Chapell & Associates

Thursday, June 23, 2005

Pentagon Creating Student Database

Washington Post - June 23, 2005.
The Defense Department began working yesterday with a private marketing firm to create a database of high school students ages 16 to 18 and all college students to help the military identify potential recruits in a time of dwindling enlistment in some branches. The program is provoking a furor among privacy advocates. The new database will include personal information including birth dates, Social Security numbers, e-mail addresses, grade-point averages, ethnicity and what subjects the students are studying.

The Chapell View
As the U.S. Government increasingly turns to the private sector as a means to circumvent the spirit of the Privacy Act, it's difficult to avoid feeling somewhat helpless. While I recognize that the cultural and political pendulum swings to the far right these days, I'd like to think that much of the progress made during the 1960's and early 70's isn't going vanish in the proverbial haze of post 9-11 America. But little by little, our nation is heading towards a type of surveillance society that was unimaginable even ten years ago.

posted by Isaac on Thursday, June 23, 2005 | |

Tuesday, June 21, 2005

Gov't Collected Data on Airline Passengers

NY Times - June 22, 2005
Air travelers who have been concerned about the government collecting their personal information from airlines now have a second source to worry about: commercial data aggregators. The federal agency in charge of aviation security revealed that it bought and is storing commercial data about some passengers - even though officials said they wouldn't do it and Congress told them not to. The Transportation Security Administration is testing a terrorist screening program called Secure Flight that uses information about U.S. citizens who flew on commercial airlines in June 2004. "This is like a secret file that's been compiled," said Tim Sparapani, a privacy lawyer with the American Civil Liberties Union. The TSA hopes that successful testing of Secure Flight will allow it to take over from the airlines the responsibility for checking passenger names against terrorist watch lists. But Secure Flight and its predecessor, CAPPS II, have been criticized for secretly obtaining personal information about airline passengers, not doing enough to protect it and then misleading the public about its role in acquiring the data.

The Chapell View
Congress needs to completely deconstruct the TSA - and I mean completely. Take apart the TSA office buildings a la the Abu Grave prison. Salt the earth like the Ancient Greeks used to do. Let's just take a mulligan on this one - and start over.

Adding to their list of questionable decisions, the TSA has engaged data aggregators to help...

Ahh yes, the data aggregators. The same group that disenfranchised votes in Florida a few years ago. The same groups which have come under fire recently for their role in many of the data breaches.

Anyway - I have a brand spankin new data aggregator story for you. Bear with me - I going somewhere with this.

A friend of mine works at a large Ivy League Medical Research lab. Her office engaged one of the data aggregators to compile updated information on study subjects. (Ensuring HIPAA compliance, of course.)

As you probably know, some of the large data aggregators have recently undergone some significant changes to their methods and procedures in light of the ChoicePoint scandal. About a year ago, ChoicePoint was bamboozled by a group of Nigerian credit card scammers. The scoundrels (the Nigerians, not Choicepoint) had posed as legitimate businesses in order to obtain access to ChoicePoints' data products.

In order to ensure that their company doesn't succumb to a similar fate, the data aggregator put the Ivy League Research Lab through three months of hoops - requesting copies of the university's charter, photos of the building, etc. - in order to ascertain that the university is, in fact, a legitimate entity. Seems like a bit much for me given that the University is pretty much a household name, but whatever - rules are rules. And ensuring privacy is a priority, right?

Once satisfied, the data aggregator accepts the University's data file, and begins work. After a few weeks, the data aggregator returns a file that "they're pretty sure was encrypted." Again - great idea - ensuring privacy is a priority, right? Unfortunately, the data company must have done too good a job encrypting the data, as it was completely unreadable to the University staff.

When the University complained, the data company sent over another file to the University. The good news is that the file was completely readable. The bad news is that it was the wrong file. The new file included some other company's data - including names, addresses, phone #, and private health information.

By now you're probably wondering - is there a point to this story? I have two:

1. All the planning and due diligence in the world can sometimes be undone by one careless mistake.
2. Data is becoming more burdensome to obtain. And it will only get more bureaucratic as additional privacy legislation is ushered in.

posted by Isaac on Tuesday, June 21, 2005 | |

Monday, June 20, 2005

Senate Takes Up Data Security Law - June 15, 2005
With growing evidence that Americans want new data privacy laws, the U.S. Senate opens a series of hearing today on legislative solutions to data breaches and identity theft. Thursday's full Senate Commerce Committee hearing will not specifically address any of the several bills introduced in the 109th Congress, which combat identity theft and force data brokers to disclose breaches of personal information to consumers.

The Chapell View
Not much new information here. Consumers are drawing a connection between ID theft and Internet usage - and in some cases are curtailing their use of the Internet as a result. While Spyware and online scams certainly have played a part in ID theft, most of the ID theft cases of any significance over the past six months are a result of offline data breaches. The Choicepoint scandal had nothing to do with the Internet, and neither did the recent MasterCard data breach.

posted by Isaac on Monday, June 20, 2005 | |

© 2005 by Alan Chapell & Associates LLC