Archive for the 'Data Mining' Category

Government pretexting

Not sure if anyone is reading posts anymore, but this was posted on slashdot. We already knew that government agencies have been buying our data from data brokers, but according to this article, some law enforcement agencies are buying things like phone records that are most likely obtained illegally through pretexting or other means.

County Takes Steps to Reduce Identity Theft

I recently came across an article which describes how Westchester County in New York just passed a law to protect consumers from identity theft. County officials saw a growing trend of unprotected wireless networks popping up in local businesses, and many of these networks offered malicious hackers an easy way to get credit card numbers and other sensitive personal information about the businesses’ customers. The law specifies that any wireless networks which store financial information of consumers must use basic security measures such as firewalls or encryption, and they also must change the “default SSID” of the network so it isn’t such an easy target. With the proliferation of wireless networks, hackers can sit outside businesses and collect valuable information during transactions which use these wireless networks.

Another important part of the law mandates that providers of wireless “hotspots,” such as those at hotels, Starbucks, or bookstores, put up signs which say “For your own protection and privacy, you are advised to install a firewall or other computer security measure when accessing the Internet.” While this doesn’t guarantee that consumers will heed this warning, it does increase awareness about the risks of using these insecure wireless networks. Also, I think that these signs will make consumers more likely to approach the businesses that offer these hotspots and ask for protection on that side. Another benefit of these signs is that they might serve as some sort of deterrent against malicious identity thieves.

The county’s chief information officer estimated that installing the necessary security measures to comply with the new law would take less than one hour. Obviously this is a small price to pay to even marginally increase the security, protection, and confidence of the county’s consumers. The penalties for non-compliance, however, are not very steep and therefore it may be difficult to convince business-owners to change their practices. A first offense will get you a warning, while a third offense will only get you a $500 ticket.

I think that Westchester is taking a step in the right direction in the fight against identity theft; maybe this will set the tone for other counties around the United States.

Limiting Data Retention

The full draft contains an earlier (outline-only) version of our section. Here is the newest version (with more humble phrasing).
———————–

We respectfully suggest that the Commission encourage telecommunications carriers to adopt a public data retention policy that limits storage of CPNI only as long as operationally necessary. An effective data retention policy will limit both the extent and severity of attacks in the event that the system has been breached. This will not, by itself, solve the consumer privacy problem. We also respectfully suggest complementing this policy with a two-tiered data deletion model.

In the first stage, we respectfully suggest that the Commission encourage carriers to strip all personally identifiable information from CPNI records after the legally required 18 month duration. [CITE 47 CFR 42.6] This includes, but is not limited to: all 7-digit phone numbers called and received; subscriber name, social security number, and contact information; and services purchased such as call forwarding or voice mail.

Stripping CPNI in the first stage protects consumers against extensive pretexting, insider attacks and cyber attacks on information that carriers no longer need. We understand that carriers are concerned about long-term dispute resolution, but this rare occurrence should not come at the expense of their consumers’ privacy interests.

In the second stage, we respectfully suggest that the Commission encourage carriers to purge individual call information by aggregating and then deleting the remaining record data. As a general guideline, the second stage could begin after 36 months. This includes, but is not limited to: all phone number area codes; individual call times and durations; and physical location of calls if the service is wireless.

The second stage safeguards consumers against sophisticated call analysis attacks in which customer identity could eventually be deduced. We understand that carriers may be maintaining this data for statistical purposes. The aggregate information will still allow carriers to collect general trends and statistics about their network, but should make it impossible to trace sensitive call information back to individual consumers.
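As an added illustration of the two-stage model above (example code written for this page, not part of our filing or of any carrier’s system), the following Go program applies both stages to a handful of constructed call records against a fixed reference date. The record layout, the “area code only” handling of called numbers in stage one, and the use of monthly call counts and total durations as the stage-two aggregate are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// CallRecord is a constructed stand-in for one CPNI call-detail row.
type CallRecord struct {
	SubscriberName string
	SSN            string
	Contact        string
	CalledNumber   string   // e.g. "212-555-0142"; after stage one only the area code remains
	Services       []string // e.g. "call forwarding", "voice mail"
	Start          time.Time
	DurationSec    int
	CellSite       string // physical location of a wireless call
}

// MonthlyAggregate is all that survives stage two: per-month totals with
// no per-call and no per-subscriber detail.
type MonthlyAggregate struct {
	Calls        int
	TotalSeconds int
}

const (
	stageOneMonths = 18 // strip personally identifiable fields after the 18-month retention period cited above
	stageTwoMonths = 36 // aggregate and purge individual call data (the 36-month guideline above)
)

// areaCodeOnly keeps the three-digit area code of a ten-digit number and
// discards the seven-digit local part; anything unparseable is dropped.
func areaCodeOnly(number string) string {
	var digits []byte
	for i := 0; i < len(number); i++ {
		if number[i] >= '0' && number[i] <= '9' {
			digits = append(digits, number[i])
		}
	}
	if len(digits) < 10 {
		return ""
	}
	d := digits[len(digits)-10:] // tolerate a leading country code such as "1"
	return string(d[:3])
}

// ApplyRetention runs both stages against a fixed reference time. It returns
// the records that survive (stage-one records already stripped) and the
// monthly aggregates built from records old enough for stage two.
func ApplyRetention(records []CallRecord, now time.Time) ([]CallRecord, map[string]MonthlyAggregate) {
	stageOneCutoff := now.AddDate(0, -stageOneMonths, 0)
	stageTwoCutoff := now.AddDate(0, -stageTwoMonths, 0)
	kept := make([]CallRecord, 0, len(records))
	agg := make(map[string]MonthlyAggregate)
	for _, r := range records {
		switch {
		case r.Start.Before(stageTwoCutoff):
			// Stage two: fold the call into its month, then let the record go.
			key := r.Start.UTC().Format("2006-01")
			a := agg[key]
			a.Calls++
			a.TotalSeconds += r.DurationSec
			agg[key] = a
		case r.Start.Before(stageOneCutoff):
			// Stage one: remove everything identifying the subscriber or the called
			// party; call time, duration, area code and location stay until stage two.
			r.SubscriberName, r.SSN, r.Contact = "", "", ""
			r.CalledNumber = areaCodeOnly(r.CalledNumber)
			r.Services = nil
			kept = append(kept, r)
		default:
			kept = append(kept, r) // still inside the legally required retention window
		}
	}
	return kept, agg
}

// ReferenceNow is the constructed "today" used by the sample data below.
var ReferenceNow = time.Date(2006, 7, 1, 0, 0, 0, 0, time.UTC)

// SampleRecords is constructed test data spanning all three age bands.
func SampleRecords() []CallRecord {
	mk := func(start time.Time, dur int) CallRecord {
		return CallRecord{
			SubscriberName: "Sample Subscriber", SSN: "123-45-6789", Contact: "1 Sample St",
			CalledNumber: "212-555-0142", Services: []string{"voice mail"},
			Start: start, DurationSec: dur, CellSite: "site-17",
		}
	}
	return []CallRecord{
		mk(time.Date(2006, 5, 3, 9, 0, 0, 0, time.UTC), 120), // 2 months old: untouched
		mk(time.Date(2004, 11, 8, 9, 0, 0, 0, time.UTC), 300), // 20 months old: stage one
		mk(time.Date(2003, 3, 2, 9, 0, 0, 0, time.UTC), 45),   // 40 months old: stage two
		mk(time.Date(2003, 3, 9, 9, 0, 0, 0, time.UTC), 15),   // same month: folds into the same aggregate
	}
}

func main() {
	kept, agg := ApplyRetention(SampleRecords(), ReferenceNow)
	for _, r := range kept {
		fmt.Printf("%s name=%q called=%q services=%v site=%s\n",
			r.Start.Format("2006-01-02"), r.SubscriberName, r.CalledNumber, r.Services, r.CellSite)
	}
	months := make([]string, 0, len(agg))
	for m := range agg {
		months = append(months, m)
	}
	sort.Strings(months)
	for _, m := range months {
		fmt.Printf("%s calls=%d seconds=%d\n", m, agg[m].Calls, agg[m].TotalSeconds)
	}
}
```

Run as a scheduled job, the only state the job needs is the reference time; everything it removes is gone from the table, which is what makes the first-stage stripping protective against an intruder or a pretexter who arrives after the cutoff.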

We also respectfully suggest that the Commission encourage carriers to publicly disclose their data retention policies. This will allow consumers to make more educated decisions about their privacy risks when choosing an appropriate provider. Public disclosure would enable market forces to pressure carriers into adopting privacy-friendly retention policies in an effort to attract new customers. Note that a public retention policy would not assist wrongdoers by contributing to a “roadmap” for future attack.

The cost of data deletion is low for carriers, since the deletion process can be automated, and deleting data also lets carriers spend less on storage by maintaining less of it.

Moreover, we suspect that even an aggressive policy would not interfere significantly with law enforcement efforts since CPNI must already be retained for 18 months [CITE 47 CFR 42.6]. Carriers have no legal obligation to better assist law enforcement, but they do indeed have a legal responsibility to their own consumers to minimize unauthorized data disclosure.

Commenter CTIA opposes data destruction by claiming that “no security principle makes older records more susceptible or new records less susceptible to fraudulent disclosure.” Though this is true, destroying data will guarantee that fraudulent disclosure of older records will never occur in the future — the policy of deletion represents the best security principle possible. We point out that no carrier comments thus far submitted have expressed any strong objections to the data retention guidelines proposed in EPIC’s petition. [CITE original EPIC petition]

We are also concerned about the security of other stored communications data such as voicemail, text and photo messages sent among consumers. We have little public information as to whether carriers cache this sensitive data and ask the Commission to consider if this data is subject to the same rules as CPNI during the rulemaking process.

Broward County Posts Public Records on Web Site

I would like to discuss an issue which relates to privacy protection and identity theft. While reading the Drudge Report, I stumbled upon an article about Broward County and its online database of public records. Apparently, by visiting the County’s public website at www.broward.org, one can search public records dating all the way back to 1978. What’s discouraging about this is that public records often contain very sensitive information such as Social Security numbers, dates of birth, and bank account details. Therefore, those who are interested in stealing identities and committing other acts of fraud can do so effortlessly (i.e., without even phishing or hacking), since the information they are seeking is posted on a website and hence publicly available. This information could also easily be used by terrorists interested in causing harm to the United States. Thus there is legitimate reason for concern.

Perhaps more discouraging is the fact that Broward County is doing nothing about this until January 2007 (at which point “redaction software” will be installed in order to clear the public records of all information which is potentially sensitive). In the meantime, current as well as past residents of Broward County will be at risk of identity theft as well as other types of fraud. While some residents like Bruce Hogman (mentioned in the article) have filed complaints not only with the County Records Division itself but also with federal organizations like the FBI, Broward County officials maintain that they are merely complying with laws which “require counties to post public documents on the Internet.”

If such laws do in fact exist in certain counties, they must immediately be amended to include a provision which requires all sensitive information to be adequately protected. Clearly, posting this kind of information on a public website poses a serious threat to certain individuals. One way to solve this issue would be to “white out” all potentially sensitive information, perhaps via software similar to that which Broward is planning on using, so that it is impossible for thieves to obtain this information. If removing all sensitive information is not feasible, then perhaps we should consider not posting public records on the Internet under any circumstances at all.

Generally speaking, we as a society need to be extremely careful when posting sensitive information on the Internet. If this information falls into the wrong hands, then a lot of damage can occur. Therefore, it might be wise to consider adopting legislation at the federal level which prohibits counties from doing what Broward did.

Re: Encryption as a Solution?

First, as a member of Avi’s group, I would like to add to his post entitled “Encryption as a Solution?”. While this post is very thorough, it does not address the question of whether or not requiring encryption would “place an undue burden on small carriers.” This is an issue on which the FCC specifically seeks comment.

We think that there might be a disproportionate burden on small carriers if, in order to meet the new standard of security, these carriers must upgrade their technology, at least to a greater extent than large carriers. Large carriers, on the other hand, are likely to already have the best technology available, as well as experts on hand (e.g., chief technology officers) who know how to install and operate this technology. Therefore, requiring some minimum level of encryption, as we recommend, might force small carriers to spend money on new technology, whereas large carriers might not need to make such expenditures because they already have sufficient technological capabilities.

If placing an undue burden on small carriers is a big concern, then we recommend the following. Instead of enacting legislation which applies equally to all carriers, it might be wise to enact legislation which affects carriers differently depending on their size. Or alternatively, we could pass legislation which affects only large carriers. Given that these carriers presumably represent a substantial share of the telecommunications market, such a policy would have a significant impact (i.e., protect a large fraction of the consumer population) without imposing additional costs on small carriers.

Totally unrelated, I would like to make one final comment about MySpace. I have noticed that there have been a considerable number of posts recently about this website. There have also been a lot of stories about it in the news. Most recently, MySpace decided to remove about 200,000 “objectionable” profiles from its site.

Perhaps this move comes in response to all the media attention that MySpace has been getting lately. In fact, I question whether this is anything other than a PR move, especially considering that MySpace is now owned by News Corp, a company which is very conscious of its image. The fact of the matter is that those who want to post “objectionable” content on the Web, such as hate speech or risqué material, will find ways to do so, even if they are restricted from using MySpace. Therefore, on the one hand, MySpace is essentially doing nothing to solve the problem; rather, MySpace is simply diverting users to other websites. On the other hand, this is really the only thing that MySpace can do to solve the problem. If we really feel as a society that certain content is too explicit for the Web, then maybe we should limit what can and cannot be posted on websites. I would argue, for example, that hate speech serves no purpose for society, and is not productive in any way. Of course, limiting content on the Web would raise serious concerns about free speech.

Encryption, a [slightly] Technical Analysis

As Avi noted in his post about encryption, it is “computationally infeasible” for an outsider to be able to determine both the “encryption key” as well as the process in which the key was used to encrypt the information into ciphertext. However, that is not to say that the use of encryption in a communications system is guaranteed to make the system secure. For example, SSL, which is a prominent security protocol used in nearly all secure online connections (https://), involves a public key exchange. A notable method of key exchange, Diffie-Hellman, is vulnerable to a “man-in-the-middle” attack in which someone receives and then re-sends all traffic involved in the exchange without ever being detected. Thus, a system of communication can be vulnerable even with the use of clever encryption methods.

Also, there are some concerns on behalf of the carriers that encrypting too much information will cause the regular access of common information to take too long. As we will see, this is not a legitimate concern as the bottleneck on the amount of time it takes to access your own personal information is not the encryption protocol in use, but the actual speed of the connection.

I (by I, I mean our group) propose the 3-part model shown at the end of this passage.

This model assumes that the carrier is large and has a certain level of technological capabilities, namely that the database and web server are separate machines. This model also assumes that the end user is authenticated, that is to say that the person behind the client machine is who he/she claims to be, and that their password’s integrity is maintained.

The first point of concern is the channel between the client and the web server. A security protocol named SSL is a nice way for a client to establish a secure connection through the use of a message authentication code, or MAC, which can verify the integrity and authenticity of messages traveling back and forth, and a “handshake” between the two devices that confirms that each node is a trusted party. SSL, when used in conjunction with HTTP, forms a connection that is believed to be secure [enough].

The next point that is a potential security concern is not the web server, but the database itself. Fortunately, the web server is not an effective spot for an attack to steal sensitive information; it is only effective for creating a Denial of Service situation. If an attack were waged on the database, then an intruder to the system could easily steal tons of extremely valuable information in a short time. Thus, it is absolutely imperative that the raw data sitting on the database server resides in an encrypted form. Encryption today is so strong that the Earth would likely end before the cipher could be cracked.

The final concern about encrypting information is that of look-up speed and accessibility. It turns out that the bandwidth capabilities of the client’s connection to the web server trump the time it takes for the data to be looked up/encrypted. This fact makes it entirely possible for carriers to efficiently/effectively implement encryption for security purposes.

Encryption as Solution?

Recently the FCC released a notice requesting comment on what additional steps they should take in order to protect the privacy of consumers’ phone records. This is my group’s draft of our thoughts on encryption as a solution to data brokers illegitimately acquiring such records.

-Avi

Encryption
Encryption is the process of obfuscating information so that it is unreadable without additional knowledge. Generally the special knowledge required to discover (decrypt) the original information is knowledge of which process was used to encrypt it, as well as knowledge of a specific piece of information, a ‘key,’ to unlock the encryption. When encryption is done well it is generally not possible to uncover both these pieces of information simply by examining the encrypted data.

Where Encryption is Effective
It is clear that a carrier would need to have at its disposal a means of decrypting the data. We recognize that CPNI data is used for legitimate business purposes, and so it is meaningless if it cannot be made readable. Some employees at the carrier must have access to a decryption device in order to perform their jobs.

Carriers also provide means of giving users access to their own CPNI. We do not dispute that these means should be available; we only note that CPNI cannot be disclosed to the user in encrypted form or they would not be able to read it. In order to provide such a service, carriers’ customer service representatives must have at their disposal a method of releasing decrypted CPNI data to the user to whom it belongs.

It follows that encryption is emphatically not a solution to the problems of pretexting and dishonest insiders. If someone has convinced a customer service representative that they should be given certain CPNI data, the data will be given to them in plain text. If a carrier employee is inclined to feed CPNI data to data brokers they will be able to do so if they have been given access to decrypted CPNI data in order to perform their job.

We believe that encryption of stored data is an effective counter-measure against two methods of acquiring CPNI data: cyberattack and physical theft of data.

Encryption and Cyberattack
In examining the effectiveness of encryption in countering cyberattack on carriers it is necessary to divide cyberattacks into two categories: attacks carried out by interacting with a carrier’s web site and attacks in which a data broker gains direct access to a carrier’s database.

EPIC notes that a data broker might crack a user’s online account with the carrier in order to obtain CPNI data. A carrier’s web site, like a customer service representative, must be able to give a user’s decrypted CPNI data to them. An attack on the web site would allow a data broker to bypass the authentication mechanisms of the web site in some way. Such attacks are analogous to deceiving a customer service representative by pretexting. Encryption is not effective against this sort of attack, as the web site, like the customer service agent, will simply display the decrypted CPNI data once convinced of the user’s identity.

We do agree that encryption could help in mitigating the damage dealt by a cyberattack where a data broker fraudulently gains direct access to a carrier’s database. In such an attack the attacker would be forced to go to the additional trouble of figuring out which encryption scheme and which key were used.

While encrypting data can help against some forms of cyberattack, we are not in a position to comment on the prevalence of such forms of cyberattack as means of acquiring CPNI data relative to other methods like pretexting.

Encryption and Physical Theft
It is common practice for databases to be copied and stored for recovery in case of an accident or some need for older data. There is no doubt that, if backup copies were encrypted, physical theft of backups would be a pointless endeavor. We doubt, however, that physical theft is the primary method, or even a common method, of illegitimately acquiring CPNI data.

EPIC notes that many data brokers claim to be able to obtain CPNI data in several hours or days. We doubt that physical theft could be carried out often enough to substantiate this claim. Mandating encryption to guard against physical theft might be a good idea, but if our goal is to counter data brokers then the statute would be mostly unrelated to the goal.

Carriers’ Reservations and Responses
Carriers have commented that data is already encrypted ‘where appropriate’ and that encrypting stored records would be costly. We find these two statements contradictory. If some data is currently encrypted, then infrastructure for the encryption and decryption of data must already be in place. We do not think it likely that it would be extremely costly to use the infrastructure already in place to encrypt and decrypt additional data.

Carriers have also argued that encryption would slow legitimate inquiries for CPNI. We do not believe this to be true. There are varying types of encryption, but it is possible to choose a method that is both secure and fast. In the case of a customer interacting with a carrier’s web site we believe that the communication time between the web site and the customer’s computer will be far greater than the time required to decrypt the relevant CPNI data. As such, customers should not experience any noticeable slowdown.

We believe that the most powerful criticism of encryption as a means of mitigating inappropriate disclosure of CPNI data is that encryption provides benefits largely unrelated to that goal. As discussed above, encryption cannot stop pretexting or dishonest insiders, and is only effective against some forms of cyberattack. This does not mean that such forms of cyberattack are not worth guarding against.

Recommendations
We find it somewhat troubling that CPNI data is encrypted ‘where appropriate,’ not because all CPNI data should be encrypted, but because this represents individual carriers’ understandings of which pieces of CPNI data are worth protecting. If only to encourage baseline security practices, we believe that categories of CPNI data that must be encrypted should be established.

We recommend that any piece of CPNI data that might be used as personal identification of a customer (i.e. name, address, phone number, social security number) should be required to be encrypted. In this way CPNI data that is acquired via cyberattack would not be valuable to data brokers as they would be unable to tie records to people without decrypting the data.
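To make this recommendation concrete, and to show the point made under “Encryption and Cyberattack” about direct database access, here is an added example (written for this page, not code from any carrier or from the group’s filing) of storing a call record so that the identifying fields exist in the database only as AES-256-GCM ciphertext while non-identifying usage data stays readable. The Open function is exactly what a customer-service system or web portal would call once it is satisfied with the requester’s identity, which is why encryption decides nothing about pretexting. The record layout, the hard-coded demo key, the choice of AES-GCM, and the sample customer are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Identity holds the CPNI fields that can tie a record to a person, the
// categories the recommendation above says should be encrypted.
type Identity struct {
	Name    string `json:"name"`
	Address string `json:"address"`
	Phone   string `json:"phone"`
	SSN     string `json:"ssn"`
}

// StoredRecord is the row as it sits in the database: the identifying fields
// exist only as ciphertext; usage data that identifies nobody stays in the clear.
type StoredRecord struct {
	RecordID   string
	Identity   []byte // nonce || AES-256-GCM ciphertext || tag, over the JSON-encoded Identity
	CalledArea string // area code of the called party
	Seconds    int
}

// Seal encrypts the identifying fields. The record ID is bound in as associated
// data so a ciphertext copied onto another row fails to decrypt.
func Seal(key []byte, recordID string, id Identity, calledArea string, seconds int) (StoredRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredRecord{}, err
	}
	plain, err := json.Marshal(id)
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return StoredRecord{}, err
	}
	ct := aead.Seal(nonce, nonce, plain, []byte(recordID)) // prefixes the nonce to the output
	return StoredRecord{RecordID: recordID, Identity: ct, CalledArea: calledArea, Seconds: seconds}, nil
}

// Open is the decrypt path used after the caller has been authenticated.
// A pretexter who passes that authentication receives plaintext exactly as a
// real customer would; the cipher cannot tell them apart.
func Open(key []byte, rec StoredRecord) (Identity, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Identity{}, err
	}
	ns := aead.NonceSize()
	if len(rec.Identity) < ns {
		return Identity{}, errors.New("ciphertext too short")
	}
	nonce, ct := rec.Identity[:ns], rec.Identity[ns:]
	plain, err := aead.Open(nil, nonce, ct, []byte(rec.RecordID))
	if err != nil {
		return Identity{}, fmt.Errorf("decrypt: %w", err) // wrong key, tampered row, or moved ciphertext
	}
	var id Identity
	if err := json.Unmarshal(plain, &id); err != nil {
		return Identity{}, err
	}
	return id, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Leaks reports whether a plaintext identifier is visible in the stored row,
// i.e. what someone who copied the table would see.
func Leaks(rec StoredRecord, needle string) bool {
	return bytes.Contains(rec.Identity, []byte(needle)) || rec.CalledArea == needle
}

func main() {
	// Constructed demo key. A carrier would fetch the key from an HSM or key
	// management service rather than hard-code it next to the data.
	key := bytes.Repeat([]byte{0x11}, 32)
	// Constructed sample customer, not a real person.
	alice := Identity{Name: "Alice Example", Address: "1 Sample St", Phone: "212-555-0100", SSN: "123-45-6789"}
	rec, err := Seal(key, "call-000001", alice, "914", 95)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row exposes SSN: %v\n", Leaks(rec, alice.SSN))
	got, err := Open(key, rec)
	fmt.Printf("authorized decrypt: %+v err=%v\n", got, err)
	rec.RecordID = "call-000002" // ciphertext moved to another row: the GCM tag check fails
	_, err = Open(key, rec)
	fmt.Printf("moved ciphertext: err=%v\n", err)
}
```

Binding the row ID into the authenticated data is what stops an insider with write access from quietly re-pointing one customer’s identity at another’s usage records; without it, the ciphertext is interchangeable between rows even though it cannot be read.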

Small Carriers
We think that there might be a disproportionate burden on small carriers if, in order to meet the new standard of security, these carriers must upgrade their technology. Large carriers are likely to have significant technological resources and experience available. Small companies, on the other hand, are likely using software packages provided by third parties, and may not have the ability to edit such software. Therefore, requiring some minimum level of encryption might force small carriers to spend more money on new technology than they can afford. Instead of enacting legislation which applies equally to all carriers, it would be wise to specify a minimum yearly earnings threshold beneath which the legislation does not apply.