Here we go again. Sensitive, personal information stolen -- and the files weren't encrypted. The negligent organization this time? NASA. Yes, the very same NASA that defeated a legal challenge last year to intrusive background checks, based in part on privacy concerns:
Justice Alito said that the plaintiffs' privacy concerns should be allayed because the Privacy Act imposes strict restrictions on how the government could use the information it obtained.
Nothing stopped it, however, from leaving personal information, in unencrypted form, on a laptop in a parked car. That's where the thieves found it. Data on 10,000 NASA employees, including social security numbers, dates of birth, and -- yes -- some of that background check information the Supreme Court was so confident could be protected.
But this is beyond a joke. Only last week, I wrote about the theft of hundreds of thousands of unencrypted records from the South Carolina Department of Revenue. Do people think encryption is something that exists only in spy novels? Trying to get states to focus on adequate security measures may be like herding cats, but at the level of federal agencies, somebody needs to take ownership of this problem.
We have a seemingly intractable challenge with trusted identities in cyberspace -- ensuring that only the right people get to look at files. But we could, at least, encrypt the sensitive data contained therein. Encryption isn't perfect; keys can be stolen. But it's better than no encryption at all.
One argument against encryption, of course -- especially full disk encryption -- is cost. Some analysts maintain that the benefit of encryption in mitigating damage from data breaches more than justifies the expenditure involved. Others advocate encrypting data only when necessary.
In my book, when sensitive data is going to be placed on a laptop, and taken outside the security perimeter, it's necessary.
What other data from federal agencies is sitting unattended in the backs of cars? Remember, we still have a rump of Republican senators filibustering attempts to pass cybersecurity standards for the national grid. To the extent the grid is in private hands, security is unsupervised; to the extent it's in the hands of federal agencies -- well, given this example from NASA, we might as well give up.
If we're not going to give up, however, what we need are mandatory security benchmarks, at least for government departments and agencies. It's not impossible: FedRAMP (the Federal Risk and Management Program) has set standards for federal use of cloud computing services.
I'm asking for something more basic. Rules on the storage, distribution, and use of defined types of sensitive data, together with sanctions if the rules are broken. Once the federal government has standards in place, it can engage again in the difficult task of persuading the private sector to adopt standards at least as stringent.
I would say, as we all know, file encryption can be done through free PGP implementation. Drive encryption is TrueCrypt or BitLocker on Windows, they are free too. There might be overhead coming if you do encryption on root drives but on data drives benefits outweighs the overhead.
Agree. I have been using GnuPG for long time, easy to implement and quite effective when you want to share data with external entities. There is no reason why we do not encrypt everything that leaves our data center.
@Kim - I cannot find anything about the Massachusetts hard-drive purchase incident online. Maybe someone paid to get this story sanitized from the Internet before the campaign began, or maybe I'm just not looking in the right place. If you find a link, can you post it.
That if you travel abroad with an encrypted hard drive, that you're not exposing yourself to liability of exporting banned technology. Some encryption is legally prohibited from export....
Amen to that! Encryption can be the difference between being sued to thriving. I have no idea on what NASA was thinking since a technological company should know better than that. However, with that being said it does seem like those who know better are the worse offenders of not following the rules. It makes the statement "do as I say and not what I do" to be very true. Hopefully whoever was behind the lack of encryption will face the music over this big brouhaha at last.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Edward Snowden was so convinced that the Prism program involved secretive surveillance through Internet backdoors that he walked out on his job and his girlfriend, spoke to the media, and resigned himself to jail, or worse. It turns out, he might just be wrong.
In one of the nastiest -- not to mention large scale and long-term -- hacking exploits yet to be reported, it appears that the Chinese army has been rummaging through the data of those who have served in the US Armed Forces.
ASA Risk Consultants added its voice this week to the slowly growing chorus of voices demanding a coordinated international response to cyberattacks. In a research note circulated by IDG, ASA asserts that "nations will need to come to an agreement on how cyber warfare should be handled."
Extending existing US wiretap laws to give federal agencies easier backdoor access to Internet communications -- especially real-time P2P services like VoIP -- will give, not only aid and comfort, but also technical assistance, to the country's enemies. Not to mention cyberthieves.
The plan for unmanned police drones to patrol traffic and other city conditions in Seattle has sparked a new set of legal concerns about privacy. Law traditionally lags technology, but we can expect now to see a new round of activity in the courts as legal definitions begin to emerge on what "next-gen privacy" will look like.
Ontario's information privacy commissioner explains the unintended consequences of facial recognition technology and how biometric encryption can make it safer.
David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission, discusses the state of "Do Not Track" and the problem with consumer behavior tracking online.
The US government is funding controversial projects to collect daily Internet activity, including Web searches, Twitter messages, Facebook and blog posts, and the digital location trails generated by billions of cellphones. Its goal is to map these interactions to predict social behavior, such as protests.
Law enforcement agencies are poised to use iPhones as facial recognition systems in the coming months. The technical advance promises efficiency but has created a backlash among civil liberties proponents.
Our online communications and privacy are being threatened by governments and corporations. Eben Moglen believes it's time for a People's Internet, made possible by "Freedom Boxes."
WikiLeaks' founder says that Facebook is an instrument for government spying. Whether that's true or not, we're sharing too much, and we’re on the edge of compromising the notion of identity, and with it of privacy and commercial protection.
Deep Packet Inspection to intercept behavioral data has never been a popular idea, but recent comments by the FTC and ISPs suggest that the players are dodging the most critical issue of all, which is whether DPI use should be considered wiretapping.
Big-data and analytics tools enable marketers to understand customers as individuals, identifying unmet needs and addressing each customer as a "segment of one," says John Kennedy, VP corporate marketing, IBM.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The IBM Smarter Commerce Global Summit in Monaco kicked into high gear today, and we've already begun to see news emerging from that lovely city-state by the sea.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
Email This
