Monday, November 3, 2008

Election eve privacy post

As you contemplate tomorrow's election, keep a place in your thoughts for Samuel Joseph Wurzelbacher, aka "Joe the Plumber." Of course, everyone knows the world's most famous plumber from John McCain's decision to repeatedly invoke him during his October 15 debate with Barack Obama. However, Joe the Plumber is more than a symbol of the economic everyman. He's also an example of the risks caused by the lax security at many government databases. As described in this article, Joe the Plumber's data was accessed using a test account created when Ohio's Law Enforcement Information Sharing Network was created - over four years ago. Apparently, the test account was shared with several unidentified contractors when the system was being built, and was still available to whoever (currently no charges have been filed) accessed the Plumber's data.

It's a little surprising that this type of screw-up would have happened. I count at least three glaring errors that contributed and never should have taken place. First, a test account was left open for 4 years after the deployment of the system. Second, multiple contractors were using the same account - in general, you should have a 1:1 user:account ratio. Third, they didn't have good enough controls to know who was actually in the account. Any system storing sensitive information should have logs which can be used to determine who accessed what and when. All in all, it sounds like whoever was in charge of security really dropped the ball.
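To make those three checks concrete, here is a small audit sketch. It is an added example, not code from the Ohio system or the linked article; the account names, workstations, records and the 90-day threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory: account -> (purpose, named owner or None, created, enabled)
ACCOUNTS = {
    "jsmith": ("production", "J. Smith", date(2006, 3, 1), True),
    "test01": ("test", None, date(2004, 6, 1), True),
    "mlee": ("production", "M. Lee", date(2007, 9, 15), True),
    "test02": ("test", None, date(2004, 6, 1), False),
}

# Constructed access log: (timestamp, account, workstation, record looked up)
ACCESS_LOG = [
    ("2008-10-16T09:12", "jsmith", "ws-114", "record-A"),
    ("2008-10-16T10:40", "test01", "ws-207", "record-B"),
    ("2008-10-16T14:05", "test01", "ws-331", "record-B"),
    ("2008-10-17T08:30", "mlee", "ws-090", "record-C"),
]

def audit(accounts, log, today, max_test_age_days=90):
    """Flag stale test accounts, accounts without exactly one user,
    and log entries that cannot be tied to a named person."""
    origins = defaultdict(set)
    for _, acct, workstation, _ in log:
        origins[acct].add(workstation)
    findings = {"stale_test": [], "shared": [], "unattributable": []}
    for name, (purpose, owner, created, enabled) in sorted(accounts.items()):
        # Error 1: a test account still enabled long after deployment.
        if purpose == "test" and enabled and (today - created).days > max_test_age_days:
            findings["stale_test"].append(name)
        # Error 2: no named owner, or use from several workstations
        # (a heuristic for sharing, not proof of it).
        if enabled and (owner is None or len(origins[name]) > 1):
            findings["shared"].append(name)
    # Error 3: accesses where the log cannot say who was in the account.
    for ts, acct, _, record in log:
        entry = accounts.get(acct)
        if entry is None or entry[1] is None:
            findings["unattributable"].append((ts, acct, record))
    return findings

if __name__ == "__main__":
    for kind, items in audit(ACCOUNTS, ACCESS_LOG, date(2008, 11, 3)).items():
        print(kind, items)
```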

Of course, that's why symbols like Joe the Plumber are valuable. His data security incidents reflect the risks that face us all, and serve as a potent reminder that none of us are truly safe from having our private data compromised.

And, on that happy note, I hope everyone (in the U.S.) has a great election day, and takes the time to vote.
