The following email is uploaded at the request of the author, Michael Ostrolenk. To see the reply to this email, see: http://www.pogowasright.org/blogs/dissent/?p=582

To: Dissent
Message-Id:
From: Michael Ostrolenk
Subject: RE: SSNBreach.org
Date: Sat, 11 Aug 2007 22:07:06 -0400

Dear Dissent,

Thank you for your thoughtful critiques of SSNBreach.org. I always benefit from engaging in dialog about vital issues, such as those the Liberty Coalition is addressing at SSNBreach.org. You should know that we have temporarily taken SSNBreach.org offline to re-evaluate the website, in light of the points you have brought to our attention. While the website is down, no indexing by any search engine can occur.

I would like to take a moment to respond to your previous letter, and other points you have made on your blog. We welcome any additional response you wish to give personally or post on your blog. We request and hope that you will also post a complete copy of this response with your post.

As you are aware, SSNBreach.org is an online directory of individuals whose sensitive personal information may have been exposed. Much like zoominfo.com or other internet directories, SSNBreach.org is a centralized location where individuals can determine whether they were involved in a breach. Unlike zoominfo.com, or any other internet directories, SSNBreach.org does not contain Sensitive Personal Information or Personally Identifying Information.

Before information about a breach is documented on SSNBreach.org, we follow strict protocols to mitigate risk:

· We ensure the Breaching Entity is aware of the Breach, and has had ample time to fix the problems.
· We request that the Breach be fixed.
· When applicable, we request major search engines clear their caches.
· When appropriate, we may also notify the media of the breach.
· We never store sensitive personal information in our databases.
DEFINITIONS

In order to keep our discussion clear in this letter, I am using these phrases in the following ways:

Personal Information: Any information about an individual. This may include a name, a favorite color, or a pet's name. Since Privacy is not Anonymity, some personal information (such as a name alone) is not sensitive, or necessarily even personally identifying.

Sensitive Personal Information: A complete set of Personal Information with which a malicious individual could negatively affect another's financial standing, commit a crime in another's name, affect another's medical history, or otherwise impersonate another without their consent. The most common set of Sensitive Personal Information is the combination of a person's Name, Social Security Number, and Date of Birth.

Personally Identifying Information: A complete set of Personal Information with which a malicious individual could positively identify or locate an individual. Common sets of Personally Identifying Information could be: Name and Full Address; Name, Full Address, and Date of Birth; Full Name, Parents' Full Names, and Full Address.

SSNBreach.org does not contain Sensitive Personal Information or Personally Identifying Information. Period.

For example, reading Aaron D. Titus' IXR, I can gather that he was probably once a student or employee at the University of Utah. I know his name, state, and an organization. However, even if I take a trip to Utah and show up at the University of Utah campus, I still don't have enough information to find Aaron. I have no way to know that he has since moved to Washington, DC, and I certainly won't be able to call up a bank and get a loan or credit card in his name. I cannot get medical insurance, identification, or commit a crime in his name. I don't know whether he has a family, if he attends a church, or has any pets. I don't even have his phone number.
Many individuals have taken pains to remove themselves from phone books, and limit their Internet footprint, in an effort to keep themselves safe. If Aaron Titus were one of those individuals, his Information Exposure Report does not allow me to locate, or even positively identify him as the particular "Aaron Titus" I may be looking for. Since Aaron theoretically does not appear in any phone books, public records, or the internet, his SSNBreach.org report does not allow me to positively identify or locate him. And if Aaron showed up in phone books, or public records, I could look there even without SSNBreach.org.

Many people are not as sensitive or careful with their identities. For example, when I visit the College of Business at Louisiana State University, I can do a search for "Jones" in the directory. Immediately, I get Kimberly Jones' name, photograph, the school she attends, the state she lives in, and her major. This information alone is far more than SSNBreach.org gives, but all of her sensitive personal information is hidden. I can do a search for Kimberly, and find out that she (or someone who shares her name) wrote an introduction for a story about Cystic Fibrosis, and that she is the manager of the Louisiana Crafts Guild gallery at Parc Sans Souci.

When I visit Tulane University's student directory, I can find out that Philip Bergman studies Functional Morphology; I have his e-mail address, his address, phone number, state, school, and that his middle initial is "J." A Google search reveals that he associates with Anthony P. Russell, and has diverse interests.

Another online student directory reveals that Denisha Nic Dennis-Smith attends Louisiana Tech University. The directory also gives me her e-mail address. I can quickly deduce what state and city she lives in. However, Denisha has apparently limited her internet footprint, and Google does not give me any more information about her.
The existence of non-sensitive personal information on Louisiana Tech University's website has not put Denisha at any additional risk. Merely knowing a person's name and state does not put a person at risk. To demonstrate this point, I had three colleagues independently pick a first name, last name, and state at random. They came up with "Linda Gaines" of Arkansas. Without additional information, it is impossible for me to contact or positively identify Linda, or even know whether Linda exists. It was only after I did a Google search that I was able to determine that Linda is a real person, or find out any information about her. Had Linda removed herself from phone books and websites, I would not have been able to find out anything else about her.

Notwithstanding that SSNBreach.org does not contain sensitive personal information, we understand that some individuals may wish to hide their Information Exposure Report from public view, once they have read it and investigated the exposure. We have set up a simple process for individuals to remove their Exposure Report. The process takes about one minute. More information is available in our Privacy Policy.

SSNBreach.org is designed to help fill three "gaps" after breaches of sensitive personal information occur: the Notification Gap, the Information Gap, and the Aid Gap.

NOTIFICATION GAP

The "Notification Gap" occurs when a victim of a sensitive information breach does not hear about the breach. Failure to hear about a breach can occur for many reasons. Sometimes, the breaching organization is under no legal obligation to notify potential victims. Many breaches happen "under the radar," and are never reported, regardless of applicable law. Some organizations never detect breaches, or may assume that the law does not apply to them. Even when a breaching organization acts in good faith to notify potential victims, breaches are often detected long after addresses and phone numbers change.
Often, contact information was never on file, and direct contact is impossible.

Privacy advocates can and do have differing opinions on whether media should be involved in publicizing breaches. We applaud the efforts of websites like pogowasright.org and attrition.org in publicizing data breaches to the media. We share the belief with many other privacy advocates that involving the media is a prudent thing to do early on. Our experience reinforces that notion. We believe that the media plays a vital role in publicizing data breaches. However, even a severe breach of sensitive personal information has a media shelf life of only 24-72 hours, and many do not hear the announcement, or may not identify themselves as a potential victim. Since there is no silver bullet when it comes to contacting potential victims, a broad and balanced effort to contact victims is vital; especially strategies using several media over several years. Creating an online directory is one of these important strategies.

INFORMATION GAP

The next problem SSNBreach.org solves is the "Information Gap," where victims of identity breach fail to get all of the relevant information surrounding a sensitive information breach. Ironically, the only source of information about a breach is often the breaching organization itself. Even when a potential victim is notified, the press release is often vague and does not give a full account of the information breached. Without this vital information, victims do not have the ability to accurately determine the risks to their privacy, financial well-being, and identity. A few bad-apple organizations may even refuse to give a full account of breaches out of a feigned desire to protect victims. Privacy risks extend well beyond breaches of Social Security Numbers, and we believe that breach victims should be able to make their own determinations of risk, based on the information breached.

AID GAP

Mere breach notification is not enough.
Victims of identity breach are at high risk of identity theft, and must often take costly protective action. Victims of identity breach live for years with a proverbial sword over their head, never knowing when or if they will become identity theft victims. And of course, the damage to an identity theft victim can be immense. We believe that breaching organizations have a moral obligation to alleviate harm they have caused by breaching sensitive personal information. Once victims determine their status, they are in a better position to seek the aid they need. SSNBreach.org is in a perfect position to notify victims of identity breach, without revealing any sensitive personal information.

INFORMATION ON SSNBreach.org

SSNBreach.org is an online directory of potential identity breach victims. However, unlike almost all other online directories, SSNBreach.org does not contain any sensitive or personally identifying information. The original sensitive information never reaches our online databases, and is therefore never, under any circumstances, searchable through our site.

You are correct that we do not ask permission to retrieve online information. In fact, I cannot recall a single instance when I have contacted the proprietor of a website to ask permission to view information placed in the public domain. However, we destroy the original files as soon as practicable. We would destroy them immediately, but we must preserve them in case the breaching organization disputes the existence of the breach. However, we are happy to destroy the files as soon as the breaching organization requests. Until they are destroyed, they are stored offline, encrypted, on a secured machine. Ironically, during the same period, the same files may be simultaneously spreading across the internet due to the original breach.
For a short time we had considered including a piece of "distinguishing information" in the IXR to allow people with identical names to distinguish themselves from among one another, such as a partial zip code, partial address, part of a phone number, a pet name, a job title, an organization name, etc. While we are confident that such information poses no appreciable risk, we decided against that approach because of the complexities of managing the data. Instead, we opted to permanently purge even this limited "distinguishing information" from our databases.

The Liberty Coalition contacted the Louisiana State Board of Regents in a letter dated July 16, 2007, explaining the website and our desire to destroy the original files. On Monday, August 6th the Board of Regents e-mailed a letter dated July 27th. At their request, we immediately destroyed all of the original files; they are not recoverable, and no longer in our possession.

FERPA

In a previous letter you made a brief but incomplete reference to FERPA, or the Family Educational Rights and Privacy Act. According to FERPA's website, it "is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education." If your reference to FERPA was to imply that the Louisiana Board of Regents violated FERPA, you may be correct. However, I am not a lawyer and could not make that determination. Even though non-government entities cannot violate FERPA, SSNBreach.org does not publish the contents of the educational files to begin with.

FUNDING

As explained on www.ssnbreach.org/about.php, SSNBreach.org is funded through donations and some advertising revenue. However, we do not expect that this revenue will ever cover basic development, maintenance, and server costs. If you have additional ideas for funding, we would be happy to hear them.
OTHER MISCELLANEOUS POINTS

I was unaware that the Louisiana Board of Regents had forwarded you a copy of their letter, before we received it. While this seems unusual, I see no problem with you uploading a copy of their letter. As I mentioned earlier, we destroyed all of the original files the moment we received the Board of Regents' request. The Board of Regents has been extraordinarily responsive and responsible as they have dealt with this unfortunate event. I hope you will consider uploading a copy of our response, too.

The Board of Regents does not allege a copyright violation in their letter. My attorney advises me that this is because no copyright violation exists. The Board of Regents has no more copyright or intellectual property interest in SSNBreach.org than an author has in a review of his book.

You pointed out a few features of our website you identified as "security problems." Though no website is bug free, the features you described are not security problems. Like most online directories, it is possible to view others' names, using a number of techniques. While browsing the database by changing the URL one number at a time seems like a fairly inefficient way to find the record you're looking for, it is perfectly permissible. Since Information Exposure Reports do not contain sensitive information, and since the person may choose to remove his record at any time, Exposure Reports are accessible through search engines, our own search, or other methods such as you described. Of course, if you do find any security deficiencies, we appreciate that you would take time to notify us.

In your letter you pointed out that I have a background in health care, which is correct. You also raised an interesting hypothetical situation. But like most hypothetical situations, I would have to see all of the facts before I could make any kind of judgment.
I am confident that we would be able to effectively report such a hypothetical breach given the principles I have discussed.

I have followed your advice and addressed your discussion with the FBI lawyer with our attorney. However, based on your incomplete description of being prosecuted for using "information" for financial gain, he was not able to comment on it. I would hope the FBI prosecutes cases where someone uses another's sensitive personal information to commit financial identity theft. I would also hope that individuals who sell sensitive information are also prosecuted. The Louisiana Board of Regents breach had a street value of approximately $4 million; unfortunately, the real money in identity theft is in identity theft, not in protecting people against identity theft.

You should also be aware that WDSU in Louisiana reported on the fact that pornography existed on the Board of Regents' server. In addition, you should be aware that we found no evidence of child pornography among any of the Louisiana State Board of Regents files. Of course, had we discovered any child pornography we would have reported it to the proper authorities immediately.

We thank you for the opportunity you have given us to re-evaluate the website before publishing your comments to the media. Like you, we think that media participation is important to help close the notification gap I mentioned earlier. We look forward to reading your next entry, but reiterate our request that you post this letter in conjunction with it. We welcome any reporting you can do to bring attention to this important resource for victims of identity breach, especially among security professionals who would be able to give additional feedback. We will try to notify you of additional breaches we document, and hope that you will report on those, too. With no exceptions, all of the feedback we have received from users is positive and grateful.
I'm sorry that you do not approve of SSNBreach.org, but I welcome your feedback and thoughts in the future. Your comments to date have been very helpful.

Sincerely,

Michael

Michael D. Ostrolenk
Co-Founder/National Director
Liberty Coalition
www.libertycoalition.net

Information and action items on the Liberty Coalition website, email Update or other materials should not be taken as an endorsement by any partner organization unless explicitly stated as such.