Nov 20 2008

Obama’s Cell phone records breached by Verizon employee - Privacy 2.0 to the rescue

CNN reports in a recent story that records from a cell phone used by President-elect Obama were improperly breached, apparently by employees of the cell phone company Verizon. Spokesman Robert Gibbs said the team was notified Wednesday by Verizon Wireless that it appears an employee improperly went through billing records for the phone.

This incident brings up an important debate that's been brewing for years among privacy experts. As private companies and government institutions spend enormous amounts of money protecting their internal data from external threats, an important and integral component of securing private data is often overlooked.

As companies build up their customer databases and fill them with loads of private data and personally identifying information, they often neglect to tighten security controls around the access levels they provide their employees. Too often, employees end up having access to more information than is necessary for them to perform their work. This increases the risk of “inside jobs” for identity theft and privacy breaches. Many companies don't even have the capability to figure out what data a specific employee pulled from the database (a feature known as an audit trail).

The government has seen this problem and is trying to do what government does: write into law that companies are to be held liable when their own employees are responsible for data breaches. A recent example of such a law is SB 541 in California, which, among other things, incorporates an important change that defines “unlawful” access as not just data taken illegally by outside sources, but now also the misuse of patient data by those who have legal, but unpermitted, access to the information through their jobs.

Though improving security controls around employee access is an important part of cutting down on privacy breaches, I don't think it can ever eliminate the problem altogether. As long as the opportunity is there, and the underlying data hold significant enough value, there will always be situations where employees will attempt to access unauthorized data and be able to compromise private information.

What I’ve been advocating with Privacy 2.0 is that the industry start looking at a completely different model of storing private and sensitive information. Most of the private information that companies have on their customers is completely unnecessary, and only serves as a target for identity thieves. Why does Verizon need to know their customer’s Social Security number? Are they going to be issuing their customers Social Security checks, or accepting their tax returns? The answer, of course, is no.

Privacy 2.0 advocates that companies stop storing and using personal information in order to verify identity. This movement is in its infancy, but this blog is its central hub. The technology already exists today; what's missing is the shift in focus from spending resources on securing the data that's being collected to simply no longer collecting various private information, especially information that is being collected solely for the purpose of verifying identity.

By cutting down on the amount of private data being collected, securing the data that IS being collected becomes a much easier task. In order to verify identity, companies can put in their customers' hands technologies such as OpenID or RSA SecurID. These companies act as “external authenticators”, a means to verify that a person is who he or she says they are. Companies can simply tap into those services, and whenever a need arises to verify the customer's identity, it's performed not by asking them for their mother’s maiden name or the last four digits of their social, but by using an external service that focuses on verifying identity.

Nov 20 2008

Maginot Lines - Do we need a new approach in securing our secrets

 

In a recent post in Wired magazine, John Arquilla, professor of defense analysis at the U.S. Naval Postgraduate School, gives his view on how Obama, Mr. President-Elect, might make a difference in securing information. The idea is that the traditional ways of safeguarding information from unauthorized access no longer work. These protective measures typically consist of firewalls, anti-virus solutions, intrusion detection, etc. A bit like how the French Minister of Defense tried to fend off the Germans during WW I with artillery, machine gun posts, tank obstacles, etc. While that did not quite work for the French back then, today a similar approach in cyber security is quite ineffective too, since a determined individual always seems to find a way around those security measures. So what other option do we have? Well, according to Mr. Arquilla, we could consider dropping our defense lines and instead start using strong encryption all the time. This way we also open the door to storing more and more of our information in the ‘cloud’ of cyberspace. Mr. Arquilla is not the first one to highlight this option and he won’t be the last. The fact is that a lot of hurdles need to be cleared before we can actually get rid of our current Maginot lines: hurdles such as technology and regulation in general, and privacy in particular. Our new president will have a lot on his plate.

Nov 17 2008

Helpful Security Tips for Your E-mail

There are many things you can do to protect your e-mail beyond having a strong password and a good anti-spam service. The people at techrepublic.com have come up with a list of 5 measures you can take to make your e-mail experience a bit more comfortable.
Many times it is not the bad guy who breaks his way in. Sometimes it is a simple mistake, like replying to the whole mailing list instead of the one desired recipient, that trumps even the strongest security measures. We have to remember that no matter how enhanced our software is and no matter how complex our encryption is, in the end it is us, the end-users, who control the information we send out to the world.

Nov 12 2008

Google tells the CDC if you’ve got a cold

We’ve known for quite some time that Google retains your search data and IP address for up to 18 months. Here is the latest example of how that data can be manipulated.

Google’s new public health initiative, Google Flu Trends, looks at the relative popularity of a slew of flu-related search terms to determine where in the U.S. flu outbreaks may be occurring.
“What’s exciting about Flu Trends is that it lets anybody — epidemiologists, health officials, moms with sick children — learn about the current flu activity level in their own state based on data that’s coming in this week,” said Jeremy Ginsberg, the lead engineer who developed the site.
The tool, which launched Tuesday, operates on the idea that there’s likely to be a flu outbreak in states where flu-related search terms are currently popular.
The Centers for Disease Control and Prevention collaborated with Google on the project, helping validate and refine the model, and has provided flu tracking data over a five-year period, said Dr. Joseph Bresee, chief of the epidemiology and prevention branch in the CDC’s influenza division.

What seems quite the novel idea is, to me, yet another example of Google taking advantage of the search data they collect in their databases to improve their moneymakers, AdSense and AdWords. This collaboration is mutually beneficial in the sense that, with the CDC’s help, Google can now fine-tune their ad model to truly understand whether a search for a flu term is by someone who's in a flu zone and therefore more likely to be in need of flu-related products, which of course will be prominently displayed alongside your search results. And of course, with this CDC collaboration, the search results will be more accurate, therefore those keywords will come at a higher premium.

Don't be fooled by the .org domain: Google is in this for the money, and they are using your private data to make their business more efficient.

Nov 10 2008

How Google compromises your privacy

Consumer Watchdog Exposes Google Privacy Problems & Calls for Attorneys General Investigation


Earlier this month Consumer Watchdog wrote the Justice Department to block Google’s proposed advertising alliance with Yahoo based on these privacy concerns; an announcement about the deal is expected later this week. The letter notes that the introduction of Google’s new browser, Chrome, without new privacy protections, poses an unprecedented threat to consumers. Here is a link to the press release, and below is a video demonstrating the flaws in Chrome:
