SSNBreach.org is “irresponsible”
Apparently PogoWasRight.org and Attrition.org are not the only ones trying to convince Aaron Titus to remove SSNBreach.org. I just learned that the Privacy Rights Clearinghouse (PRC) also tried to persuade Titus to remove SSNBreach.org (SSNB) and he refused their requests, too.
According to Paul Stephens, PRC’s Director of Policy and Advocacy, when a breach is discovered, the sequence is to first notify the organization or agency so that they can secure the files and only then go to the media if you want to — but only after the files have been secured and cache cleared from Google. As readers of my previous blog entries on SSNB already know, that is exactly what PogoWasRight.org and Attrition.org had advised Titus in terms of how to handle discovery of a breach.
In a general discussion of how to handle discovered breaches, Stephens explained that although he understands why people who discover breaches may download files as proof until the responsible agency admits the breach, any such files should be securely deleted immediately after the organization admits to the incident. In this case, SSNB not only downloaded the files, but they continued to store them long after the Louisiana Board of Regents publicly admitted the incident and only deleted files after the Board of Regents wrote to them requesting it. Stephens also stated that he has a problem with anyone using any portion of downloaded files to create a web site that names people, even if there is no serious risk of ID theft or fraud, because it violates informational privacy, a position also taken by this site.
When asked specifically about SSNBreach.org, Stephens said he was tempted to describe the site as “irresponsible.” PRC Director Beth Givens added that there were and are so many options readily available to make the site more secure and privacy-conscious.
As an additional update and since my last blog entry: I have reached out to specific members of Congress and asked them to consider proposing and fast-tracking federal legislation that will close any gaps and make it flatly illegal to data mine and use in any shape, manner, or form any portion of confidential or sensitive personal information that is accidentally exposed on the web. I have also reached out to other privacy-related organizations and expect that in the weeks to come, you may see more statements on this site about how others view SSNB.
Aug. 16th: corrected attribution.
Gosh, please be careful. I’d hate to see attrition shut down over “data mining or using in any shape” data about breaches.
Saying “We discovered a breach and 200 patients at X Hospital had their medical records exposed” does not reveal confidential or personal information about any named person. I want the use and publication of the personal details prohibited. I think we can accomplish that without blocking legitimate use such as disclosing a breach or compiling statistics on breaches.
When I queried Michael Ostrolenk about what he would do if they discovered such a hospital security breach — and asked him whether they would report patients’ names (and thereby reveal who was a patient at what hospital and what types of records were exposed) — he replied that he was confident that they could report the breach in a manner “consistent” with their principles.
For them to reveal that “First MI Last” was a patient at a particular hospital is not only offensive to anyone who really respects privacy but may also reveal other info about the patient (e.g., if “First MI Last” is identified as a patient at the ABC AIDS Treatment Clinic, that reveals more than just a name).
So if you would like to help draft or suggest language that accomplishes protection of personal information in these types of situations (discovery of unintended exposure of confidential files or files containing personal info) while not prohibiting disclosure of breaches or compiling stats on breaches (which we agree are legitimate uses), I’d love to see what you come up with.