Wednesday, April 26, 2006

In between the lines of personal and sensitive information

In a previous post, "Give it back!", I mentioned the ongoing re-classification of declassified information and featured some publicly known sources for information on government secrecy. Today I came across a news item that relates to the topic in another way, "States Removing Personal Data from Official Web Sites". More from the article:



"At least six states use redaction software, which digitally erases information. It can be tailored to excise nine-digit entries such as SSNs. Chips Shore, circuit court clerk for Florida's Manatee County, removed SSNs and bank account numbers from 3 million public records on the Web site. Another 2.5 million court records were redacted before going online."



That's an interesting way to fight the problem from the top, namely the personal data security breaches that never stop growing, but I wish they had either adopted the practice by default years ago, or understood today's dynamics of the threat. Even if they start implementing this on a wide scale, it doesn't mean identity theft would stop occurring, or that phishing attacks wouldn't trick them into giving the complete details. Implementing a process for securely storing, accessing and transferring such sensitive customer bank data often results in complexities, but using "redaction software" when you can actually take advantage of a risk management solution isn't the smartest move here -- yet again that's the effect of today's dynamics and ever-changing attack vectors. What's the point of putting so much effort into sanitizing the data before going online with it, when an outsourcer, or an employee whose responsibilities include working with it, will somehow expose it?


Wait, I forgot the naive customer who's still taking all the phishing emails received "personally". Don't think SSN and bank account "redaction"; think insiders and storage/database security.
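The nine-digit redaction the quoted article describes, sketched as an added example (not part of the original post, and not any state's actual software), together with a post-redaction check for what the pattern leaves behind. The function names, the separator rules and the sample record are assumptions made for illustration.

```python
import re

# Strict pattern: 3-2-4 digits with one consistent separator (hyphen, space or
# none), not embedded in a longer digit run such as a case or account number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Loose pattern for the post-redaction check: any single non-digit separators.
LOOSE_RE = re.compile(r"(?<!\d)\d{3}\D?\d{2}\D?\d{4}(?!\d)")

def is_plausible_ssn(area, group, serial):
    """Structural rules: area is never 000, 666 or 9xx; group never 00; serial never 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def redact_ssns(text):
    """Mask structurally plausible SSNs; return (redacted_text, number_masked)."""
    masked = 0
    def _mask(m):
        nonlocal masked
        area, sep, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)          # nine digits, but not an SSN: leave as is
        masked += 1
        return f"XXX{sep}XX{sep}XXXX"
    return SSN_RE.sub(_mask, text), masked

def residual_candidates(redacted_text):
    """Nine-digit runs still present after redaction, for manual review."""
    return [m.group(0) for m in LOOSE_RE.finditer(redacted_text)]

# Constructed sample record; every number below is made up for this example.
SAMPLE = (
    "Defendant SSN 123-45-6789, spouse SSN 234 56 7890.\n"
    "Case no. 2006041234567, routing 987654321.\n"
    "Handwritten note transcribed as 345.67.8901.\n"
)

if __name__ == "__main__":
    out, n = redact_ssns(SAMPLE)
    print(out)
    print("masked:", n, "left for review:", residual_candidates(out))
```

The residual list is the part worth keeping: a record can pass through redaction with a nine-digit value still in it, and only a second pass shows which ones need a human to look at them.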

With respect to removing sensitive information from the Web, I feel that the inability to successfully classify information, and to balance accountability to society to a certain extent, generates contradictory responses. If you try to take down a document that has somehow been listed on the Internet or made available in digital format, what you're actually doing is inspiring people to disseminate it, news agencies included, so make sure it doesn't appear there in the first place. Recent cases such as these:

"DOD removes missile defense system report from Web site"
"NORAD orders Web deletion of transcript"
"Air Force One data removed from Web Site revealed details of security measures on president's jets"
"Leaks of Military Files Resume"



bring more insight into the issue. It is well known that the entire Chinese information warfare doctrine is backed up by the NCW visions of the U.S. military -- they still have Sun Tzu's legacy though -- and that Al Qaeda's manuals actually quote U.S. military documents. If you know exactly what you're looking for, you will find it one way or another; just make sure information sharing doesn't end up as an information leakage event.



Going beyond achieving the balance between usability, accountability, and secrecy, I also feel that disinformation and deception are reasonably taking place as well, given the reader is actually identified and consequently influenced.