Thursday, March 27, 2008

Are data breach laws good policy?

This week Indiana passed a new data breach and notification law, which closes some loopholes in the previous law. Generally speaking, I think that's a good thing.

But what worries me about the Indiana law, as I read it (and IANAL), is that if I you, gentle reader, happen to live in Indiana and post your private information such as your name and social security number as a comment to my blog, then I could be in violation of the breach law - even though I never asked you to post it. (Or depending on how a court interprets the terms of the agreement between the individual and Blogger, it might be Blogger that would be in violation.) Simply the presence of personal information, even if it was never requested by the owner of a site, can put that site at risk.

This could obviously impact places like LinkedIn or VisualCV, where people routinely post some types of information that might be considered private (employment and education history), as well as the more obvious sites like MySpace and Facebook. If a user of LinkedIn decides to aid their job search by posting their SSN and driver's license number (two of the protected types of personal information), and then someone else copies the data from that site, is LinkedIn at risk? Even though their terms of service don't explicitly say "don't post personal data, stupid", most people would understand that - and it would be hard to say such disclosure would be a "breach" since LinkedIn pages are public, but would it come under the law? (LinkedIn's user agreement says you may not "post content in fields that aren’t intended for that content. Example: Putting an address in a name or title field" - but would putting your SSN be a violation of those terms?)

It's an interpretation that wouldn't make a lot of common sense, but some lawyers specialize in lawsuits against deep-pocketed targets like LinkedIn.

So to me, the problem with the law is that the site holding the data doesn't even need to ask for the data in order for it to be at risk of violating the law.

Friday, March 21, 2008

Brookings seminar on "Voting Technology: The Not-So-Simple Act of Casting a Ballot"

A couple of weeks ago, there was a lot of publicity around the new book "Voting Technology: The Not-So-Simple Act of Casting a Ballot" by Paul Herrnson et al (Brookings Institution Press). Much of the publicity was focused on the critiques in the book of the need for computer security, including the authors claims that the needs for security are much less important than the need for usability.

This morning, Brookings hosted a panel with four of the six authors of the book. I won't try to summarize their book, other than to say that it's well worth reading about their usability results, some of which are quite surprising. There are serious scientific problems with their work even as far as it goes, but that doesn't take away from the fact that this is one of the first studies with field trials of voting systems. One of the major limitations of their results is that in considering usability, they entirely ignored usability by disabled voters. I had hoped that they would address some in their field trials some of the issues that Noel Runyan's team identified in the California Top to Bottom Review Accessibility Study. However, as Paul Herrnson told me, their funding was less than requested, and this is one of the areas they cut, to the great dismay of Jim Dickson, a leading advocate for blind voters.

The biggest issues I have with this report are as follows:

(1) It states categorically that no elections have been corrupted due to intentional security breaches (i.e., no hacking), so therefore security isn't an issue. While I certainly don't know of any examples of successful security attacks on real elections, there are many cases where there have been accidental problems that have caused incorrect election results. The ironic thing is, of course, that we only know of the ones that did NOT take place on paperless DREs, since if there's no paper, there's nothing meaningful to recount. Although we can't prove incorrect election results on the DREs, I'd bet money that we've had them from accidental errors, if not intentional ones.

Besides, if anyone has successfully caused incorrect election results, one would hardly expect them to brag about it - just as old fashioned ballot box stuffing and switching was well known, but not advertised.

(2) Their primary focus is on whether voters get the votes selected correctly. This is important, but it misses the even more important factor of whether votes are recorded correctly. If the voting system (whether it's a computer, paper, punchcard, or something else) doesn't accurately record what the voter selected, it doesn't matter whether the voter was able to figure out how to use the system.

(3) Their secondary focus is on whether voters feel comfortable with the voting system, and are confident that it worked correctly. As was pointed out by Roy Saltman (author of "The History and Politics of Voting Technology: In Quest of Integrity and Public Confidence", an excellent book on voting systems), while it's important that the voter feel confident, it's less critical than whether the auditors can actually verify the results. He noted that we need to have systems that can be verified, even if that makes it slightly more difficult for voters to vote.

Incidentally, Roy told me his book will be available in paperback this summer for about half the price of the hardback, and Amazon is taking orders.


Norman Ornstein asked which of the technologies they investigated offer meaningful opportunities for recounts, especially given that "optical scan is what people perceive as the right answer". The authors didn’t answer directly, but noted that the real problem is which is the ballot of record in systems where there is more than one form (such as DREs with VVPAT). Herrnson strongly prefers that the electronic ballot fill that role - which of course defeats the purpose of having paper, and guarantees that we'll have more elections where we'll never know who was the real preference of the voters.

Among their recommendations which I agree with are the need for "pre-testing" of ballots to make sure they're not confusing to voters (ala the infamous Florida "butterfly ballot" of 2000 or the Florida 13th Congressional District election of 2006). While this won't help with security issues, it will address many of the problems that plague elections today. I also agree with them that there should be parallel testing, although there's no indication that they understand the limitations of that technology.

After the seminar, I suggested to Herrnson that asking voters about their comfort with the voting systems is like asking patients which of two medical procedures to diagnose a problem is better - trained experts (i.e., doctors) can be expected to answer that question, but the patient can only comment on the patient experience not the test accuracy. I suggested that offering as a choice an invasive procedure vs. a Star Trek-like "magic scanner", most patients would select the scanner as both more accurate and more desirable. He disagreed, saying that most patients would conclude that the invasive procedure is more accurate - if it's uncomfortable, it must be better. He might be right on that one...

Also after the seminar, when I asked Herrnson about his critiques in the press of security, he complained that it was taken out of context - he said he spoke to journalists for as much as an hour, and the part they chose to publicize was the security critique, which he claimed was hardly the focus of his work. I can appreciate that - anyone who talks to the press knows they'll take the "juicy" parts. But at the same time, I think it's unwise for a group of political scientists to be passing judgment on whether computer security is a real problem or not. As with the doctors above, let's leave that to the subject matter experts - the computer scientists.


I had at least a hundred more questions I wanted to ask, but given the constraints of the seminar that wasn't possible. Brookings videotaped the presentation; hopefully viewers will be able to judge for themselves the limits of this study.

[Updated 21 Mar to correct a number of typos and add a link to the video archive.]

Tuesday, March 04, 2008

How did those classified emails get out?

The Register is reporting that the owner of mildenhall.com, a site for the town of Mildenhall England, has been getting thousands of emails intended for people at Mildenhall Air Force Base, including many that are classified and include sensitive information such as the path of Air Force One.

What I can't figure out is how the emails got there. The US military runs several separate networks - NIPRnet for unclassified stuff, SIPRNet for Secret, and then various other networks that are more highly classified. If the information is classified (and from the descriptions, it probably should be), it should have been on SIPRNet. There are "guards" (automated or semi-automated transfer devices that do content-based filtering) that allow limited flow of information between network classifications.

So one of a few things happened:
  • The information wasn't classified, but probably should have been. Unlikely, given that the current administration is much more likely to over than under classify information.
  • The information was classified, but for some reason was on the NIPRNet, instead of SIPRNet (or higher). Maybe someone felt they absolutely had to get the information to Mildenhall AFB, and couldn't wait for the normal channels, so they took a shortcut.
  • The guards weren't in place.
  • The messages are bypassing the guards.
  • The automated part of the guards that are supposed to be filtering the data aren't working correctly, approving release of information that shouldn't be released.
  • The "semi" part of the semi-automated guards made bad decisions (i.e., the person reviewing the data for release approved things that shouldn't have been). Given the tens of thousands of messages involved, this seems unlikely.
Without knowing what actually happened (and I doubt we ever will - the Department of Defense is nothing if not tight-lipped), it's impossible to come up with lessons learned. But clearly something went quite wrong. And whether it was a personnel security failure or a computer system failure, it shouldn't take years to accomplish.

And it's worth pointing out that the problem isn't actually solved! All that happened is that the owner of mildenhall.com gave up on his site - the messages are still flowing across the Internet unencrypted, and to whomever the new owner of mildenhall.com is. The suggestions from the Department of Defense that mildenhall.com block messages coming from DoD sites is ridiculous - they shouldn't be sending out the classified information in the first place!