Giving up Email

How long could you live without email? What would it cost in terms of lost productivity and increased difficulty and expense of communication?

I know that I could live without email. I suspect that doing so would significantly decrease my productivity (a suspicion supported by this study of the impact of email on productivity in a white collar environment). There would unquestionably be a period of adjustment when I would be most unhappy to lose what is probably my primary means of communication with friends and clients.

Now, Barack Obama is facing the prospect of losing his ability to use email (see article here). The short version of why is that there are concerns that email isn't secure enough for presidential communications, and the White House doesn't want the president to create an email paper trail which could potentially be subpoenaed. To me, this is crazy. Other secrecy sensitive professions, such as lawyers (who have to protect client confidences) have managed to make peace with the limitations of email and embraced it as a useful tool (see, e.g., this opinion regarding usage of cell phones and email by lawyers). Now, it's true that the president has information (e.g., plans for the conduct of war) which is substantially more important than the confidential information lawyers have access to. However, there's no reason for the president to be completely cut off from email.

So, given that most people are not, and will never be, president, what significance does this have for the day to day lives of ordinary individuals? Only this: I don't think Obama will do it. Even back in 2000, George W. Bush lamented having to give up his email. Since 2000, people's usage of email has increased dramatically (compare this article from 2000 which predicted email usage of about 9 megs/day/person in 2001, with this white paper which puts email usage at 19.3 megs/day/person in 2008) and Obama is a famously wired individual. I predict (though I realize that there is a note of wishful thinking in this prediction) that Obama will rebel against the prohibition on email, and will use his position as the most powerful person in the world to do something about it. Maybe he'll request that technology be put in place that will make his emails more secure, and that technology will eventually become available to the public at large. Maybe he'll propose tougher laws or regulations on network service providers so that email becomes a more secure medium of communication. Whatever the case, if Obama takes action to make being a wired professional more consistent with the heightened security requirements of being president, it can't help but have positive security implications for the country as a whole.

New Blogs (Update)

Back in June, I put up a post about a the (then new) blog Identity Theft and Business, highlighting it as a resource for news and information on identity theft. In the comments to that post, several bloggers put up links to their own blogs, which I wanted to repost here, since, as I said in the June post, the run of the mill stories about the latest thousand, or million, or ten million records being exposed get old fast, so new sources of informed comment can be good to have.
Anyway, without further ado, I'd like to highlight the Identity Theft Daily, and Identity Theft.com (featuring Sarah Smith).

Also, from the random rhetorical question file: will fact that Barack Obama's cell phone records were breached lead to broad support for privacy protective legislation since it shows that people on all parts of the political spectrum are vulnerable, or will it simply be another quickly forgotten blip in today's 24 hour news cycle? My cynical guess is the latter, but I suppose one can always hope...

Encryption and the Law

Encryption technology is so commonplace, one might think that it would be required by basically all information security laws and regulations. However, as discussed in the comments to yesterday's post, encryption isn't even required by HIPAA, one of the most well known information security laws on the books. Well, as was the case with data breach notification laws, states are stepping up to fill the void left by the Federal Government. For example, as discussed in this post at The Email Admin Massachusetts is set to implement legislation requiring encryption of personal data for its residents (rule here). It is this kind of law (+ private rights of action) that I was referring to when I said if people want legal protection they should work to get new laws passed. The Federal Government is slow, and generally lags far behind. If consumers really want to make a change, the place to do it is at the state, not the federal, level.

333,000 Unencrypted Records Exposed a Month Ago

In the "wow, that sounds bad" category, the University of Florida announced on November 12 that on October 3, they discovered that 333,000 unencrypted records for patients at the college of dentistry had been potentially accessed by unauthorized individuals. To make matters worse, the breach itself was caused when malware was remotely installed on the University's system. To make matters even worse, the malware was only discovered during a server upgrade (rather than, say, because the University's system detected and prevented installation of the malware). So, to recap, the facts (as set forth in this article from Computer World) are: (1) more than a quarter million records exposed; (2) notification takes more than a month after discovery; (3) records were patient records; (4) that were kept unencrypted; (5) on a system which was vulnerable to remote installation of malware; and (6) no automated security systems detected the remotely installed software.

Now, as it happens, I've presented the facts in such a way as to accentuate the negative, and I've done so to make a point: you aren't as protected as you think. While I don't know all the facts about this breach, simply from the facts I do know, it's not clear that any laws were broken either before or after the breach took place (other than the remote installation of the malware, of course). The HIPAA security standard regarding encryption (45 CFR 164.312(a)(2)(iv)) states that encryption of data is an addressable standard, not a required one. Similarly, Florida's security breach notification act gives a 45 day period for when notice can take place, so the month+ delay in this case could be (and, according to a spokesman, actually is) within Florida's law. Of course, even if there had been flagrant violations of both HIPAA and Florida's notification law, that wouldn't make much difference to the individuals whose information was exposed. Neither HIPAA nor Florida's law provides for a private right of action.

The bottom line? Laws relating to privacy and information security aren't as comprehensive or as effective as consumers may think. If people really want legal protection for their personal information, they should work to get new laws passed, not simply rely on the laws on the books. Otherwise, they could be in for a sad surprise when and if they try to go to court for redress when their own information is exposed.

Really valuable information

Before the election, I noted that private information of Samuel "Joe the Plumber" Wurzelbacher had been stolen, and it had been stolen in such a way (no way to know who had logged into the system, test account open for years, multiple individuals using the same log on information) that it seemed that someone had really dropped the ball on security. However, lest I give the impression that people's information is only menaced by insecure government (or large corporate) systems, I would like to present the example of the Intel Itanium Processor. The design for the Itanium processor, like Joe the Plumber's personal information, was stolen. This is true even though the Itanium processor was undoubtedly protected by the most sophisticated security available.

The moral of the story - if it has value, it is at risk of being stolen. Whether your personal information is stored on a government server with minimal security, or on a corporate server with encryption limited access, there is no such thing as complete safety.

Election eve privacy post

As you contemplate tomorrow's election, keep a place in your thoughts for Samuel Joseph Wurzelbacher, aka "Joe the Plumber." Of course, everyone knows the world's most famous plumber from John McCain's decision to repeatedly invoke him during his October 15 debate with Barack Obama. However, Joe the Plumber is more than a symbol of the economic everyman. He's also an example of the risks inherent caused by the lax security at many government databases. As described in this article, Joe the Plumber's data was access using a test account created when Ohio's Law Enforcement Information Sharing Network was created - over four years ago. Apparently, the test account was shared with several with several unidentified contractors when the system was being built, and was still available for whoever (currently no charges have been filed) accessed the Plumber's data.

It's a little surprising that this type of screw up would have happened. I count at least three glaring errors which never should have taken place that contributed. First, there was a test account left open for 4 years after the deployment of the system. Second, there were multiple contractors using the same account - in general, you should have a 1:1 user:account ratio. Third, they didn't have good enough controls to know who was actually in the account. Any system storing sensitive information should have logs which can be used to determine who accessed what and when. All in all, it sounds like whoever was in charge of security really dropped the ball.

Of course, that's why symbols like Joe the Plumber are valuable. His data security incidents reflect the risks that face us all, and serve as a potent reminder that none of us are truly safe from having our private data compromised.

And, on that happy note, I hope everyone (in the U.S.) has a great election day, and takes the time to vote.