I'm speaking, of course, about the recent rash of data loss--the innocuous term for millions of accounts containing personal data being exposed to the wrong eyes. Whether it's MasterCard, ChoicePoint, LexisNexis, Bank of America, Wachovia, Stanford University or the University of California at Berkeley, the rapid expansion of this problem is stunning.
The reasons for the data loss are all over the map, ranging from physical tapes lost in transit, to hackers, and even malicious insiders. And of course, there is always the ever-present bogey of bad network security practices.
We're told the solution is to embrace better network security, better encryption, better corporate safeguards and better "data protection." Of course, all of these proffered solutions are a bit specious, since they're always accompanied by the corporate lawyer caveat: "We cannot guarantee that this won't happen again."
All of this will ultimately result in some bloated piece of federal legislation around data privacy and protection that will impose new restrictions on corporate security practices and result in a wave of new spending on IT solutions to help solve that problem. But will we have solved it, really?
I don't think so.
This isn't really a question of data loss, data protection or data safeguarding. That, my friends, is a red herring. The real question is why corporations need to store all of this personal data in the first place. Why does my credit card company need to store my social security number? Why does Amazon need to store my credit card number? Why shouldn't every company store only what I tell them they can store? And why shouldn't the data that they store be as little as they possibly need to conduct business?
Assuming that I'm right, the next question is how to go about turning the possibility behind these questions into a reality.
Possible future directions
Federated identity is an infrastructure that makes security follow the transaction. It does this by making the identity associated with the transaction "portable" across heterogeneous security domains. The identity metasystem is a newer concept, one that bubbled forth from community conversations around Kim Cameron's Web log.
In brief, the identity metasystem is a conceptual backplane that would allow individuals to have control over which attributes or claims are presented and stored about them. This could be anything from a birthday to a credit card number to a favorite color. What we're really talking about is a framework for individual control and presentation of identity data. Taken together, federated identity (the infrastructure) and the identity metasystem (the control and presentation) would give individuals control over their digital identity in ways that have so far eluded them.
When I buy something from Amazon, it asks for, receives and stores my credit card number. In a future of federated identity and the identity metasystem, I would grant permission to seek a one-time use of my credit card. This permission could be presented to my credit card company, which could then charge my account. Amazon would no longer have a need to store (or even see) my credit card number.
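The one-time permission described above, sketched as an added example that is not from the original column or any real payment system: the names (`Issuer`, `make_grant`, `redeem`) are hypothetical, and an HMAC key shared between the customer's wallet and the card company stands in for whatever signature scheme a real deployment would use. The merchant only ever holds the grant and its tag.

```python
import hashlib, hmac, json, secrets

def sign_grant(key, grant):
    # Canonical JSON so wallet and issuer MAC exactly the same bytes.
    payload = json.dumps(grant, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def make_grant(key, customer, merchant, amount_cents):
    # Runs in the customer's wallet: a permission bound to one merchant and amount.
    grant = {"customer": customer, "merchant": merchant,
             "amount_cents": amount_cents, "nonce": secrets.token_hex(16)}
    return grant, sign_grant(key, grant)

class Issuer:
    """Card company: the only party holding the card number and the wallet key."""
    def __init__(self):
        self._accounts = {}  # customer -> {"key", "card", "charges"}
        self._used = set()   # (customer, nonce) pairs already redeemed

    def enroll(self, customer, card_number):
        key = secrets.token_bytes(32)
        self._accounts[customer] = {"key": key, "card": card_number, "charges": []}
        return key  # goes to the customer's wallet, never to a merchant

    def redeem(self, grant, tag, merchant, amount_cents):
        acct = self._accounts.get(grant.get("customer"))
        if acct is None:
            return "unknown customer"
        if not hmac.compare_digest(sign_grant(acct["key"], grant), tag):
            return "bad signature"
        if (grant["merchant"], grant["amount_cents"]) != (merchant, amount_cents):
            return "grant does not match charge"
        if (grant["customer"], grant["nonce"]) in self._used:
            return "already used"
        self._used.add((grant["customer"], grant["nonce"]))
        acct["charges"].append((merchant, amount_cents))
        return "approved"

def demo():
    issuer = Issuer()
    card = "4111-CONSTRUCTED-0000"  # constructed sample value, not a real card
    key = issuer.enroll("alice", card)
    grant, tag = make_grant(key, "alice", "bookshop.example", 2599)
    merchant_record = json.dumps({"grant": grant, "tag": tag})  # all the merchant holds
    forged = dict(grant, amount_cents=999999)  # merchant inflates the amount
    results = [issuer.redeem(grant, tag, "bookshop.example", 2599),
               issuer.redeem(grant, tag, "bookshop.example", 2599),
               issuer.redeem(forged, tag, "bookshop.example", 999999)]
    return results, card in merchant_record
```

A stolen copy of the merchant's record is worth nothing after the first redemption: a replay is refused, a changed amount fails the signature check, and the card number was never in the record.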
This future would be a lot closer to a web of electronic commerce that protected both customers and companies. We would have actually moved toward solving the problems around personal data. In the meantime, however, we'll still hear a lot about data protection, corporate safeguards and legislative initiatives.
Biography
Eric Norlin is vice president of corporate marketing at Ping Identity, a company focused on identity management.




It will also be difficult to get agreement on such a federated ID and to make all the changes that using such an ID would require. Even with an agreement among the millions of parties that are involved, there will still be questions about the trustworthiness of the federated ID and its managers as well as the overall security of the federated ID system.
Some other questions: How will we know a given federated ID system is any better than what we have today? Will governments have access to the federated ID system?
The ease of storage is part of the problem with ACH and DCH was related to trust banking, insurance and gold storage so it was not updated until the genius at Barclay's bank came up with that innovative program which was stolen and re-engineered by all the pirate bank gold debit card agencies that work with the cyber crews.
So why keep data online if it is not secure? Can we take a step back to go forward or do we need to do more innovative non digital online storages that cannot be hacked?
Selling my information to marketers? This is not acceptable to me. This shouldn't be acceptable to any of us. Past what is the common public records, these companies should not be keeping all this data on us. I am all for capitalism, but this is entirely unnecessary.
This blog entry describes a little bit more about identity management as a mission for DHS:
http://directorblue.blogspot.com/2005/04/mission-for-cybersecurity-foks-at-dhs.html
A number / password is REQUIRED like a PIN number that can only be accessed and verified by the issuing CC company and cannot be stored or captured by the merchants. Merchants should be treated as un-trusted. After all what is the difference between Amazon having a list of credit card numbers and myself compiling a list of them? Companies are run by people, people that ultimately have access to your data. No regulations are going to protect against an inside job.
I've been disclosing my bank account number, for example, every time I have written a check, i.e., since I was 15, but, until recently, that did not enable anyone who had ever seen one of my checks, or from whom I had ordered something on line via bank debit, VISA debit card, credit card, etc., to just keep debiting my account and sending the money somewhere even my bank can't figure out. I don't want to have to go back to some site that may no longer exist and try to opt out of some renewal or new purchase next year, I want them to ask me and try to sell me on this new transaction. We lost a month's income, and a lot of checks to utilities, etc., bounced, after my wife bought a $6.95 item, and only that item, from a heavily advertised seller, on line using a debit card.
Some of you who understand the technical side may be able to explain why we don't have the same protection for on-line abuse of a debit card that we would for similar abuse of a credit card from the same bank and issuer.
When I was in law school, we studied how the law governing liability for improper storage of things--wild animals, huge tanks of molasses, human waste, etc., dangerous if they got loose or were stolen, developed long before computers. Personal and private data should be treated with a high degree of care, and whoever lets it get loose should have to disclose the fact and be liable for damages. This is a virtual honey pot and anyone who collects and keeps it should be liable for failure to keep it secure, whether anyone outside the enterprise was involved or not. Actually, one suspects that, much of the time, somebody in the enterprise left the gate unlocked, let a low-level employee get conned out of releasing the information, or had someone on the inside working with the thieves. This reminds me of a whole series of large thefts of drugs from police property rooms, including the evidence in the "French Connection" case, that should have been disposed of earlier anyway, from New York to Dallas over my career.
Dean John Wade of Vanderbilt Law School liked to tell us students Will Rogers' old joke that went:
"Any time Congress tells a joke, it's a law, and any time they make a law, it's a joke!" because it summed up why so much legislation doesn't really do what it was supposed to do. The lawyer in Austin who taught me the Texas Bar review course told us "Any time you have a question about a law, figure that the people it was supposed to regulate probably wrote it." Who do you really expect our politicians, of both parties, to protect: you and me, or Equifax, ChoicePoint, the Medical Information Bureau and the insurance and financial conglomerates who are allowed to share data with an infinite number of "affiliates" nobody ever heard of, etc.?
Congress just decided it would cost their real employers, i.e., their campaign contributors (many of whom give big money to both sides) too much to reassert the original law which said, as printed on my first Social Security card, "Your SSN is for Social Security purposes only," with the result that SSNs are (a) gateways to everything else about you, and (b) readily available on or off line if you know where to look, and readily offered for small fees on line. If you have ever been a day late paying a traffic ticket here, your name, address, Driver's License, and SSN are available on line. The name, breed, and description of my wife's dog are sold in bulk to marketers and available to stalkers, burglars, and extortionists who have sent her pet tombstones with his name and birth date.
If I'm going to appear before a judge or other bureaucrat, such as in an IRS audit, I really would prefer that they not have ready access to my political or many other affiliations with First Amendment implications.
Somehow, one very sensitive legal question, including privileged and confidential information about me, and my very low opinion of certain public officials I'm forbidden by law to criticize but who can be identified once you have my name, which I had Emailed to one entity shows up now, with my name, when I Google myself.
Ironically, while my having made a proposal for a rule change to a public body is hardly a secret, although it does happen to deal with incest and child sexual abuse, for good or ill, that is almost the only trace of my active 35 year legal career, and active involvement in some political issues, that showed up on Google. My address listed is years out of date. I found the direct telephone to the desk of Harriet Miers, President Bush's White House Counsel, on line, but can't find the number to reach her secretary, or to Email her, about a conversation we had years ago that has become relevant to a current legal matter.
Back in 1975, I was briefly general counsel to a downtown Dallas bank, one of the experiences that led me to discover all kinds of problems with credit reporting data, for inaccuracies in which there is no enforceable liability either in favor of the subject individual or the credit grantor. It was proven to me that one crook had a way not only to access, but to change, the data. He proved this, as a sales tool, by adding some very scandalous allegations and implications against the CEO's daughter and then pulling it up at will on creditor clients' terminals. That bureau has been sold to a bigger one, and maybe that system has changed since then, but I would bet that with a little capital I could set up a scam and do it now, just as those in the ChoicePoint leak did.
I get all kinds of stuff purporting to be from Microsoft, PayPal, etc. that I have discovered isn't, but the source and destination URL that showed up on my computer said Microsoft, PayPal, etc., complete with logos.
I have also been offered, cheap, any number of domain names clearly designed to be deceptively similar to those of established enterprises. One, run by a really ignorant computer program, offered me six different deceptive variations of the domain name seller's OWN name when I typed it into their "whois" and again into their availability search!
For a nice two-figure fee, I can buy the current address and telephone number of practically anyone I type in. I tried my deceased kid brother, Hester Prynne, the fictional heroine of the classic "The Scarlet Letter," etc., as well as a witness I need and can't find who I think has remarried, and received messages that for a fee they could get me their current addresses, telephone numbers, Email addresses, etc. If you can't steal data, you can always make it up.
The Supreme Court of Texas, citing the high value of criminal record data, reversed a lower court and refused to order correction and expunction of the criminal record of someone who had already proven in court that she had been arrested--as I have seen happen to many people--because of identity and check blank theft and was guilty of nothing except getting arrested for someone else's misuse of her name. Until the state legislature and Congress correct that, I'm not holding my breath waiting for any good, or even honest, legislation on privacy or computer fraud, etc.
There is already supposed to be some law against the kind of attack I understand from your and other articles resulted in this latest and biggest loss of credit card and other such data.
Maybe the computer magazines etc. should carry score cards on elected officials and candidates based upon whether or not they are listening to, and acting upon the informed advice of, people like yourself. Maybe there could be Best and Worst awards.
Just a thought......
problem in the first place! The more distributed the information is the better. Having a single point of failure makes it easier for the thieves. Much like the ill-conceived notion of a national id card. Making a single all-encompassing security system concentrates (amplifies) the risk exponentially.
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/search-bool.html&r=7&f=G&l=50&co1=AND&d=ptxt&s1=ice.INZZ.&OS=IN/ice&RS=IN/ice
My Pledge
I, Mr. Abdul Tawala Ibn Ali Alishtari, pledge my Foundation to halt child slavery activities including his Global Peace Film Festival, Inc., at www.peacefilmfest.org. I pledge moral support of legal, peaceful activities and my non-profit gifts offshore, onshore and globally, primarily with philanthropy from my personal investment to help halt all fraud, violence and scams hurting innocent children, women and families so help me God.
The bill forbidding this practice has absolutely no chance of passing, because as usual, anything in the public interest is not in the interests of those corporations that have invested so much money in buying up members of congress (all lobbying is bribery, it doesn't matter if you're given an all expenses trip to the Bahamas "to discuss an issue close to our hearts" or if your campaign is given large sums of money, the end result is a member of congress is bought and paid for).
So until we outlaw corporate lobbying, nothing that financially benefits the public, but at the same time puts a corporation at a disadvantage, will come to pass.
Just look at the latest bankruptcy laws. Credit card companies are supposedly fed up with individuals charging up huge credit accounts then wiping them out every 6 years or so. They are fed up, however, with assisting your credit balance with large and immoral interest charges, late fees and overlimit fees.
So to suggest a system where credit card companies have less of your data, which in turn enables them to make money either by selling it to other financial institutions, marketing companies or by immorally increasing your interest rates just because you are over extended on your credit has absolutely no chance of becoming law. Not ever.
We live in a country where government is for sale to the highest bidder and except for a small minority called Donald Trump, none of us have the finances to compete.
WHY?
DrJonesg6hsospam86@alum.MIT.edu
- by eiliswood June 20, 2008 2:13 AM PDT
- I found this Guide to online backup on Wikipedia! I thought it was extremely helpful so I put it here to share! Guide to online backup ! I just discovered online backup and I think it's a good way to protect data! Can anyone confirm this???