title

Process as a Problem

By Scott Bradner

I ran into Federal Trade Commission (FTV) commissioner Mozelle Thompson at a conference the other day. After he politely admonished me for something I had said during a panel session a bit earlier we got to talking about Internet privacy, which had been one of the panel topics. He pointed out that process problems were likely to be a bigger threat to Internet privacy than bad technology or invasive policies. This message also comes through in a new review of the official review of the FBI's Carnivore wiretapping system.

It does not matter how privacy protective a web site's privacy policy is if they have bad back room procedures. CD Universe, which managed to give out a few hundred thousand credit card numbers to some hacker due to poor system security is a perfect example. Their public privacy statement was rendered irrelevant by bad system management.

The FBI got a formal independent review done of their Carnivore "lawful intercept" system by the IIT Research Institute. Steve Bellovin, Matt Blaze, Dave Farber, Peter Neumann and Eugene Spafford have just published a review of the review. (http://www.interesting-people.org/200012/0007.html) In addition to a number of specific technical issues they found with the review or Carnivore itself, they specifically complained of an "inadequate discussion of audit and logging." They went on to say "we were disappointed that more attention was not paid to operational and "systems" issues. It is simply not possible to draw meaningful conclusions about isolated pieces of software without also considering the computing, networking, and user environment under which they are running."

More and more personal data is being put on-line. This includes increasing sensitive data, including health care and corporate personnel information. This joins the ever more complete history of your buying habits and a running log of your exact location. This data is being exchanged between organizations. This exchange is sometimes just what you want (letting the emergency room you were just admitted to know your medical allergies) and sometimes not (letting every vendor of frilly undergarments that you once bought a frilly undergarment for someone.)

But when data is moved it does not take with it a way to ensure that the new holder of the data is willing to abide by the rules under which the data was collected or even if they are, that their internal processes are up to the task.

In the future, the companies that know how to properly handle data, and that includes maintaining accurate and complete logs of who has access to the data, are the companies that consumers will trust and will be successful. Unfortunately, there is little way that an individual consumer can know who is doing this right except to find out the hard way that someone is not. Maybe government regulations requiring regular process audits of companies handling data is in order but unless there are significant consequences for sloppiness I doubt much will happen to protect my on-line data. Not a good holiday message but something to think about as you make all those on-line purchases.

disclaimer: I can not even take a guess at how many times Harvard had tried to get its internal data handling procedures correct but the above observation is mine alone.