Responsibility Of Data Warehouses
Imagine that you are going on a long vacation, and you ask a good friend to take care of your cat while you're away. Your cat seems pretty content with your home, so you give your friend the key to your apartment so he can come over once every few days and refill the water bowl, empty litter, etc.
One day, though, your friend forgets to lock your front door when he leaves. The next day, someone enters your home and steals your television, your jewelry, your computer, and everything else of value.
Who is to blame?
Obviously, we blame the robber. But do we blame the friend? I think most of us would blame the friend, as it was his responsibility to lock the door, and it was this failure to do so that caused your items to be stolen. We may feel a bit bad yelling at this friend (since we asked him to come over) but in the end we would still blame him.
Watch how this problem changes when you catch the robber, though. Right now, if you imagine yourself in this scenario, you're angry with your friend. Change the scenario to imagine the robber is caught the next day and all of your stuff is returned. Now, likely, you're angry with the robber. You don't feel any animosity toward the friend at all, yet his role in this is completely unchanged. He still should have locked the door, he still failed to do so, and he still allowed a stranger into your home as a result. Why are we less angry with him in this scenario? It is not because he is less responsible, but because we now have someone else to be more angry with. The robber is the MOST responsible person for the robbery, your friend a close second. Because of this, when you can hold the most responsible person accountable, you are likely to ignore the role played by the next-most-responsible individual.
Next time you go on vacation, however, you are likely to not ask this same friend to take care of your cat, because you still know he is partially responsible for this security breach.
Data Warehouses
Let's change the scenario one more time. Instead of a friend, imagine the person in your home has not been invited. Imagine that the way things really work is that, whenever you buy a home, or a car, or a television, or even a pizza, you have to pay with money as well as part of your housekey. It's not the whole housekey, but it's a chunk of the housekey - and each purchase requires a different chunk of the key. You are trusting every company you make a purchase from in this way not to do anything with the portion of the key, but you're not too worried; after all, it's only part of the key.
Then all of those companies turn around and make a copy of your portion of the key, then send the portion to another company, which we'll call Acxiom. Eventually Acxiom collects enough portions of your key that they can form your entire housekey, which they then use to enter your home when you aren't there. They don't steal anything or take anything, but they do take notice of your home, your car, your television, and your empty pizza boxes.
This allows them to figure out what kind of thing you might be likely to buy next if asked. In your case, based on the stuff in your house, it seems likely that you'd be willing to purchase a DVD Player if given a little push. Acxiom then tells Sony that you might want to buy a DVD Player, and Sony pays them money for that information (giving Acxiom profit enough to keep collecting portions of housekeys) and then sends you a DVD Player catalog, or calls you on the phone to tell you about a great deal, or sends you an e-mail.
Now, I don't want to get into how annoying this entire business model is, or how Acxiom has no right to be entering your home, even if you had to give portions of housekeys to everyone from whom you made a purchase. This post is not about how a company that does this shouldn't exist.
This post is about what happens when that company leaves your door unlocked.
Responsibility
Surely in this scenario, if Acxiom left your door unlocked, you would find Acxiom completely responsible. After all, who the hell invited them in the first place?
ChoicePoint (Acxiom's major competitor) had a data breach not too long ago, and it was held responsible and fined. Only a portion of the fine was actually given to the victims of the data breach (people whose identities were stolen), but the fine was still large. We also hold the robber responsible in these cases, but we do not allow the responsibility of the robber to overshadow the responsibility of the person who left the door unlocked. If anything, because we are placing so much trust in these kinds of companies, we hold the data company more responsible than the attacker.
To that point, ChoicePoint was fined $15 million, and the attacker sentenced to 16 months in prison.
Clearly we, as a society, said to ChoicePoint, "look, we aren't huge fans of you holding on to all of this data, but if you're going to do so, you had better damn well protect it." ChoicePoint is responsible for the theft of its data, and we have sent them that message loud and clear, to the tune of 15 million dollars. ChoicePoint invested tons of money in improving their security as a result.
If you hold data and do not protect it adequately, it is your fault when it is stolen.
Acxiom's Breach
He was caught, and much like when the robber was caught in the first scenario, that seemed to overshadow the fact that the breach happened in the first place.
The article explains:
Prosecutors said Levine had permission to access part of Acxiom's database but that he used decryption software to obtain passwords and go beyond his authorized access. Data stolen included names, telephone numbers, street addresses and e-mail addresses, along with highly detailed demographic information.
If Levine used "decryption software to obtain passwords" to other databases, it means two things: first, the passwords were stored somewhere they could be retrieved without authorization and, second, they were stored in a cryptographically reversible manner. Passwords are usually stored as a one-way hash. You type your password to be saved, and the software hashes it into a special code. This code cannot be reversed to get back to the original password, but every time the password is hashed it yields the same code. Next time you try to verify your identity, the software performs the same hash and compares the hash codes. If they are equal, you must have typed the correct password.
If an attacker gets access to these hash codes, they cannot reverse them to get back to the password. This article indicates Levine did so, which indicates that the passwords were being stored in a way that allowed them to be decrypted. This was Acxiom's mistake - they should not have stored passwords in this manner.
Moreover, they should have had better access control, so that people with access to part of the system wouldn't be able to access a different part of the system.
These are both failures on the part of Acxiom to protect your data, yet the person being held fully responsible is Levine. As a matter of fact, Levine has to pay $153,395 to Acxiom, so they are actually being rewarded for failing to secure your data. Why?
Why did the government hold ChoicePoint responsible for a similar breach, but only hold the attacker responsible when it happens to Acxiom? On what grounds have we decided Acxiom has done nothing wrong?
They left the door unlocked.

Broz:
F’n Data industry.
22 February 2007, 2:23 pm
b:
Personally, I would applaud legislation to outlaw up and down arrows.
23 February 2007, 1:38 pm
Jake:
Yes! The up & down arrows are the key here. We must ban them!
24 February 2007, 9:09 am
tsal:
Because Acxiom does work for the government, that’s why. Here’s my story with Acxiom (disclosure: I married into a family that is close to the founder of Acxiom and his family):
About a year ago, I decided my job was a dead-end, and started looking for another job. A government organization wanted to do a background check on me after an interview, and I agreed. Of course, the majority of background checks these days go through Acxiom or one of their “partners”. Well, Acxiom, in the process of checking into me, called my CURRENT EMPLOYER and informed him that it was a background check. That’s not all - they’d done this before to a co-worker at the SAME JOB. They got me in trouble, and had I not been the only technical person there, I would have been fired! Which, by the way, would have put me in a horrible position, as I was not making enough money to put away savings at the time, and it was barely enough to support both myself and my wife.
Two weeks later, I was luckily able to give my notice, as another company made me a really good offer. It turns out that my boss was in the process of finding a replacement for me, as he had one two days before I left. He had been interviewing people on the weekends so as to not give me any idea what was coming. How he found someone to do my job for so little pay still astounds me - I only took it because of the horrible tech job market in the area at the time I took it.
27 February 2007, 7:38 am
Rufus Evison:
Generally I am more interested in if and which people should be allowed to gather together the data profile of individuals and under what circumstances. That said, I am going to slightly take issue with a technical aspect of this post. I entirely agree that leaving security sufficiently loose that someone can gain access to the data is the equivalent of leaving out the house key, but …
Decryption software is generally used as a term for anything that, given an encrypted string, finds the decrypted version of the same string. The important factor to note here is that it is decryption software if it does this, *even if it does not do it by decrypting the string*. This sounds nonsensical, but is a standard technique for hacking passwords. As stated, passwords are generally held in a one-way encrypted string. The standard way of cracking a password file is to develop an algorithm for creating likely passwords and then encrypting them. The encrypted versions are then compared and if they match the decrypted string must be the one that was encrypted to produce the comparison. This is then fed out as a decrypted password. This works with standard password protection, so the problem here may not be passwords stored using reversible encryption, but the access to the encrypted versions.
Leaving any sort of access to a password file open is dangerous and is like hiding your house key under a pot. It is safer than leaving the door unlocked, but most burglars know to look under the plant pot nearest the door. Leaving the passwords in a place where they were possible to access without proper authorisation may be the only mistake here. That said, if they had not been allowed to store the data that was released in a form that would cause trouble there would not have been an issue. This brings me full circle to the question of who should be allowed to keep data about us, when and why?
Rufus Evison, ReasonedRants.BlogSpot.Com
3 September 2007, 9:14 am
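
The hash-and-compare login check the post describes, together with the guess-hash-compare technique from Rufus Evison's comment, shown here as an added example (not code from the post, the commenters or Acxiom). The function names, account names, passwords and iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: work factor picked for this example


def unsalted_sha256(password):
    """Fast, unsalted hash: the same password always yields the same code."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256): returns (salt, key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, key):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def audit_unsalted(stored, weak_passwords):
    """Defender's audit of a legacy table of unsalted hashes.

    Nothing is decrypted: each known-weak password is hashed and the result
    compared with the stored codes, which is the technique the comment describes.
    """
    lookup = {unsalted_sha256(p): p for p in weak_passwords}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


# Constructed sample data: two accounts in a legacy unsalted table.
LEGACY_TABLE = {
    "alice": unsalted_sha256("letmein"),
    "bob": unsalted_sha256("k7#Vq9!zR2mWx"),
}
WEAK_PASSWORDS = ["password", "123456", "letmein"]

if __name__ == "__main__":
    print("flagged:", audit_unsalted(LEGACY_TABLE, WEAK_PASSWORDS))
    salt, key = store_password("letmein")
    print("verify ok:", verify_password("letmein", salt, key))
    print("verify wrong:", verify_password("letmeout", salt, key))
```

With a per-user salt, the single precomputed lookup in `audit_unsalted` no longer works across accounts: every guess has to be re-hashed for each account at the slow PBKDF2 rate, which is why access to a table of fast unsalted hashes is so much more damaging.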