- Alacrablog discusses a Morgan Stanley research report:
Certainly manageable numbers, but I think the report underplays both the potential growth in these markets prior to these incidents and the rising costs due to increasing regulation of the data brokers.
There’s also an interesting post rounding up the SIA Anti-Money Laundering conference.
- The Atlanta Business Journal reports that the Georgia House has passed a notification law.
- Choicepoint may be developing an access system, according to a March 31 AP story that’s only been picked up by the Kansas City Star (bugmenot has logins):
“You will receive the reports that we have on you,” Don McGuffey, the firm’s vice president for data acquisition, told the state Senate’s Banking, Finance and Insurance Committee on Wednesday.
It doesn’t seem that they’ll be moving towards the right of correction. Rather, you need to convince whoever reported bad data to correct it, and they will update Choicepoint. (Based on past evidence.) Compare this to credit reporting agencies, who have to include your corrections or disputes. Michael Zimmer has comments as well.
- Bruce Schneier quotes a Register article:
Sadly, Congress’s response has been to increase the penalties for identity theft, rather than to regulate access to, and use of, personal data by merchants, marketers, and data miners. Incredibly, the only person with absolutely no control over the collection, storage, security, and use of such sensitive information is its actual owner.
For this reason, it’s literally impossible for an individual to prevent identity theft and credit card fraud, and it will remain impossible until Congress sees fit to regulate the privacy invasion industry.
- and Mark Earnest makes a similar point.
- Finally, today’s Two Minutes Hate Irony is brought to you by “Ayn Rand is my Homegirl,” carrying a press release from
Executive Alliance, Inc., the premier provider of leadership-recognition forums, today announced that it has named the Distinguished Panel of Judges for the first annual Information Security Executive of the Year (ISE) Midwest Awards(TM) 2005
The judges panel includes:
Rich Baich, Chief Information Security Officer, ChoicePoint, Winner of the 2004 ISE Georgia Award … Leo Cronin, Senior Director, Information Security, LexisNexis Group, Finalist of the 2004 ISE National Awards
Apparently, UC Berkeley doesn’t have a CSO.
My Choicepoint posts all show up in the Choicepoint category archive.
Screendiscussion makes a case for criminal records searching as an adjunct to a background check:
One of the biggest downsides is that the records can only be searched by name, an occurrence that is becoming more common even at the lower courts. This might not be a problem if the name being searched is pretty unique, but if someone has been cursed with a common name then look out.
While it makes sense to curb identity theft by not providing a person’s name, date of birth and Social Security Number to the general public, in practice it’s a double-edged sword. Identity theft is limited, but it also means that an employer has to deal with how to use the information in deciding whether or not to make a job offer. There have been plenty of situations where a person wasn’t offered a job because of faulty information retrieved in a background check, and this newer practice doesn’t help things much.
I think the problem with this is that it’s a self-fulfilling prophecy: As national criminal background checks become possible, they become mandatory for liability avoidance. As they become mandatory, more and more data is made public. But they’ll never be perfect. So should we be going in that direction, or choosing to keep background checks expensive, so that employers are less tempted to perform them?
With the announcement yesterday of a stolen laptop with 30 years of alumni social security numbers on it, and the October break-in that led to 1.4 million people being exposed, how long until California forbids the University from holding such numbers? Clearly, they’re not to be trusted; students have no choice but to provide that information; government action is called for.
The other day, Samablog and I did some P2P mining, after Michelle Malkin blogged about it. She links to P2P Provides Safe Haven For Pedophiles. There, Rick shows screen captures of extremely disgusting file names (“2 yo getting raped during diaper change”). He doesn’t download any files, but takes this as evidence for his title.
I don’t want to defend such sick behavior, but there are some things worth thinking about. First, are these files what they purport to be? That is, are they child porn, or are they trojan horses carrying spyware or viruses? (They could also be 5 minutes of someone screaming “You sick, sick bastard! Go get help!”) Second, are they being distributed by law enforcement or investigative agencies, who log every search and transfer?
So, it’s pretty quick and easy to come up with interpretations of the evidence that aren’t “P2P Provides Safe Haven For Pedophiles.” I have no interest in downloading such files to test the “alternate content” theories. An interesting test would be to run such searches, and dig into the IP addresses sharing such files. Maybe they are law enforcement?
I was talking to someone about a New York Times story “U.S. Is Examining a Plan to Bolster the Rights of Detainees.” The story contains the line:
Those changes include strengthening the rights of defendants, establishing more independent judges to lead the panels and barring confessions obtained by torture, the officials said.
I made a snide comment about just including those confessions in the secret evidence that we won’t show defense attorneys. He commented that it’s actually a step forward, and he’s right. I am deeply saddened that the United States is taking a step forward to exclude torture-derived evidence, but glad that things are heading back towards normal.
The pessimist in me says that there are liberties that we’ll never regain. The banking system is probably permanently tied to “know thy customer” rules. Air travel will never again be as easy as it was. Tourism will never get back to where it was. The psychological intrusiveness of the measures chosen for the US Visit program deters visitors from coming to the US. Even if you think the program is useful, it could have been better implemented. Poor choices include fingerprinting rather than other biometrics such as hand geometry, which aren’t associated with criminality, and the extensive secondary uses of data, so that it continues to track you through your entire life, not just your entry to and exit from the US.
We don’t know what great things might have happened with the liberty that we’ve lost. We’ve chosen to accept fear over hope. To allow fear and pessimism to infect our thinking. I’ll try to do better. To laugh at the fearmongers, rather than cry. To pursue happiness.
The best way to see all my Choicepoint posts is probably the category archive for Choicepoint.
Juan Carlos Merida is an unusual victim of the watch lists. He knows why he’s on one. As the New York Times reports, while a volunteer at the Airman Flight School, he gave rides to lots of students. The students he gave rides to included Zacarias Moussaoui, who is currently awaiting trial on suspicion of being a part of the Sept 11th attacks.
But even knowing why he’s on the lists isn’t helping him clear his name.
Update: Michael Froomkin caught a detail I skimmed over, and its implications, in “The Insidious Effects of Security State Blacklists.”
I’ve discussed the concept of watch lists before.
The US Government is pushing a plan to add radios to every passport in the world. These radios will broadcast all the information in your passport to any immigration officer, id thief, or terrorist who wants it.
Want to see if there are more Americans on the right or left side of the plaza? No problem. Uncle Sam is helping the terrorists. There is no good reason for this. Canada, Germany, the Netherlands and Britain have all opposed this. The technical term for these chips is RFID, but really, they’re just small radios that invite thugs and terrorists to attack you as you travel abroad. If we need electronic chips in passports, they don’t need to include radios. I’ve never even seen anyone make an argument for the radios.
I’ve covered this in RFID Passport data won’t be encrypted and The Open Passport, and in small bits have pointed to articles by Ian Grigg and Ryan Singel.
Bill Scannell has set up a web site to make it easy to send your comments to Uncle Sam. Take five minutes and tell them: No RFID chips in passports. They don’t make sense, and RFID Kills.
Michael Howard mentions that Microsoft has published their Software Development Lifecycle for security.
Slag all you want, but I don’t see a lot of other vendors doing this. And now, if you need leverage to get buy in, you can either say, “We should emulate Microsoft…” or “Even Microsoft does…” It’s a win. Thanks for making it available.
Framing effects are what academics in a variety of fields call the contextual effects on perception. For example, six months ago, this laptop went for $4,800, and now it’s just $3,500! Similarly, law reviews, where lawyers write for each other, are usually exceptionally long, from my perspective. And so we get Orin Kerr saying:
Fun, Entertaining, Clever, and Short: Believe it or not, that’s a description of a forthcoming law review article. Yes, a law review article. Check out The Perfect Crime, by law prof Brian C. Kalt, forthcoming in the Georgetown Law Journal. It clocks in at 22 amusing double-spaced pages…
Yes, in law review-world, that’s short. In my world, this is slightly fun, mildly entertaining, clever in a sort of self-referentially post-modern fashion and short, at slightly over 22 words.
Ryan Singel reports that lying to Congress is now legal, at least according to TSA spokeswoman Amy Von Walter. “Von Walter also indicated the agency is working to make sure that the public and Congress are better informed about the agency’s actions.”
In other news, the Pentagon will ignore the recommendation of the Army Criminal Investigation Command to try the soldiers responsible for the deaths of detainees. Michael Froomkin has commentary.
Next up, sending prisoners to Egypt, and then seven or eight other things.
- The Federal Reserve has joined the FDIC in ordering banks to notify customers of breaches.
- Forbes reports that Choicepoint director Thomas Coughlin has resigned his day job at Wal-Mart:
“A senior board member of Wal-Mart Stores Inc. resigned Friday following an internal investigation related to personal reimbursements, billing and company gift cards.”
- [Choicepoint CEO] Derek Smith has apparently received threats via fax, according to TV station WXIA Atlanta. Here’s a cheat sheet for you:
- Denying his job application because of a Texas criminal record: Entertaining.
- Sending him Nigerian spam from a Kinko’s in LA: Self-referentially ironically cool.
- Sending threats: Not cool.
- Scott Berinato has a column at CSO Magazine calling this the Waterloo of information security. (Is there a permalink to that column?)
- The Christian Science Monitor has an editorial entitled “Locking Out Identity Thieves.” The subtitle is “Why are data collectors blocking efforts to require notice of a security breach?”
One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that’s a small price to pay for privacy and a more secure online identity.
The best way to see all my Choicepoint posts is probably the category archive for Choicepoint. [Update: added Berinato column, 2: Identified Smith]
Screendiscussion responds to my comments about “Three Privacy Breaches” in Security In a Changing Nation. He sums up his argument as “Why? The reason is that we, as a nation, have become extremely security conscious in the past few years.” I think this is only partially correct. I suspect that this is part of it. Perhaps that consciousness also entails an understanding that no one is perfect? That the attacker only needs to win once? That a cover-up is a worse sin than a mistake?
I suspect it’s the last bit: We’re coming to see security mistakes as mistakes that will happen. I think we need to start designing systems with that in mind.