Monday, February 28, 2005

Privacy schmivacy!

To follow up my post about the recent security breaches at T-Mobile and ChoicePoint, there is an article from Wired that dishes the dirt on the T-Mobile breach. Apparently the security breach at T-Mobile affected at least 400 people whose information was extracted using a WebLogic server security flaw. The flaw was announced by BEA (who make the WebLogic server) as a high severity problem, along with a patch to fix it, in March 2003. The hacker was able to exploit the flaw for a year before being arrested in October 2004, a full 18 months after WebLogic had posted the patch for the problem. By which time he'd already extracted all kinds of private information, including social security numbers and passwords, from the T-Mobile databases; this information was made available for sale online by the hacker. Just what were they doing storing unencrypted passwords in their database? Duh!
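The jab about unencrypted passwords deserves a concrete picture of the alternative. The following is an added example, not code from the post or from T-Mobile, showing how a customer table should hold credentials: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), with verification done by recomputing the digest and comparing in constant time. The iteration count, record format and the sample users are assumptions chosen for the example; a dump of such a table yields no passwords to sell.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. The value is an assumption for this
# example; tune it to your hardware. It is stored inside each record so it
# can be raised later without invalidating rows written at a lower cost.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost, then compare in
    constant time so the comparison does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        cost = int(iterations)
    except ValueError:
        return False                                # malformed record never verifies
    if algorithm != ALGORITHM or cost <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record was written with a lower cost than current policy;
    call after a successful login and re-store hash_password(password)."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


# Constructed sample "customer table" (assumed users and passwords).
PLAINTEXT_ROWS = {"alice": "hunter2", "bob": "hunter2"}


def build_hashed_rows(plaintext_rows: dict) -> dict:
    """What the table should look like: no value in it is a password."""
    return {user: hash_password(pw) for user, pw in plaintext_rows.items()}


def dump_reveals_passwords(rows: dict, plaintext_rows: dict) -> bool:
    """Does reading the stored values directly hand an attacker any password?"""
    return any(rows[user] == plaintext_rows[user] for user in plaintext_rows)


if __name__ == "__main__":
    hashed = build_hashed_rows(PLAINTEXT_ROWS)
    for user, record in hashed.items():
        print(user, record)
    # Same password, different salt: alice's and bob's records do not match.
    print("identical records:", hashed["alice"] == hashed["bob"])
    print("alice logs in:", verify_password("hunter2", hashed["alice"]))
    print("wrong password:", verify_password("hunter3", hashed["alice"]))
    print("dump reveals passwords:", dump_reveals_passwords(hashed, PLAINTEXT_ROWS))
```

The format stores the cost alongside the salt and digest, which is what lets a site raise the work factor over time as hardware gets faster, rather than being stuck with whatever it chose on day one.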

At this point it is not clear if the hack on Paris Hilton's T-Mobile account exploited the same flaw, but regardless it seems clear that all those "privacy" policies that companies send their customers aren't worth the paper they are written on. A company can say all the warm and fuzzy things it wants to about how carefully it will guard your private information, but if they don't follow even the most basic procedures for keeping websites secure then it's going to be open season on your "private" information. For a company like T-Mobile to leave a publicised high risk security flaw unpatched for 18 months, or even for one month, well, it is just plain negligence - heads should roll and fines should be imposed on them.

That's the problem with all these privacy rules, none of them really have much bite. Even with the ChoicePoint situation where the law forced them to publicize their breach there is no serious consequence for them. Sure they get egg on their face and have to field some bad PR and a few civil suits. But ultimately there are no punitive measures taken, no license to store private data is revoked, and no audit to ensure the source of the problem has been corrected.

What I suggest is that any organization storing personal information on a website should be licensed, regularly audited and held fully responsible for the privacy of that information. Like the captain of a ship, "responsible" means there will be consequences if privacy is compromised. So if it can be shown that a company was negligent in guarding the privacy of its customer information then their license should be revoked and all data they hold should be made completely inaccessible from any website, by any means. That means the likes of T-Mobile would be forced to shut down their websites and lose a hugely popular and convenient feature of their service. T-Mobile could probably muddle by with only phone and snail-mail based customer service, but for a company like Amazon it would basically mean the end of their company.

Notice I said the company would have to be shown to be negligent; that's usually a pretty high bar to prove. Being responsible for a problem is one thing and usually quite easy to prove beyond reasonable doubt, but for example, even Union Carbide has not yet been proved negligent in the Bhopal incident. So if T-Mobile are hacked because of a flaw in someone else's technology that they didn't know about, that's probably not negligent. If they are hacked the day after a security flaw is published, that's also probably not negligent. If they systematically or consistently fail to implement security policies to guard information then that's quite likely a long way towards provable negligence.

But the severe consequences of being proved negligent (in a court of law) would mean a company would do everything they could do to avoid falling foul of it. And to avoid the problem of corporations with, how shall I put it, "slippery shoulders" (aka. high paid lawyers and "connections") - perhaps some kind of three strikes rule could be used. If a company experiences three breaches where privacy is compromised and is demonstrated to be responsible but not necessarily negligent, then they will lose their license just the same. This is rather like the points system for driving licenses: once the points add up too high, away goes your license, no questions asked - just to be safe.

Saturday, February 26, 2005

Allen Holub stole my job!

Yeah, yeah, and dingoes ate my baby...

I'm sure you've heard it all before, but apparently today I was usurped on my first opportunity to do contract software engineering by one Allen Holub. My fatal mistake was, apparently, to say "Can I let you know tomorrow?". In between then and tomorrow the software rockstar Allen Holub was drafted and apparently took the job. I guess that I, a veritable software jack-of-all-trades, shouldn't feel bad that Holub was selected preferentially over me; after all I had all along said I wanted the client to get the right person for the job.

Never mind, I've heard there are still jobs available fixing wind generators over at Altamont pass...

Thursday, February 24, 2005

I, Bush - Episode 2 Take 3

Nicely following my topic of people getting screwed by ChoicePoint and probably with no effective recourse comes Just a cost of doing business, an article by Jeff Kaplan. In it Jeff Kaplan points out that Bush's recent bill to restrict class action suits by private citizens has swung the pendulum of unequal protection further in the direction of corporations. Bush told us that this bill was necessary to prevent frivolous lawsuits hurting businesses and damaging our economy.

Of course when Bush says "businesses" he is always quick to frame that as "small businesses" of the mom and pop kind. Approximately 80% of all businesses are sole proprietorships or partnerships, the rest are corporations; however 95% of all revenue comes from the big corporations. So while appealing to the "small business sector" Bush manages to appeal to the maximum number of people with the minimum of economic effect. We can all associate with those small guys; we all know a small business and a great number of people own one of some kind.

But the problem is, according to Kaplan, recent studies have shown it's the corporations, not people and small businesses, who are 160 times more likely to sue, and even worse they are 69% more likely than a regular person to be chastised for launching a frivolous suit.

So, did the Bush bill address frivolous lawsuits by corporations too? Hell no! The truth is by restricting suits by people but not corporations (who actually claim to be people when it suits them) Bush was able to create a lot of noise and smoke without the actual fire that might damage the huge profits made by legal companies that prop up our so called democracy.

And so it came to pass that the people got screwed, and the corporations ruled - again.

Wednesday, February 23, 2005

A two tiered response to privacy violations?

Does anyone else see not just a slight, but a massive inequity between what happened when Paris Hilton's personal phone information got stolen, and what happened when ChoicePoint managed to give away personal details of not just one, but potentially hundreds of thousands of people?

In one situation we have a bunch of celebrity phone numbers and some happy photo snaps posted on the web. A few celebs get their phones jammed with crank calls and no doubt quickly got a new phone number, big deal. I'm sure that T-Mobile has probably dished out new phones and free T-Mobile service credits to everyone concerned even if, as is likely to be the case, they weren't to blame for the "hack". So, one embarrassed celebrity who probably won't get anyone's phone number given to her again, and a huge amount of press, and bad PR for T-Mobile even though it's quite possible she just had a dumb password that someone guessed.

In the other case we have a bogus application to ChoicePoint resulting in the release of names, addresses, phone numbers, social security numbers and everything else the budding identity fraudster needs to steal the identity of thousands of people. And even after the fact, even for those who didn't yet get their identity stolen (several hundred already did), the rest can sit back and wait, fingers crossed, that their information isn't out on the web somewhere waiting to suck their bank accounts dry at any moment. No one really knows, and quite possibly these people will have to run scared for years before they can think of taking their eye off their credit reports.

So what is the inequity? Well, in one case we have the Secret Service involved, looking out for Hilton's back, working with T-Mobile to investigate and shutting down all sites that continue to propagate the information from her mobile. In the other, well, the news of the fraud appears to have been buried for almost a year at the request of "federal authorities" in defiance of the California law that required ChoicePoint to notify everyone of the release of their personal information. Now ChoicePoint are just offering a free year of subscription to credit history monitoring services to those 145,000 it has, so far, identified as victims of the fraud. Apart from that little, if anything, seems to be done about it and ChoicePoint appears to be washing its hands of the problem.

At least one person has already decided to hit ChoicePoint with a law suit and I can easily expect a class action suit to follow quite promptly, although being a multi-state case it is likely that it would fall foul of Bush's recent anti-class action bill that forces it to be fought in class-action unfriendly federal courts. Wired News is now indicating they think such suits will fall on deaf ears, as courts have previously dismissed attempts to sue banks that have been duped by identity thieves on the grounds that the victim wasn't a customer of the company they were suing. Maybe that was just a badly presented suit that failed, but it certainly sounds like there should be a case to sue someone when a company that you didn't even ask to be holding your data screws up and hands it over to criminals.

Or is it that, just because we the people are many and not of celebrity status, we don't get a personal investigation by the Secret Service, and in general we just get screwed because on average we don't have the time or resources to seek restitution in a court of law?

Sunday, February 20, 2005

Repost: Hunter S. Thompson

In honour of the late Hunter S. Thompson who died today I'm reposting this LDTT entry from July 2003. Yesterday I came across the following quote from Hunter S. Thompson. After some investigation I discovered it is from an essay in his latest book "Kingdom of Fear : Loathsome Secrets of a Star-Crossed Child in the Final Days of the American Century".

    We have become a Nazi monster in the eyes of the whole world--a nation of bullies and bastards who would rather kill than live peacefully. We are not just Whores for power and oil, but killer whores with hate and fear in our hearts. We are human scum, and that is how history will judge us....No redeeming social value. Just whores. Get out of our way, or we'll kill you. Well, shit on that dumbness. George W. Bush does not speak for me or my son or my mother or my friends or the people I respect in this world. We didn't vote for these cheap, greedy little killers who speak for America today--and we will not vote for them again in 2002. Or 2004. Or ever. Who does vote for these dishonest shitheads? Who among us can be happy and proud of having all this innocent blood on our hands? Who are these swine? These flag-sucking half-wits who get fleeced and fooled by stupid little rich kids like George Bush? They are the same ones who wanted to have Muhammad Ali locked up for refusing to kill gooks. They speak for all that is cruel and stupid and vicious in the American Character. They are the racists and hate mongers among us--they are the Ku Klux Klan. I piss down the throats of these Nazis. And I am too old to worry about whether they like it or not. Fuck them. -Hunter S. Thompson, 2002

The essay in full is here.