Over on BoingBoing, Cory Doctorow is doing his best to raise awareness of data breaches in a post entitled, “Database leaks are as immortal and toxic as nuclear spills – let’s start acting like it”.
If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor. Every gram – sorry, byte – of personal information these feckless data-packrats collect on us should be as carefully accounted for as our weapons-grade radioisotopes, because once the seals have cracked, there is no going back. Once the local sandwich shop’s CCTV has been violated, once the HMRC has dumped another 25 million records, once London Underground has hiccoughed up a month’s worth of travelcard data, there will be no containing it. And what’s worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government’s personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror.
On the off chance Cory makes it over to this humble site, I’d like to propose some more creative thinking to solve the problem.
The truth is we can never completely protect the data, for many of the same reasons consumer DRM fails: it only has to leak once for it to appear everywhere. Assets in physical crime are self-limiting; there are only so many ways for a horse thief to chop up a horse. Digital assets are nearly infinitely renewable and reusable.
We need to keep defending our data, but accept that the bad guys will get some of it. Thus we need to limit the impact of those leaks. I see two options (one focused on a specific issue in the US, the other more general), and I'm sure there are more:
- Release all Social Security Numbers. Then they can no longer be used as a “secret” identifier for financial transactions. This will stop most forms of identity theft in the US, forcing bad guys to shift to more focused account-level fraud. This post explains the difference.
- Create systems for multi-factor transaction security. Fraud monitoring on credit card accounts is a basic example of this, but there's a lot more we can do. Placing a fraud alert on your credit report, so a lender has to verify with you before opening a new account, is another example. Having your bank verify major account transfers through a back channel is another. I call this "Dynamic Authorization" (part of Dynamic Trust); it leverages real-time technology to change how we perform transactions and authenticate individuals. There are so many creative and effective layers we can add here that I get pretty excited just thinking about it.
We accept that data will leak, then build security controls to minimize the damage. We've barely scratched the surface. Think of it as anti-exploitation for financial transactions: we can't eliminate the vulnerability, but we can reduce its exploitability.
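To make the two proposals concrete, here is an added example (Python, written for this page; it is not code from the original post, nor any bank's or credit bureau's implementation). The SSN is stored as an ordinary lookup key with no secrecy assumed; every transaction is risk-scored against the account's history; and a risky one is held until a one-time code, delivered over a second channel and bound to that exact amount and payee, comes back. The class and field names, the thresholds, the demo HMAC key, the placeholder SSN and the sample account are all assumptions for illustration.

```python
"""Dynamic Authorization sketch. Added example: names, thresholds, key and
sample data are assumptions, not the post's design or any bank's code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass
class Account:
    ssn: str                                    # public identifier, used only as a key
    fraud_alert: bool = False                   # "verify with me before opening anything new"
    known_payees: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    recent: list = field(default_factory=list)  # (unix_time, amount) of recent transfers


@dataclass
class Txn:
    ssn: str
    amount: float
    payee: str
    device: str
    kind: str = "transfer"                      # "transfer" or "open_account"


class DynamicAuthorizer:
    def __init__(self, secret, big_amount=1000.0, window=3600, max_velocity=3, ttl=300, tries=3):
        self.secret = secret          # bank-side HMAC key (assumed); never leaves the bank
        self.big_amount, self.window, self.max_velocity = big_amount, window, max_velocity
        self.ttl, self.tries = ttl, tries
        self.pending = {}             # nonce -> {"txn", "expiry", "tries"}

    def risk_signals(self, acct, txn, now):
        signals = []
        if txn.kind == "open_account" and acct.fraud_alert:
            signals.append("fraud_alert_on_file")
        if txn.kind == "transfer" and txn.payee not in acct.known_payees:
            signals.append("new_payee")
        if txn.device not in acct.known_devices:
            signals.append("new_device")
        if txn.amount >= self.big_amount:
            signals.append("large_amount")
        if len([a for t, a in acct.recent if now - t <= self.window]) >= self.max_velocity:
            signals.append("velocity")
        return signals

    def decide(self, acct, txn, now):
        signals = self.risk_signals(acct, txn, now)
        if "velocity" in signals and "new_device" in signals:
            return DENY, signals      # too hot to confirm by phone; make them come in
        return (STEP_UP if signals else ALLOW), signals

    def _code(self, txn, nonce, expiry):
        # HMAC over every field that matters, truncated to a 6-digit code for the phone channel
        msg = f"{txn.ssn}|{txn.amount:.2f}|{txn.payee}|{txn.kind}|{nonce}|{expiry}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue_challenge(self, txn, now):
        nonce, expiry = secrets.token_hex(8), int(now) + self.ttl
        self.pending[nonce] = {"txn": txn, "expiry": expiry, "tries": self.tries}
        return nonce, self._code(txn, nonce, expiry)   # the code goes out only via the back channel

    def confirm(self, txn, nonce, code, now):
        entry = self.pending.get(nonce)
        if entry is None or now > entry["expiry"]:
            self.pending.pop(nonce, None)
            return False
        entry["tries"] -= 1
        expected = self._code(entry["txn"], nonce, entry["expiry"])
        presented = self._code(txn, nonce, entry["expiry"])   # differs if amount/payee were altered
        ok = hmac.compare_digest(expected, presented) and hmac.compare_digest(expected, code)
        if ok or entry["tries"] <= 0:
            self.pending.pop(nonce, None)   # single use, and bounded guesses against a 6-digit code
        return ok


def demo(now=1_700_000_000):
    """Walk through the post's scenarios with constructed sample data."""
    auth = DynamicAuthorizer(secret=b"bank-side-demo-key")
    acct = Account(ssn="123-45-6789", known_payees={"landlord"}, known_devices={"home-laptop"})
    out = {}
    out["rent"] = auth.decide(acct, Txn(acct.ssn, 900.0, "landlord", "home-laptop"), now)[0]
    # Someone who only knows the (leaked) SSN tries to drain the account.
    drain = Txn(acct.ssn, 5000.0, "new-payee-42", "unknown-phone")
    out["drain"], out["drain_signals"] = auth.decide(acct, drain, now)
    nonce, code = auth.issue_challenge(drain, now)          # reaches the real customer, not the thief
    out["guess"] = auth.confirm(drain, nonce, "000000" if code != "000000" else "111111", now)
    altered = Txn(acct.ssn, 9000.0, "new-payee-42", "unknown-phone")
    out["altered"] = auth.confirm(altered, nonce, code, now)  # real code, different transaction
    out["confirmed"] = auth.confirm(drain, nonce, code, now)  # the customer really did want it
    out["replay"] = auth.confirm(drain, nonce, code, now)
    acct.fraud_alert = True
    out["open_account"] = auth.decide(acct, Txn(acct.ssn, 0.0, "", "home-laptop", "open_account"), now)
    acct.recent = [(now - 10, 50.0), (now - 20, 50.0), (now - 30, 50.0)]
    out["burst"] = auth.decide(acct, Txn(acct.ssn, 50.0, "landlord", "unknown-phone"), now)[0]
    return out


if __name__ == "__main__":
    print(demo())
```

The point to notice is that knowing the SSN buys the attacker nothing here: the identifier only selects the account, the code is computed over the amount and payee so it cannot be redirected to a different transfer, it expires, it is single-use, and a handful of wrong guesses burns it. The security has moved from the secrecy of a number to the integrity of the back channel, so in practice the channel itself (SIM-swap resistance, callbacks to a number on file rather than one supplied in the request) is where the engineering effort belongs.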
There are exceptions. Health care data is one example where the private market won't solve the problem; we'll probably need government regulation to reduce the financial value of that data (e.g., forcing insurance companies to provide coverage despite pre-existing conditions). Protecting consumer privacy, such as limiting data collection on buying habits, is another tough area. But right now the biggest problems are financial in nature, and that's one area where we can make a big dent with some creative approaches.
There will always be criminals, but we can sure make their lives harder. Simply storing data in nuclear bunkers and hoping it doesn’t leak isn’t the answer.
7 Replies to “Cory Has It Wrong, We Should Free The Data”
I live in a country (Estonia) where SSNs are effectively public (mine is 37001272722). Government used to have an interface to query anyone's SSN, or relate a SSN to a name. They closed it down after a long debate, the problem being that our SSN contains birth date and gender (a stupid design decision).
Fraud related to SSNs? None. Not because Estonians are nice and non-fraudulent, but because the SSN, with or without your address, phone, or employment data, is useless. You cannot get credit, open an account or apply for anything by simply _knowing_ something about another person. Such relationships start from physical authentication of the person, or use a government-issued smartcard, which contains an X.509 certificate saying "this private key belongs to some 37001272722, named kaur virunurm. trust it for SSL and digital signatures only."
Inefficient? Not really, it works well. Expensive for the service providers (banks etc)? Not really, they have built it into their business models, systems and services from day one. Secure? Reasonably. At least identity theft in the modern western sense is non-existent.
Releasing SSNs may be new and scary to the U.S., but it actually _works_ in some more remote parts of the world.
I have to correct you about the “one of the only nations” part. It is nicely worded because “one of” means nothing really.
In South Africa we have ID (Identity) numbers which are probably about as secret as SSNs. They are used by everyone to verify details and are usually secret but not very.
In Australia identity is verified by Name and Address.
I know a lot of people around the world but I don't know of any single country where you prove your identity with authentication. We do have ID books but even they are starting to become useless due to counterfeiting and corruption.
Having said that, I don't know of any organisation (bank, chain store) in South Africa that offers credit cards without you physically going into a branch.
>> …we're one of the only nations in the world that bases our entire consumer financial system off a secret number that isn't secret. <<
And yet we aren't the only country that suffers from identity theft!
Rich,
You left out a critical piece. I'm up for pulling our heads out of our^H^H^Hthe sand and no longer using SSNs as financial passwords, but first we need to refit all the systems that depend on them. If we got your wish tomorrow, *everybody* would lose money to fraud before all the various pieces which depend on semi-fake security (SSN privacy) were fixed.
With a 5-year warning, and the acceptance that some systems would still be broken in 6 years, and some fraud would occur, okay…
SSN as the magic key to credit is a concept that seems weird to us coming from other countries. And it’s a pretty recent phenomenon.
I recall in 1992 when I arrived in Boulder on what turned into an extended business trip. It made sense from a bookkeeping perspective for me to get credit cards issued by US Banks. There was little trouble accomplishing this, as they could then get credit history from other countries (Canada, in my case) without an SSN or anything like it.
Six years later, long after I'd gotten a green card, SSN and moved here, I needed a mortgage to buy my condo. At that point, despite having been here for 6 years I had *no* credit history as far as the bank was concerned, despite the fact that I was carrying a credit card they had issued to me 6 years before.
Pondering this for a while, I realized the problem. Phoned Amex, the credit card service number for the bank, and read them my SSN over the phone to be associated with my existing accounts.
Walked back into the bank the next day and was instantly preapproved for my mortgage.
They use SSNs because they are easy. And more-or-less effective as a key to your past. Any alternative would need to be equally easy and it'd be hard to accomplish that without imparting some degree of magic to the method that would probably be subject to its own insecurities.
Pain is weakness leaving the body.
I realize it's no small effort, but we're one of the only nations in the world that bases our entire consumer financial system off a secret number that isn't secret.
Banks used to issue credit based on relationships developed over time. Today it's all about instant credit. We have enough other kinds of information that we should be able to shift off a single public key into something with multiple factors.
The applications don't even really need to change: we can keep using the SSN as a key, we just don't need to secure it as much.
While in principle, I agree with releasing SSNs, one cannot do that until a second system or authentication is created, which is about as likely to happen as me waking up with a mustache like Tom Selleck.
How do I prove I am me? Not an easy question. I bet I could "prove" I am Richard Mogull. I bet you could prove to be me. Identity theft isn't just about stealing money, it is about stealing identity. I can open up accounts in your name, turn on utilities, get a job, write bad checks, etc. All of the "creative approaches" rely on having some provable identity to validate intent of, say, an account being opened. But I've stolen your identity. I'm you. They call me instead of you. Why not? How do they know which of us is which? Where is the master register of souls?
Also, redesigning all of the legacy applications to use something different would be a Y2K type effort. And what would that something be?