Archive for the 'Privacy' Category

Reverse Privacy Breach

Tuesday, September 2nd, 2008

In which I may have created a new term…

A reverse privacy breach is when people supply data that we don’t actually want to know about them, creating risk for us since we must now safeguard that information, whether we want it or not.

Recently, during the course of an internal review, we discovered that we were holding a lot of Personal Information that we had not previously been aware of. As a result, we had to try to track down where the information had come from so we could determine what policies it was covered under for use, retention and destruction.

This is yet another example of how Cory Doctorow was right when he wrote that accumulations of Personal Information are like “Nuclear Waste.”

crossing paths with myself

Saturday, November 10th, 2007

Based on what I find in Google, there’s only one other Chandler Howell out there in the world and popping up with any level of frequency. Back when I had the time to blog frequently, I had pretty much pushed him out of the top three pages of search results–ironic, given that he’s an electronic marketing expert.

The closest I’ve ever come to crossing paths with him was a year or so ago, when I had an email from someone who thought I might be the “other” Chandler Howell. He lives in Virginia, whereas I live in Chicago. They were very nice and we had a friendly exchange where I explained that I was not the Chandler they were looking for (no Jedi Mind Tricks required).

Then, a few weeks ago, I was at Dulles airport in Washington, DC for a return flight to Chicago. I went to the electronic check-in terminal and swiped my credit card to identify myself. The terminal then asked me which itinerary was mine–the flight to Chicago or the flight to Boston?

I briefly considered heading over to his gate and finding him to introduce myself, seeing as I knew his flight number and could probably get the gate staff to page him for me, but I thought that might have been a bit much.

Still, I’m curious. How frequently does this happen to people named, say, John Smith or some other more common name, and how many people would consider this some sort of privacy invasion? I know that it’s pretty trivial compared to the data abuses being carried out on an ongoing basis by the US and other governments, but it still bothered me enough to write about it now, some weeks later.

Yes, I could probably dig out the stats on name frequency and airline passenger volume and come up with some sort of estimate of passenger name collisions, but it’s Saturday so I’ll pass.

Knowing what you don’t know

Monday, June 11th, 2007

Security, as we all (should) know, is a people problem. Throw a little bit of technology into the mix and it can get messy in a hurry. I’ve got two interesting tales of security woe today, both addressing the role of people and, more specifically, the interaction of people and technology leading to security woes.

First, consider the case of a Powerpoint presentation from the Office of the Director of National Intelligence:

Terri Everett of the Office of the Director of National Intelligence gave a Powerpoint presentation which was also hosted online; unfortunately some data behind his pie charts revealed rather more than intended. Writer R.J. Hillhouse found that she could open the chart object and extract the numbers from within. The result is that she (and all of us, thanks to her blog) now know that the budget of the 16 US intelligence agencies is 25% more than previously thought - $60 billion.

Oops. For some reason, people often fail to comprehend that data-driven tools (such as graphing controls) are backed by data, and that unless they explicitly sever that relationship (for example, by copying and pasting the values they want to use into a new document), the underlying data from which they distilled their pretty pictures is still there, either directly or indirectly.
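The pre-publication check that would have caught the ODNI slip can be automated for the current Office format. The example below is added here and is not from the original post or from any Office tooling: a .pptx file is a zip archive, charts live in `ppt/charts/chartN.xml` and carry a `numCache` of the plotted values, and linked workbooks sit under `ppt/embeddings/`. The check lists both. The deck it scans is a constructed stand-in containing only the parts the check reads, not an openable presentation; the 2007 deck was likely the older binary .ppt container, which this check does not cover.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# DrawingML chart namespace used by OOXML chart parts (ppt/charts/chartN.xml).
CHART_NS = "{http://schemas.openxmlformats.org/drawingml/2006/chart}"


def audit_deck(pptx_bytes: bytes):
    """Scan a .pptx (a zip) for source data that travels with its charts.

    Returns (embedded_parts, cached_values): embedded workbook parts under
    ppt/embeddings/, and the numeric cache each chart part still carries.
    """
    embedded = []
    cached = {}
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("ppt/embeddings/"):
                embedded.append(name)
            elif name.startswith("ppt/charts/") and name.endswith(".xml") and "/_rels/" not in name:
                root = ET.fromstring(zf.read(name))
                values = [float(v.text)
                          for cache in root.iter(CHART_NS + "numCache")
                          for v in cache.iter(CHART_NS + "v")]
                if values:
                    cached[name] = values
    return sorted(embedded), cached


def carries_source_data(pptx_bytes: bytes) -> bool:
    """Release gate: True if the deck still ships the numbers behind its charts."""
    embedded, cached = audit_deck(pptx_bytes)
    return bool(embedded or cached)


# Constructed chart part: a pie chart whose numCache still holds the plotted values.
CONSTRUCTED_CHART_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart">
  <c:chart><c:plotArea><c:pieChart><c:ser>
    <c:val><c:numRef><c:f>Sheet1!$B$2:$B$4</c:f>
      <c:numCache>
        <c:pt idx="0"><c:v>12.5</c:v></c:pt>
        <c:pt idx="1"><c:v>30</c:v></c:pt>
        <c:pt idx="2"><c:v>17.5</c:v></c:pt>
      </c:numCache>
    </c:numRef></c:val>
  </c:ser></c:pieChart></c:plotArea></c:chart>
</c:chartSpace>"""


def build_constructed_deck(with_chart: bool) -> bytes:
    """Build a minimal zip laid out like a .pptx (constructed; not an openable deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<placeholder/>")
        if with_chart:
            zf.writestr("ppt/charts/chart1.xml", CONSTRUCTED_CHART_XML)
            zf.writestr("ppt/charts/_rels/chart1.xml.rels", "<placeholder/>")
            zf.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx",
                        b"constructed placeholder bytes")
    return buf.getvalue()


if __name__ == "__main__":
    leaky, clean = build_constructed_deck(True), build_constructed_deck(False)
    print("leaky deck:", audit_deck(leaky))          # lists the workbook and the cached values
    print("clean deck:", carries_source_data(clean))  # False: chart pasted as a picture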

But the problems don’t stop there. A critical eye and a fundamental understanding of the system that the data is modeling can catch all sorts of interesting opportunities.

For example, a couple of years ago I was reviewing the results of our annual employee satisfaction survey. The information included not just my department, but the totals for each department in the entire group up through the CISO.

I noticed that there seemed to be an off-by-one error in one of the results, and realized that it wasn’t an error, but rather that the CISO’s answers had been included in the totals (“x people rated us a 1, y people rated us a 2 on it,” etc.) as an unlisted one-person department! It therefore became trivial to extract his “confidential” answers to the entire survey.

Fortunately, the survey had not been widely distributed yet (and most people who had a copy hadn’t looked hard enough to notice this), but even so HR was loath to withdraw and re-issue every report that was vulnerable to this simplistic Data Mining Attack.
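The survey leak is a differencing attack: a roll-up minus the listed sub-totals leaves a remainder, and when that remainder is one respondent, the counts are that person’s answers. The example below is added here and is not from the original post or from HR’s reporting tool. It uses constructed tallies for two named departments plus one unlisted respondent, recovers the unlisted answers exactly as the post describes, and then applies the check a report generator should run before release: a roll-up is publishable only if every remainder it leaves is either empty or at least `k` respondents (`k=5` is an assumed threshold).

```python
# Rating scale used by the constructed survey: 1 (worst) to 5 (best).
SCALE = (1, 2, 3, 4, 5)


def blank_tally(questions):
    """Per-question counts of how many respondents gave each rating."""
    return {q: [0] * len(SCALE) for q in questions}


def add_responses(tally, responses):
    """Add one respondent's answers ({question: rating}) to a tally in place."""
    for q, rating in responses.items():
        tally[q][SCALE.index(rating)] += 1
    return tally


def combine(tallies):
    """Roll several department tallies up into one (what the group report shows)."""
    questions = list(next(iter(tallies)).keys())
    out = blank_tally(questions)
    for t in tallies:
        for q in questions:
            out[q] = [a + b for a, b in zip(out[q], t[q])]
    return out


def residual(group_tally, listed_tallies):
    """Group roll-up minus every department that is listed: whoever is left over."""
    listed = combine(listed_tallies)
    return {q: [g - l for g, l in zip(group_tally[q], listed[q])] for q in group_tally}


def recover_unlisted_respondent(group_tally, listed_tallies):
    """If the remainder is exactly one person per question, return their answers."""
    answers = {}
    for q, counts in residual(group_tally, listed_tallies).items():
        if sum(counts) != 1:
            return None          # remainder is empty or a real crowd; nothing to read off
        answers[q] = SCALE[counts.index(1)]
    return answers


def publishable(group_tally, listed_tallies, k=5):
    """Defender check: every remainder must be empty or at least k respondents."""
    return all(sum(c) == 0 or sum(c) >= k
               for c in residual(group_tally, listed_tallies).values())


# Constructed data: two listed departments and one unlisted respondent.
QUESTIONS = ["Q1", "Q2", "Q3"]
APPSEC = blank_tally(QUESTIONS)
for r in ({"Q1": 4, "Q2": 3, "Q3": 5}, {"Q1": 3, "Q2": 3, "Q3": 4}, {"Q1": 5, "Q2": 2, "Q3": 4}):
    add_responses(APPSEC, r)
NETSEC = blank_tally(QUESTIONS)
for r in ({"Q1": 2, "Q2": 4, "Q3": 3}, {"Q1": 4, "Q2": 4, "Q3": 3}):
    add_responses(NETSEC, r)
UNLISTED = {"Q1": 5, "Q2": 1, "Q3": 3}   # the "one-person department" folded into the roll-up
GROUP = combine([APPSEC, NETSEC, add_responses(blank_tally(QUESTIONS), UNLISTED)])

if __name__ == "__main__":
    print("recovered:", recover_unlisted_respondent(GROUP, [APPSEC, NETSEC]))  # equals UNLISTED
    print("publishable:", publishable(GROUP, [APPSEC, NETSEC]))               # False
```

The check costs nothing at generation time and catches the case the post describes; the usual remedy is to drop the extra respondent from the roll-up or merge them into a listed department large enough to hide in.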

Next, carrying forward the theme of the importance of knowing how much you do or don’t know, there’s a tale of social engineering gone horribly wrong. For a little background, Steam is a combination online community and license key management application that Valve Software, a major game developer, built to support their online games and (eventually) roll some fairly DRM-ish anti-piracy features into their products.

Their technology is good enough that social engineering has become the preferred method of stealing keys. Of course, it works better for some than others, and so our story begins…

Greg_ValveOLS says:
my name is greg a member of the valve online Support team

br0kenrabbit says:
On MSN?

Greg_ValveOLS says:
yes :)

br0kenrabbit says:
Why?

Greg_ValveOLS says:
we logged multiple ips from your account and ned to verifi your information

br0kenrabbit says:
My information?

Greg_ValveOLS says:
we believe someone may have stolen your account mmmm you havent shared youre account infomation with anyone have you?

I won’t endorse the final outcome of the conversation, but needless to say, social engineering can be kind of like picking a fight in a bar–you won’t know just who you’re up against until it’s too late.

Tragedy, Comedy and Breachedy

Thursday, May 31st, 2007

Mel Brooks once said, “Tragedy is when I stub my toe. Comedy is when you fall in an open manhole and die.”

The real victims of the Choicepoint breach have been allowed to fall in the open manhole by their State Attorneys General.

ChoicePoint Inc. has settled with 44 U.S. states over a 2005 data breach that resulted in criminals potentially having accessed personal information from more than 145,000 consumers.

The company, which maintains profiles of nearly every U.S. consumer, agreed to adopt stronger security measures and pay $500,000 to the states, Connecticut Attorney General Richard Blumenthal said in a statement.

That’s right, folks. If you’re a business whose core competency is supposed to be dealing in Personal Information, the criminal(?) penalty for mishandling it is approximately $3.50 per record. That ignores the multitude of other costs that have come out of the Choicepoint breach(es), but it certainly adds a solid data point for one of the line items of breach costs.

Choicepoint’s shares closed up $0.08 on the news, which means that the market implicitly felt that the potential liability the settlement eliminated was worth about $6 million.

Getting caught listening

Thursday, March 22nd, 2007

Over at Wired’s 27b stroke 6, they’ve got an item about the FBI’s response to their own rule breaking regarding subpoenas:

The FBI is under scrutiny for asking phone companies for telephone records using fake emergency letters and then not following up with the required legal documents. In a pre-emptive response, the FBI halted the rule-breaking by telling agents that emergency letters no longer had to be followed up, according to this story yesterday from the Washington Post’s John Solomon.

The rule was a compensating control–a formalized requirement to ensure that this “emergency” power was truly only used in emergencies when it could be justified. In a true emergency, there might not be time to fill out the paperwork and walk everything through the approvals workflow. I’m not quite sure what that scenario might be (this is a wiretap, after all–listening to people talk on the phone). Thus, the FBI’s removal of the follow-up rule tells us that their concern is with the risk of getting caught breaking the rules, not with ensuring that they follow them.

Any parent can figure out how this should work. My daughter wants something. Say, a pair of rollerblades. I agree to buy them, but only on the condition that she only skate on the sidewalks or along the bike trails by the lake and wear appropriate safety gear: knee pads, elbow pads and a helmet. Two days later, I look out the office window and see her skating in the middle of the street with no safety gear on whatsoever.

When I go down and tell her to get out of the street, am I going to let her tell me that it’s OK because she decided she no longer needed safety equipment? I don’t think so. I’m going to let her know that this was her one chance to screw up and the next time, I’m going to take the skates away. And if she does it again, the next time she skates it’ll be on a new pair because it will have been long enough that her feet have outgrown the new ones.

Of course, if I were over at the FBI, I’d be scared, too. Wiretapping someone without a warrant is a serious federal felony. Of course, if a bunch of our supposed Top Cops can’t understand that, then things may be even worse in this country than I’d previously assumed.

One of the reasons it was traditionally difficult to get a wiretap warrant was because we-the-people don’t want the government (including the FBI) listening in on our phone calls.

I think now would also be a good time to mention that the Electronic Frontier Foundation has been doing good work fighting for us all in court as part of the NSA Illegal Wiretap suit.

EFF v. AT&T

Beware the Dating Security Complex

Friday, March 9th, 2007

Adam Shostack has “cluechick” in as a guest blogger at Emergent Chaos to provide some thoughts on background checks for on-line dating.

As I would expect of anyone whom Adam would let put words on his site, she gets it:

Finally, and perhaps the biggest issue, to my eyes, is the possibility that people will use this sort of thing instead of common sense tools like their brains and hearts. Yes, a background check might pull up some tidbit of information that I might otherwise never know, but it can’t tell me that my newfound love is the person I want him to be. A lack of data, after all, is not necessarily a positive finding.

Unfortunately, the vast majority of the readers of the original article probably won’t.

I’ve written previously about both risk homeostasis, of which this is a perfect example, and even specifically about background checks and online dating.

From the original article, “Dinner, Movie — and a Background Check — for Online Daters”:

Kimberly Hall was twice betrayed by men she met dating online. Both turned out to be married.

So she started doing background checks on her dates using a Web site called Intelius. Now, the 33-year-old from Laurel is engaged to a man she met on Blackplanet.com, but even he had to undergo record checks.

“He wasn’t happy” about doing it, Hall said of her fiance. But eventually he turned over his Social Security number.

I’ll bet he wasn’t, given that in the United States, the SSN is still the golden key to access someone’s potential lines of credit. Someone has probably already figured out that they can use a demand for this information as the source of inputs to commit full-fledged identity fraud. It’s an emotionally loaded demand, so it will probably work. Then, the scammer can break off the relationship for something that was allegedly found in the check. It’s the worst security of all: Insecurity in the name of security.

First off, if you’re going to let the presence of countermeasures increase your inherent risk tolerance, you’d better be sure that the countermeasure is actually effective at reducing your residual risk back to the desired level. Unfortunately, the various background checks and other offerings from the “dating security industry” tell you, at best, whether or not this person has been caught yet. Consider the average data quality in a background check database, and you should realize it probably can’t even do that.

As to the idea that a background check can keep someone safe? Puh-leeze. People with Top Secret clearances, which are a whole hell of a lot more invasive than a credit & criminal database check, commit every kind of crime from murder to espionage to bestiality in front of their friends without getting caught for years. The whole dating security industry is nothing more than another way to separate fools from their money.

The only reasonable suggestion in the whole article is MatchTalk, and it’s just an extension of the core model, not a security feature at all:

Since November, Match.com has gotten more than 500,000 members to test its MatchTalk feature, which uses Jangl’s technology. The service asks for members to enter their phone numbers into the Web site, which generates a phone number that can be used to make calls between the two dating prospects without disclosing their actual numbers. The service is temporary: A couple can give up the temporary number if they get serious or if they call it quits.

MatchTalk was already on the drawing board by the time I left Match, and I thought it was an interesting idea. I took the position that it would be good for revenue, since we thought people would want it (and it sounds like they do from the numbers), but bad from an information quality perspective since we would lose the ability to do any more than “he-said-she-said” investigation, which we already did enough of even when people sent us transcripts of email conversations.*

Extending the online dating business model from E-mail to IM to Voice fills a real gap in the process, allowing people to get a feel for a person’s real-life timing and presence before they actually meet face-to-face. If the person comes off as creepy on the phone, then the real risk–an in-person encounter going horribly wrong–has been avoided, and that’s a good thing.

So the reporter found some woman in Texas who accidentally dated a murderer. I googled for 10 seconds and found a Houston TV station that invited a convicted rapist to an on-air speed dating event.

What we should all remember at times like this is that the plural of anecdote is not data. Data is what you get when you have a population of almost 20 million people, over a million of them paying you money in any given month to talk to one another, and every time someone gets hurt, you or your staff have to do the research.

The answer is, quite simply, that we had a lower risk of violent crime among our members than the average person looking for love in a bar. Maybe that was because our customers weren’t looking for love while drunk, but that certainly can’t have hurt. Our demographic was divorcees and thirty-somethings who had never married. As a result, our customers tended to be older and thus less likely to commit crimes, period. This may have changed since I left, since the college and twenty-something crowd was being marketed to quite heavily, but my data was that snapshot in time.

Now that’s not to say all was sweetness and light–after all, they paid me and my team for a reason–but on the product security side, we spent a lot more time dealing with (in descending order of frequency):

  • people using our system as a marketing channel for either a competing dating site or porn. If done correctly, it was less than 1/10th the cost for a much better set of prospects than any email address list you could buy. If done fraudulently, it was essentially free.
  • phishing for member accounts for use in above marketing fraud
  • people attempting to commit fraud targeting our customers (e.g. 419 and other advance-fee stuff, Russian Bride scams)
  • Subpoena requests in divorce proceedings
  • credit card chargebacks or fraud complaints to the police, often attempts by cheating spouses to explain away the presence of match.com charges on their credit card statement

That’s not to say that we didn’t have violent crimes or con games between people who met on the site, but I can guarantee that it was a lot less than in a city of equivalent size.

* we did not store or archive message bodies, only subject lines at the time–I have no idea what they do or don’t archive now.

Mini Privacy Invasion?

Wednesday, January 31st, 2007

While this is opt-in, I would be mad as hell if they did this to me automatically.

Each day, it seems, marketers go further in their quest to deliver messages so engaging and personalized that one cannot help feeling special. The latest step will be seen today in four cities when Mini USA begins delivering custom messages to Mini Cooper owners on digital signs the company calls “talking” billboards.

The boards, which usually carry typical advertising, are programmed to identify approaching Mini drivers through a coded signal from a radio chip embedded in their key fob. The messages are personal, based on questionnaires that owners filled out: “Mary, moving at the speed of justice,” if Mary is a lawyer, or “Mike, the special of the day is speed,” if Mike is a chef.

The experiment adds a new wrinkle to the wrangling among marketers and safety experts over whether drivers might be dangerously distracted by messages flashed on the growing number of digital billboards around the nation. Some communities have forced billboard owners to modify or turn off such signs, and the federal government has said it will soon publish a review of the research on the subject.

The enthusiastic guinea pigs for the Mini experiment will be more than a thousand Mini owners in New York, Miami, Chicago and San Francisco who have signed up for what the company calls “an ever-changing array of unique, personal, playful and unexpected messages.”

As a former Mini Cooper S owner, I will say that I loved the car, but the personalized marketing was a little bit creepy. They sent birthday cards, trip journals, and various other tchotchkes a few times a year as part of their owner loyalty program. To me, it felt more like they were bragging to me about my presence in their database.

I knew the key fobs were chipped, because I saw a service rep stick my key in a reader and it dumped the full diagnostic set, including mileage, sensor data, and alert history from my car to their maintenance tracking system. I saw the value of this–the cost savings on diagnostics must have been huge for the dealer and it also made the customer experience at the service desk a lot easier, too.

The idea that the RFID can be read from a couple hundred feet away when stuffed inside a metal cylinder doesn’t exactly give me warm fuzzies, though.

Insecurity camera

Monday, November 27th, 2006

From Yahoo news:

NASHVILLE, Tenn. - An East Tennessee county that has beamed live 24-hour video from its jail on the Internet for nearly six years may nix the practice following complaints of harassment and security concerns.

Some viewers have been using the cameras to harass female jailers by calling them on the telephone and taunting them as they work, according to Anderson County sheriff’s officials.

In other cases, viewers are tracking inmate movements and using the information to coordinate deliveries of contraband to prisoners on work details outside the jail.

“It shows the public what we are doing. I like that idea,” said Anderson County sheriff Paul White.

“But by the same token, now that people are using it for bad things, we have to weigh the odds. The bad things that could happen are not worth the good things that happen out of it. And if you weigh the odds, it looks like we will have to shut it down.”

At least the sheriff understands risk, perhaps better than he even realizes, as well as technology as an unbiased enabler.

Cameras can allow fewer guards to monitor more area. Cameras can help provide oversight and prevent abuse. Cameras can also, however, invade privacy, both in intended (the inmates) and unintended (the guards) ways.

And as an article on the camera-ization of Chicago makes clear, some people are just not qualified to participate in the discussion:

“Hopefully it will make the crime rate drop and that should justify everything,” said Jeff Coates.

Second Lives

Wednesday, September 13th, 2006

So Second Life got hacked:

On September 6 we discovered evidence that an intruder was able to access the Second Life database through the web servers. The exploit was shut down on the afternoon of September 6 when we discovered it.

Detailed investigation over the last two days confirmed that some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords and encrypted payment information.

No unencrypted credit card information is stored on the database in question. Unencrypted credit card information has not been compromised.

A news story puts the scope of the breach at 650,000 accounts.

Let’s read into the story a little bit.

First, we now know a little bit about the Second Life team’s risk management priorities. They encrypted (hashed, most likely) user passwords. By making this decision, they declared that they were more concerned with account security than incremental performance gains they might have derived from not encrypting them.

Still, even though Second Life handled the passwords responsibly, they still are paying the price for losing them–they will probably lose at least a few on-the-fence customers and also have to bear the increased cost of supporting 650,000 people all trying to change their passwords at once. Long-term, this is the Right Thing.

Second, we know that they care about protecting their revenue stream. I’m guessing they were PCI-Compliant since they encrypted credit card information. That’s also a Good Thing since it means that they aren’t going to be put out of business by lawsuits or the “Death Penalty” from Visa or Mastercard (even if that is, to a certain extent, killing the goose that lays the golden egg).

Third, we know that they have some concerns that at least some portion of the password database is vulnerable to (probably) dictionary attacks. John the Ripper would probably make pretty quick work of those ~650,000 accounts, especially if the hashed passwords weren’t salted or weren’t salted with a large enough salt (a random value included with the hashed password to prevent a single dictionary attack against the entire list).
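The salt point above can be made concrete. The example below is added here and is not from the original post or from Linden Lab; nothing is known about how Second Life actually stored passwords. It contrasts an unsalted digest, where two accounts with the same password produce identical records so one wordlist pass covers the whole table, with a per-account random salt and a slow key derivation (PBKDF2-HMAC-SHA256, here with an assumed 100,000 iterations), where every account has to be attacked separately. The accounts and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16        # a 128-bit random salt is large enough that no two accounts share one


def hash_unsalted(password: str) -> str:
    """The weak scheme: a bare digest, identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Stored record: algorithm, iteration count, salt and derived key, all self-describing."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def new_record(password: str) -> str:
    """Create a record with a fresh random salt; never reuse a salt across accounts."""
    return hash_salted(password, os.urandom(SALT_BYTES))


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    _alg, iters, salt_hex, _dk = record.split("$")
    candidate = hash_salted(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, record)


def distinct_records(records) -> int:
    """How many different stored values a set of records shows an attacker."""
    return len(set(records))


def guesses_per_wordlist(n_accounts: int, wordlist_size: int, salted: bool) -> int:
    """Hash evaluations one wordlist pass costs: per word unsalted, per word per account salted."""
    return wordlist_size * (n_accounts if salted else 1)


# Constructed accounts: two of them chose the same password.
ACCOUNTS = {"avatar_one": "correct horse", "avatar_two": "correct horse", "avatar_three": "battery staple"}
UNSALTED_TABLE = {u: hash_unsalted(p) for u, p in ACCOUNTS.items()}
SALTED_TABLE = {u: new_record(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted distinct records:", distinct_records(UNSALTED_TABLE.values()))  # 2: the duplicate shows
    print("salted distinct records:", distinct_records(SALTED_TABLE.values()))      # 3: no duplicate shows
    print("login ok:", verify("correct horse", SALTED_TABLE["avatar_one"]))
    print("wordlist cost, 650k accounts, 100k words, salted:",
          guesses_per_wordlist(650_000, 100_000, True))
```

The record format stores the iteration count, so the work factor can be raised later and old records re-hashed at next login; that is the "large enough salt" point extended to the rest of the scheme.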

Finally, we know that Linden cares less about protecting their customers than they do about their ability to get paid, even if those customers are also an integral piece of the revenue stream. I suspect this is more a case of the floor for compliance being the ceiling for effort than anything else–no law or industry legal agreement requires them to encrypt the data, so they didn’t. They did not perceive risk associated with losing that information, and I suspect that this will be what eventually hurts Second Life when all is said and done.

Interestingly, Second Life seems to have missed a significant tenet of their value proposition–that they provide a place where people really do have second lives. And that’s the real risk in this whole incident. Certainly there could probably be some fraud and account abuse in all this, but I would hope that Linden Labs has or is putting processes and tools in place to identify and make those affected “whole” again.

I strongly suspect, however, that their willingness to accept risk to people’s Identities will be the long-term impact of this incident. After all, I have to suspect that there’s going to be a tendency to self-censor (for better and worse) what people feel willing to do with their second life if they can’t be certain that it won’t be tied back to their first one.

I have to state that I’ve never spent any time in Second Life, but that’s only because I’m a recovering addict (you’re never recovered) of Evercrack and a couple of other MMORPGs–the actual concept fascinates me. As such, I firmly believe it’s best for me if I just stay away from Second Life.

Nevertheless, I know from some experience that some people are very different on-line than in real life, for better and for worse. In the limited confines of an MMORPG, that can create significant problems. In the nearly unlimited scope of Second Life, while most of what goes on is pretty innocuous, I’ve read some things (no links–I’m offline as I compose this) in the past that lead me to believe that some people do things there that they’d just as soon not be tied to in their First Life.