
Transparency: The Forgotten Tool

Monday, May 8th, 2006

Those of us who come to the privacy management arena from a computer security background tend to take an extremely narrow and focused view of how technology can protect privacy. We love to debate each other on esoteric subjects: cryptographic key strengths, the merits of strong two-factor authentication, trust models in networked systems and all sorts of deep technologies. As someone who worked in public key infrastructure technologies for several years and firewall technology before that, no one is a bigger fan of emerging security technology than I. These are all good and useful topics to be discussing, and these sorts of technologies are important foundations of a networked world.

Traditionally we think of privacy enhancing technologies as tools for hiding, obfuscating, and controlling disclosure. But in terms of an overall approach to privacy management we should also think about how technology can be used to create visibility and awareness of information security practices.

This point was made quite well recently by Harriet Pearson, VP of corporate affairs and Chief Privacy Officer for IBM, in an interview with Computerworld.


Infrastructure Components to Catch The Rogue Employee

Monday, April 10th, 2006

A Computerworld story reports that the employee was caught only after one of the owners of a property under foreclosure was called by the employee and the property owner subsequently complained. The Computerworld story is careful to note that “no actual hacking” took place. But more importantly, there was no internal business process or IT infrastructure in place to detect the “wrongful” accesses. The good news is that the actions taken by the employee were clearly against Progressive’s published information security policies and the employee was quickly fired.

The Computerworld article correctly points out, in my opinion, that this is an example of the rising problem of insider threats from rogue employees.


The New Frontier of Privacy Management: Policy Based Auditing

Monday, April 3rd, 2006

No technology can replace a culture of respect for privacy. Arthur Riel, a former IT manager at Morgan Stanley, found out the hard way. Information Week has done a good job covering the story. It seems that Mr. Riel was in charge of putting in place an e-mail archiving and searching solution at Morgan Stanley. Ironically enough, this was the result of SOX findings that indicated the company needed to do a better job of managing its e-mail.


The Real Lesson Behind Laptop Loss

Monday, March 27th, 2006

Ernst and Young is the latest company to fall into the data breach spotlight due to a lost laptop. An E&Y laptop containing the personal information of over 38,000 British Petroleum employees was lost. BP officials began notifying their employees that their personal information may have been exposed and may put them at risk of identity theft. In this particular case, social security numbers were among the personal information on the laptop.

The UK IT Trade web site, The Register, had the following headline:

40,000 BP workers exposed in Ernst & Young laptop loss


On Secondary Use of Information

Thursday, March 23rd, 2006

In their enthusiastic charge to protect people from privacy invasion, privacy advocates sometimes get too focused on preventing the disclosure of information. We see a bunch of client-based tools, often browser plugins, that warn people that they are about to submit personal information to web sites that don’t have published privacy policies. Some of the more sophisticated tools will compare an end-user’s preferences to a site’s published policy and inform the user whether the site policy is consistent with the user’s preferences.

But focusing on preventing the disclosure of information isn’t enough because people _want_ to disclose their information to companies, both electronically and directly.


Data Minimization and Virtual Credit Card Numbers

Tuesday, January 10th, 2006

When we talk about privacy enhancing technologies we often immediately jump to talking about encryption methods, DRM technologies and instance-based access controls. But sometimes we forget about techniques for minimizing data disclosure. I know I’m guilty of this. I’d much rather debate the pros and cons of various policy expression languages!

I was reminded about data minimization recently when I tried for the first time a service from my credit card company: virtual credit card numbers. With so many people experiencing credit card fraud online, I’m surprised more people aren’t using virtual credit card numbers. They are a great way to minimize the disclosure of your real credit card number to others. So I thought I’d share my experience with the service so far.


Google Personal Search Tracking

Friday, April 29th, 2005

Information Week reports that the beta version of Google’s personal search tool is raising significant privacy concerns among privacy advocates. No one is a bigger fan of Google as a whole than I am, and I have defended Google’s privacy practices in the past. But not this time. The lack of privacy protection in their Google Personal Search Tracker is inexcusable.


Stolen laptops contain medical info on 185,000 patients

Tuesday, April 12th, 2005

Network World Fusion reports that a “medical group” in San Jose, California experienced a burglary in their offices in the middle of the night. Two laptops were stolen containing personal information for 185,000 patients. The patient information included social security numbers. Thanks to the California law known as SB1386, these news stories are becoming more and more common, because the law requires organizations to make a good-faith effort to notify people affected by identity theft.

HEADLINE: Kaiser Permanente patient data exposed online

Wednesday, March 23rd, 2005

That was the headline for Linda Rosencrance’s article on Computerworld on March 16th. (See

But did they really? When you dig several paragraphs deeper into the story the picture becomes much more ambiguous than the headline would lead you to believe.

A woman, known as “Elisa” and “Diva of the Disgruntled” on her weblog, had been terminated from her job as a web coordinator at Kaiser. Some time later, she claimed that Kaiser had posted a series of system schematics for an Electronic Medical Records (EMR) project on a publicly accessible web site, as well as personal patient information for about 140 people. She filed a complaint with the Office of Civil Rights on the grounds that it is a violation of HIPAA regulations. She apparently made no attempt to notify Kaiser directly. A Kaiser spokesman said that the company learned of the incident when the Office of Civil Rights began an investigation.

The parts of the story regarding the posting of the EMR project schematics don’t seem to be in dispute. Elisa found the web site URL with the schematics when she googled the name of her former manager. She made these URLs public on her web log. A Kaiser spokesman admitted that the schematics had been put on the web site in order to share them with remote IT people. It’s unclear whether the project schematics themselves were particularly sensitive, though they have since been put behind a password-protected site.

Now, if that had been all there was to this story it wouldn’t have been such a big deal. But what about the patient data for those 140 individuals? Elisa didn’t provide a URL on the Kaiser site where that information had been posted. She only posted the URL to where the schematics were located. So as far as can be determined from the information in the Computerworld article, Elisa doesn’t seem to have produced any forensic evidence that Kaiser accidentally exposed the information on their public web site.

What is known to have happened is that Elisa posted the real patient information on her web log. So it’s clear that she had possession of the patient information, but it’s not at all clear that she obtained that information from the Kaiser public web site. Kaiser got the web log ISP to remove the information and had to do so at least twice because Elisa reposted the information. She claims that she had intended to remove the information once the Office of Civil Rights had investigated. Of course, she could have supplied the information directly to the consumers, and she could have refrained from posting patient medical records to her public web log.

The Kaiser spokesman said that Kaiser has notified the affected patients and is continuing to investigate how Elisa came into possession of the data.

Now, read the headline again:
Kaiser Permanente patient data exposed online

Ask yourself, does this headline accurately reflect the story? I don’t think so. The only evidence of an exposure is for the IT system schematics and it’s not at all clear that these are particularly sensitive, especially from a HIPAA point of view. Perhaps a more accurate headline should have been:

Former Kaiser Employee Posts Kaiser Patient Data To Weblog

There is no dispute about the fact that Elisa did this. But there is no evidence (at least none mentioned in the article) that Elisa obtained this information through an accidental disclosure on the Kaiser web site.

My point is not to disparage Linda Rosencrance or Computerworld for a misleading headline. My point is that Elisa had access to patient data somehow. Maybe she got it from the Kaiser public website as she claims. Maybe she somehow got access to the data while she was still employed. Maybe she received it from an insider who still works for Kaiser. The fact of the matter is that it doesn’t matter to Kaiser how Elisa obtained the patient data. It’s still a publicity nightmare.

The question is, how can this be prevented? This is the heart of good data stewardship and good data governance. As far as I can see, there’s no way to prevent this except to treat the operating environment of the business inside the firewall as an untrusted environment. Every time sensitive information is seen by eyeballs, every time it’s written to any media as clear text, there’s a potential for this kind of incident, which I expect is keeping a lot of CSO-types awake at night.

The (De)Construction of Social Security Numbers

Sunday, November 14th, 2004

The current issue of Mental Floss ( has an interesting story about the origin of Social Security numbers and what the different parts of the number mean.

According to Mental Floss, the first three digits are assigned based on the zip code where you applied for the number. The second two digits are group numbers and are not assigned sequentially, but rather according to a rather complicated sequencing scheme which goes something like: a) odd numbers between 01 and 01, b) even numbers from 10 to 98, c) even numbers from 02 through 08, and d) odd numbers from 11 through 99. The last four digits are simple sequence numbers.
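The three-part structure described above is exactly what a data-loss-prevention filter can exploit: a token that merely looks like an SSN (three digits, two digits, four digits) may be a phone fragment or an order id, while one whose parts pass the structural rules is far more likely to be the real thing. The following is an added example, not code from the Mental Floss article or from this blog. It splits a candidate into area, group and serial, ranks the group number in the issuance sequence, and rejects values the SSA never issued. The group-number sequence it encodes is the one the SSA documented for the pre-randomization scheme (odd 01 to 09, even 10 to 98, even 02 to 08, odd 11 to 99); the never-issued ranges (area 000, 666 and 900 to 999, group 00, serial 0000) are likewise SSA rules rather than anything stated on this page. The sample text scanned at the bottom is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Group-number issuance order as documented by the SSA for the pre-2011
# scheme: odd 01-09, then even 10-98, then even 02-08, then odd 11-99.
GROUP_ORDER: List[int] = (
    list(range(1, 10, 2))      # 01, 03, 05, 07, 09
    + list(range(10, 99, 2))   # 10, 12, ..., 98
    + list(range(2, 9, 2))     # 02, 04, 06, 08
    + list(range(11, 100, 2))  # 11, 13, ..., 99
)
assert len(GROUP_ORDER) == 99  # every group 01..99 appears exactly once


@dataclass(frozen=True)
class SSN:
    """The three fields of a Social Security number."""
    area: int    # first three digits
    group: int   # middle two digits
    serial: int  # last four digits

    @property
    def group_rank(self) -> int:
        """1-based position of the group number in the SSA issuance sequence."""
        return GROUP_ORDER.index(self.group) + 1


# Accepts the dashed form 123-45-6789 and the bare nine-digit form.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def parse_ssn(text: str) -> Optional[SSN]:
    """Split a candidate string into its fields, or return None if it is not SSN-shaped."""
    m = SSN_RE.match(text.strip())
    if not m:
        return None
    return SSN(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_structurally_valid(ssn: SSN) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    if ssn.area == 0 or ssn.area == 666 or ssn.area >= 900:
        return False
    if ssn.group == 0 or ssn.serial == 0:
        return False
    return True


def find_candidate_ssns(text: str) -> List[str]:
    """Scan free text (a log line, an outbound e-mail body) for SSN-shaped tokens
    and keep only those that pass the structural checks. This is a cheap first
    filter for a DLP rule: it drops phone fragments and order ids that happen to
    match the digit pattern without being plausible SSNs."""
    hits: List[str] = []
    for m in re.finditer(r"\b\d{3}-\d{2}-\d{4}\b", text):
        ssn = parse_ssn(m.group(0))
        if ssn is not None and is_structurally_valid(ssn):
            hits.append(m.group(0))
    return hits


# Constructed sample: one plausible SSN among four pattern matches that
# the structural rules should discard.
SAMPLE_TEXT = (
    "ticket 123-45-6789 opened; callback 000-12-3456; "
    "ref 666-01-0001; batch 987-65-4321; lot 555-00-1234"
)

if __name__ == "__main__":
    for token in find_candidate_ssns(SAMPLE_TEXT):
        ssn = parse_ssn(token)
        print(token, "area", ssn.area, "group", ssn.group,
              "issued as group #", ssn.group_rank, "serial", ssn.serial)
```

One caveat for anyone reusing this: the SSA moved to randomized assignment in June 2011, so the area and group fields of numbers issued since then carry no geographic or ordering meaning. The never-issued ranges still hold, which is why the structural filter remains useful even though the group rank is only meaningful for older numbers.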

The Mental Floss article also has an interesting story about accidental misuses of social security numbers in the early days of the system . . .
