What should a “privacy advocate” do?

By dissent, August 1, 2007 10:49 am

Has the privacy of tens of thousands of students and employees in Louisiana been violated by self-proclaimed “privacy advocates?” Read what they did and see what you think.

Incident #1: “Well, That’s Not Good”

Last month, I was contacted by Aaron Titus, who alerted me to unintended exposure of personally identifiable information (PII) on the Arkansas Board of Psychology web site. After discovering the exposure, he had taken it on himself to email people on the list to alert them. But he also published the incident on his blog even though he knew that the files containing the PII were still available in Google cache. By his own statement to me, he did not directly contact the Arkansas Board of Psychology first. More importantly, perhaps, for several days, anyone who read his blog would have been able to figure out how to find the cached copy of the file in Google and get the names, SSN, dates of birth, addresses, and email addresses of almost 300 psychologists.

Incident #2: Attrition asks, “What the Hell Was He Thinking?”

On his blog, Aaron describes a subsequent incident involving the Louisiana State Board of Regents (LBR) where he discovered that he could access files on an internal network that contained PII on tens of thousands of students and employees. There was no password protection on the files. He writes:

The Louisiana State Board of Regents acted quickly to take the website down once they became aware of its existence. (emphasis added by Dissent)

They didn’t become aware of it immediately because Aaron did not contact them. Aaron went to the media first and the media contacted LBR.

If he had first contacted the Board and they didn’t move fast enough to address the issue, then I’d say yes, go to the media. Which, as it turned out, is exactly the sequence Jericho and Lyger of Attrition.org had suggested he follow when he had contacted them to ask their advice as to how to handle the disclosure. But Titus did not take their sage and ethical advice.

Incident #3: “Crossing the Line?”

Aaron is a firm believer in “It’s always best to know” if your data have been exposed or potentially compromised. I agree with him wholeheartedly on that, but I believe that it’s the responsibility of the agency or custodian of the data to notify you. If they don’t, then I can see others stepping in to notify, but first find out if the responsible party will be promptly notifying those affected.

From Aaron’s blog entry:

To assist the Board of Regents in notifying people affected by this breach, I am working with the Liberty Coalition to created (sic) a free victims’ resource online at www.ssnbreach.org.

Translation (courtesy of Dissent’s Obfuscation Removal Service): “I didn’t discuss this at all with the Board of Regents.”

LBR did not ask Aaron to assist them with notification and is trying to get Titus to remove the site.

So now there’s a “free victims’ resource.” From his same blog entry:

When a user visits www.ssnbreach.org, they may search for their name, to find out whether they were affected by this breach. Because ssnbreach.org does not contain Social Security Numbers, addresses, phone numbers, or any other sensitive data, users are not able to search by any criteria other than their names. Neither I nor the Liberty Coalition have any interest in becoming stewards of sensitive personal information.

So are Titus and the Liberty Coalition admitting that they accessed sensitive personal information and downloaded it to a server? Didn’t they become stewards of sensitive personal information as soon as they downloaded records and files from LBR’s server?

LBR did not give him explicit permission to access those files, download them and save them on any server. LBR did not give them permission to use any of those files or records or parts thereof or upload them to another site. Many of those records are FERPA-protected education records, if that matters to anyone.

The first time I tested SSNbreach.org, I confirmed what Attrition.org had noted in their “rant”: anyone can use the search engine on the site and you don’t even need to know the individual’s whole name. You don’t even need to know their last name or any name at all. You can go on a fishing or snooping expedition: if you simply type in a single letter or string for “Last Name,” you’ll see the nearest 25 names.

So I input a letter, saw a list of people’s first and last names, and clicked on one. That took me to a page that showed me the man’s first name, his last name, his job position, and a list of what types of records were in the files that had been left unprotected. It also showed that his pension plan information was in those files, and of course, I now also learned his affiliation/geographic location (Louisiana). I tried another name and got a partial address as well as full name of the student and types of records she had had exposed. From LBR’s FAQ on the incident, I could probably have figured out a bit more about her.

On July 21, I wrote to Michael D. Ostrolenk of the Liberty Coalition to express my concerns. He forwarded my email to Aaron. In his reply, Aaron noted that he had removed some of the information from the site based on the concerns I raised. But the site is still up and still reveals information on people who have not consented to have their information available to the public, and their data are based on files that Aaron seems to have acquired without authorization from LBR and that he knows he does not have permission to use or reveal.

I spent many hours in email trying to explain my POV to Aaron — that what he and the Liberty Coalition were and are doing violates the privacy of everyone whose records they have in their database. All to no avail. After yet another round of email, I received a brief reply from Aaron that he wouldn’t waste any more words “in the pursuit of the futile.”

Well, neither will I. Which is why I’m posting this publicly. Yes, LBR had a security lapse, but I think that, on many levels, what Aaron Titus and the Liberty Coalition have done bothers me more because they are intentionally exposing personal information, even though Titus denies that they are revealing personal information. First name, last name, and location is not “personal information?” Since when?

Aaron and the Liberty Coalition do not know how many of the people whose data they have now made freely available may suffer harm because they decided that they had the right to publish other people’s information without their consent. Not everyone is listed in a phone book. Some people do not want their names in publicly available resources because they are trying to avoid stalkers or partners who engaged in domestic violence.

There are no training programs or certification for privacy advocates that I’m aware of, and just as special education advocates might disagree about strategies, privacy advocates may disagree among themselves. On his blog, Aaron Titus claims to be a “privacy advocate,” a “privacy expert,” and a law student specializing in information privacy law. If this is what his program is teaching him, I’ll happily forgo formal training and stick with my gut about what’s right.

Rushing to the media instead of informing the source so that they can protect the data, downloading data that you know were not meant to be publicly available, exposing people to harm in the name of “helping” them, and riding roughshod over their right to control what happens to their information — does that sound like what a “privacy advocate” should be doing? I don’t think so.


4 Responses to “What should a “privacy advocate” do?”

  1. Andrea Jones says:

    Hi, I’m the higher education reporter at The Atlanta Journal Constitution. Hoping to reach you on a security story I’m writing.

    Can you email me contact info?

    Thanks.

  2. dissent says:

    Check your email. :)

  3. chris says:

    In publishing/making people’s home address, phone number, location with map, and complete description of itinerary accessible, Google is exposing such a person to any predator. Google is not protecting people’s privacy. Such concept should’ve been restricted with password access/request complete information of the requirer.

  4. Anonymous says:

    I fully agree with your perspective and comments. As a former law enforcement official and now working in the private sector, I have had to unfortunately deal with Mr. Titus. He appears more interested in the publicity and furthering “his cause” than in protecting the privacy of individuals. Security, be it physical or logical, is never perfect … and sometimes things go wrong and information (unfortunately) gets exposed. Those responsible for systems management and security take that responsibility seriously, and when a breach or exposure becomes known work quickly to address it. Just like the “black hat” hackers who like to tell the world about vulnerabilities in software and systems they uncover, Titus would rather go to the press to reveal his “discoveries” instead of working with the organizations involved to secure privacy data that is exposed when discovered. Shame on him. We have too many media hungry wanna-be’s like Titus out there. We need quiet warriors instead.
