Day 4: Experts talk about ID theft

Members of News.com's ID theft roundtable panel open up a discussion with News.com editors and our readers.

Experts' Roundtable: Thursday, October 27, 2005

The members of this Roundtable panel have agreed to have a discussion with News.com editors and our readers. Although we cannot guarantee a response for every e-mail, you can submit your questions for panelists here.

Thursday: Encryption and responsibility

From: CNET News.com
Subject: ID Fraud: Who should be responsible?
Wed, 26 Oct 2005 09:39:09 -0700

One of our readers asked the following question about his own experiences, in which private companies were more helpful than government agencies when dealing with ID fraud.

CNET reader Paul Jones wrote:

As a victim of ID theft, I've often wanted to find a public forum through which I can express my opinion as to whom the real villains are in ID theft: it's the Government.

No, this is not an anarchist view. Rather, it's a statement of fact. When my ID was stolen in 2001, the perpetrators acquired several credit cards in my name, along with a mobile phone and service. It took just a few weeks to clean up that mess, as the credit reporting agencies and credit card issuers were very quick to respond to my written letters. However, the real damage came from the State of Indiana. One of the two perpetrators received a driver's license in my name. It is now 2005 and I still do not have that issue resolved. I have talked with the Indiana DMV repeatedly, but it's simply no use. As it is, I cannot go to any state in the United States and get a driver's license without also taking a piece of paper with me that says that the records the Indiana DMV have on file do not appear to be me.

In my opinion, companies should and, by and large do, make an effort to protect people's private information. The real question is what should our government do in order to address problems like mine where stolen information results in bogus records that are not removed from the system? Shouldn't the government have procedures in place to handle these kinds of issues? Are there any insights to be gleaned from the relative efficiency of the market process vs. the political process? Are companies becoming more aware of the situation? In such cases, who should be responsible?


From: Chris Hoofnagle
Subject: Resources on Expungement and Criminal Identity Theft
Wed Oct 26, 2005 1:37 pm

Paul Jones has experienced a very difficult situation, known as "criminal identity theft." One of my current interns has had this problem too, and he has a criminal record in California pertaining to another person that he cannot purge. It demonstrates one of the complications with the rise of personal information databases--institutions tend to trust them more than they trust people.

States are taking a number of steps to address this problem. There is better training and oversight of employees at DMVs, but one can still buy a fake driver's license for a couple of thousand of dollars. Some DMVs are employing facial recognition systems to discover whether the same person is obtaining multiple driver's licenses.

Overall, there needs to be better methods for expungement of criminal records, especially now that there is a growing problem of "wrongful criminal records." EPIC has a page on expungement at:

http://epic.org/privacy/expungement/

And identity theft expert Beth Givens has resources on criminal identity theft at:

http://www.privacyrights.org/fs/fs17g-CrimIdTheft.htm


From: James Van Dyke
Subject: RE: Resources on Expungement and Criminal Identity Theft
Wed, 26 Oct 2005 22:11:00 -0500

If you are listing resources and tips for consumers, please also list www.idsafety.net. The quiz is based on the novel idea that quizzes which provide advice should only be based on objective research data. The content on this site is from Javelin, although this site is co-sponsored by the Better Business Bureau.


From: Jim Harper
Subject: RE: Resources on Expungement and Criminal Identity Theft
Wed, 26 Oct 2005 21:22:42 -0400

What consequences befall a government agency, and the people in it, if it persists in getting an identification wrong? Almost none.

What consequences befall a private entity, and the people in it, if it persists in getting an identification wrong? Some.

I think this explains the differential responses Mr. Jones has seen in trying to clean up this identity fraud mess. While I don't think either one does that good a job, the government agency has the most power to mess up your life and the least incentive to get it right. It's a serious problem in either case, but much more serious when you could be arrested at gunpoint, assumed armed and dangerous, because the DMV is lackadaisical about straightening out its records.

The root of this problem is the government monopoly on identification and credentialing services. Identification could be done by a variety of the companies and card issuers that know us. There could be a diversity of systems that allow us to tailor who knows what about us and that provide anonymous access to goods, services, and infrastructure. At the same time, there could be bullet-proof identification mechanisms that would completely clear Mr. Jones of any suspicion based on this identity fraud.

These systems are only in the design phase, and it will take a huge amount of effort to dislodge public bureaucracies from their dominant role in this field. Up to this point, the only major institution that seems to recognize the value of identification as an economic service (akin to payments, communications, and so on) is the American Association of Motor Vehicle Administrators. They are working to further lock up the field for their bureaucrat membership. And they are tightening the national identification system in the process.

I'm sorry to say it but: expect things to get worse before they get better.


From: CNET News.com
Subject: Encryption: Should it be legally required?
Thu, 27 Oct 2005 08:18:47 -0700

Chris Hoofnagle wrote:

"Paul Jones has experienced a very difficult situation, known as 'criminal identity theft.' One of my current interns has had this problem too, and he has a criminal record in California pertaining to another person that he cannot purge. It demonstrates one of the complications with the rise of personal information databases--institutions tend to trust them more than they trust people."

This invites another question that might be worthy of discussion. I doubt encryption would have helped Paul but it seems like it would have helped in many other cases of lost mag tapes, purloined laptops, and not-entirely-erased hard drives.

Should the government require that sensitive databases be encrypted? Or should it just strongly encourage it through measures like the California law?

If encryption is encouraged or mandatory, who determines if the encryption is "good enough" as technology advances--would that invite ongoing (and unwholesome) government regulation of software design?


From: Chris Hoofnagle
Subject: Encryption
Thu, 27 Oct 2005 09:43:06

I think the short answer to News.com's first question is no. It makes sense to instead let companies decide what specific methods are most effective and workable to protect consumer data, provided that there is a long-enough stick to ensure security.

One of EPIC's fall projects is the problem of unauthorized access to phone records. In that context, investigators are obtaining records by pretending to be the account holder (which is easy, because investigators have access to data broker files that contain common authenticators like the SSN, mother's maiden name, and date of birth). I think that the phone record problem points to a couple of important issues surrounding security: 1) that security issues are tied to privacy issues. If the investigators didn't have Choicepoint/LexisNexis access, they would have a much more difficult time impersonating the account holder. 2) that encryption just doesn't apply to some threats, like pretexting. 3) Audit logs might be just as effective as encryption to address insider threats, and pretexters. Employees who know that their access to data is being recorded in an immutable log are less likely to sell data. And an audit log can help in detecting fraud after the fact.

As for News.com's second question, how do you write regulation to ensure encryption is good enough? ROT-13 might be used if encryption goes undefined, right? The answer is to create a definition that changes with advances in technology. In the FCRA, the sliding scale is "maximum possible accuracy." Consumer reporting agencies aren't told how to achieve this goal technologically, but they are under a burden to find ways to do it.

I think the definition in the CFR deals with the encryption problem pretty well: "Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." 45CFR164


From: Orson Swindle (former FTC commissioner)
Subject: Thoughts on conversation of the first 3 days
Thu, 27 Oct 2005 12:05:53

My apologies to all--I have been traveling and demands prevented me from participating. However, I have been trying to follow the discussion on BlackBerry (not easy, I found).

For what it is worth, here are some thoughts regarding the past three days of dialogue:

First, a rather obvious statement: We are where we are regarding information security. We have problems, though perhaps not equal to the rhetoric, but we do have problems, and we need to get on with resolving them as best and as fast as we can--together. Everyone who engages in Web-based technologies has a stake (and a responsibility) in this from the highest levels of firms, government, organizations and right down to the end-users and consumers. The benefits of this technology (and competition) have distracted us from insisting on adequate info security technology and safe practices. The known and unknown vulnerabilities of the technology were not adequately addressed during the heady days of the internet expansion phenomena. We are now faced with myriad vulnerabilities taking a toll in terms of resources, not to mention contributing heavily to a trust deficit on the part of consumers as well as businesses and institutions.

Too many in business want a government-keep-your-hands-off approach. At the opposite extreme, many privacy advocates would so regulate information practices that critical flows of info would be severely impaired, with unintended adverse economic effects. The answers to our problems obviously are somewhere in between and both sides of the debate need to be committed to an acceptable solution for the common good. The solutions will require a lot of players with differing views working together, new technologies and above all, lots of rational thinking ... and maybe some refined regulation.

As Jim Harper began the conversation, info security failures have consequences...better said, they must have consequences. The FTC's BJs Wholesale Club case is affirmation that if you use information, you are expected to protect it.

The market place has many punishments for those who fail, as evidenced in the many info security breach revelations of this year. Jim weighs in on one of them: Legal liabilities. Add to that, diminished, if not outright destroyed, firm or brand name reputation; adversely affected stock value; loss of business; and, of course, government regulatory intervention. None are courses of action or results to be wished for.

Worst of all, however, would be a growing trust deficit, a significant loss of trust and confidence in information technology. The consequences of that would be quite grim.

Solutions by regulatory process are painfully slow, and, it can reasonably be argued, woefully inadequate, sometimes doing more harm than good. Yet, inadequate commitment on the part of the private sector to solve the problems or failure to protect against simple negligence, such as we read of daily, almost surely begets more regulation. Politicians are inspired 'to do something' amidst emotional uproar. In other words, the private sector, through its own conduct or lack of responsible action, often creates the perceived need for that which it does not want.

Chris Hoofnagle is correct: Consumer fraud has enormously painful consequences for the victims. James Van Dyke is correct--some regulation can help. But it must be rational regulation, that fills a void where the market has failed, and then only to the degree necessary. Our goal must be to provide essential information security and privacy protection while at the same time protecting essential free flows of information. A debate in which the extremes insist on winning will not lead us to practical and effective solutions.

Too often, legislative initiatives are poorly considered, filled with unintended consequences, too late to do any good, and are often used by political figures to declare victory and move on to the next problem, especially in even numbered years. This leaves regulators and law enforcers befuddled, businesses burdened and consumers filled with unrealistic expectations.

Regulation compliance often has the unintended (perhaps not totally unintended after the lobbyists get through with it) consequence of being manageable by big firms while drowning small firms, who might otherwise be competitive with those big firms.

Chris Hoofnagle, using IRSG as the example, suggests that industry has failed in performance and in keeping our trust. He also challenges Jim Harper for criticizing the government's politicians and bureaucrats. The point we must remember is that we collectively are dealing with complex technology that anyone is free to use. Controls, technology protections, user conduct and practices, and quality control are immensely challenging aspects of this hugely complex playing field. No new law, new technology nor new law enforcement action alone is going to bring about the comfort levels that we need. Our challenge is not unlike eating an elephant. We will have to do it one bite at a time, and we all must sit down at the table and dig in!


From: California Sen. Joe Simitian
Subject: Identity theft and encryption
Thu, 27 Oct 2005 12:05:11

I'm among those who believe that government can sometimes be part of the problem, rather than part of the solution. That's why I thought it important that the provisions of AB 700 (California's Data Breach Notification Law) also apply to government entities, not just private sector actors. What's sauce for the goose is sauce for the gander.

That's also why I authored California's AB 1219 in 2002, dealing with the issue of criminal identity theft (the problem experienced by reader Paul Jones and by Chris Hoofnagle's intern). Prior to AB 1219 California residents who were victims of criminal identity theft were largely on their own--obliged to undertake costly and time consuming legal action to clear their records.

AB 1219 established a process in California for an expedited resolution of criminal identity theft upon a motion by the court or prosecuting attorney. In other words, "the system" can resolve the problem for the victim, without further burdening the already victimized subject of criminal identity theft.

I would also agree that the government's role in issuing identity documents of various types makes it incumbent on government to consider the consequences of its decisions. In pushing for some privacy protections when government identity documents employ contactless RFID (see below), I ran into opposition not only from private sector opponents with their eye on the bottom line, but also from potential public sector document issuers who are inclined to worry more about cost and convenience than privacy and security matters.

As for encryption, California's Data Breach Notification Law (AB 700) provides a strong incentive for encryption in that its notice requirements apply to non-encrypted data, but not to encrypted data.

The issue of encryption, and what level is "good enough," is a real challenge. I'm currently experiencing this with industry opposition to my SB 768 (formerly SB 682) dealing with the use of contactless RFID in government identity documents.

Whatever I propose in the way of encryption, industry opposes; but industry declines to offer an alternative standard that is acceptable to industry. It should be possible to tie our notions of "good enough" encryption to a dynamic standard (established and updated over time, for example, by NIST or FIPS).

The fact that technology improves over time can't be the excuse for providing no protection whatsoever.


From: Orson Swindle
Subject: Re: Encryption: Should it be legally required?
Thu, 27 Oct 2005 12:33:03

I suspect we are looking at a situation in which the debate is not "if," but when. Multiple factor authentication and encryption would appear to be inevitable as the "attackers" seeking valuable personal information for identity-based fraud get more and more sophisticated. That word "valuable" is important. If it is valuable, like everything else we value, we will learn and want to protect it (sensitive personal information).

I can imagine a tiered security structure, for example, with the "serious" user of e-commerce (in its many facets) having financial accounts being secured very strongly through two-factor authentication and encryption so that you know for certain with whom you are communicating and the institution or business or person on the other end knows as well. On the other end of the spectrum would be the casual email user with a much less protected environment. This would seem to demand the more sophisticated environment be protected from the less secure/authenticated.

The point is, I cannot see us going much further without some "restructuring" -- we must achieve greater security which inevitably will mean authentication beyond today's common password requirements, as well as encryption.

The approach will likely (and properly) be market-driven rather than a government decree (unfunded mandate). Like privacy, consumers will demand better security of those with whom they have relationships, and businesses and organizations (although perhaps slowly) and competition will respond. Consumers and business relationships will increasingly demand more protection.

As some bright person once said, consumers want to feel secure, in control and want what they want when they want it. Feeling secure and being in control are suffering right now. Consumers might just walk away without them.

Technology is evolving which can make practical and easy to use, two factor authentication a reality, thus not in conflict with "want what they want when they want it." To feel secure and in control, a little inconvenience will likely be acceptable. We sacrifice convenience in many aspects of our daily lives to alter our surroundings and relationships to something with which we can feel comfortable.

As to "good enough" regarding encryptions, surely there can be consensus on that!

(Note: In the interest of full disclosure, I am a long-time user of RSA tokens and recently joined the board of directors of RSA Security.)

Other discussions: Monday | Tuesday | Wednesday | Friday
Experts' Roundtable: Thursday, October 27, 2005

The members of this Roundtable panel have agreed to have a discussion with News.com editors and our readers. Although we cannot guarantee a response for every e-mail, you can submit your questions for panelists here.

Click here to return to the main discussion page.

Thursday: Encryption and responsibility

From: CNET News.com
Subject: ID Fraud: Who should be responsible?
Wed, 26 Oct 2005 09:39:09 -0700

One of our readers asked the following question about his own experiences, in which private companies were more helpful than government agencies when dealing with ID fraud.

CNET reader Paul Jones wrote:

As a victim of ID theft, I've often wanted to find a public forum through which I can express my opinion as to whom the real villains are in ID theft: it's the Government.

No, this is not an anarchist view. Rather, it's a statement of fact. When my ID was stolen in 2001, the perpetrators acquired several credit cards in my name, along with a mobile phone and service. It took just a few weeks to clean up that mess, as the credit reporting agencies and credit card issuers were very quick to respond to my written letters. However, the real damage came from the State of Indiana. One of the two perpetrators received a driver's license in my name. It is now 2005 and I still do not have that issue resolved. I have talked with the Indiana DMV repeatedly, but it's simply no use. As it is, I cannot go to any state in the United States and get a driver's license without also taking a piece of paper with me that says that the records the Indiana DMV have on file do not appear to be me.

In my opinion, companies should and, by and large do, make an effort to protect people's private information. The real question is what should our government do in order to address problems like mine where stolen information results in bogus records that are not removed from the system? Shouldn't the government have procedures in place to handle these kinds of issues? Are there any insights to be gleaned from the relative efficiency of the market process vs. the political process? Are companies becoming more aware of the situation? In such cases, who should be responsible?


From: Chris Hoofnagle
Subject: Resources on Expungement and Criminal Identity Theft
Wed Oct 26, 2005 1:37 pm

Paul Jones has experienced a very difficult situation, known as "criminal identity theft." One of my current interns has had this problem too, and he has a criminal record in California pertaining to another person that he cannot purge. It demonstrates one of the complications with the rise of personal information databases--institutions tend to trust them more than they trust people.

States are taking a number of steps to address this problem. There is better training and oversight of employees at DMVs, but one can still buy a fake driver's license for a couple of thousand of dollars. Some DMVs are employing facial recognition systems to discover whether the same person is obtaining multiple driver's licenses.

Overall, there needs to be better methods for expungement of criminal records, especially now that there is a growing problem of "wrongful criminal records." EPIC has a page on expungement at:

http://epic.org/privacy/expungement/

And identity theft expert Beth Givens has resources on criminal identity theft at:

http://www.privacyrights.org/fs/fs17g-CrimIdTheft.htm


From: James Van Dyke
Subject: RE: Resources on Expungement and Criminal Identity Theft
Wed, 26 Oct 2005 22:11:00 -0500

If you are listing resources and tips for consumers, please also list www.idsafety.net. The quiz is based on the novel idea that quizzes which provide advice should only be based on objective research data. The content on this site is from Javelin, although this site is co-sponsored by the Better Business Bureau.


From: Jim Harper
Subject: RE: Resources on Expungement and Criminal Identity Theft
Wed, 26 Oct 2005 21:22:42 -0400

What consequences befall a government agency, and the people in it, if it persists in getting an identification wrong? Almost none.

What consequences befall a private entity, and the people in it, if it persists in getting an identification wrong? Some.

I think this explains the differential responses Mr. Jones has seen in trying to clean up this identity fraud mess. While I don't think either one does that good a job, the government agency has the most power to mess up your life and the least incentive to get it right. It's a serious problem in either case, but much more serious when you could be arrested at gunpoint, assumed armed and dangerous, because the DMV is lackadaisical about straightening out its records.

The root of this problem is the government monopoly on identification and credentialing services. Identification could be done by a variety of the companies and card issuers that know us. There could be a diversity of systems that allow us to tailor who knows what about us and that provide anonymous access to goods, services, and infrastructure. At the same time, there could be bullet-proof identification mechanisms that would completely clear Mr. Jones of any suspicion based on this identity fraud.

These systems are only in the design phase, and it will take a huge amount of effort to dislodge public bureaucracies from their dominant role in this field. Up to this point, the only major institution that seems to recognize the value of identification as an economic service (akin to payments, communications, and so on) is the American Association of Motor Vehicle Administrators. They are working to further lock up the field for their bureaucrat membership. And they are tightening the national identification system in the process.

I'm sorry to say it but: expect things to get worse before they get better.


From: CNET News.com
Subject: Encryption: Should it be legally required?
Thu, 27 Oct 2005 08:18:47 -0700

Chris Hoofnagle wrote:

"Paul Jones has experienced a very difficult situation, known as 'criminal identity theft.' One of my current interns has had this problem too, and he has a criminal record in California pertaining to another person that he cannot purge. It demonstrates one of the complications with the rise of personal information databases--institutions tend to trust them more than they trust people."
This invites another question that might be worthy of discussion. I doubt encryption would have helped Paul but it seems like it would have helped in many other cases of lost mag tapes, purloined laptops, and not-entirely-erased hard drives.

Should the government require that sensitive databases be encrypted? Or should it just strongly encourage it through measures like the California law?

If encryption is encouraged or mandatory, who determines if the encryption is "good enough" as technology advances--would that invite ongoing (and unwholesome) government regulation of software design?


From: Chris Hoofnagle
Subject: Encryption
Thu, 27 Oct 2005 09:43:06

I think the short answer to News.com's first question is no. It makes sense to instead let companies decide what specific methods are most effective and workable to protect consumer data, provided that there is a long-enough stick to ensure security.

One of EPIC's fall projects is the problem of unauthorized access to phone records. In that context, investigators are obtaining records by pretending to be the account holder (which is easy, because investigators have access to data broker files that contain common authenticators like the SSN, mother's maiden name, and date of birth). I think that the phone record problem points to a couple of important issues surrounding security: 1) that security issues are tied to privacy issues. If the investigators didn't have Choicepoint/LexisNexis access, they would have a much more difficult time impersonating the account holder. 2) that encryption just doesn't apply to some threats, like pretexting. 3) Audit logs might be just as effective as encryption to address insider threats, and pretexters. Employees who know that their access to data is being recorded in an immutable log are less likely to sell data. And an audit log can help in detecting fraud after the fact.

As for News.com's second question, how do you write regulation to ensure encryption is good enough? ROT-13 might be used if encryption goes undefined, right? The answer is to create a definition that changes with advances in technology. In the FCRA, the sliding scale is "maximum possible accuracy." Consumer reporting agencies aren't told how to achieve this goal technologically, but they are under a burden to find ways to do it.

I think the definition in the CFR deals with the encryption problem pretty well: "Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." 45CFR164


From: Orson Swindle (former FTC commissioner)
Subject: Thoughts on conversation of the first 3 days
Thu, 27 Oct 2005 12:05:53

My apologies to all--I have been traveling and demands prevented me from participating. However, I have been trying to follow the discussion on BlackBerry (not easy, I found).

For what is worth, here are some thoughts regarding past three days of dialogue:

First, a rather obvious statement: We are where we are regarding information security. We have problems, though perhaps not equal to the rhetoric, but we do have problems, and we need to get on with resolving them as best and as fast as we can--together. Everyone who engages in Web-based technologies has a stake (and a responsibility) in this from the highest levels of firms, government, organizations and right down to the end-users and consumers. The benefits of this technology (and competition) have distracted us from insisting on adequate info security technology and safe practices. The known and unknown vulnerabilities of the technology were not adequately addressed during the heady days of the internet expansion phenomena. We are now faced with myriad vulnerabilities taking a toll in terms of resources, not to mention contributing heavily to a trust deficit on the part of consumers as well as businesses and institutions.

Too many in business want a government-keep-your-hands-off approach. At the opposite extreme, many privacy advocates would so regulate information practices that critical flows of info would be severely impaired, with unintended adverse economic effects. The answers to our problems obviously are somewhere in between and both sides of the debate need to be committed to an acceptable solution for the common good. The solutions will require a lot of players with differing views working together, new technologies and above all, lots of rational thinking ... and maybe some refined regulation.

As Jim Harper began the conversation, info security failures have consequences...better said, they must have consequences. The FTC's BJs Wholesale Club case is affirmation that if you use information, you are expected to protect it.

The market place has many punishments for those who fail, as evidenced in the many info security breach revelations of this year. Jim weighs in on one of them: Legal liabilities. Add to that, diminished, if not outright destroyed, firm or brand name reputation; adversely affected stock value; loss of business; and, of course, government regulatory intervention . None are courses of action or results to be wished for.

Worst of all, however, would be a growing trust deficit, a significant loss of trust and confidence in information technology. The consequences of that would be quite grim.

Solutions by regulatory process are painfully slow, and, it can reasonably be argued, woefully inadequate, sometimes doing more harm than good. Yet, inadequate commitment on the part of the private sector to solve the problems or failure to protect against simple negligence, such as we read of daily, almost surely begets more regulation. Politicians are inspired 'to do something' amidst emotional uproar. In other words, the private sector, through its own conduct or lack of responsible action, often creates the perceived need for that which is does not want.

Chris Hoofnagle is correct: Consumer fraud has enormously painful consequences for the victims. James Van Dyke is correct--some regulation can help. But it must be rational regulation, that fills a void where the market has failed, and then only to the degree necessary. Our goal must be to provide essential information security and privacy protection while at the same time protecting essential free flows of information. A debate in which the extremes insist on winning will not lead us to practical and effective solutions.

Too often, legislative initiatives are poorly considered, filled with unintended consequences, too late to do any good, and are often used by political figures to declare victory and move on to the next problem, especially in even numbered years. This leaves regulators and law enforcers befuddled, businesses burdened and consumers filled with unrealistic expectations.

Regulation compliance often has the unintended (perhaps not totally unintended after the lobbyists get through with it) consequence of being manageable by big firms while drowning small firms, who might otherwise be competitive with those big firms.

Chris Hoofnagle, using IRSG as the example, suggests that industry has failed in performance and in keeping our trust. He also challenges Jim Harper for criticizing the government's politicians and bureaucrats. The point we must remember is that we collectively are dealing with complex technology that anyone is free to use. Controls, technology protections, user conduct and practices, and quality control are immensely challenging aspects of this hugely complex playing field. No new law, new technology nor new law enforcement action alone is going to bring about the comfort levels that we need. Our challenge is not unlike eating an elephant. We will have to do it one bite at a time, and we all must sit down at the table and dig in!


From: California Sen. Joe Simitian
Subject: Identity theft and encryption
Thu, 27 Oct 2005 12:05:11

I'm among those who believe that government can sometimes be part of the problem, rather than part of the solution. That's why I thought it important that the provisions of AB 700 (California's Data Breach Notification Law) also apply to government entities, not just private sector actors. What's sauce for the goose is sauce for the gander.

That's also why I authored California's AB 1219 in 2002, dealing with the issue of criminal identity theft (the problem experienced by reader Paul Jones and by Chris Hoofnagle's intern). Prior to AB 1219 California residents who were victims of criminal identity theft were largely on their own--obliged to undertake costly and time consuming legal action to clear their records.

AB 1219 established a process in California for an expedited resolution of criminal identity theft upon a motion by the court or prosecuting attorney. In other words, "the system" can resolve the problem for the victim, without further burdening the already victimized subject of criminal identity theft.

I would also agree that the government's role in issuing identity documents of various types makes it incumbent on government to consider the consequences of its decisions. In pushing for some privacy protections when government identity documents employ contactless RFID (see below), I ran into opposition not only from private sector opponents with their eye on the bottom line, but also from potential public sector document issuers who are inclined to worry more about cost and convenience than privacy and security matters.

As for encryption, California's Data Breach Notification Law (AB 700) provides a strong incentive for encryption in that its notice requirements apply to non-encrypted data, but not to encrypted data.

The issue of encryption, and what level is "good enough," is a real challenge. I'm currently experiencing this with industry opposition to my SB 768 (formerly SB 682) dealing with the use of contactless RFID in government identity documents.

Whatever I propose in the way of encryption, industry opposes; but industry declines to offer an alternative standard that is acceptable to industry. It should be possible to tie our notions of "good enough" encryption to a dynamic standard (established and updated over time, for example, by NIST or FIPS).

The fact that technology improves over time can't be the excuse for providing no protection whatsoever.


From: Orson Swindle
Subject: Re: Encryption: Should it be legally required?
Thu, 27 Oct 2005 12:33:03

I suspect we are looking at a situation in which the debate is not "if," but when. Multiple factor authentication and encryption would appear to be inevitable as the "attackers" seeking valuable personal information for identity-based fraud get more and more sophisticated. That word "valuable" is important. If it is valuable, like everything else we value, we will learn and want to protect it (sensitive personal information).

I can imagine a tiered security structure, for example, with the "serious" user of e-commerce (in its many facets) having financial accounts being secured very strongly through two-factor authentication and encryption so that you know for certain with whom you are communicating and the institution or business or person on the other end knows as well. On the other end of the spectrum would be the casual email user with a much less protected environment. This would seem to demand the more sophisticated environment be protected from the less secure/authenticated.

The point is, I cannot see us going much further without some "restructuring" -- we must achieve greater security which inevitably will mean authentication beyond today's common password requirements, as well as encryption.

The approach will likely (and properly) be market-driven rather than a government decree (unfunded mandate). Like privacy, consumers will demand better security of those with whom they have relationships, and businesses and organizations (although perhaps slowly) and competition will respond. Consumers and business relationships will increasingly demand more protection.

As some bright person once said, consumers want to feel secure, in control and want what they want when they want it. Feeling secure and being in control are suffering right now. Consumers might just walk away without them.

Technology is evolving which can make practical and easy to use, two factor authentication a reality, thus not in conflict with "want what they want when they want it." To feel secure and in control, a little inconvenience will likely be acceptable. We sacrifice convenience in many aspects of our daily lives to alter our surroundings and relationships to something with which we can feel comfortable.

As to "good enough" regarding encryptions, surely there can be consensus on that!

(Note: In the interest of full disclosure, I am a long-time user of RSA tokens and recently joined the board of directors of RSA Security.)