This type of thing goes on all the time among friends – it is juvenile humor at its finest. But it makes me (mildly) uncomfortable to read something like this. I guess I can't understand how someone who respects privacy so much could violate someone else's so easily.

I believe the core issues of privacy revolve around loss of control and misperception. This has both.

I find it even more interesting to consider the outcome of exercises like this on a broader scale – let's say many people start doing this many times… assuming there are also many who value authenticity, it only increases the demand for a national ID program.

There’s two important takeaways. First, if you’re reading "scorecards"
from somewhere, make sure you understand the nitty gritty details.
Second, if you’re designing metrics, consider what perverse incentives
and results you may be getting.

His example is a classic "rate of change" versus "coverage" challenge that highlights the law of diminishing marginal returns. I frequently joke with vendors who suggest that their "year over year revenue increased by 400%" that going from $1 to $4 is not so exciting; having a baseline to work with helps. (This is also somewhat related to the dearth of features by rev 3 or 4 of any product – the stuff that finally gets integrated has already been accounted for in previous rev marketing .

But there is a broader issue here – selecting the correct metric to do the job. Since gaming metrics systems are a standard objection to doing metrics, what exactly are the security metrics that people don’t like? Here are two of mine:

1. From privacyrights.org: TOTAL
               number of records containing sensitive personal information involved
               in security breaches. And given the history, this is about as clear a case of gaming that you’ll find in security, IMO. And don’t forget this.
2. Jeff Jones’ (et.al.) "Days of Risk" – primarily because he is using it as a measure of vendor responsiveness to security issues while the general public sees it as a measure of the vulnerable state of the systems. This latter belief makes the metric, which only counts days between disclosure and patch, horrible.

On the enterprise side, I have heard folks say at one time or another that the percent of security spending over total IT spending is a bad measure, as is number of firewall drops. I like both of these if they are put into the right context.

So what is your least favorite security metric?

* As far as I can tell, this is the real crux of the issue – there is some entity (potentially including yourself) that is somehow judging or assigning moral value to what you are or what you did.

Basically, John sounds the alarm about Citibank when he finds a comment he made to Citibank on his cocomment page. Cocomment, as far as I can tell, uses a browser-based extension to copy POSTs from anything the user POSTs to and sends the copy to the cocomment page. If that is true, then Citibank is not in the communication stream.

A few posts later, and as far as I can tell, John still hasn’t realized his part in all of this:

In any case, I don’t want to lay blame here officially one group or the other, as it appears there’s some things that Citi’s site could be doing better, from an outsider’s perspective, and I’m guessing there are things that coComment is doing that they might not have originally intended.

He has caught on that there is a cocomment setting that he should have set to block the comment from going to his cocomment page, but still doesn’t realize that it is HIS fault. And then:

we both are very surprised that no word has come down from Citi’s PR department or agency, based on the fact that this was indexed more than two days ago as far as Technorati and whatnot.

I can’t tell who actually made this post on John’s behalf – if it was John or not… but this is completely bizarre to be thinking about PR agencies in the face of a security concern.

More than anything, this is a user error – John Ratcliffe-Lee did not recognize the leakage possibilities in the new toy he was trying out. (Okay, I guess cocomment is slightly responsible for not realizing that its users would be this naive).

As I mentioned, if John can demonstrate how Citibank could have somehow protected against this (without a client-side footprint), then I will happy retract this statement, as I am sure he will once he reads this post (I was so careful to get the spelling right ).

Update: He’s still at it. Here’s a choice quote:

I could speculate about what that means for Citibank, their understanding of the situation, and the people who handle their Internet security – but I won’t.

Update 2: It appears that coComment by default doesn’t aggregate SSL comments, so Citibank must not use SSL. That is an interesting but separate question from Citibank’s ability to explicitly protect against this; the user and his coComment software are in complete control.

1. For as long as we continue to pretend that SSNs are secret and therefore may be used as authenticators, they will be.
2. There are over 150,000 people (my estimate) with "defendable" access to your SSN right now. They aren’t secret.
3. You are more likely by a factor of 10 to be a victim of identity fraud via one of these "authorized" folks.
4. The real problem is not how easy it is to get your SSN, but how creditors et.al. allow the SSN to be used as an authenticator (See #1).
5. The SSN is fine as an identifier. No, it is not perfect, but its main benefit is that it is already used in so many places.

Martin, you are stuck inside the box. You keep feeling the need for secrecy/privacy even in the face of overwhelming evidence to the contrary. That’s why you speak of "disclosure" and "choice" and all those things. But "disclosing" the SSN should be no more significant, and quite a bit more useful, than providing your name, address, and phone number to folks.

Of course, something will need to be used officially. That is a function of fraud against the government. People cheat on taxes. People cheat on welfare. People cheat on, well, social security. If they didn’t, we wouldn’t need SSNs.

To whatever extent you don’t want or need credit, then I agree that you shouldn’t be "forced" to use the SSN. In fact, there are businesses out there that issue "junk" credit which is all you can get if you can’t prove that your credit history merits better. You have the choice to keep your SSN "private"; they have the option to deny you credit and/or services.

Knee-jerk regulations and laws really suck. They are not a solution to every problem, and they are unnecessary here. Martin, feel free to tell me what organization would accept the SSN as an authenticator if the SSA published every single one of them publicly. Chances are almost nil and if it did happen, there is plenty of recourse in today’s court systems to stomp on the practice without any new regulation.

Other things I’ve written on the topic: SSN as Identifier and A Modest Proposal to Eliminate the SSN Facade.

I have been taken to task by Emergent Chaos for my use of the term "lost" instead of "compromised" with respect to Privacy Rights Clearinghouse’s tally for data breaches.

[It is particularly telling when people pull out a dictionary to make a semantic argument and don't note that "compromise" has about a dozen definitions and "lost" has over 30 (depending on how you count).]

First, let me say that I am changing the word in my previous post to make Chris happy and because I agree that "compromised" is a better word in this case. However, I am surprised that Chris finds his definition of compromise satisfying. Since it makes "compromise", "expose", and "make vulnerable" all synonymous. It is clear that he was reaching in that regard. With that definition, I would suggest that ALL credit cards (1.3 billion Visa cards in 2004) have been "compromised." Why doesn’t the Privacy Rights Clearinghouse list those?

Second, I note that Chris didn’t bother to actually pull out the definition of "lost" to contrast with compromise. That is because "lost" has many definitions (according to his reference) that are extremely close to the meaning of "compromised" and are certainly much closer as used colloquially in the security world than "exposed" and "vulnerable" are.

Finally, Privacy Rights Clearinghouse doesn’t seem to care about the distinction. They make liberal use of the word "breach" which is clearly not in the spirit of Chris’ explanation and imply some comfort with Attrition.org’s data loss database.

You only need to ferret out this one line to have your answer to my original question:

"Sure, there may only have been a confirmed loss of 260K records."

So, either Privacy Rights Clearinghouse needs to increase their number into the billions or reduce it to 60 million. It is really that simple.

Or, I could be wrong… but when I read the congressional testimony of the CardSystems’ CEO he clarified that it was actually 263,000 records (a full…ummm….something % of that adjusted 60 million records). The only copy I could come up with quickly was a Google cache but I note this because when I read the statement I remembered this adjustment, which is obviously significant and was covered at least nominally.

So, what do you think? An "oversight" or deliberate? If I were a privacy advocate, I certainly would want the rather substantial correct number of 60 million to be the one that is used, considering it appears to reflect the real numbers better.

"I’m consistently amused by the utter shock and dismay of various individuals and corporations when… gasp.. someone takes something they made public and does something… and you won’t believe this… unexpected and unapproved with it!"

Given that more than 150,000 people (by one estimate ) have access to the typical SSN, that certainly sounds public to me. So don’t be surprised when you become a victim.