Sunday, July 31, 2005

U2, Amsterdam, Smart Cards, and Dataflation

I blame the long gap between posts on U2. A trip to see the band in concert, in Amsterdam, was my present to my wife on her birthday this year.

(Marital Bliss Tip #39: To experience "multiple gratitude" give your partner a trip for his or her birthday and get four stages of pleasure: one, the gift giving day; two, the days between the giving of the gift and the taking of the trip; three, the trip itself; four, the after-glow of telling other people about the trip when you get back).

We thought Amsterdam was a very cool city, even though they were experiencing something of a heat wave. Talk about a civilized, tolerant place! I'm not just talking about a sensible attitude to public transportation, herbal remedies, ethnic diversity, and sexual orientationz. You can take your dog most places, smoke tobacco if you feel like it, and get a good cup of coffee on just about every street. And you can use smartcards (read this if you are not sure what they are).

When you land at Amsterdam airport you can buy a smartcard with which you can then purchase train tickets to get into the city (a very easy and inexpensive way to make the journey). Then buy soft drinks at the station store, tram tickets to travel around the city, and so on. No need for bank notes and coins. When we got to the Amsterdam Arena for the concert we found that all the vendors there took Arena smartcards. Buy one and you can get beer or ice cream or whatever else in a flash. For example, the beer vendors (who stroll through the crowd wearing a keg in a backpack) can squirt you out a glass of beer while you pay by inserting card, hitting Ja, and removing card. No hassle with change means a much more efficient liquid refreshment delivery system.

So, the coolest smartcard has to be the specially minted U2 Vertigo Tour Smartcard that we bought that evening at The Arena. It will go into the commemorative picture frame, along with the tickets and the blurry cell-phone photos of the massive stage with the tiny stick figures of Bono and Edge blown up on the giant projection screen.

But what does this have to do with dataflation? Well, the trip did not prevent me from polishing off a column on the topic that should appear in an upcoming print issue of Information Security Magazine. There may also be an expanded online version where I go further into the practical and legal implications for ID theft victims.

And the widespread use of smartcards reminded me that deploying new data infrastructures is possible. Which means that, if someone comes up with a way to rein in dataflation that requires a new data infrastructure, opponents won't be able to use that requirement as an excuse not to implement it.

Stephen

Sunday, July 03, 2005

Dataflation Defined

I came up with the term dataflation to describe an emerging phenomenon, one that could have some fairly serious implications for the future of many things (e-commerce and personal security to name a few). As the inventor of this term, I reserve the right to tweak the definition at some later date, but here is my first stab at it:
  • Dataflation: the tendency of data to rapidly lose value due to factors such as large-scale unauthorized access, excessive abuse and loss of confidentiality.
I do not claim to understand all of the implications of dataflation, I don't think anyone can at this stage. But dataflation is real and it is going to cause problems. Consider the fact that, in the first six months of 2005, the media has reported the exposure of 66 million personal data records belonging to Americans. (I have listed the cases here.) According to the 2000 census there are 210 million Americans age 18 or older. Given the big security breaches that occurred in 2004, it is possible that data relating to one in three American adults is now "out there," meaning it is available to be abused.

This is personal data that cannot easily be sucked back or reflated. To paraphrase the definition of inflation, we are talking about a persistent increase in the open availability of previously confidential consumer data or a persistent decline in the value of that data, caused by an inability to adequately control unauthorized access.

You cannot change your date of birth or your mother's maiden name. Your Security number is hard to change. Moving to a new address is a pain. Changing banks or switching jobs is not always practical. Yet these are the pieces of information out of which an identity thief can fashion your likeness so as to incur debts and acquire goods and services in your name.

And what if that happens? The personal cost can be enormous. Even if you can avoid paying fraudulent debts, the amount of time and stress it costs you can take a heavy personal toll. So who will pay that toll? The company that exposed your data? I don't think so. For a start, how are you going to prove that an identity thief got your data from Company A versus Company B? The first company that finds itself facing negligence claims pertaining to the exposure of your data will defend itself with the very fact of dataflation, i.e. tens of millions of records were compromised by dozens of companies in the first six months of 2005 alone.

Ironically, the aggregation of industry-wide gross negligence means that for John Doe to pin the blame on the donkeys that were supposed to be protecting his data is now an all but impossible task, unless he can get a signed confession from the identity thief himself that says, "Yes, I got Mr. Doe's data from a Citigroup computer tape that I stole from a UPS truck."

Do you see what I'm saying? There is a one in three chance your data is out there already. I'd say there is a 50/50 chance that basic personal data on half of all Americans will have been exposed by the end of the year. At that rate everyone's data is going to be compromised within a frighteningly short span of time.

There are plenty of studies that show the rampant insecurity of personal data is holding back the growth of e-commerce. One indication of dataflation is that growth in electronic trust and e-commerce cannot happen without more and more personal data. More user names, more passwords, more secret questions and answers, more unique identifiers. But at the current rate of data exposure, electronic trust will continue to decline as dataflation increases. That, along with all the fraudulent charge write-offs, could hurt the economy just as much as traditional monetary inflation .

Stephen

Saturday, July 02, 2005

IBM v. MSFT, Good News At Last?

We interrupt a series of postings about the abysmal state of affairs in the world of information security to bring you this heartening bulletin: Convicted monopolist Microsoft must pay IBM almost $800 million "to resolve claims it bullied the big computer maker during the 1990s."

It is good to see justice meted out in a manner that Microsoft might understand, cash leaving its bank accounts. I am particularly pleased because Microsoft has never, to my knowledge, apologized to us poor sods who lost money in the fruitless struggle to make non-Microsoft applications run on a Microsoft OS that we later learned was intentionally rigged to foil us.

But consider the words: "resolve claims it bullied the big computer maker." This is how John Boudreau of the Mercury News described the news, and he is one of the better hi-tech journalists. Yet I'm tempted to take issue with the word "claims." After all, Microsoft was found guilty. Microsoft bullied other companies. That's a fact, not a claim.

The Solid Insider Threat

I just got back from Nebraska and man are my arms tired (sorry, very old joke) but seriously, my brain did get tired. I took a very challenging creative writing course on the campus of the University of Nebraska at Lincoln. There will be more about the course, and the campus, in a later post...

Right now I'm going to have to talk about the latest round of data/ID theft/abuse. Seems like the year I decided to step back from the privacy/security/fraud beat that has been my life for the last 25 years, boom! The world has woken up to just how big a mess its data are in. Consider a couple of recent articles that awaited my return from the prairie.

First, a useful reminder from Paul Nowell of the AP, that insiders at data-rich companies are a major threat to privacy. This was very timely and Paul talked to some good people, including the man who should be this nation's IT-czar, Peter G. Neumann. Howell also talked to a vice president of marketing at San Francisco-based Vontu, a firm specializing in data loss prevention. Now, I don't know Vontu or the man in question, Steve Roop, but he got it right when he said "About 70 to 80 percent of the risk is from insiders, although not all of them are malicious..."

This had been the received wisdom about risks to information security for decades until, during the last five years or so, more and more people who were surveyed ranked outsiders, notably outside attackers using the Internet, as being more serious. Big mistake! There's no way--having read and understood the history of how humans abuse trust, technology, and information--you can believe the outsider is more of a threat to the security of your information than the insider. Sure, it might seem that way when you're trying to stop a bunch of zombies from DDoS'ing your web farm into submission, or you're trying to rid your network of some particular nasty virus. But the trusted employee who turns heel and walks across the street to the competition with an SD card full of your customer data in his shoe, that's still the biggest threat, partly because it is the toughest to mitigate.

And let's not forget 'the number of people surveyed' factor. If you ask 250 people who work in computer security to name the biggest threat to that security, what you get is an opinion, not a fact. Like I say, those folks may sure as heck feel more pain from outsiders. But them thinking it is so does not make it so. Furthermore, computer security is not information security, as the award-winning Chief Security Officer of Choicepoint has hopefully learned by now. I will make that point in my next post, tackling the IRS, Choicepoint and something I call data-flation.