[gnso-acc-sgb] Does Secrecy Help Protect Personal Information? An essay,
- To: gnso wg-sgb <gnso-acc-sgb@xxxxxxxxx>
- Subject: [gnso-acc-sgb] Does Secrecy Help Protect Personal Information? An essay,
- From: Jeff Williams <jwkckid1@xxxxxxxxxxxxx>
- Date: Wed, 23 May 2007 03:18:38 -0700
All sgb members,
I thought this may be useful reading, especially
the next to the last paragraph. However IMHO,
and in my experience, secrecy does help protect
Personal Information, but secrecy only goes so
far in doing so... Securing Personal Information,
and being in control of who has access to it,
is necessary. Expecting third parties to do
so without serious financial remedies for failing
to do so is folly and foolhardy.

Does Secrecy Help Protect Personal Information?

Personal information protection is an economic problem, not a security
problem. And the problem can be easily explained: The organizations we
trust to protect our personal information do not suffer when information
gets exposed. On the other hand, individuals who suffer when personal
information is exposed don't have the capability to protect that
information.

There are actually two problems here: Personal information is easy to
steal, and it's valuable once stolen. We can't solve one problem without
solving the other. The solutions aren't easy, and you're not going to
like them.

First, fix the economic problem. Credit card companies make more money
extending easy credit and making it trivial for customers to use their
cards than they lose from fraud. They won't improve their security as
long as you (and not they) are the one who suffers from identity theft.
It's the same for banks and brokerages: As long as you're the one who
suffers when your account is hacked, they don't have any incentive to
fix the problem. And data brokers like ChoicePoint are worse; they
don't suffer if they reveal your information. You don't have a business
relationship with them; you can't even switch to a competitor in
disgust.

Credit card security works as well as it does because the 1968 Truth in
Lending Law limits consumer liability for fraud to $50. If the credit
card companies could pass fraud losses on to the consumers, they would
be spending far less money to stop those losses. But once Congress
forced them to suffer the costs of fraud, they invented all sorts of
security measures--real-time transaction verification, expert systems
patrolling the transaction database and so on--to prevent fraud. The
lesson is clear: Make the party in the best position to mitigate the
risk responsible for the risk. What this will do is enable the
capitalist innovation engine. Once it's in the financial interest of
financial institutions to protect us from identity theft, they will.

Second, stop using personal information to authenticate people. Watch
how credit cards work. Notice that the store clerk barely looks at your
signature, or how you can use credit cards remotely where no one can
check your signature. The credit card industry learned decades ago that
authenticating people has only limited value. Instead, they put most of
their effort into authenticating the transaction, and they're much more
secure because of it.

This won't solve the problem of securing our personal information, but
it will greatly reduce the threat. Once the information is no longer of
value, you only have to worry about securing the information from
voyeurs rather than the more common--and more financially
motivated--fraudsters.

And third, fix the other economic problem: Organizations that expose
our personal information aren't hurt by that exposure. We need a
comprehensive privacy law that gives individuals ownership of their
personal information and allows them to take action against
organizations that don't care for it properly.

"Passwords" like credit card numbers and mother's maiden name used to
work, but we've forever left the world where our privacy comes from the
obscurity of our personal information and the difficulty others have in
accessing it. We need to abandon security systems that are based on
obscurity and difficulty, and build legal protections to take over
where technological advances have left us exposed.

This essay appeared in the January issue of "Information Security," as
the second half of a point/counterpoint with Marcus Ranum.
http://informationsecurity.techtarget.com/magItem/0,291266,sid42_gci1238789,00.html
or http://tinyurl.com/2h5y5u

Marcus's half:
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/personal_info.html
or http://tinyurl.com/27e2gj

Regards,
--
Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 134k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@xxxxxxxxxxxxx
Registered Email addr with the USPS
Contact Number: 214-244-4827