More on SSNBreach.org

By dissent, August 9, 2007 2:43 pm

On July 24, Jim Malmberg of ACCESS posted a flattering, but inaccurate, account of SSNBreach.org and how the site operates. Since he also seemed to take aim at me without naming me, I thought I’d respond here.

[...]

Visitors to the site use their name to conduct their search.

Comment: Or they could use anyone else’s name or even just a partial string of letters to snoop, as Attrition.org explained in their “rant” and as I explained in a previous blog entry. Furthermore, because the site has a vulnerability that I will not identify at this time, you could access every single record in their database. (I notified SSNBreach.org so that they could secure their site instead of running to the media first to report their vulnerability and breach. Eventually I will provide a fuller report).

If their information was included in the breach, they are then told what information was made public, but without revealing any personal data.

Au contraire. In addition to first name and last name (and in many cases, middle initial), there were at least two additional pieces of personal information provided for everyone in the database, and sometimes more.

For instance, a search of the name John Smith currently returns records on twelve separate John Smiths. Anyone who clicks on the first record (currently for John D. Smith) will be told that his name, address, Social Security Number and a variety of other information were breached. But what the search will not include is the actual address or Social Security Number.

The site originally returned partial street addresses when it was first launched. They removed that information at my urging.

[...]

Since last week when his site launched, he has been inundated with e-mail messages. Most of the messages from consumers have been positive; thanking him for creating the site and allowing victims to take the appropriate actions necessary to protect themselves. But somewhat surprisingly, Titus has also received a variety of scathing messages from so-called privacy advocates criticizing him for publishing anyone’s name.

I am guessing that because of my firm criticism of the site’s problems, I am now a “so-called” privacy advocate? I can live with that. As to “scathing,” do note that I spent a lot of time in private email trying to show Aaron Titus the problems and privacy violations associated with his site. And I wasn’t the only one in email with him trying to help him understand that SSNBreach.org violates privacy in the name of “helping” victims. When Aaron cut off further discussion, I went public. And I’ll have a lot more to say publicly next week.

What these “advocates” fail to recognize is that SSNBreach.org is not publishing any information that hasn’t already been published and circulated on the internet.

What Mr. Malmberg fails to realize is that SSNBreach.org is currently revealing information that has not already been published or circulated on the internet. But more on that next week.

And the information that the site does publish is not enough for anyone to commit identity theft or fraud. The site simply provides victims a much needed tool to determine if their identities are at risk.

Identity theft and fraud are not the only concerns, as even “so-called” privacy advocates know. But Mr. Malmberg’s failure to consider other possible consequences may help explain why he does not appreciate the concerns that I and others have raised about the site. What about the right of individuals to control their information, for starters? What about other possible types of harm? Just because Mr. Malmberg may not recognize or appreciate how the information could be seriously misused does not mean that it is okay to reveal the information. I posed the stalker/domestic violence situation to Aaron Titus several times in emails and got no response as to how he could take it on himself to expose information on people who have no knowledge that he obtained their data and have not consented to him having access to it or publishing it and who might be placed in actual danger because he exposed their name and location. He never gave me any answer, much less a good one.

Downloading student records that the federal government says must be protected by educational institutions made Mr. Titus an unauthorized steward of private information. The LBR wrote to Mr. Titus and the Liberty Coalition (pdf) to request that they remove the information and destroy all confidential files that Titus downloaded without authorization. I hope that the Liberty Coalition complies.

But go ahead, Mr. Malmberg. Think of me as a “so-called” privacy advocate. I firmly believe that SSNBreach.org breaches informational privacy as well as the confidentiality of student records, and that it has the potential to harm people. And I’m not going to back off. I do know that some people have expressed appreciation to the Liberty Coalition for the site, but the Louisiana Board of Regents took steps to notify and provide free professional services to assist those affected — a free service that the Liberty Coalition totally failed to mention on its own site of “victim resources,” while it pointed site visitors to two commercial services with whom they had arranged “discounts.” The Liberty Coalition should allow the Louisiana Board of Regents to clean up its mess as it immediately took steps to do, instead of inserting itself into the process and thereby breaching the privacy of the very people it claims to want to help.

But that’s just the opinion of a “so-called” privacy advocate. YMMV.

2 Responses to “More on SSNBreach.org”

  1. Jim Malmberg says:

    Interesting article. I will continue to disagree with you on this point. I think there is a real need for the service that Aaron is providing. As someone who has been a victim of identity theft, I personally like the idea of having a third, disinterested party that allows me to see if I have been victimized.

    The chances are very good that criminals already have the data that appears in Aaron’s site. We know that Louisiana already has it too and that they failed to protect it. The only people being denied access were those whose data was actually exposed. The site levels the playing field.

    You also mention the fact that the Board of Regents has responded well. But their response may be a chicken and egg scenario. Was their response good because it was the right thing to do OR was their response good because of the glaring light of the media? There is no way to know for sure but experience tells me that media coverage played into the response. If nothing else, it allowed the public to view the size of this breach. It is quite likely that without the coverage, any mention of the breach would have eliminated the number of victims. SSNBreach.org has made that impossible.

    And finally, your comment about being the “so called privacy advocate” is incorrect. You were not the only one who didn’t like Aaron’s site. But some of those who were opposed to the site have a self interest in seeing to it that this kind of information does not receive the public scrutiny it so richly deserves, because they accept dubious sources of funding.

    I’ll be more than happy to discuss my reasons for supporting Aaron’s effort at any time.

    Regards,

    Jim Malmberg

  2. dissent says:

    SSNBreach.org could have made the numbers known after informing LBR of the breach so that at least LBR could get right on fixing the problem. The media still would have run with the story, but securing the files would have commenced sooner. Any assumption that cybercriminals already had the information is simply an excuse for delaying notification that might have prevented people from accessing the files.

    Could you please provide links to the others you refer to who didn’t like SSNBreach.org? I’m curious to see what you’re referring to, as the only other commentary I’ve seen is Attrition.org’s.

    And if you didn’t like this blog entry, you’re probably going to be less than thrilled with my next one on SSNBreach.org, but I thank you for your comments.