Helping your customers help themselves

Watch this video: http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html

Now consider: how can a company help a customer protect themselves against this kind of attack? Even given the inherent weaknesses of credit cards, consider this option:

The video says that hackers monetize compromised computers by installing keyloggers. The hackers then search through the logged keystrokes looking for credit card numbers. “But we can’t do anything if the customer’s computer is compromised!” B.S.

What’s the solution? Don’t have your customer enter all the digits of the credit card via their keyboard. Display an on-screen keypad for entry of the last four digits. This thwarts the card thieves who rely on keystroke logs and demonstrates to your customers that you are attempting to protect them even on potentially compromised systems. Simple, easy, effective.

KnowledgeNet

The KnowledgeNet speech in Boca Raton went really well. I got some great positive feedback. In fact, it was suggested that I propose to give the speech (or a similar one) at one of the IAPP’s national conferences. In addition, my preparation for the speech spurred my interest in several areas which I hope to explore, both within this blog and outside of it.

First, in trying to develop a simple PbD (Privacy by Design) example, I ran into the issue of protecting email addresses while still supplying the system with contact information. Some people use one-time email services (like Mailinator). However, these have several potential drawbacks, the primary one being that the email service can read your email, and secondly, for some, you can only receive email once. I’m going to return to this subject when I have some time to do more investigation. I know there are other services out there that might fit the bill; I just need to find an innovative solution to this problem.

Another issue that I found is that privacy professionals really need to be versed in cryptography. They don’t need to actually know how the cryptography works; they just need to know about the capabilities so they can demand those of their product development teams. Things like zero-knowledge proofs, homomorphic encryption, hashing. I’m going to try to write an e-book about this, but I think I’ll first write each chapter (each on a different technology) as a blog post.

Still another issue that raised its head is the concept of provable audit-ability. Most auditors just have to take the IT professional’s word that certain information/systems are secure. Take for example a developer who makes a backup of production data on an orphan server. Nobody knows about it except the developer. Nobody audits the access controls on that box because they don’t even know about it. How is an audit supposed to find it? The concept of provable audit-ability goes to proving with mathematical certainty that nobody has tampered with or accessed data without authorization. It’s doable, if organizations are willing to consider privacy by design rather than privacy by accident. Currently auditors say “we think we’re secure,” but they really don’t know, and they can’t know until a breach occurs and it’s too late.

Giving this speech has put a lot on my mind and there are many more blog posts to make in the coming weeks.  Let’s hope I can find time to put the pen to paper, so to speak.

Social Security Number redux

This article describes the continuing problem of banks using social security numbers as identifiers and partial passwords. It seems the FTC has previously identified the problem of SSNs being utilized as authentication tokens and has even gone so far as to propose legislation to reduce the over-reliance on them in industry. I would like to point out that my simple solution doesn’t require any legislation: simply publish SSNs on the internet as a ubiquitous identifier, thereby reducing their value to identity thieves and as authentication tokens.

IAPP KnowledgeNet

I’ll be speaking at the Miami KnowledgeNet event on July 14th.  The event will be held from noon to 1:30pm at

LexisNexis Risk Solutions
5000 T-Rex Avenue
Suite 300
Boca Raton, FL 33487

I’ll be talking about Privacy by Design: its history, justification, principles and ideas for implementation. If you’re interested in attending, go to the IAPP KnowledgeNet site.

Social Security Numbers — Password or Identifier?

Social Security Numbers have the unenviable position of being both identifiers and passwords. They are designed to uniquely identify individuals (in the US), yet are supposed to be secret enough that companies attempt to rely on them as passwords, keys to that person’s account. However, unlike passwords in online systems, which are (if proper protection is taken) transmitted and stored as hashes to prevent eavesdroppers or hackers from learning the password, SSNs are most often transmitted and stored in plain text. The SSN is usually given to an employee of the company who must be trusted not to reveal it or use it for disallowed purposes. When one considers that this password is shared amongst many companies, the vulnerability is clear.

Social security numbers should really only be used as unique identifiers, and then only to correlate accounts and tie an account to a specific individual.  However, at no time should the SSN be used to identify a physical person as the person behind the social security number.  Just because someone knows an SSN does not mean that they should be authorized as the owner of that SSN. 

To push this notion through society, I would like to propose a law that would force companies to stop relying on SSNs as proof of identity. How do we do this? Not by making sanctions and imposing regulations on companies for misuse, but simply by publishing Social Security Numbers and the names of the corresponding owners. The simple feat of making this information widely accessible, and known to be widely accessible, would quickly force companies relying on the false security of the SSN to re-engineer their processes so they no longer rely on that false notion.

Drivers Licenses vs Driverless Cars

The recent revelation that Google is applying to allow driverless cars on the road in Nevada, combined with the stink over E-Verify (the backdoor National ID attempt) and its collection of driver’s license data à la REAL ID, got me thinking. What happens to the identity infrastructure in this country if drivers, and necessarily driver’s licenses, go by the wayside? It has always been a pet peeve of mine that driver’s licenses have become the de facto identification in our society, because so many people have them and must have them to drive. It’s a classic case of mission creep: driver’s licenses were once issued solely to show that the bearer had a license to drive (i.e. met the minimum standards), but are now used in all sorts of scenarios to verify identity. In the future, it seems, people might not need this ubiquitous item. It’s quite possible that most people may just transition to state-issued ID cards, but it is interesting to pontificate on the alternative.

What is PII?

There has been a lot of discussion on privacy lists recently about whether IP addresses, email addresses, etc. are PII (personally identifiable information). Clearly, with regard to a specific law, you’d have to reference that law (or the corresponding case law) to make a determination. In general, though, I’d like to suggest a way of thinking about information in making this determination. Much of the discussion has revolved around whether the information, by itself or in conjunction with other information, can “identify” an individual. Does john.smith@gmail.com identify John Smith, and if so, which one? What about butterfish90210@gmail.com? Does a dynamic IP address identify an individual, or only when combined with the logs of the ISP?

The approach I suggest looks at information in terms of its relationships to individual persons. Borrowing from the relational database world, information can be related One-to-One, One-to-Many or Many-to-Many.
Some examples would be:
1. SSNs generally exhibit a One-to-One relationship: each person has one and only one SSN.
2. Physical addresses generally exhibit a One-to-Many relationship: several people could live at a particular address, but most people only have one residential address.
3. First names generally exhibit a Many-to-Many relationship: at any given time there are millions of people named John, and most people have many names (surname, given name, nickname, etc.).
Hopefully you’ll see that almost anything COULD exhibit a Many-to-Many relationship. Just as we change IP addresses, we change physical addresses, and some people have multiple residences. Even SSNs, though most people will only ever have one, are used and reused by identity thieves.
A recent California court case, Pineda v. Williams-Sonoma, considered whether zip codes were PII. Clearly, the relationship is Many-to-Many, as many people reside in a single zip code and people move and change zip codes several times throughout their lives. It’s clear from the alleged facts of the case that Williams-Sonoma used the zip code procured from Pineda in combination with additional information to identify her and her address, and used that to contact her to solicit additional sales. While in and of itself the zip code did not uniquely identify her, that information was useful in identifying her. Without it, they may not have been able to track her down.
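To make the relationship framing concrete, here is an added example (not code from the original post) that classifies an attribute as One-to-One, One-to-Many or Many-to-Many from a set of person records, and then checks how far an attribute narrows the set of candidate persons once it is combined with others, which is the zip code point from the Pineda case. The records are constructed: "S1".."S4" stand in for SSNs, "A1".."A3" for street addresses, and a person with aliases or who moved between zip codes carries an array of values. The function names are assumptions.

```javascript
// Added example (not from the original post): relationship classification of
// an attribute to persons, and candidate narrowing when attributes combine.

// Constructed records. A multi-valued attribute is given as an array.
const RECORDS = [
  { id: 1, ssn: 'S1', address: 'A1', zip: '90210',            first: ['Ana'] },
  { id: 2, ssn: 'S2', address: 'A1', zip: '90210',            first: ['Luis', 'Lu'] },
  { id: 3, ssn: 'S3', address: 'A2', zip: '90210',            first: ['Maria'] },
  { id: 4, ssn: 'S4', address: 'A3', zip: ['33487', '33431'], first: ['Ana'] },
];

// Normalize single and multi-valued attributes to an array of values.
function valuesOf(record, attr) {
  const v = record[attr];
  return Array.isArray(v) ? v : [v];
}

// Classify attr by the largest number of persons sharing one value and the
// largest number of values one person carries. 1 and 1 is One-to-One; more
// than one on exactly one side is One-to-Many (in either direction); more
// than one on both sides is Many-to-Many.
function relationship(records, attr) {
  const personsPerValue = new Map();
  let maxValuesPerPerson = 0;
  for (const r of records) {
    const vals = valuesOf(r, attr);
    maxValuesPerPerson = Math.max(maxValuesPerPerson, vals.length);
    for (const v of vals) {
      if (!personsPerValue.has(v)) personsPerValue.set(v, new Set());
      personsPerValue.get(v).add(r.id);
    }
  }
  const maxPersonsPerValue = Math.max(...[...personsPerValue.values()].map(s => s.size));
  const manyPersons = maxPersonsPerValue > 1;
  const manyValues = maxValuesPerPerson > 1;
  if (manyPersons && manyValues) return 'Many-to-Many';
  if (manyPersons || manyValues) return 'One-to-Many';
  return 'One-to-One';
}

// Given what an observer knows (e.g. a zip code taken at the register), return
// the ids of every record consistent with it. A result of length 1 means the
// combination re-identifies a person even though no single attribute did.
function candidates(records, known) {
  return records
    .filter(r => Object.entries(known).every(([attr, v]) => valuesOf(r, attr).includes(v)))
    .map(r => r.id);
}
```

On these records the zip code alone is Many-to-Many and leaves three candidates for 90210, but zip code plus first name leaves one; that narrowing, rather than uniqueness in isolation, is what makes an attribute worth treating as PII.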

Other questions arise about whether car VINs, license plates, etc. are Personally Identifiable Information. I would have to argue absolutely. While in isolation the numbers don’t point to a particular individual, they do relate to individuals in various ways, as owners, drivers, passengers, etc. at particular times.

In our information-driven world, we must recognize that any descriptive information, when combined with what it’s describing, is PII and should be treated as such. “Blue” is not PII, but “blue car” in context could very well describe (again) owners, passengers, sellers, drivers, etc.

Security is not Privacy

I read this blog post last week titled “Privacy is not Security” and it got me thinking about the relationship between the two fields. As the author states, “Privacy is a whole lot more than security.” I would like to clarify that statement by saying that security is a necessary but not sufficient component of privacy. Again, security is required if you are to have privacy, but it is insufficient to guarantee privacy. Really, what’s required is a different mindset.

Toll roads have recently come up twice in my reading: first, in researching Privacy by Design I came across a description of how to travel anonymously on Canada’s 407, and secondly, in a recent article about a lawsuit commenced when the local toll roads in Florida started asking for all this invasive information to combat counterfeiting of cash, in addition to the existing privacy-invasive electronic toll system.

The Florida toll system may (and I stress may) have all manner of security precautions on who has access to the data, how it’s stored, when to destroy it, etc., but the fact remains they have a culture that is inherently privacy invasive. They haven’t even considered how to design their system in a way that is innately protective of privacy.

IAPP KnowledgeNet Miami

I’ll be attending the IAPP KnowledgeNet in Miami next Tuesday.  This KnowledgeNet event will focus on a few topics:

Key points from the FTC Privacy Report issued in December 2010
Understanding the changes in the PCI DSS v2.0
Best practices when performing a privacy assessment
Incorporating MA 201 CMR provisions into your third party due diligence process

I’m really interested to learn the best practices for privacy assessments, since that’s probably most pertinent to me at the moment. It’ll also be nice to get my first continuing education credits towards my CIPP. The good and the bad thing about being a Certified Information Privacy Professional is that they require you to keep abreast of changes in the law to keep the certification active. It’s good because potential employers know that your knowledge is not stale. The flip side of the coin, for an independent privacy professional such as myself, is the expense involved.

I’ll certainly report back any interesting items I learn.