When upper management is notified of a data breach, they have to choose between:

a) Announcing publicly and in a timely manner, which would result in major reputational damage, financial drain, loss of business, and potentially huge lawsuits.

b) Keeping quiet and hoping that no one ever finds out (in which case, nothing happens).

Of course, usually upper management doesn’t find out at all. There is little incentive for IT staff to report compromises all the way up the chain, since it just makes them look bad. System administrators fear that if they detect a compromise on their own servers, managers will accuse them of doing a bad job. Also, the breaches have to be detected in the first place– and often security staff are overworked and have limited resources for tuning IDS or following up on alerts.

The bottom line is that no one is motivated to do a good job detecting and publishing breaches– not corporations, not upper management, not IT staff, and in many cases not even security teams themselves. Ethics can hardly compete against real financial incentives and fears for job security.

Don’t Companies Have to Report Breaches?

Many states have data breach notification laws, but these tend to have major loopholes. Importantly, they don’t provide clear guidelines for deciding whether a “security breach” happened. As a result, if an attacker destroys important evidence or if the company does not retain records that would explicitly prove inappropriate access, then the company will probably decide that they are not required to report. Customers affected never even hear that there was concern about a breach in the first place.

The assumption is that the data is secure unless there is explicit evidence which proves otherwise. This is backwards! When log retention creates a liability, companies have reduced incentive to collect or retain detailed records. If we assume the data is secure unless there is proof otherwise, then there is no reason for companies to work to retain evidence.

The irony is that companies with the worst security practices, who do not keep logs or configure IDS systems effectively, are the ones who get off scot-free because they do not collect or retain the evidence of a breach.

What about the proposed federal Data Accountability and Trust Act?
The Data Accountability and Trust Act which passed the US House of Representatives last month does nothing to address this loophole. It requires that “Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data…notify each individual…”

OK, so what is a “breach of security”?

“(1) BREACH OF SECURITY- The term `breach of security’ means unauthorized access to or acquisition of data in electronic form containing personal information.”

How do you decide if there has been “unauthorized access to or acquisition of data”? The bill does not provide any guidance. As long as the organization does not keep records which would *prove* that confidential data was accessed or exported, their legal counsel may advise them that they do not have to report. I am not a lawyer, but I have seen this happen repeatedly with respect to existing data breach regulations.

How Can We Fix This Loophole?
Here are some ideas:

• Assume insecurity. Companies should be able to produce access logs and records which confirm that the data has been kept safe, rather than vice versa. This will motivate companies to collect and retain access logs in much greater detail than they do now.
• Proactively audit large organizations that retain lots of personal data.
• Publish yearly certificates based on audit results, the same way health inspectors publish certificates for restaurants. This way the public can decide which companies to give our information to, based on how well they secure it.

Today, the vast majority of security breaches are never reported. When you examine the incentives and the myriad of holes which exist in reporting regulations, it’s easy to understand why. Detailed logging and monitoring practices result in greater liability. Reporting incidents to the public can lead to financial ruin. There’s little incentive for organizations to do a genuinely good job tracking access to confidential data.

In this backward system, it’s a wonder we hear about any breaches at all. The fact that we do hear about data breaches frequently should make you stop and think about the number that are *really* occurring, but are never detected, let alone reported. Speaking from experience, I can tell you that the data breaches you hear about are just the tip of the iceberg.

Reverse of the United States Great Seal Novus Ordo Seclorum “A New Order of the Ages”

“Death of Anonymous Travel”
DEFCON 2009 – PDF
MD5sum: c772681c37c9ad5d210c19c12eb43095

Thanks to everyone who sent in comments, suggestions, and encouragement. (Special thanks to the EFF lawyers for reviewing this beforehand– you guys rock!)

I’ll have the full list of references (vendor marketing materials, news articles, FOIA docs, etc) up in the next week, so check back!

Abstract:
Worldwide, people who use cars, buses, trains, and carry cell phones are tracked in increasingly centralized corporate and government databases. This capability is still in its infancy, and has been facilitated by communication and payment systems which are linked to identification and refer to centralized electronic databases.

* Collate and disseminate information about current known travel monitoring practices;
* Discuss technical and social solutions for maintaining personal privacy and the freedom to assemble;
* Encourage greater transparency and public control over data collection and use.

“Red Flag Identity Theft Rule We are now required by law to ask for a Photo ID at the time of each visit. Please have your Photo ID ready for the receptionist to scan.”

As an avid bicyclist, I wasn’t carrying a driver’s license.

“I’m sorry, we’ll have to reschedule you,” said the receptionist. “We need to scan your ID before we can see you. It’s a new law.”

“No, I really don’t have one. I bicycle everywhere. I don’t even know where my old license is any more.”

She looked me in the eye and said, “Sorry. I suggest you get a photo ID. You need to have one to be seen.”

“What if I’m paying for my own visit, and not using health insurance?”

“We need to scan your ID and have it in your file or we can’t see you.”

“I don’t think it’s right to deny care to patients who don’t have a Photo ID,” I said.

“Well, I can talk to my supervisor,” she said. “But I think you’re going to have to reschedule.”

As I waited, I watched the receptionist take another patient’s driver’s license and walk off into a back room. Apparently, in order to comply with the “Red Flag Identity Theft Rule,” the doctor’s office now scans a copy of every patient’s driver’s license and stores it in their computer systems.

How secure are my doctor’s computer systems? Patients don’t have the right to know. Doctor’s offices, hospitals and even health insurance companies get infected with viruses, worms and spyware all the time. These are generally not reported as patient data breaches, because they are far too common.

Just in the past few weeks, there have been news reports of patient data thefts from UC Berkely Health Service, Virginia Prescription Monitoring Program and Memorial Medical Center. The vast majority of breaches never get reported or even detected, however, because tiny little health care clinics and hospitals all over the country have neither the resources nor the incentives to institute appropriate detection measures.

And now they want to store a high-resolution copy of my driver’s license on top of everything else? What is this “Red Flags Identity Theft Rule,” anyway?

The Red Flags Rules are a collection of new Federal Trade Commission regulations aimed at reducing the risk of identity theft. The American Medical Association and dozens of other medical societies “have protested the FTC’s decision to apply the Red Flags rule to medical practices and other health care providers.”

Why on earth does the Federal Trade Commission affect who my doctor treats?

According to the FTC, “Health care providers may be subject to the Rule if they are ‘creditors.’ Although you may not think of your practice as a ‘creditor’ in the traditional sense of a bank or mortgage company, the law defines ‘creditor’ to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance.”

The FTC requires “each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.” Although the Red Flags Rules do not explicitly require doctor’s offices to make copies of patient identification, they are often implemented this way.

Ironically, spreading more private information around– such as high-resolution copies of driver’s licenses- increases patients’ risk of identity theft. As a 2008 World Privacy Forum report explained:

“When patients are, for example, asked for a drivers’ license when checking in to hospitals for surgery, the license itself may be copied or scanned and added into the actual patient file. This can give hospital insiders with criminal tendencies access to a treasure trove of photographic, biometric, and other information that may have been unavailable to them before. The result can be more identity theft (medical and otherwise).

“…Just because customer identity proofing is commonplace in the financial sector does not mean that it has translated perfectly or even well to the health care sector. The two sectors have different regulatory requirements, approaches to access points, security, and information flows. Banks and health care providers also have different competencies, staffing capacities, training, and in many cases even procedures when it comes to reviewing and managing customer identification documents.”

Everyone should have access to medical care– not just people who have registered with the government and obtained a photo ID. Furthermore, patients should have the right to health care without being forced to give up control of our personal information. As a patient, I don’t really want a copy of my Photo ID stored on a crappy unpatched Windows box at my doctor’s office. Today’s patients do not even have the right to know how well doctor’s offices and hospitals are secured, even in the face of constant reports of medical data breaches. That’s sick.

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of American’s names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

For others such as myself who were not aware of it, 2257 is part of the Child Protection and Obscenity Enforcement Act of 1988, which “places stringent record-keeping requirements on the producers of actual, sexually explicit materials” and requires “producers of sexually explicit material to obtain proof of age for every model they shoot, and retain those records. Federal inspectors may at any time launch inspections of these records and prosecute any infraction.” (Wikipedia) Failure to do this is punishable with up to 5 years of jail time and fines.

Now, there is a lot of fallout from this seemingly straightforward requirement. For starters, this means that producers of pornographic material are collecting and permanently storing sensitive information about their actors and actresses, including name, social security number, maiden name, all other names they’ve ever performed under, address, etc. Many people star in pornographic films under pseudonyms for a reason– ie. they value their privacy, and pornography is a sensitive topic in our society. There are many legitimate reasons that an actor might not want their art to be associated with their real name.

Furthermore, consider the current state of information security in industry. It’s a mess. Large companies at least have full-time staff to devote to the problem of securing data, but not small businesses. The creators of pornography, especially small enterprises, are not likely to have the specialized security skills necessary to properly store this information. The best defense is probably to keep it off the network entirely, but actors have little control over how producers manage their data, and no good way to verify that it’s being carefully managed. Even if companies do store their actors’ information carefully today, how can the actors be sure that that will continue to be the case for the next ten, twenty or thirty years? In the current environment, giving sensitive personal information to a company and asking them to store it forever, with no verification of their security procedures, is pretty much equivalent to making it public. Section 2257 forces actors to choose between their work and their safety of their personal information.

In 2007, the courts “ruled that the record keeping requirements were facially invalid because they imposed an overbroad burden on legitimate, constitutionally protected speech.” (Wikipedia) However, the Department of Justice requested an en banc review of that decision, which is still unscheduled. Due to this legal limbo, the law still stands.

I’m guessing that one supposed purpose of this law is to thwart child exploitation, by ensuring that all producers verify the age of their actors and maintain records that they have done so. However, requiring them to actually store detailed identification information places their actors– free American citizens and consenting adults– at undue risk of privacy breach.

The same purpose could be accomplished with far less risk by having producers record other information, such as the actor’s age and manner in which it was verified, rather than store the actual identification data itself. I think it’s unlikely that the law actually protects children at all– if a minor wants to be in a sexually explicit film, they can always get a fake ID. If they’re being forced into it, then Section 2257 is not going to stop the producers (although I suppose it could extend their jail sentences).

Actors in sexually explicit films are free citizens and consenting adults. They should have the right to perform without being forced to give detailed identification information to companies that may or may not secure it properly. At the very least, companies which store this data should be required to provide verification that the data is being properly secured. In my opinion, as consenting adults actors should have the right to perform anonymously if they so choose. Section 2257 may have been created to “protect” minors from exploitation, but in reality it is ineffective, and places many Americans at real, immediate risk of personal data loss.
 
 

“If this government ever became a tyranny, if a dictator ever took charge in this country, the technological capacity that the intelligence community has given the government could enable it to impose total tyranny, and there would be no way to fight back, because the most careful effort to combine together in resistance to the government, no matter how privately it was done, is within the reach of the government to know…”

This statement has never been more relevant. Last week, the US Senate “passed the FISA Amendments Act, broadly expanding the president’s warrantless surveillance authority and unconstitutionally granting retroactive immunity to telecommunications companies that participated in the president’s illegal domestic wiretapping program.”¹ This provides legitimacy for the administration’s massive global communications interception programs, which have been aggressively developed since 2001. As part of this, the NSA has been “tapping directly into some of the American telecommunication system’s main arteries,”² with co-operation from telecommunications giants such as AT&T Corp.

Why should we care? If we trust the government absolutely, then it’s fine for the NSA to be monitoring phone calls and email. This information would never be used for anything other than the most upstanding purposes. However, our government is made up of human beings. Humans get jealous, humans take bribes, humans are manipulated, humans try to further their own goals at the expense of others. Sadly, our government has a long history of abusing its power to monitor citizens in order to achieve political or commercial goals (see Watergate, Project Minaret, ECHELON’s use for spying on representatives and activist groups).

When the government can monitor everyone’s communications, what is to prevent it from weeding out “troublemakers” –individuals that, through speech, threaten the government’s political agenda? This has happened over and over again throughout the world’s history, America included. (Valerie Plame, anyone?) Is it really hard for a government to make someone lose their job, fall on hard luck, become discredited, or even die from some tragic accident? If we collect a lifetime of detailed information about everyone, how hard would it be to find some embarrassing comment or action– anything– to use as blackmail? Monitoring will only make those in power more powerful, and harder for others to speak out.

Compounding the issue is our ever-increasing reliance on electronic mediums for communicating and organizing people. The average American is strangely isolated. Even in the cities, we work for ourselves, fend for ourselves, don’t know our neighbors. Our families rarely live within walking distance. The Internet, cell phones, cars, public transportation help bring us closer together, but at a price– our movements can be tracked, our words captured, and we can be separated from our communities with the push of a button. Our lives and social networks are dependent upon mechanisms outside of our control. When it comes to organizing ourselves, or even surviving, we are at the mercy of others. We the People are in a very precarious position.

When you design software, you include error-checking, because you must assume that things will not always go smoothly. Similarly, a government can’t be trusted to always run correctly, and must be designed so that it will keep itself in check. Why did our founding fathers take such pains to divide power in the government? You have to be very careful not to give the government so much power that its own people can no longer control it.

Once the American government is allowed to monitor any citizen’s private communications, then we have essentially given up our right to free speech, and placed our power to organize ourselves into grave jeopardy. That happened this week.

Part of the solution is to take our privacy into our own hands– ie, by using encryption for our private communications. One problem with email encryption these days, however, is that it’s rarely used, and so sending an encrypted message sends up an immediate red flag that you’ve got something to hide. It’s also not difficult to circumvent encryption when host-based security is so poor– if I really wanted to know what someone was writing about now, I could just install a keylogger on his or her machine, or steal his or her private key, which is probably stored on a machine connected to the Internet. If I were the government, I might have the capability to break encryption right now anyway without going to such trouble.

Email is only a small part of the problem. There are many different types of data that can be gathered about a person– for example, voice data. It’s strongly suspected, and in some cases confirmed, that government organizations world-wide (and the NSA in particular) have exerted pressure on the cellular industry in order to cripple cell phone encryption capability. The algorithms currently in widespread use are so weak as to be nearly useless. (See Wired’s article about the CMEA, Barlow’s “Decrypting the Puzzle Palace,” also Google for GSM security and the history of A5 development.)

So how can We the People protect ourselves?

1. Keep the government as transparent as possible. Ensure that the media is actively investigating and reporting its activities. Hold officials accountable for their actions. Actively request information. The Freedom of Information Act (FOIA) allows individuals to “request access to federal agency records or information”³

2. Limit the government’s powers. Don’t allow the government capabilities which will seriously infringe upon the people’s ability to keep it in check. This week, the EFF began their “Repeal Immunity” movement, to challenge telecommunications immunity provisions which Congress passed.

3. Encourage more self-sufficient, local communities which don’t depend on electronic communications to organize. Meet your neighbors. Create local social hubs, etc.

4. Other ideas welcome.

It’s fundamentally important that we know what the government is doing, and that if we don’t approve, we are able to stop it. Rights must be exercised, or they wither away.