Don’t Blame the Internet for Data Security Problems

As widely reported, personal data about some 26.5 million veterans fell into the wrong hands as the result of a mistake by the federal Department of Veterans Affairs. Apparently a Department employee had brought home computer disks containing the personal data (contrary to Department policy) and his home was burglarized. See this Washington Post story and the Department’s statement about the incident for full details.

Dan Solove offers his usual sharp observations about this huge privacy violation. I would add one more: data security and identity theft are often referred to, in a sloppy way, as problems arising from the internet. This is mistaken. The present incident has nothing to do with the internet. Nor did other recent headline-making data breaches, including the ChoicePoint fiasco. My favorite recent story is the delivery of the Boston Globe to newsstands wrapped in paper that had come from the recycling bin — and happened to list subscribers’ names and credit card information!

To be sure, digitization of information increases the risk of security breaches enormously. In an analog world, millions of files would have taken up huge rooms and this government employee could not have slipped them into his briefcase. (Indeed, in a pre-digital world the information could not have been collected and processed very easily so the government would possess less of it in the fist place.) But it is crucial not to blame this digitization issue on the internet. While in theory networked computers might be vulnerable to hacking by identity thieves, that is not the way it usually happens, at least so far. This fairly comprehensive list of known breaches suggests that a large proportion of those that do involve hacking occur at universities — I would surmise they are committed by students breaking into the school’s computers trying to snoop or change grades or pull a prank (echoes of WarGames, except the movie came out before today’s undergrads were born) rather than sophisticated thieves trying to steal identities for financial gain.

The biggest threat is far more prosaic. It’s lost packages, dumb employees, poor security, and plain old-fashioned stealing. It’s the fact that so much personal data is aggregated and stored to begin with. Just as the persistent myth of “stranger danger” interferes with fighting more predominant forms of sexual assault such as date rape, so too we must guard against thinking of identity theft as the domain of high-tech hackers — whatever the sensationalism of the 11:00 news and mass-market paperbacks might suggest in either case.

4 Responses to “Don’t Blame the Internet for Data Security Problems”

  1. Bill, you’re quite correct that many of the most egregious privacy breaches that have made the news in the last few years occurred through relatively “low tech” means, such as the pilfering of data tapes that turned out to be unencrypted. The internet adds *something* to the overall level of risk, though, doesn’t it? Digitized information is subject to one level of risk if it’s kept on a machine that’s not connected to the internet; a higher level of risk if it’s networked but behind a strong firewall; and still a higher level if it’s kept on a machine that’s unpatched and running software that’s known to be vulnerable. What the internet enables (particularly in the latter scenario) is remote attack by individuals who don’t have to physically gain access to the (possibly physically secure) environment in which the data is stored, and who have a correspondingly lower risk of detection and capture. That is a qualitatively different risk than the burglary/corrupt employee/inept courier scenario, and it’s a risk that is traceable directly to the prevalence of the internet, isn’t it? That comparatively few attacks have so far occurred through such means doesn’t mean the internet doesn’t alter the threat profile in ways about which reasonable people should remain vigilant. Or do I have it wrong?

  2. No, Tim, I agree. Certainly I would not contest the fact that the internet increases data security risks to some extent. And of course we should take prudent precuations against that risk. I used all the important qualifiers! (e.g.: “biggest”; “usually”)

    But still, loose talk about identity theft risks as a *product* of the internet — as an internet problem — get it wrong. The core of the issue is the collection, digitization, and handling of data.

    Two bad consequences of getting it wrong in this way: (1) Further contribution to sloppy and dangerous “the internet is out of control and we must control it” rhetoric; and (2) focusing ameliorative resources (legal, code, economic, and other) on the wrong aspect of the problem.

  3. A fair cautionary message here pointing out the “prosaic” nature of most security breaches. However, surely the ‘net itself (i.e., the ‘net in the broad sense, including those who populate it) shares some responsibility for the anxious rhetoric. The confusion of plain old boring inadequate security with some sexier higher tech variety of hacking and sabotage is also embraced by components of ‘net “culture” (for lack of a better word). Think “social engineering,” for example, a rather lofty term which more often than not means “con game” rather than nerdy tinkering with code.

  4. [...] A column in today’s Washington Post by technology writer Leslie Walker gives further context to my earlier post emphasizing how often identity theft stems from garden-variety con artists and poor security by data collectors rather than any kind of high-tech hijinks by sophisticated computer criminals.  Walker writes: [...]