liability exposure for technology users, not increasing it for software vendors. The CEO group opposes mandatory reporting of security breaches and requirements that companies meet minimum computer-security standards, for fear such moves could expose their companies to legal liability.

BJ’s Wholesale Club Inc. last year filed suit against International Business Machines Corp. for providing software that allegedly allowed thousands of credit-card numbers of BJ’s customers to be stolen by an organized-crime ring last spring.

I like to see companies working out these arrangements amongst themselves, because, when the externalities don’t splash onto us, it’s a more efficient arrangement than new laws locking in a single set of liabilities for all parties. There may be issues of what clauses anyone can get into a Microsoft deal, but with increasing competition from Open Office, I expect those will get worked out over the next few years.

Emergent Chaos Choicepoint Posts

I have added a Choicepoint category, which is great if you want to see all my posts on Choicepoint on one long page, and I am no longer updating this roundup.
I’ve been posting a lot on Choicepoint. I’ve done a number of roundup posts listing things I find interesting around the web, and a number of analysis posts.

Analysis

Roundups

An Invitation

The themes that pervade my writing on the Choicepoint case, privacy, power, liability, the economics of all of these and the intersection of security technology and privacy, are recurrent themes in this blog. If you like what you see, please, take a moment and read more.

Choicepoint Roundup ($16,600,000 edition)

Having already posted a Feb 28th roundup a day early, I was forced to think about a new title for today’s edition, and what better than the $16.6 million dollars that ChoicePoint CEO Derek Smith and President Douglas Curling have made selling 472,000 shares of CPS since the day before the first arrest in the case? (Use Bugmenot for a login to AJC.)

  • So our first link today is to poker players (that’s right, poker players!) invoking Caesar’s Wife. Mr Smith, Mr Curling, please take notice.
  • Robert O’Harrow has a web site for No Place to Hide. Ahh, poetry.
  • MSNBC has a story on the previous 11 lawsuits against Choicepoint.
  • I don’t know what to make of these Scratchings, but felt a need to link.
  • Contrary to what Softreset thinks, and to what I implied in this post, I am still down on legislation, but think if it’s going to come, I might as well try to help shape it. (I’m down on new laws because I think that the law of unintended consequences looms large; I’ll try to post more on this, but will be busy this week.)

Choicepoint Roundup (Feb 28)

I accidentally published this too early, but given the nature of trackbacks, and other such privacy-invasive technologies, it’s too late. You know my secret. I accumulate and then (try to) post in the morning.

  • Midnight Special asks “Where’s the accountability” and talks about government outsourcing and incentives in a well written post.
  • Why Now has a couple of good posts, one on Who Owns Your Copyright, and another, Who Wins & Who Loses, asking why can’t these companies that collect data about you notice that you’re a victim of ID theft?
  • Inbite claims Declan McCullagh said “Investors are worried about the possibility of new regulations curbing ChoicePoint’s business model (and future profitability).” At press time, Declan had not responded to a request for confirmation or a better URL. [Update: Declan’s quote.]
  • When I look over my shoulder is a long, well thought through history of privacy by Lotus, Surviving a Dark Time.
  • Michael Zimmer points to a Milwaukee Journal Sentinel article that points out that the old “big three” credit agencies are dripping with disdain for consumers trying to reach annualcreditreport.com. Following a link brings you to a blocking page, and apparently they failed to provide proper capacity for their phone banks. However, if you type in the URL https://www.annualcreditreport.com/cra/index.jsp, or copy and paste it, it will work. I suggest you call or write, rather than applying online, to make them spend the money on printing and mailing your report. It’s only a little, but every penny comes out of the profit they make gossiping about you.
  • Finally, today’s Two Minutes Hate comes to us from Public Domain Progress

Publishing a List of SSNs Will Not Fix Anything

Pete Lindstrom suggests:

My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news.

The net result is to eliminate the notion that perhaps SSNs are “secure enough” for some purposes given that they are at least slightly less-widely distributed than other identity demographics.

Firstly, banks already know that SSNs make lousy identifiers and authenticators. They won’t admit that to you as a customer, but talk to bank security experts at a conference, and they’re all searching for something that’s better, as easy to use, hard to lose, and lets them transfer risk elsewhere.

Let’s continue considering the banker’s perspective. They could try to use something other than an SSN as an identifier. But then they have to staff a help desk to recover lost passwords. The security of the system may go down because of the recovery mechanism, as it did with Paris Hilton using her dog’s name as a password. So the banker’s costs have gone up, and his security hasn’t. Now let’s say the SSN is public, and the banker chooses not to change his procedures.

What’s going to happen to the banker? Is the fact that an SSN is public going to change anything? Will courts suddenly start ruling differently on it? The bankers will close ranks, and describe this as “standard industry practice.” They will announce that, net of all the options, they all stink, and go home.

I remember a conversation at the first Financial Crypto with Michael Froomkin, about US crypto export controls. At some point, he said “All the neat technology demos in the world won’t change the judge’s mind.” Publishing a list of SSNs is no different than publishing the source code to PGP. The courts will defer to Congress the creation of new liabilities.

Thus the right focus for reform is to ensure that the law Congress shall pass includes elements of California’s 1386 (requiring disclosure of breaches), 116 (forbidding the use of SSNs as identifiers), and a new provision, forbidding the use of birthday, mother’s maiden name, or social security number as an identifier or authenticator. The law should impose strict liability on anyone who does either of the latter two, or fails to disclose in a timely manner.

Good Folks Looking for Help

A group that wants to assist free speech in authoritarian nations is looking for a technically savvy person — a CTO or lead engineer type — who can do a short term study, possibly leading to a longer-term job. This is a paying gig for the right person.

The project is intended, in its initial form, to make possible blogging that is impossible (or at least extremely difficult) to trace. One of the people involved calls it an “anonymous, anti-tyranny blogging service.”

(Via Dan Gillmor.)

Choicepoint Roundup for Today (27 Feb)

  • Choicepoint doesn’t make an appearance in the June, 2003 Congressional testimony of Leonard Bennett, (or PDF), but the testimony is on how hard it is to get your credit files corrected with those companies that follow the Fair Credit Reporting Act. Given that Choicepoint believes that they don’t even have to do that, it will be poetic justice if whatever new law comes down on them is more expensive, and requires real rights of correction.
    (via Credit Suit, I think.)

  • This FoxNews story has some good old fashioned skepticism about government, and has a good quote from Jim Harper, of the Cato Institute:

    “If a company this central to this [surveillance] process is this careless, I think we should definitely step back and wonder about data mining,” he added.

  • Do you need a job? Really, really badly?
  • Adam Fields asks Is ‘We Deeply Regret’ the new corporate motto?
  • Len Bullard comments that Choicepoint has just bought I2; I hope he says more on why that scares him.
  • KipEsquire has an analysis of externalities of credit reporting that I’d missed earlier.
  • There’s some good background in today’s Atlanta Journal Constitution about how Oluwatosin was arrested.
  • And finally, today’s Two Minutes Hate comes to you from the resigned Quietness Distilled.

Choicepoint’s Orientation

As Choicepoint’s little error threatens to grow into a full-blown scandal, with Attorneys-General posturing, Congressional hearings, and daily press coverage in every state of the Union, it may be worth stepping back, and asking, “Why is this happening?” It’s not just the size of the exposure, both Bank of America and PayMaxx are larger. It may be the nature of the exposure, where a company whose victims have never heard of it is trafficking in gossip about them, rather than providing them services. It may be Choicepoint’s history, what with voting rolls problems in Florida, Mexico, and lord knows where else.

The largest reason that this is a problem is because Choicepoint can’t get their heads around the story. The story is about 145,000 Americans at risk. Yet Choicepoint’s press release is really about how inconvenient this is…for them.

ChoicePoint is actively engaged with local and federal law enforcement agencies in the continuing investigation of a fraud committed against us, through which a small number of very organized criminals posing as legitimate companies gained access to personal information about consumers. This incident was not a breach of ChoicePoint’s network or a “hacking” incident, and did not involve any of ChoicePoint’s customer information.

(From “Choicepoint’s Response to Customer Fraud Litigation,” linked on their home page.)

Why is it that Choicepoint can’t say that they’re sorry? (Dan Gillmor pointed to David Lazarus asking this question.)

The answer lies in the orientation of the company, that is, their worldview, which is coloring their glasses as they respond. In Choicepoint-land, they are a trusted provider of information, helping businesses and governments make better decisions about the unwashed masses who want to attack, cheat, and commit fraud. In this world, those unwashed masses, who aren’t Choicepoint customers, aren’t touched by this fraud. “No Choicepoint customer information was involved.” In Choicepoint-land, the folks that matter are the business and government customers, not the “consumers” who are being discussed. And their press activity is centered on these folks. The cultural traditions of the company, the analysis they perform, and their prior experience have all combined to make them successful through focusing on these customers.

But American citizens — not consumers, thank you very much — are tired of being treated as lines in a database. We are individually and collectively outraged. Choicepoint has not only no experience in talking to us, they have actively sought to avoid it. And now, they are reaping what they have sown. A national dialog on data warehousing is happening, and they’re not a participant. Now they know how we feel.

Choicepoint Won’t Benefit from Bank of America Leak
I wasn’t going to blog on BofA‘s little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on:

In order to share the information, and raise the knowledge of what’s important and what’s not, we may have to get over the finger pointing. That may mean we have to go through several ChoicePoints, if only so that it can become routine and not scandalous. Bank of America is thus timely and expected; although I don’t think anyone else is likely to see it that way.

Ian is right about this: We need more routine disclosure of security incidents. We need to know what caused them, what mechanisms were used to get in, and how they were detected, so we can learn from them. This will be a slightly painful transition, but most companies with security issues are not facing a Choicepoint-scale scandal.

There’s an important reason that Choicepoint and BofA are different in the consumer’s mind. Everyone affected by this is carrying a BofA card in their wallet. They understand that BofA knows about them. In contrast, most of the stories on Choicepoint had to start out by explaining that this company exists, to spy on Americans, and oops, they can’t keep track of their own customers. Choicepoint has also managed to totally mangle their public relations because of their orientation and world-view. I’ll say more about that shortly.

Therefore, Bank of America, Maxxpay PayMaxx, and anyone else who’s releasing their 1386 notices this week aren’t really going to draw heat from Choicepoint. They’re still going to be the focus of the story.

[I have lots more on Choicepoint, visit the main page, or the February archive.] [Update: I said Maxxpay, because I hadn’t had enough coffee when I wrote this.]