Comments on: Don’t Blame the Internet for Data Security Problems http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-security-problems/ Information, Law, and the Law of Information Tue, 24 Nov 2009 00:08:14 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Info/Law » Identity Theft and the Old-Fashioned Con http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-security-problems/comment-page-1/#comment-168 Info/Law » Identity Theft and the Old-Fashioned Con Thu, 08 Jun 2006 21:20:30 +0000 http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-secu#comment-168 [...] A column in today’s Washington Post by technology writer Leslie Walker gives further context to my earlier post emphasizing how often identity theft stems from garden-variety con artists and poor security by data collectors rather than any kind of high-tech hijinks by sophisticated computer criminals.  Walker writes: [...] [...] A column in today’s Washington Post by technology writer Leslie Walker gives further context to my earlier post emphasizing how often identity theft stems from garden-variety con artists and poor security by data collectors rather than any kind of high-tech hijinks by sophisticated computer criminals.  Walker writes: [...]

]]> By: Dean C. Rowan http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-security-problems/comment-page-1/#comment-53 Dean C. Rowan Tue, 23 May 2006 20:58:55 +0000 http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-secu#comment-53 A fair cautionary message here pointing out the "prosaic" nature of most security breaches. However, surely the 'net itself (i.e., the 'net in the broad sense, including those who populate it) shares some responsibility for the anxious rhetoric. The confusion of plain old boring inadequate security with some sexier higher tech variety of hacking and sabotage is also embraced by components of 'net "culture" (for lack of a better word). Think "social engineering," for example, a rather lofty term which more often than not means "con game" rather than nerdy tinkering with code. A fair cautionary message here pointing out the “prosaic” nature of most security breaches. However, surely the ‘net itself (i.e., the ‘net in the broad sense, including those who populate it) shares some responsibility for the anxious rhetoric. The confusion of plain old boring inadequate security with some sexier higher tech variety of hacking and sabotage is also embraced by components of ‘net “culture” (for lack of a better word). Think “social engineering,” for example, a rather lofty term which more often than not means “con game” rather than nerdy tinkering with code.

]]> By: William McGeveran http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-security-problems/comment-page-1/#comment-50 William McGeveran Tue, 23 May 2006 18:16:13 +0000 http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-secu#comment-50 No, Tim, I agree. Certainly I would not contest the fact that the internet increases data security risks to some extent. And of course we should take prudent precuations against that risk. I used all the important qualifiers! (e.g.: "biggest"; "usually") But still, loose talk about identity theft risks as a *product* of the internet -- as an internet problem -- get it wrong. The core of the issue is the collection, digitization, and handling of data. Two bad consequences of getting it wrong in this way: (1) Further contribution to sloppy and dangerous "the internet is out of control and we must control it" rhetoric; and (2) focusing ameliorative resources (legal, code, economic, and other) on the wrong aspect of the problem. No, Tim, I agree. Certainly I would not contest the fact that the internet increases data security risks to some extent. And of course we should take prudent precuations against that risk. I used all the important qualifiers! (e.g.: “biggest”; “usually”)

But still, loose talk about identity theft risks as a *product* of the internet — as an internet problem — get it wrong. The core of the issue is the collection, digitization, and handling of data.

Two bad consequences of getting it wrong in this way: (1) Further contribution to sloppy and dangerous “the internet is out of control and we must control it” rhetoric; and (2) focusing ameliorative resources (legal, code, economic, and other) on the wrong aspect of the problem.

]]> By: Tim Armstrong http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-security-problems/comment-page-1/#comment-48 Tim Armstrong Tue, 23 May 2006 17:43:28 +0000 http://blogs.law.harvard.edu/infolaw/2006/05/23/dont-blame-the-internet-for-data-secu#comment-48 Bill, you're quite correct that many of the most egregious privacy breaches that have made the news in the last few years occurred through relatively "low tech" means, such as the pilfering of data tapes that turned out to be unencrypted. The internet adds *something* to the overall level of risk, though, doesn't it? Digitized information is subject to one level of risk if it's kept on a machine that's not connected to the internet; a higher level of risk if it's networked but behind a strong firewall; and still a higher level if it's kept on a machine that's unpatched and running software that's known to be vulnerable. What the internet enables (particularly in the latter scenario) is remote attack by individuals who don't have to physically gain access to the (possibly physically secure) environment in which the data is stored, and who have a correspondingly lower risk of detection and capture. That is a qualitatively different risk than the burglary/corrupt employee/inept courier scenario, and it's a risk that is traceable directly to the prevalence of the internet, isn't it? That comparatively few attacks have so far occurred through such means doesn't mean the internet doesn't alter the threat profile in ways about which reasonable people should remain vigilant. Or do I have it wrong? Bill, you’re quite correct that many of the most egregious privacy breaches that have made the news in the last few years occurred through relatively “low tech” means, such as the pilfering of data tapes that turned out to be unencrypted. The internet adds *something* to the overall level of risk, though, doesn’t it? Digitized information is subject to one level of risk if it’s kept on a machine that’s not connected to the internet; a higher level of risk if it’s networked but behind a strong firewall; and still a higher level if it’s kept on a machine that’s unpatched and running software that’s known to be vulnerable. What the internet enables (particularly in the latter scenario) is remote attack by individuals who don’t have to physically gain access to the (possibly physically secure) environment in which the data is stored, and who have a correspondingly lower risk of detection and capture. That is a qualitatively different risk than the burglary/corrupt employee/inept courier scenario, and it’s a risk that is traceable directly to the prevalence of the internet, isn’t it? That comparatively few attacks have so far occurred through such means doesn’t mean the internet doesn’t alter the threat profile in ways about which reasonable people should remain vigilant. Or do I have it wrong?

]]>