Monday, August 06, 2007


ENCRYPTION IS NOT THE FIX-ALL FOR PREVENTING PERSONAL DATA BREACHES


Just as the Privacy Act of 1974 was intended to protect consumers’ personal data, the government has again taken the lead, this time by setting standards for security controls to keep the fed’s huge system of databases from being breached. The Privacy Act was eventually circumvented when government agencies started outsourcing their dirty work, collecting every morsel of information available on U.S. citizens, to data brokers like ChoicePoint and Acxiom. You know the result: NSA spying and FBI wiretapping.

In the article “Standards body drafts guide on preventing data breaches,” Heather Greenfield discusses the establishment of these standards, one of which is encryption, meant basically to neutralize future breaches like the VA’s 26.5 million record loss. There are other aspects to Greenfield’s piece, but I want to concentrate on encryption.

Although I do not feel that encrypting data is the solution to preventing data breaches, it could certainly reduce the risk temporarily in the thousands of daily transactions of names and private information by the junk mail industry, particularly the data brokers, where this sensitive data is winging its way to a final destination by storage device on public transportation or by electronic means. This is one of the true time bombs of the identity crisis, and one the junk mailers have completely ignored so far.

William Jackson writes in Government Computer News that “Crypto is no magic bullet for data protection,” explaining that “poor key management makes cryptography vulnerable.” Along with an algorithm, the “key” is used for encrypting and decrypting, and it should be a number large enough that it cannot be guessed or determined by exhaustive search. In other words, too expensive for business to consider. Right now they would rather fight the legal battles and pay the fines.

There is only one authentic answer for controlling the identity crisis: Give consumers control over their names and personal data, and while we’re at it, compensate them when it is sold.
