Fingertips

From today's Austin American Statesman, this article discusses the fraud deterrent effect of fingerprinting applicants for food stamps, and if it is worth the delay it may be causing in processing (Department of Agriculture says it isn't).
There are lessons to be learned at Texas HHSC.
Starting here:

The electronic fingerprinting program costs $3 million a year: $1.6 million for a contract with Cogent Systems for the imaging and $1.4 million for state workers' time. The state and federal governments split the cost.

Last year, the fingerprint program led to the state investigating just four applicants for fraud.

But state officials say it's impossible to know how many people are deterred from applying multiple times because of the fingerprinting.

But later in the article:

The state estimates that the deterrent effect of fingerprinting saves $6 million to $11 million a year.

I imagine the latter figure could have been pulled from cost justification of the project, or from the vendor's response to the RFP, or even the LBB when the law was passed. (Does the cost include the initial implementation of the system?) But measuring the actual decrease in applicant fraud is a solvable problem. To say that there is "no way of knowing" the deterrent effect is not defensible. If they never measured a baseline of applicant fraud to begin with, how would they have known how much to spend on an anti-fraud measure? If they don't try to measure the change post implementation, how do they know it's working?

On the other, more cynical, hand, why should they care? They are in compliance with the state law, and the system was implemented. The only people who suffer are the citizens who need help to buy food. Folks who may not be able to take off from their minimum wage job, or don't have the transportation, to go be fingerprinted. Measuring the dignity of your customers is harder than measuring your fraud deterrence cost.

You tell 'em Stevie.

Releative Position and Privacy

Ed Felton recently wrote two posts on the failure of the marketability of privacy, and how corporations and consumers should respond. According to Felton:

There’s an obvious market failure here. If we postulate that at least some customers want to use web services that come with strong privacy commitments (and are willing to pay the appropriate premium for them), it’s hard to see how the market can provide what they want.

In the follow-up, Felton describes a standard contract and a sort of privacy escrow protocol to protect individuals against the desperate actions of a cratering start-up.

The more I read and think about privacy, the theory that an individual's privacy has a value that can be exchanged on the market becomes less and less compelling. Frank Pasquale wrote at Concurring Opinions that in the market model, you trade your privacy for efficiency and convenience, using Gmail as an example:

[C]onsider the type of suspicions that might result if you were applying to a new job and said "By the way, in addition to requiring 2 weeks of vacation a year, I need to keep my email confidential." The bargaining model is utterly inapt there. . . . just as it would have been for women to "bargain" for nondiscrimination policies, or mineworkers to bargain, one by one, for safety equipment.

He concludes that people who trade their privacy will outcompete those who do not, and that
"[a] collective commitment to privacy may be far more valuable than a private, transactional approach that all but guarantees a 'race to the bottom.' " The paper he cites on cost benefit analysis and relative position was interesting (to me at least) when read in terms of privacy. From the abstract:

When a regulation requires all workers to purchase additional safety, each worker gives up the same amount of other goods, so no worker experiences a decline in relative living standards. The upshot is that an individual will value an across-the-board increase in safety much more highly than an increase in safety that he alone purchases.

"Privacy" can be substituted for "safety." Can "security" also be considered in this context? Is it already?

Confusion In My Eyes That Says It All

I figured I'd wait until after my paternity leave was over before I started thinking seriously about words like "control" and "compliance," but I felt the need to say something after reading Bejtlich's post "Controls are Not the Solution to Our Problem."

He illustrates through citing an example of a control, and identifying ways that it fails to achieve total effectiveness. The control may not work and could be superfluous. His alternate approach is a system of assessments, tests and monitoring coupled with a rigorous set of metrics.

If someone describes an asset as "secure," "safe" or "reliable," my job as an auditor is to ask the question "How do you know?" The answer is a control. Bejtlich's "field-assessed" approach is another set of controls, mostly detective rather than preventative. What happens when his approach is codified into a government procedure or a vendor contract? A security practitioner with a preventative approach could grouse about how these pen tests and honeynets don't address the security needs in his shop (due to scale of operations or type and level of risk).

Tossing out controls is also just not an option. Effective or not, compliance keeps you out of jail. I don't always feel that on some roads a 55 mph limit is a necessary control to prevent accidents, but that will mean I am not breaking the law when I speed.

I'm not as big a proponent of metrics as a control solution, but I'll leave that to another post.

Compliance for Road and Track

My Alfa, a 72 GTV coupe, like all GTVs of its approximate vintage, has a recessed panel in the headliner over the back seats. It has proven to be a mystery to passengers in the car, looking like the cruelest joke of a sun roof for the rear passengers who are otherwise treated poorly by the car's design. So cruel, in fact, that a sticker was placed on the rear windows by Alfa. When viewed from the outside, it read:

ALFA ROMEO "2000" GT VELOCE
GROUP 2 TOURING CHAMPION 1971
EUROPEAN MANUFACTURES SERIES

This side of the sticker explains in part the pseudo-sun roof. The GTV raced in the sedan class. To comply with sedan class regulation, there had to be a specific number of inches of headroom for the two passengers in the back seat. Hence the "cheat" of recessing a spot in the headliner, because the seats were as low as they could go. So you can race, and sometimes beat, Minis, BMW 2002s and Datsun 510s.

From the inside, the other story of compliance was visible. From a knees-to-chin head-ducked position, the contorted rear seat passenger could read the obverse:

REAR SEATS ARE NOT DESIGNATED
TO BE OCCUPIED BY PASSENGERS
WHILE VEHICLE IS IN MOTION

The other set of regulations the GTV had to comply with were written by the US Department of Transportation, that defined of sports cars and sedans. Being classified by the DOT as a two-seater would require less modification of Alfa's aging (yet still stylish) design - less in the way of bumper protection for the would be passengers. Actually taking the seats out and putting in a package shelf (a la 911) would make it race in an uncompetitive class. Hence the sticker forbidding rear seat passenger, which attempts to serve both masters. (I'm guessing the seat belts back there are for securing cases of Chianti and bundles of pastrami.)

The different approaches in compliance reflect the different levels of enforcement. Perhaps Alfa felt it could convince the DOT that, really, who would ever be so silly as to sit back there? This is a sporting coupe, not a sedan. However, Alfa knew that the sanctioning bodies for the racing series they participated in would be out there with tape measures and calipers before every single race for tech inspection. Alfa's compliance would be challenged by every other team on the track.

I don't believe it would be too far off the mark to say that an implementation of a control, especially a compliance control that may not have a palpable financial return, will be as effective as the perceived enforcement.

(Read the story of the 2.5 liter Trans-Am at 1971 Laguna Seca for more sad stories of compliance. The Datsun version, the Alfa version. "Oversize fuel lines" vs "expanding gas tanks." )

(sticker image courtesy Papajam at the AlfaBB)

Half Baked

What follows are annoying thoughts that have been ground to meaningless gravel in my head for the past month or so. As soon as I think them through, and dismiss them, my brain belches them back up. Committing them to the ether seems the only way to purge them, but I've been wrong before:

Proximity and Privacy: Privacy breaches due to negligence occur when there is a distant relationship between the identity custodian and the individual. Malicious breaches occur when there is a close relationship between the two. (Half baked corollary: Web applications proxy a close relationship with distant actors.)

Metrics Will Be Juked: The compiling of stats is the prelude to the inevitable juking of stats. Observing, recording and reporting the data underlying a performance metric corrodes its value. The reason data that is difficult to access and compile is compelling is because it is difficult to access and compile. Once people realize that their behavior, or the results of their behavior are being observed and measured, their behavior will change, not necessarily to impact the desired results, but to change the metric. This change will be multiplied if the measure is tied to compensation or perceived to be tied to compensation.

Lone Gunmen Theory of Privacy Risk: Measuring a corporation's loss due of breach of privacy is futile and meaningless. This loss is not related to the harm to individuals whose privacy was violated. It makes no difference if the data is lost, stolen, or sold, or if it occurred within or without the bounds of the law. I don't see any equation that will match corporate postage, legal fees, data broker accounts receivables, or public relations consulting with personal financial trials, embarrassment, loss of employment, prohibition of travel, or physical detention. Privacy risk is borne by individuals, not corporations. Which is why I was a bit distressed when I read this:

If you are not suffering any damage due to these breaches, then why are you even trying to deter, detect, and respond to them in the first place?

In privacy, it's always the other guy that suffers the real damage.


Now I can concentrate on the important things: sorting out my emotions regarding the preemption of TV coverage of the German GP by live broadcast of Lady Bird's burial and Laguna Seca.

The Easy No

From Concurring Opinions, this commentary on a recent New York Times article on Hypercompliance on the HIPAA front. Health care folks have been intimidated into denying access to PHI to people who have legitimate inquiries and a legal right to it.

This type of behavior is born out of fear and poor understanding of rules filtered through complicated reports written by obfuscating contractors. It seems reactionary, and unreasonable, but a means to the safety only an ass well-covered provides. As Mr. McGeveran points out, "it is always easier to say 'no' than to figure out how to say 'yes.'" I believe mistaken "safe" attitudes like this is often how security policies end up being implemented, and are difficult to purge once they become corporate folklore.

The "easy no" is not uncommon in security management, and enables ten thousand wannabe Kip Hawleys to exercise passive aggressive nonsense in its name.

Beats thinking.

New Concepts in Data, Compliance and Marketing or The Overly Dramatic Truth

Like the rest of the world, I read J. Cline's article on the upcoming data eclipse while listening to El P's I'll Sleep When You're Dead, which is the best way to read it.

J. Cline is prophesyin' the impending darkness where all corporations will crumble 'neath the cleated boot of data governance.

Mr. Cline identifies the signs of the data eclipse endtimes: Ford has abandoned autos to focus on quality improvement. Wal Mart has unburdened themselves of the lucrative Chinese tube sock trade for supply chain management. In the post-eclipse world, we must surrender control of our enterprises to the wanton desires of regulators, lawyers and audit chimps such as myself. We no longer make the decisions, but wait for them to be passed down from these distant parties who ponder our fate far from the red meat and hot breath of corporate operations. It's not the moon, after all, but the pointing finger of compliance and legality we should focus on.

I may have been born yesterday, sir, but I've been up all night. Like a diamond bullet between the eyes, I was struck with an aces-on Notion (with a little backing I think I could turn it into an Idea) which will make me the fortune I frankly deserve. A methodology that will empower the document generating wherewithal of ten thousand legions of certified information control professionals.

I will call it the Compliance Legal Object Audit Client Architecture: CLOACA. Look for my booth at a tradeshow near you.

CLOACA: You'll Be Surprised What Can Come Out Of It!

Vulnerabilty v. Threat

Jeremiah Grossman's analysis of the MSNBC stock contest cheat.

It seems to me that this sort of flaw would rise to the surface quickly from a threat perspective, but slower from a vulnerability perspective. I'm not sure why though.

Everyday Privacy & Security Part 2: Fear Factor Authentication, or I Won't Forget You Baby, Even Though I Should

If you are like me, or, if in fact, you are me, your online financial transacting experience has gone all Security 2.0 by the factor of WOW!

Over the weekend, I had an unpleasant experience. The clerk at our local What-Nots 'N Such franchise denied me use of my cash card. I figured my financial institution was trying to protect me whilst humiliating me, so I scurried home and logged into my financial institution's websperience.

But! Wait! My financial institution has gone all Fort Knoxy on my ass since the last time I websperienced them. They want to really get to know me before I can check out my balance. It went like this:

Dude! We're all secure and stuff now. It may be a pain in the back-end, but you will thank us because we will know you better. It's all legal. As a matter of fact, we wouldn't even be doing this unless we had to, but banking is mostly about money, and partly about pretending. So let's pretend.
Please enter your account number.

O.k.. But, no, that was your SSN.

Wait. Ooops. O.k. Let's call it an account number for now and move on.

Here are some fun disclosures for you to read. I'll wait here whilst you peruse them. Our attorneys wrote them to be concise but with a hint of whimsy, sort of P.G. Wodehouse meets Sartre.

Done already? Man, took our lawyers a bit longer, but whatever. Let us begin.

Type in some random characters.

More... More.... TOO MANY.
Did you include some numbers? Try that.
And some non-alphanumerics.

O.k. Hope you remembered that. It could be your new password, or your new account number or what the tellers will whisper under their breaths when you come in to get a loan.

Now comes the fun part. To your right you will see pictures of six different semi tractor trailers. We're going to use these pictures to identify you in the future.

Please pick the truck that most resembles your maternal grandmother.

Interesting choice.

Now some questions. Answer using your gut, and pretend that this is just between you and us. We'll use these questions for something in the future, probably resetting your password when you realize that your keyboard doesn't have a cent symbol on it. But pretend it's a legit reason.

Answer the following to the best of your knowledge:

Your favorite color.

The brand undergarment you are wearing right now.

Your favorite place for making whoopee (City and State only, please!)

Your favorite Poison lyric.

Interesting. You know you just qualified for a boat loan the way you answered that last one.

Now just press enter. (I hope you have Javascript, ActiveX and are typing this from a Internet Explorer 6 on Windows XP cause else I don't know what's going to happen.)

Sorry! You chose the wrong truck. Let's start again. Hit the back button. NO, NOT THAT BACK BUTTON!

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Invincible

New York Magazine article "The Young Invincibles: A Generation Uninsured" discusses the way uninsured 20-30 year olds in New York deal with health risks (link and commentary from Concurring Opinions.)

The article is interesting study of people who do not participate in the most common health risk management strategy: insurance. Unable to afford it, or "rationally" choosing to be uninsured, they have created their own strategies to minimize exposure. Curtailing snowboarding activities (only the half pipe), daily brushing, and yoga are balanced with careers as bike messengers and retailers. There is a wide range of risk appetites: the bike messenger who feels that "helmets are cumbersome," and artist who eschews bicycling completely. Maintenance and prevention are expensive or inconvenient, so the Invincible's focus is on the severe or catastrophic cases.

Are there corporations out there that believe themselves to be "invincible"? Is this the sort of attitude that prevents real security from becoming embedded into a corporate culture? No doubt possible. Also likely is the false sense of security associated with "compliance" as a risk mitigation technique. SOX is like a bicyclist's helmet ("too cumbersome"). PCI is like brushing your teeth every day. No one condemns daily brushing, but it won't help when you get a kick in the teeth.


(I recall my own period of "invincibility." Working without insurance as a deckhand on a towboat on the Ohio, Tennessee and Cumberland Rivers, I didn't see the dangers of hopping from barge to coal soot covered barge, lugging 90-lb ratchets and wire, all risk mitigated by my Redwings and a bump hat. Not until a near death experience while epoxying the inside of a fresh water tank did I think "Hey, what if I get crushed? What if my brain is actually damaged, and no one will ever get my jokes?" Then I sought less perilous employment. With a health and dental plan. So I found my way to the Guild of the Green Eyeshade.)

Men's 8-inch work boot with metatarsal guard courtesy Redwing.

Impacted Molars II

Occlusal
Panopticonistas Cyveillance say ID theft is so bad, we are all going to die. Seems like shutting down copyright scofflaws got a little too Web 1.0 for them, so they've unleashed their vicious crawling spiders on a search for contraband identities. And guess what they found out? EVERYBODY'S IDENTITY IS ALREADY PWN'D! Now that they've collected this data, I'm curious as to what are they going to do with all those credit card numbers, SSNs and mothers' maiden names. Did they help shut down the sites hosting the illicit data? Did they notify the victims? This sort of research is on an odd ethical footing. I hope they get it all sorted before they do their research on other forms of digital contraband.

Distal
California Secretary of State Debra Bowen kicks ass in the name of privacy for Californians. She gets privacy, and maybe even cares about the citizens of California. I wish she could impart some of her knowledge to the Texas county clerks.

Mandibular
CDT publishes their draft Privacy Principles for Identification. Seem pretty much like Fair Information Practices to me, which is not necessarily a bad thing.



Fake Teeth Resting on Image of Monk courtesy jsdart

Auditing Privacy Part 1 - Ethics and the Canon

It would comfort many compliance auditors to discover the ultimate checklist and tear after their organization's privacy program, collecting tick marks and developing the dreaded deficiency finding. I say to them, "Google is your friend." For the more enlightened internal auditor, the first step in evaluating their organizations privacy practices should be a step back.

The Canon
There are best practices, and there are benchmarks. There are torts, laws, and rational fear of the irrational regulator. However, for most every auditable area there is also The Canon. Take a file to the gilded crust of Sarbanes-Oxley and the PCOAB (and all their works and all their ways), you eventually uncover the Generally Accepted Accounting Principles. Take a snowblower to the myriad layers of dust and ash of the Code of Federal Regulations. If you squint and hold your head just right, you'll see a vague outline of the Decalogue. And somewhere below ornate filigree and baroque ornamentation of HIPAA, Gramm Leach Bliley and SB1386 is the shape of the Fair Information Practices of the US Department of Health, Education and Welfare, 1973.

From the link above, here are the five practices of the modern privacy canon:

1. Collection limitation
2. Disclosure
3. Secondary usage
4. Record correction
5. Security
   

These five principles will be your mantra for your audit. They will guide your question and inform your issues. Advanced practitioners may chose from the following according to their path:

The 10 AICPA's Generally Accepted Privacy Principles

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data


The Ethos
Like the Torah, the Sermons of Buddha, the Qur'an, the Gospels, or Fermat's Principle, a canon is only meaningful if applied. You must ask the CEO, the CIO, the Chief Marketeer, the General Counsel, and listen, and interpret their answers accordingly. Are the principles used as values to guide their decisions, obstacles to be worked around, or are they simply unknown? Read your corporate policies regarding privacy. Do you see in them evidence of the Fair Information Practices, or do they appear to be more oriented to a specific set of industry specific regulations? Interview the folks who handle the data. Do they treat the data with the care they would treat their own? The answers to these questions will begin to lead you to determining if your organization has the ethical basis for a privacy program.

What Does This Mean?
A compliance oriented organization may maintain reasonable concordance with Fair Information Practices without even knowing what they are. However, the organization may be reactive, and inefficient. The organization's privacy direction will be dictated by outside entities, rather than developed within.
A organization with a firm foundation in privacy practices, coupled with an ethic duty to privacy, will be more efficient, more effective, and retain a better reputation in the face of an incident.

SSN Panic, Texas Style

Here's the Computerworld run-down. And here's the Attorney General's letter (worth reading) and the proposed bill to change the law Texas HB 2061 so as all the county clerks don't get thrown in jail.

The AG letter says it in fourteen different ways NO, YOU CANNOT RELEASE SSNs, quoting an imperial raftload of laws, state and federal, why, and why you should even be asking the question. The clerks need to grab a big ol Sharpie and start their redactin'. Shut down your infonet tube, and stop selling your goods to some skanky information brokers from the desolate wasteland known as "Not Texas." Good on the OAG. Shame on collective elected doofi that are trying to find them an out.
I can only take solace in knowing the traditional efficiency and effectiveness of Our Lege.

This fiasco is an example of why privacy principles rather than mere compliance is important to an organization. Even if the Ft. Bend clerks were ignorant of the law, they reflected a disregard for the citizens they are charged to serve.

Privacy and Security Lessons from Criminal Enterprises: The Corner & PCI

Either you have heard the stories, or encountered first hand the difficulty in convincing an organization's leaders to take adequate precautions to insure the privacy of identity related data, and maintain the integrity, confidentiality and availability of their information assets. Privacy and security have to be marketed to management since privacy and security are "non-functional" without a "ROI." As a last ditch effort, privacy and security can be pitched as a compliance effort; these activities must be performed to satisfy the requirements of an
independent, potentially hostile third party.

Nonetheless, criminal organizations, which by definition care not one whit about compliance, and have a vigorous appreciation of the bottom line, focus significant efforts on the privacy of personal data and the security of transactions and communications. For example the following story of touts, runners, ground stashes* and the electronic processing of credit cards.

The typical drug transaction occurs thusly:

• Junkie finds slinger. Junkie's selection may be based on the Slinger's reputation, effectiveness of the Touts, past business practices or location.
• Slinger takes order, collects cash from Junkie.
• Slinger signals the order to a Runner.
• Runner distributes product to Junkie, either from minimum amount on person, or collected from ground stash.
• Junkie moves on to consume product.

So the slinger is the payment processor, and the merchant is the runner. Both will be held accountable for inventory, and separation of duties not only minimizes the compliance risk (i.e., being observed by law enforcement), but also provides an accounting control. The corner boy who put out the package knows that even if the slinger and the runner collude, the collusion will result in a wrong count at the end of the day.

So what part of this transaction is so hard for folks like TJX to understand? A couple items to consider:

• Although the merchant may mitigate risk by gaining distance from the transaction (Verified by Visa, PayPal), the merchant is more interested in the customers than the Slinger is in the Junkies. The merchant and the processor want to keep all that secondary data and compile it, and convert it into cash. The Slinger wants only not to get burned by a counterfeit bill.

• No one is responsible for the "count" on credit card transactions. Unlike the corner, the matching of goods, customer and payment is out of order in electronic commerce, with each party shirking responsibility for the transaction.

• Each has to deal with impostors, though. The seller of baking soda is the "phisher" of the drug trade.

Next, yelling "5-0" as an intrusion detection mechanism.


*taken largely from Simon & Burns terrific book The Corner
or on most episodes of Simon's The Wire.

Impacted Molars: Misguided Ninja Dudes and PCI Awareness

MESIAL
Dark Reading continues its obsession with physical security:
Network dude rassels potential bad guy, followed by a stern warning on what a scary world it is out there, cause physical attacks hurt.
Forgive me if I'm out of line, but why would I hire a network security guy to dress up as a maintenance dude to steal a laptop out from under an executive? Especially since there are skilled investigators who could get a signed confession and all his passwords from just talking to the accused. I wouldn't going to hire an investigator to secure my network, and I shouldn't ask a network security guy to conduct fraud investigations. I'm not going to hire the network guy to run my HR department either.

LINGUAL
The Bank Lawyer celebrates PCI Awareness Month early, with his take on the TJX Incident. Nice run down of all the parties involved. His characterization of the consumer is incomplete:

The consumers' concern for nuance extends only to the following extent: "I see a sturdy live oak right over yonder. Let's get us a rope and hang him."

The consumer is likely to be distracted by a shiny object on the way to the noose dealership, since he or she has no loss. Credit card numbers are becoming more a disposable commodity, unlike SSNs, HDL levels or Sudafed consumption. Coming this summer: Retailers v. Credit Cards v. Banks Smackdown at the Legislative Arenadome.

Photo from Henrier.

Everyday Privacy and Security: The Drug Store

After a conversation with a friend, I thought I'd cite some examples of how privacy and security impact day-to-day life. Here's the first in the series; though I admit, dissecting the CMEA would take more effort than I have time to fully understand. My ear is still ringing and Battlestar is on in 20 minutes.

The scenario:
Last week I went to see the doctor about my tendinitis and a persistent ringing in my right ear. I rarely go to the doctor, so you must take my word that these were annoying, persistent and painful condititions, resulting in grouchiness, restlessness, nonsensicalitude and Irritable Spouse Syndrome (ISS). I was processed through the HMO machine like a burger at Jack in the Box, with a shot of cortisone in my arm and an Rx for some OTC pseudo-ephedrine.

At Walgreens, I scan the aisles for Sudafed, a rare purchase since I'm not normally an allergy sufferer. I pick up a card for the store-branded Wal-Phed and head over to the pharmacy. The pharmacist asked for my drivers license. I show it to her, figuring it was an age requirement. She asks me to take it out of my wallet. I hand it to her, and she types my information into the cash register. She asks me to sign what looks like a receipt. What for? I'm paying cash. It's the law. It's for the Wal-Phed. So I pay her the $3.50 or so, grab the receipt, my license and leave.

What Just Happened Here:
An ingredient in the Wal-Phed is used to manufacture bathtub methamphetamines (speed/crank). To stem this scourge, the Combat Methamphetamine Epidemic Act (CMEA: part of the USA PATRIOT Act Reauthorization of 2005) placed additional controls on retail sale of ephedrine, pseudoephedrine, and phenylpropanolamine.
Consumers have to show ID and be tracked by retailers so they get just enough to take care of their stuffy nose, but not enough to start up a meth lab. The retailers have to protect the privacy of their congested customers according to the law, thusly:

C) PRIVACY PROTECTIONS.—In order to protect the privacy of individuals who purchase scheduled listed chemical products, the Attorney General shall by regulation establish restrictions on disclosure of information in logbooks under subparagraph (A)(iii). Such regulations shall— ‘‘(i) provide for the disclosure of the information as appropriate to the Attorney General and to State and local law enforcement agencies; and ‘‘(ii) prohibit accessing, using, or sharing information in the logbooks for any purpose other than to ensure compliance with this title or to facilitate a product recall to protect public health and safety.

The Data the Walgreens Now Has On Me:
Well, my name and my Texas Drivers License information (DOB, address, glasses wearer, motorcycle rider). According to the DEA website, I could also show my passport, or, if I were under 18, my report card. They also know that I bought Wal-Phed and paid cash.


What About the Data Now?
Good question. The CMEA states that the retailer has to keep it for 2 years. There is also a raft of conflicting state laws, some requiring the logbooks to be kept electronically. The retailers' association raises concerns regarding HIPAA, tracking consumer behavior (e.g., can Walgreens send me a coupon for Wal-Phed now?) and real-time tracking versus logbook maintenance. Ever since it went behind the counter, pseudoephedrine sales have decreased, so does it really matter anymore?

Everyday Privacy For Me?
Walgreens knows I ride a motorcycle because my ear rings.
This data for a cash transaction will be maintained for two years.
It may or may not be subject to any privacy rules, depending on when/if the DEA writes the regulation.
I may have no recourse if Walgreens decides to use the information in a way to which I haven't consented.
I may have no recourse if Walgreens loses, misplaces, or sells the information to unsavory third parties.

Infosecalypse Now

A number of links in the chain:
Mr. Walsh asks Why We Fight?
Which spurs Mr. Hoffman's Nam flashback.
Bloginfosec says it's safe to surf this beach, so its safe to surf this beach.
Meanwhile, Charlie squats in the bush, everyday getting stronger, and the BS piles up so fast, you need wings to stay above it.

Me? I'm an errand boy sent by grocery clerks to collect the bill.

Buzzword Compliance or Compensating Controls

The most recent SANS e-mail letter, this article from Computerworld on pretty minor (all things considered) security incident at federal retirement fund agency.

The voice of SANS (Pescatore in this case) remarked thusly:

This and the Nordea incident, as well as the huge TJ Maxx compromise, continue to point out how commonplace financially motivated, targeted attacks now are. Attacks change faster than regulations - tunnel vision on being compliant with regulations, whether Sarbanes Oxley, Basel, or PCI, means you will not be looking at processes and architectures that can deal with changing threats.

Pescatore, duuude. Hate the game, not the playa.

First, I don't any of those regulations really apply to the TSP, except as perhaps amusing past-times in the off season.
Secondly, what the hunh??? I really don't get how some users who got their account hijacked through the client side would have to do with a focus on regulations. About a dozen accounts, $35,000 all told. In retirement fund terms, not a whole lot. And they did find out about the incident, it is possible that some account monitoring controls were in place. So maybe the system worked. And cruising around the TSP site, it looks like they are trying to educate their users.

Unfortunately, whatever cred the TSP folks gained is blown in the following quote:

"External penetration testing has demonstrated that our system has not been breached"

Umm... ? I'd like to see the pen-test firm that signed off on that. Maybe next time you should hire some forensic analysts over for a post-incident discussion. They may give you better results.

Just because you don't have heavy super duty NAC/HIDS/NIDS two factor network with buzzwords du jour and a burled walnut interior, doesn't mean that you are so distracted by your BASEL II crossword puzzle that your accounting department doesn't notice some odd ball transfers. It's all about the compensating controls.

Corporate Information as Reverse Spam

From the NYT - Firms Fret as Office E-Mail Jumps Security Walls.

A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased.

And it goes on about how the suspender-snapping punch-card set is all wound up because the people they hired are trying to work. And that their remote access solution probably sucks and doesn't meet their needs. You can go out and buy some sort of reverse spam filter that will process all the outbound e-mail for your corporate sensitive words. Once the offender is identified, you can then go mete out punishment. Of course you'll have to be watching for false positives. It's hard enough to create an accurate spam filter with the huge sample of spam processed through it, can you correctly identify all the corporate Type 1 and Type 2 errors?

The real answer is in the comment in last paragraph of the article:

“We have as high a security standard as any company,” said Ms. Bargero of Sendmail, “and sometimes it is just too difficult to access our e-mail.”

Bingo. If you design a system that is usable, you might not have this problem.

Provably Private?

From the Guardian, I read this curious article on privacy and contextual
integrity. "Linear temporal logic," eh? I wish I could groove to what that means. So I read Wikipedia, then I started researching the folks mentioned in the article, finding the paper mentioned in the Guardian article: Privacy and Contextual Integrity: Framework and Applications.

Two things I liked, from what I've been able to digest so far (but I'm a lover, not a logician, so I am likely indigesting as well).
First:

"Unlike a number of prominent normative accounts of privacy, the approach taken here rejects the idea that a simple dichotomy-usually between public and private (sensitive, intimate) information-is sufficient for adjudicating privacy claims. Instead, there is potentially an indefinite variety of types of information that could feature in the informational norms of a given context."

That sounds right to me, but I'm going to have read more to make sure fully understand the if the words mean what I think. I also really like the idea of time as a factor to enter into the privacy question.
I also found figure 4 irresistible and disturbing:
Irresistible? Because I like the idea of the fistful of regulations and laws boiled down to a set of numbers, letters, (and especially) symbols.

Disturbing? Because it looks too much like compliance. Wrestling the GLB down to a series of equations is noble and mostly cool. However, if it falls in to the wrong hands, it could launch a raft of ill advised applications that get the auditor's seal of approval, are "provably compliant" and yet don't do much in the way of privacy. (This is a knee-jerk reaction.)

The paper covers the US privacy law hit parade (COPA, HIPAA, GLBA), but wait! What about everybody's favorite - SB 1386?

"Finally, our current language faces a limitation common to many policy languages. Consider SB 1386, a California law requiring businesses that inappropriately disclose personal information to notify the subjects of the information. This provision cannot be expressed properly in the language because it takes effect only when an agent violates norms. In our model, agents never violate norms and thus would never be required to notify individuals. However, such notifications are common in California. To express such “defense in depth” provisions, we plan to extend our model to account for agents who occasionally (perhaps unintentionally) violate the norms. We expect this to require modifications to the current logic."

Hmmm.