Privacy schmivacy!

To follow up my post about the recent security breaches at T-Mobile and ChoicePoint there is an article from Wired that dishes the dirt on the T-Mobile breach. Apparently the security breach at T-Mobile affected at least 400 people who's information was extracted using a WebLogic server security flaw. The flaw that was announced by BEA (who make the WebLogic server) as a high severity problem along with a patch to fix it March 2003. The hacker was able to exploit the flaw for a year before being arrested in October 2004, a full 18 months after WebLogic had posted the patch for the problem. By which time he'd already extracted all kinds of private information including social security numbers and passwords from the T-Mobile databases, this information was made available for sale online by the hacker. Just what where they doing storing unencrypted passwords in their database? Duh!

At this point it is not clear if the hack on Paris halting T-Mobile account exploited the same flaw, but regardless it seems clear that all those "privacy" policies that companies send their customers aren't worth the paper they are written on. A company can say all the warm and fuzzy things it wants to about how carefully it will guard your private information, but if they don't follow even the most basic procedures for keeping websites secure then its going to be open season on your "private" information. For a company like T-Mobile to leave a publicised high risk security flaw unpatched for 18 months, or even for one month, well its is just plain negligence - heads should roll and fines should be imposed on them.

That's the problem with all these privacy rules, none of them really have much bite. Even with the ChoicePoint situation where the law forced them to publicize their breach there is no serious consequence for them. Sure they get egg on their face and have to field some bad PR and a few civil suits. But ultimately there are no punitive measures taken, no license to store private data is revoked, and no audit to ensure the source of the problem has been corrected.

What I suggest is that any organization storing personal information on a website should be licensed, regularly audited and held fully responsible for the privacy of that information. Like the captain of a ship, "responsible" means there will be consequences if privacy compromised. So if it can be shown that company was negligent in guarding the privacy of its customer information then their license should be revoked and all data they hold should be made completely inaccessible from any website, by any means. That means the likes of T-Mobile would be forced to shut down their websites and loose a hugely popular and convenient feature of their service. T-Mobile could probably muddle by with only phone and snail-mail based customer service, but for a company like Amazon it would basically mean the end of their company.

Notice I said the company would have to be shown to be negligent, that's usually a pretty high bar to prove. Being responsible for a problem is one thing and usually quite easy to prove beyond reasonable doubt, but for example, even Union Carbide has not yet been proved negligent in the Bhopal incident. So if T-Mobile area are hacked because of a flaw in someone else's technology that they didn't know about that's probably not negligent. If they are hacked the day after a security flaw is published, that's also probably not negligent. If they systematically or consistently fail to implement security policies to guard information then that's quite likely a long way towards provable negligence.

But the severe consequences of being proved negligent (in a court of law) would mean a company would do everything they could do to avoid falling foul of. And to avoid the problem of corporations with how shall I put it - "slippery shoulders" (aka. high paid lawyers and "connections") - perhaps some kind of three strikes rule could be used. If a company experiences three breaches where privacy is compromised and is demonstrated to be responsible but not necessarily negligent, then they will loose their license just the same. This is rather like the points system for driving licenses, once the points add up to high away goes your license, no questions asked - just to be safe.