Privacy

Thursday, 02 September 2010

The security model for biometrics

I just came across an article that talks about how the use of biometric data for identification can cause a security problem. Here's what this article said:

When biometrics get down to the local gym, however, serious questions must be raised. Your biometric identifiers are immutable and, once stored on a computer, impossible to take back. So if the 24-Hour Fitness database gets hacked and some enterprising Black Hat team of computer experts makes off with this sensitive information, many people could forever lose control of this permanent identification marker. Of course, you could scrape off your fingerprints and replace them with new ones. (This is probably possible). But that's getting a little too close to Total Recall for my taste.

This seems to miss the point of biometrics. Biometric data isn't secret, and the security model of biometric identification systems doesn't assume that it is. Instead, a biometric system needs to ensure that the data it captures is fresh, that is, a live reading rather than a stored copy. This subtlety seems to have been missed by the author of this article.

Thursday, 24 June 2010

Stand on Zanzibar

I just finished an interesting book, Stand on Zanzibar, by John Brunner. It's about a dystopian future in which the Earth's population grows to the point that governments take all sorts of extremely draconian measures to keep it in check. It was published in 1968 but is set in the year 2010, and it's interesting to see how accurate Brunner's predictions of the future were. Like in any other work of speculative fiction, he managed to get a few things right but he also got others totally wrong. In general, Brunner's vision of the year 2010 is very different from the real 2010. It may not be as different as George Orwell's vision of the year 1984 was from the real 1984, but it really didn't seem very close.

I also read this book because I managed to get a copy that was published in 2009 yet autographed by Brunner, who died in 1995. It seems that before he died he signed some signature pages for a book that never got published, and that the most recent publisher managed to get ahold of these and use them in their edition of Stand on Zanzibar.

It looked to me like Brunner totally missed the effects of IT on society. Or maybe he didn't. Brunner wrote Stand on Zanzibar to point out how overpopulation could end up being a problem. It wasn't meant to point out how the rise of IT could cause a dramatic decrease in privacy. I actually don't know of any books that focus on that particular angle, but I'd probably read one if someone wrote it.

I'm sure that it wouldn't be too hard to extrapolate from the dramatic loss of privacy that we've seen happen in the past decade to the point that it would make the basis for an interesting story. It's not clear to me, however, whether such a story would be better classified as science-fiction or as horror.

Thursday, 03 June 2010

Webinar - Managing Third Party Data Privacy

Our marketing guys have yet another webinar planned; this time it will be held on June 16, 2010 from 10 am Pacific/1 pm Eastern and will last for 60 minutes. The topic this time is Managing 3rd Party Data Privacy - Protecting Your Own and Your Partners Information. Like some of our previous webinars, this one's also sponsored by FS-ISAC, the Financial Services - Information Sharing and Analysis Center.

Here's what they plan to talk about:

  • How to ensure the protection of partner information and confidently manage third-party access to cardholder and personal data, including protecting terabytes of files on mainframe and legacy systems
  • Why a comprehensive end-to-end approach to data protection is critical to ensure the privacy of personal and sensitive information
  • What market-leading organizations — such as AAA — really require in an enterprise data protection solution

The fact that one of the infrastructure consultants for AAA will be talking about his experiences is probably a good enough reason to check out this webinar. Every industry has its own interesting set of problems that it faces, and it's fascinating to see how they find clever uses of IT to solve these problems. I've never dealt with an organization like AAA, so I have no idea of the particular challenges that they face, but I'm certainly looking forward to hearing about them in this webinar.

Monday, 17 May 2010

The value of privacy

Getting privacy right is tricky. People say that they want lots of privacy, but their behavior often tells us that they really don't value their privacy that much. If you promise to email someone a weekly cartoon, for example, they'll often give you lots of personal information that they claim they want to keep private.

The club cards that grocery stores offer are another example of this. The stores essentially pay you to let them track your purchases; they just pay you in discounts instead of cash. I was fairly surprised recently when I learned exactly how much stores pay you to let them track your purchases.

Voltage has a social event every Friday afternoon. Someone buys a reasonable amount of food and drink for this event and they get reimbursed by Voltage. I bought the supplies for one of these events a week or so ago and was somewhat surprised to see that the total went from about $110 to about $85 with the discounts that my wife's club card gave me. That's almost 20 percent of the purchase.

I don't know how representative that single data point is, but if a grocery store is willing to give you that much of a discount if you let them track what you're buying, people must be fairly unwilling to let stores do this.

Wednesday, 14 October 2009

The HITECH act and compliance trends

The Health Information Technology for Economic and Clinical Health (HITECH) Act that recently went into effect has provisions that encourage, but don't require, covered entities to encrypt PHI. The Interim Final Rule (45 CFR Parts 160 and 164) that implements part of the HITECH Act requires notification of the unauthorized use or disclosure of unencrypted PHI that "poses a significant risk of financial, reputational, or other harm" to an individual.

Some conspiracy theorists seem to believe that this wording was included to allow businesses to avoid the high costs of breach notifications by arguing that their analysis shows that their breach didn't cause a significant risk of harm. A more reasonable explanation is that similar language dates back as far as the original Privacy Act of 1974, and is already included in the existing state breach notification laws.

But if the breach notification requirements of the HITECH Act aren't there to let businesses freely violate our privacy while giving us the illusion of it being protected, why are they there?

The breach notification requirements of the HITECH Act are probably best understood as part of a trend that's slowly but surely increasing the protection that sensitive data needs to have. This started with laws and regulations that required organizations to protect sensitive information, although the exact way in which they protect it is typically very flexible. It then moved to requiring notification of breaches of unencrypted sensitive information. At this point, encryption still isn't required, but there's a strong incentive to use it to avoid expensive breach disclosures. The next step is to require organizations to encrypt sensitive information.

The HIPAA Privacy Rule was the first step in this process for PHI. It required health care organizations to protect PHI, although they could implement this protection in many ways. The HITECH Act is the next step. It essentially requires the notification of breaches of PHI that isn't encrypted. In the future, we will probably see a federal law that actually requires the encryption of PHI. This has already happened in some states.

In 2008, Nevada law (NRS 597.970) required the encryption of Nevada residents' sensitive information when it's transmitted outside a business' secure network. The Massachusetts encryption law (201 CMR 17.00) did the same for Massachusetts residents a short while later. Legislators are now considering similar laws in other states, and similar data encryption laws will probably become widespread over the next several years. It's now hard to avoid complying with these state laws, and it's going to get even harder in the future.

How to comply with these laws in a reasonable way is still an unsolved problem. Legislators want businesses to protect sensitive information, but not at a cost that's too high to be practical for a business that needs to be profitable to survive.

Encryption is notoriously hard and expensive to use, but a combination of newer technologies and motivated IT departments is leading to solutions that are much more practical than they were a few years ago. Technologies like identity-based encryption, for example, are at least a factor of three less expensive to own and operate than the aging PKI technology that dates back to the dot-com boom. That's often enough of a difference to make encryption practical where it once wasn't.

Once the states find what works and what doesn't, it's likely that the federal government will raise the bar and require the encryption of all PHI, and when they do this, they will probably base exactly what they require on the lessons that the states have learned. Let's hope that this happens soon.

There has been lots of media coverage of the recent data breaches that have exposed millions of credit card numbers to hackers. But while it's relatively easy to cancel a compromised credit card and get a new one, it's not really practical to cancel and get a new medical history. Once it's compromised, it's compromised forever. Because of this, PHI deserves to have strong protection, and encrypting PHI is the best way to do this. The breach notification requirements of the HITECH Act only encourage encryption, but they're a good step towards ensuring that PHI gets the protection that it deserves.

Friday, 02 October 2009

Did privacy cause identity theft?

In his article "Did Privacy Cause Identity Theft?" law professor Lynn LoPucki claims that the problem of identity theft that we have today is directly due to the increased privacy that various laws have given us in the past several years. He says that as recently as the '70s, identity theft was very hard for a criminal to pull off because there was so much public information about our identities. And because identity thieves need privacy to commit their crimes, the very privacy that we think is making things better for us has actually made it easier for identity theft to happen.

There's certainly a correlation between the proliferation of privacy laws and identity theft, but attributing the identity theft to the laws may be an example of post hoc reasoning. It seems to me that the ways in which identities were verified in the past didn't really take advantage of the additional information that was available at the time, even though it was available.

Instead of believing that our higher level of privacy has caused the higher rates of identity theft that we see today, I'd guess that it's just a case of criminals using the technology that's available to them. At the same time that stricter privacy laws made it easier for identity thieves to commit identity theft, information technology also proliferated. When this happened, there was much more information available to identity thieves, so they naturally used this information to commit identity theft. I'd guess that's why identity theft is a bigger problem today than it once was, and that the increased amount of identity theft isn't related to the stricter privacy laws at all.

On the other hand, I could be wrong. If that's the case, then I would expect LoPucki's model to predict that identity theft will decrease over the next several years as the proliferation of social networking web sites provides a handy source for lots of public information about our identities. Or I would expect his model to predict that users of social networking web sites suffer less identity theft than people who don't.

I don't believe that either of these will turn out to be true.

Thursday, 01 October 2009

The Right to Privacy

The 1890 Harvard Law Review article "The Right to Privacy" by Samuel Warren and Louis Brandeis is probably one of the most influential articles ever written on the topic of the protection of privacy. In this article, Warren and Brandeis argued that common law contained the foundation for effectively protecting privacy and that it was possible to modify and extend common law to make this happen.

From reading "The Right to Privacy," it certainly looks like Warren and Brandeis started thinking about the need to protect privacy because technological innovations were making it easier and easier to violate privacy. We have this same problem today. Cell phone carriers have databases of every call that we make as well as where we are when we make these calls, and e-commerce web sites track every click that you make and every page that you view.

Back in the 1880s, however, the problem was apparently a bit different. The example that Warren and Brandeis use again and again is that of the loss of privacy that the new technologies for photography allow. After all, if anyone can take a photograph without you knowing it, the possibilities for abuse of the technology are limited only by the imagination of the people who have cameras.

From the early twenty-first century, it almost seems hard to believe that cameras could cause so much concern. I wonder if people 100 years from now will have the same reaction to the privacy concerns that we have today. People seem to have adjusted to the widespread use of cameras fairly well, and they seem to have done this by accepting that the violation of privacy that cameras allow is an acceptable cost of using the technology. It may seem hard to believe now, but we might adjust to today's information technology in the same way, by accepting the violations of privacy that it allows. I wouldn't be surprised if that's how things turn out in the future.

Tuesday, 29 September 2009

Records, Computers and the Rights of Citizens

Although identity theft is now getting more media coverage than it once did, the need to protect the sensitive personal information that's used to commit identity theft has been well known for many years. As far back as 1973 this was known to be a problem. That's when the report Records, Computers and the Rights of Citizens was written for Caspar Weinberger, who was then Secretary of Health, Education, and Welfare.

This report discussed the problems of privacy and recommended that the following five principles be used to create a “federal code of fair information practice” that would be enforced by one or more federal laws:

  • There must be no personal data record keeping systems whose very existence is secret.
  • There must be a way for an individual to find out what information about him is in a record and how it is used.
  • There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
  • There must be a way for an individual to correct or amend a record of identifiable information about him.
  • Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

The government has known for over 35 years that protecting sensitive personal information is a problem that needs to be addressed. Let’s hope that they can manage to do what needs to be done before we can say that they’ve known about the problem for over 40 years and still not addressed it.
