Last week I received a letter about the possible theft of my personal information from a UC Berkeley computer. It was dated Oct. 15 and had taken three months to reach me. The letter helpfully informed me that "an unidentified individual" had hacked into one of UC Berkeley's "datasets" and that "some information" about me "was potentially available in these records." It concluded with some information about the dangers of identity theft and the number of a detective in the UC Police Department whom I could call.
I haven't been a student at UC Berkeley since 1998. But for some reason, my driver's license number and a very outdated address are still archived there. In fact, it was the outdated address that probably kept me from getting the letter in a timely fashion. Luckily, somebody I know is still in the flat where I lived in 1998. He passed the letter on to me.
Of course, I had to call UC to find out what the hell was going on. It turned out the detective in charge of the case was no longer working in the investigations department, and his replacement was on vacation. After another phone call, a UCPD operator put me in touch with Capt. Marguerite Bennett. Despite the fact that she'd obviously answered the same questions I had countless times -- she said the school sent out hundreds of such letters after the break-in -- Bennett was quite helpful. She told me somebody had been caught trying to install a sniffer. (A sniffer is a program that can record logins and passwords on the network where it's installed.)
Bennett was as mystified as I was by why my information was still on campus computers six years after I stopped going to school there. "Why wasn't it purged?" she asked. "You'd have to ask [the chief information officer's] office about that." She added that one of the people affected by the break-in had dropped off an ID card at one of the UC libraries in the 1980s to check out a book. "That person's ID information was still in there," she said.
But what's really amazing about the whole situation is that the university actually sent out a letter to me and hundreds of others just to let us know that our personal information was potentially in danger. Don't give the folks at UC Berkeley too much credit, though: they were just obeying the law. In June of last year, California passed a law (S.B. 1386) requiring companies to notify Californians if their personal information (Social Security, driver's license, credit card, or bank account number) is "reasonably believed to have been" stolen via computer break-in. So my humble letter from UC is just the first in a deluge of high-tech security-breach-disclosure notices that will start hitting the mail with increasing frequency in 2004.
Sen. Dianne Feinstein introduced a similar piece of legislation as a U.S. Senate bill last year, dubbing it the Notification of Risk to Personal Data Act.
Although I'm generally in favor of disclosure in these matters, I think there are a lot of problems with how S.B. 1386 is being implemented. The biggest issue is the "reasonably believed to have been" language as applied to data theft. Who determines what is reasonable here? Companies and institutions that are overly cautious are likely to send out notices that will merely alarm and confuse their clients. I hate to break it to you, but computers are compromised all the time, and that doesn't mean all the data on them (even your super-secret personal data) is in danger of being stolen.
However, it's certain that e-commerce sites and banks where execs are worried about their reputations being damaged will be less likely to send out disclosure letters. After all, how many letters about computer break-ins at your bank would you have to receive before reconsidering your choice in banks?
These issues around disclosure go a lot deeper than you probably realize. One of the big debates among technical types in the security industry is how to report a vulnerability you find in a piece of software, or even whether to report it at all. Do you tell Sun Microsystems you've discovered a way to hack its server code if you know it's going to ignore you and let its users remain unprotected? Or do you tell other hackers about the vulnerability and let them fuck around with a bunch of Solaris boxes until Sun freaks out and releases a patch? Or, if you're a real mercenary, do you sell information about the vulnerability to the highest bidder and let the rest of the world be damned?
Geeks often say computer networks are a compromise between security and usability. The more you lock a system down, the harder it is to teach ordinary users to deal with it and the more difficult it is to administer. S.B. 1386, like many pieces of computer-related legislation, adds to this difficulty. The question is whether we can make the law usable.
Annalee Newitz (firstname.lastname@example.org) is a surly media nerd who can't wait for a certain person to start playing with a certain very large antenna on a certain roof that might or might not be connected to her flat. Her column also appears in Metro, Silicon Valley's weekly newspaper.