Dear News Media,

Recently, you had a very interesting story on your web site. I left a browser tab open, so I could read it on the plane. But your very interesting story meta-refreshed itself so you could serve me more ads. Then the airport’s wireless portal showed up, and it stopped refreshing. And I couldn’t read your story. That makes me sad.

What makes me sadder, and makes you appear stupid, is that it was the print version. There weren’t any ads. So your bad design only served to prevent me from reading your story. You didn’t even make any money on it. If I could remember what web site it was, I’d give you a special link, helping you sell more ads, so you could hire a competent web developer.

Prediction

A merchant is going to feel some pain from the FTC. Visa and MC are going to look bad for not talking about who this merchant is.

Jun. 8–Federal officials cannot disclose what national merchant or merchants were involved in a recent debit card security breach that spurred at least two local banks to reissue customers’ debit cards.
“FTC investigations are nonpublic with a narrow exception that would not be met in this case — when a company itself discloses that it is the subject of an investigation,” said Claudia Bourne Farrell, spokeswoman for the Federal Trade Commission in Washington, D.C.
In this case, the company has not disclosed it, she explained.

(Source)
Sounds like Claudia Farrell of the FTC confirmed that there is an investigation of a merchant.
Instances such as this are the “really big and bad” breaches I referred to yesterday. When Congress closes this loophole, fur will fly.

80% of Active Duty Military, 2.2 million SSNs

Social Security numbers and other personal information for as many as 2.2 million U.S. military personnel — including nearly 80 percent of the active-duty force — were among the data stolen from the home of a Department of Veterans Affairs analyst last month, federal officials said yesterday, raising concerns about national security as well as identity theft.

From the Washington Post, “Data theft hit 80 percent of active military,” via Bob Sullivan, “Lost VA Data: Who’s on The List,” which includes useful what-happened bits:

Thanks to NBC’s Pete Williams, we can offer a few more details about why the VA has been so vague. The data apparently was taken home by an employee on either DVDs or CDs. Some of those CDs or DVDs were copied to the employee’s computer, but no one knows how many. In the best case scenario, only some of the data was copied before the computer was stolen.

Active duty personnel should be aware that there’s an “active duty” alert they can put on their credit reports. For details, see “‘Active Duty’ Alerts Help Protect Military Personnel from Identity Theft” (Federal Trade Commission).

Medical “Privacy” “Law”

Pop quiz time! What do you call a set of regulations that the government won’t enforce?

HIPAA.

In the three years since Americans gained federal protection for their private medical information, the Bush administration has received [nearly 20,000] complaints alleging violations but has not imposed a single civil fine and has prosecuted just two criminal cases.

“Medical Privacy Law Nets No Fines.” Dan Solove suggests a right of private action in “HIPAA’s Lax Enforcement.”

Photo by James Tran.

Is encryption worth it?

Gartner’s Avivah Litan says it’s better to spend money on encryption than on cleaning up after a data breach, according to a news report on her recent testimony before the US Senate.
The problem?
Gartner’s method in researching this claim, as best I can tell, relies on looking at a few high-profile cases. Sure, if they are representative of the actual breach population (about which we, and Gartner, know next to nothing) then encryption is cheaper than being hit with a breach. But, in deliberations over national policy the plural of “anecdote” is not “data”.
But wait — we also don’t know the likelihood that you’ll get hit with a breach. Gartner’s report doesn’t discuss this, but it does say a breach costs 15X more than encryption.
Cool. So, if you’re risk-neutral and you believe you have a one in fifteen chance of losing large amounts of personal information, you should encrypt. But how do you tell what your chance of being hit is?
I’d guesstimate that over the last two years or so, we have heard about maybe 300 breaches. I dare say there are vastly more than 4500 organizations handling personal information. We have more colleges and universities than that, for example.
So, either breaches are grossly under-reported, or Gartner’s case for encryption is not a case at all — this is a mountain being made out of a molehill, or Gartner’s estimate of cost is too low (for example, by not including loss in stock price).
My personal opinion:
Breaches are vastly underreported. Those about which we do not hear are “dog bites man” stuff, or are really big and bad, but thanks to loopholes, no reports need be made. The impact of a breach outside the “dog bites man” category, not counting the externality imposed on those whose info is revealed, is primarily reputational, and for publicly-traded firms manifests itself via abnormally low returns.
Real research concerning these matters is being done. It’d be highly desirable for our legislators to hear about some of it.
[Additional observations on this topic were posted over at Security Curve, which prompted me to move this out of the Drafts folder and into the light of day.]

Breach Roundup

Where two organizations are implicated, the first is the one which collected the data, and the second (e.g., Ernst and Young) is the one that lost it.

Many of these are via the Dataloss mailing list.

How Damaging is a Breach?

Pete Lindstrom is looking at an important set of questions: How likely is it that a given breach will result in harm to a person? What’s the baseline risk? Data is nonexistent on these questions, which means we get to throw around our pet theories.

For example, we know of 800 ID thefts from the 167,000 Choicepoint victims, all of which happened before notification. We don’t know how many more of those people have been victimized, because no one is collecting data. The breach data we have is collected by three amateur volunteer efforts: ourselves, here at Emergent Chaos, the Privacy Rights Clearinghouse “Chronology of Data Breaches,” and Attrition.org’s Dataloss list. There are also regular reports through ISN, and Dave Farber’s Interesting People List.

While we’re happy that there are amateur efforts, it’s hard to measure the results. To the best of my knowledge, there is no central database of ID theft victims. There is no repository of who’s gotten notices. And thus, no easy way to measure the real human impact of breaches, or see how much crime they enable.

“Dam Water” photo by Ed Hidden.

Jurisdiction as Property

Nick Szabo has a fascinating article on “Jurisdiction as property and peer-to-peer government.” I’m not going to attempt to summarize it, but will simply quote the opening:

Modern civics and political science is often taught as an absurd dichotomy: that government is a “monopoly over the use of force” and that the absence of government is anarchy. Using this fallacious dialectic, many highly lawful societies, such as most of medieval Europe, and in particular medieval and renaissance England, were “anarchies.” Even the United States is really an “anarchy”: jurisdictions are divided up among federal, state, county, municipal and other entities, including shopping malls and mass transit authorities whose security guards can legally arrest probable criminals.

I have two quibbles: I think the term peer-to-peer is at best misleading. It is a continuum of power relationships, some of which were between peers, and others were not. Also, I think the devolution of franchise may be interesting. It’s not only used for utilities and such, but also by businesses like McDonalds, which allow the franchisee certain rights over brand, symbols, and policies and processes owned by the franchiser, and also levy a tax on the franchisees.

Small Bits of Chaos

The Persistence of SSNs, and The Persistence of Thieves

Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans’ SSNs doesn’t put them at increased risk of fraud. His basic argument is that there are a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort.

He’s right. Monetizing an SSN does take effort. But the SSNs don’t really expire. If the people who stole them know what they have, they have years in which to exploit the data. The best way to do that is to wait a year or two for the news to disappear, the credit monitoring to go away, and the pickings to get easy.

If this were credit cards, we could just re-issue them. The lack of compartmentalization around SSNs, which makes them convenient identifiers, also means they’re hard to change.

I don’t know why Pete thinks that entrepreneurial criminals won’t rise to the challenge of monetizing a large fraction of a motherlode of ore. There are criminal syndicates who do this already. They’ll scale. If they don’t, other syndicates will show up who will scale.

I look forward to hearing from Pete or Mike Rothman, who wrote “there is no way the bad guys can get to all 26 million records.” Next you’ll be telling me that bad guys couldn’t exploit hundreds of thousands of pwned home computers because the management tools are too hard to create.

[Fixed headline. Thanks Pete.]

Why Johnny Can’t Precipitate

There’s a great story in Wired, “Don’t Try This at Home,” about how our obsessions with terrorism and safety have destroyed the ability of our children to learn chemistry:

The chemophobia that’s put a damper on home science has also invaded America’s classrooms, where hands-on labs are being replaced by liability-proof teacher demonstrations with the explicit message Don’t try this at home. A guide for teachers of grades 7 through 12 issued by the American Chemical Society in 2001 makes the prospect of an hour in the lab seem fraught with peril: “Every chemical, without exception, is hazardous. Did you know that oxygen is poisonous if inhaled at a concentration a bit greater than its natural concentration in the air?” More than half of the suggested experiments in a multimedia package for schools called “You Be the Chemist,” created in 2004 by the Chemical Educational Foundation, are to be performed by the teacher alone, leaving students to blow up balloons (with safety goggles in place) or answer questions like “How many pretzels can you eat in a minute?”

A little bit of chaos and risk are worth it to preserve American science education. Photo via Eccentrix.com.