8.9%

peek-a-boo.jpg8.9% of Americans are at increased risk for ID theft due to that fellow at the veterans administration. Wow. Sure, the 13% at risk for account take-over from Cardsystems was bad, but that was just credit cards. This is about the databases that control our lives. This is horrendous. Maybe we’ll get some better laws about credit freezes out of it. [Update: That sentence doesn’t quite read as I intended it, which was half optimistic, and half giving-up in disgust. That’s what you get sometimes with blogs.]

[VA Secretary] Nicholson initially told the committee that the stolen information “did not include any of the VA’s electronic health records,” but after further questioning by Rep. Bob Filner (D-California), the Bush cabinet secretary admitted the data did include codes representing veterans’ specific physical ailments, Reuters reports. (From “VA Data Theft Could Cost Taxpayers $500M” in CSO Online.)

(The Census Bureau says there are 298,817,315 Americans today. 26500000/298817158 = .08868. Photo by daxsauerwein. )

“Encryption is hard, let’s go shopping!”


On upcoming changes to the Payment Card Industry Data Security Standard:

“Today, the requirement is to make all information unreadable wherever it is stored,” Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.
In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. “There will be more-acceptable compensating and mitigating controls,” he said.

News.com.com
Yeah. It sure is hard to encrypt a file. Or a filesystem. After all, the important thing about controls is not that they achieve their objectives, but that they be palatable.
Note to credit card companies:
sed ‘s/Veteran’s Administration/YOU/g’ < /dev/cnn (Image: BlinkTank/Tim Wright)

Voting Registration Fraud

voting.jpgOne of the motivators often discussed for voter ID card requirements is voter registration fraud. I believe that ID card requirements are like poll taxes, and are not justified. I believe that they’re not justified even if they’re free, because of personal privacy concerns, regarding addresses. You know, like Gretchen Ferderbar had before her 911 operator ex-boyfriend killed her. Or like Amy Boyer had before she was tracked down and murdered. Or like Salman Rushdie, who can’t vote because he’s very aware that people want to murder him. Government claims that the data will be secured are laughable when you face threats like that. (If you don’t believe me, read the breaches category archive.)

Until last week, I didn’t have data to back that. In “Reed: 55,000 illegal entries scrubbed from database,” we get numbers (it’s a good article, and worth reading in full):

The purge of illegal registrations is the result of months of work by county and state elections officials, who began combing the new statewide voter database after its launch in January.

Reed, the state’s top elections officer, said the invalid registrations included 35,445 duplicate records and 19,579 entries for dead people.

But probes of the records found very few cases of potential voter fraud. About 30 cases of possible double voting were forwarded to county officials for investigation, Reed said. (Emphasis added.)

Sitting on the Fence

fence-border.jpg
Last week Dan Gillmor talked about Verisign’s monopoly wishes, stating:

This deal would be great for VeriSign, but terrible for the marketplace. It would consolidate one company’s control over an essential part of the Internet infrastructure.

Is the sky falling? I don’t think so. This sounds a whole lot like before GeoTrust was launched. GeoTrust earned market share by providing a less expensive, faster, easier to use solution. This demand will hasn’t magically gone away. I’m fully confident that someone else will come along and fill this hole.
[Fence photo from SeenyaRita via Flickr.]

Blogrolling Kim Cameron

I’ve added Kim Cameron’s Identity Blog to the blogroll. There’s a great post “Inebriation and the Laws of Identity” about what happens to you when you’re not firm and resolved about when you hand over your ID.

Hint to Paul Toal: The data is used for fraud prevention, and will stay in their databases forever. Just be glad that UK drivers licenses don’t have quite so much data on them as they will when they’re turned into your national ID cards.

American Red Cross, unknown number of blood donors in Illinois and Missouri, insider thief+dismal process

Normally this would go in the breach roundup, but it is noteworthy in that it is the only case of substitute notice I can recall seeing.
All state breach laws provide for notifications to be made via mail or telephone, and allow so-called “substitute notice” via a press release, prominent web page placement, and the like under certain circumstances.

Continue reading

The Human Element

In one of the soon-to-be countless articles about the VA Incident, Network World’s Ellen Messmer writes:

The sad irony in all this is that there are many at the VA who have worked hard to design and install network-based security. But in the “multiple layers of security” everyone is so fond of discussing, the human being apparently remains one of the hardest to fix.

Yes, while “there’s no technical solution to a social problem”, in this case the problem seems to have been that unencrypted sensitive data were literally left lying around. Even if one accepts the premise that these data need to be stored on laptops (which is far from clear in this case), any number of commercial products could easily have helped here.
A further point. Much is being made of this being a “simple burglary”. Let’s imagine that it was not. With crypto, an insider being paid for information would need to commit two offenses: leaving the info lying around (which might be worth it, depending on how much he’s being paid and by how gullible investigators are), and deliberately disabling the protection provided by crypto (by leaving the machine running, or by leaving the crypto key in plain sight on a Post-It). I’m no lawyer, but it seems that the second scenario makes it easier to separate malice from stupidity. Sounds like something that might be worth doing.

Counting In Background Checks

There’s some fascinating presentation of numbers in the BBC’s “Criminal records mix-up uncovered:”

Education Secretary Alan Johnson told the BBC only 0.03% of the nine million “disclosures” the agency makes had been wrong, so the issue had to be put “into context”.

He is so right! Let’s put those numbers in context, shall we?

The article says that 25,000 “unsuitable” people had not been hired, and 2,700 had incorrectly been labeled as criminals out of 9 million inquiries. So I think that the right context is that 2,700 of 27,700 “unsuitable” responses were “incorrect.” That’s a 9.7% error rate, not a .03% error rate. (We also have no numbers on how many real criminals, like Cleon Jones were incorrectly passed.)

I also don’t know if people are being notified of why their job application is rejected. It could be that more of those 25,000 “unsuitable” people are “suitable,” but they don’t know to appeal, or that the same bureaucracy that refuses to apologize for being “cautious” is also “cautiously” failing to correct real errors in their system.

Returning to the math, the same sort of math applies to things like the No-Fly list. A very low false positive rate snares lots of innocent people, while there are no real terrorists being caught. This is because there are an awful lot of innocent people, so flagging a very small fraction of them leads to lots of people flagged.

On the bright side, the British Government is at least measuring its failure rate.

Via Canadian Privacy Law blog, “Almost perfect accuracy still labels hundreds as criminals in the UK.”

Vulnerability Markets: Under a Cloud

trading-floor.jpgAfter some great conversation with Ryan Russell in the comments to “Economics of Vulnerabilities: Markets,” I saw Pascal Meunier’s “Reporting Vulnerabilities is for the Brave:”

So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?

(Trading floor image from Texas A&M.)

Personal Data on 26,500,000 Veterans Stolen (Including SSNs)

Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.

The material represents personal data of all living veterans who served and have been discharged since 1976, according to the department. The information was included the veterans’ discharge summary that goes into a government database.

From the New York Times AP story.

[Update: Bob Sullivan has some good analysis at “Vets deserve better treatment after data theft.“]

911 Dispatcher Kills Woman by Abusing Database

An emotionally disturbed 911 emergency dispatcher abused his access to the call center’s databases while tracking his ex-girlfriend and her new boyfriend before murdering both of them.

See Declan McCullagh, “Police Blotter: 911 dispatcher misuses database, kills ex-girlfriend,” which covers the court case stemming from a 2003 shooting, described in “Job loss tied to fatal shooting in Shaler” in the Pittsburgh Post Gazette.

As personal data is collected, distributed, and made available for a broad range of uses, its misuse is nearly inevitable. Stories such as this one, and the Utah case of a credit check leading to rape and kidnapping, are uncommon. I believe that’s because they’re reported less often than they occur, because the shocking crime is the murder or rape, and the details of what enabled it are not yet collected and correlated.

Breach round-up

Ohio University I:

On Friday, April 21, the FBI advised the Technology Transfer Department at Ohio University’s Innovation Center that a server containing office files had been compromised. Data on the server included e-mails, patent and intellectual property files, and 35 Social Security numbers associated with parking passes.

Ohio University II: 300,000 alums and friends. 137,000 have their SSNs exposed. Exposure was under way for over a year before detection.
Ohio University III:

Names, birth dates, Social Security numbers and medical information for 60,000 people were accessed in records at the school’s Hudson Health Center, the university discovered last Thursday [May 4]. The student clinic has records on all Athens campus students dating back to 2001, plus faculty, workers and regional campus students who sought treatment there.

Mercantile Potomac Bank: Stolen laptop. 48,000 customers exposed. Bank says it was against policy to remove the portable computer from the bank’s premises.
AICPA: Hard drive with member information, including name, address, and SSN, lost. The drive had been sent to a data recovery vendor, and was lost while being shipped back. Notice sent to members was dated May 8. The AICPA has 300,000 members. Based solely on my experience, they prefer to see rules followed, which they reportedly were not in this case.
Columbus Bank and Trust: 2,000 cardholders notified they may have had card info stolen. Is this related to the huge debit card mag stripe theft that may or may not involve a large retailer? Nobody is saying.

Homeland Security Privacy Office Slams RFID

Via Kim Cameron (“Homeland Security Privacy Office Slams RFID Technology“), I read about “The Use of RFID for Human Identification.”

This is an important report. The money quote is useful because it comes out of DHS:

Against these small incremental benefits of RFID are arrayed a large number of privacy concerns. RFID deployments’ digitally communicated information is easier to collect, save, store, and process, and is, therefore, more easily converted to surveillance than other methods. The silent, unnoticeable operation of radio waves means that individuals will always have difficulty knowing when they are being identified and what information is being communicated, leaving them vulnerable to increased security risks such as skimming and eavesdropping.

Comments are due by Monday, noon Eastern. I’ll be sending a short note (draft after the break, comments welcome) discussing the fact that many documents are carried internationally, and may not be subject to any of the mitigating factors discussed.

I’ve also urged stronger conclusions, but really, this seems to me to outline risks and alternatives well. It’s what we hope our civil servants produce, and so I can’t even be snarky about the title of the office that produced it.

Continue reading