Stealing without taking
If your data is stolen, how do you really know that it was? CNET's Robert Vamosi speaks with Verdasys CTO Dan Geer about data theft.
Verdasys CTO Dan Geer says one of the problems with data theft is that it has nothing in common with our current attitudes toward possession and loss. I recently talked with Geer about protecting your computer assets, and at one point he started quoting that famous Joni Mitchell line, "You don't know what you've got till it's gone."
(Data theft) is one place where our intuition about physical objects and our intuition about data can't be the same.
If I steal your car, you are likely to notice. Or putting it differently, if I have your whatever it is, your car, then you don't. This is, I think, technically called an exclusion principle.
But, that's one characteristic of the physical world that does not apply to the digital world inasmuch as I can have your data and you do too. The fact that I can have it and you do too means at least, as a matter of logic, that if I steal it you will not have evidence that it is gone unless you stumble over it being misused somewhere.
With respect to the TJX firm, I believe that's in fact what was happening; they were finding evidence in misuse. With respect to the loss of e-mail addresses from Ameritrade, they discovered that people who had used an e-mail address that was fabricated purely for the purpose of being used at Ameritrade, ended up showing up in other places. Therefore (the e-mail) had to have been stolen, and you know where it came from.
There are many examples like this where just because I took your data doesn't mean you lost a thing. It's only when I misuse it--and unless you are in a position to see this misused, strictly speaking--you won't know it's gone. Which is, again, different than your car, your lawn mower, the pillow under your head at night, or anything. That's both a challenge and an interesting problem.
You can hear more of my interview with Geer in this Security Bites podcast.
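The Ameritrade detection described above depends on an address that is used at exactly one place. As an added example (not from the article or the interview), this sketch issues one keyed alias per vendor and flags mail that reaches an alias from any other organisation. The key, mailbox, domains and sample messages are constructed, and it assumes the mail provider supports plus-addressing.

```python
import hashlib
import hmac

# Constructed values for illustration only.
SECRET = b"constructed-demo-key"   # keep private so aliases cannot be guessed
MAILBOX = "alice"
DOMAIN = "example.org"


def alias_for(vendor_domain: str) -> str:
    """Derive the one address that is ever handed to this vendor."""
    tag = hmac.new(SECRET, vendor_domain.lower().encode(), hashlib.sha256)
    return f"{MAILBOX}+{tag.hexdigest()[:10]}@{DOMAIN}"


def find_leaks(vendors, inbound):
    """Return sorted (vendor, sender_domain) pairs where a vendor-only
    alias received mail from a domain that is not the vendor's own."""
    owner = {alias_for(v): v.lower() for v in vendors}
    leaks = set()
    for sender, recipient in inbound:
        vendor = owner.get(recipient.lower())
        if vendor is None:
            continue  # not a canary alias, nothing can be inferred
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        same_org = sender_domain == vendor or sender_domain.endswith("." + vendor)
        if not same_org:
            leaks.add((vendor, sender_domain))
    return sorted(leaks)


# Constructed sample: (sender, recipient) pairs as they might appear in a mail log.
VENDORS = ["broker.example", "shop.example"]
INBOUND = [
    ("statements@broker.example", alias_for("broker.example")),
    ("news@mail.shop.example", alias_for("shop.example")),
    ("promo@pennystocks.example", alias_for("broker.example")),
    ("promo@pennystocks.example", "alice@example.org"),
]

if __name__ == "__main__":
    for vendor, sender_domain in find_leaks(VENDORS, INBOUND):
        print(f"address given only to {vendor} is now used by {sender_domain}")
```

A hit shows that the address left the vendor's control, not how it left; sender domains can be forged, so treat a single hit as a lead to investigate.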