Hiding from Bentham?

Privacy No Responses »
Aug 042010

A colleague recently brought up an interesting discussion — how to hide from Google?

Privacy and anonymity are good things.  Bruce Schneier has some great points  – they are essential for democracy, and absence of anonymity is ripe for other kinds of abuse.

All arguments against online privacy and/or anonymity come down to the question, “what do you have to hide?” to which the only useful response is, “nothing, let me film you the next time you use the toilet”.

My first instinct is, “why bother”?  As others have pointed out, staying anonymous online is a myth.  Even if you disconnect yourself from Facebook, webmail accounts, and any support forums you might otherwise use, and religiously heed the dictum that you should never post anything anywhere online that you might not want someone to see, a sufficiently motivated analyst would find what I would refer to as second- and third-tier records, such as credit card bills, bank accounts, social security numbers, driver’s license details, etc. — more than enough for most purposes.

Both privacy and anonymity are, at most, best-effort affairs.  So what is the motivation for this sort of research?  A few plausible scenarios:

  1. Identify theft (e.g. constructive, for financial or other gain, or destructive, for defamation/slander)
  2. Targeted investigation (e.g. for a job, political office, or crime-related research, etc.)
  3. Statistics (e.g. targeted marketing)
  4. Trawling (e.g. to find instances of wrongdoing)
  5. Other (e.g. digging up dirt, fun)

I would guess that a vast majority of information collection falls into category 3, followed at a distance by category 4.  Category 3 is worrisome mainly if you disagree with it out of principle.  Fair enough. Growing technological capabilities of data cross-correlation systems allow for easy creation of entire profiles from otherwise disconnected bits of information.  The potential for abuse of such a holistic, instantly accessible set of information about you as an individual is immense.

Even in the “right” hands, such as law enforcement (depending on your point of view) and responsible marketing types working under a strong privacy policy, the temptation to misuse data is inevitable.  It is human nature to break rules, even in small ways — we are not automatons.  I won’t go into scenarios about what even a government agency, scrupulously following all laws to the letter, could do with instantaneous, 24/7 knowledge of what you do, where you are, and what you’re thinking (category 4, followed by category 2), let alone a criminal element with stolen data about you (categories 1 and 2). Just in the hands of advertisers alone, the potential for irritation is limitless.

So let’s say that, out of principle, you object to the collection of information in the course of routing activities like online searches and use of free webmail service.  I firmly believe that the best way for individuals to make the collection and correlation of information more difficult is to create as much entropy as is feasible.  You can’t make it impossible, but you can at least make it not as easy.

In addition to at least making an effort to secure your Facebook profile as much as possible, some basic points:

Use GPG or PGP for mail and files.  Most mail clients have easily available plugins.  Make your key available.

When using free services like (highly recommended, by the way) Dropbox, use something like PGPdisk.  You won’t be able to access it via the web interface, but it provides good security for files you share between computers.

Use SSL whenever you can.  Even if you don’t use a commercial ($$) certificate for your own web page, you’re just trying to encrypt traffic.  I recently made the mistake of accessing one of my (non-SSL) website accounts from a public wireless network, and only realized my mistake two seconds after logging in.  Whoops.  Password change time…

Use tor, and the excellent Vidalia package (on the tor site).  Tools like the Firefox torbutton add-on make this a snap.

Tunnel things via SSH, and only use SSH for access to UNIX boxes.  Of course, you’re already doing this.

Search on googlesharing (assuming you trust Moxie Marlinspike more than you trust Google) and use any of the other anonymizing services out there.  If you run your own system, I can also recommend tools like nph-proxy.

And, of course, never post anything online you wouldn’t want someone else to see.

But again, full anonymity and privacy are illusory.  Someone who cares enough can always find out about you, given sufficient tools and determination.  Enter a colleague’s attitude, which I find pretty interesting.

His point is that it’s best to establish patterns of regular usage, that most of what you do is utterly and completely uninteresting to anyone out there beyond statistical correlation with hundreds of millions of other users, and that you can’t realistically expect to hide 90% of your Internet activity anyway.  For those times when you really need to duck under cover, though, you should be technically astute enough to abandon those patterns you’ve established.

His logic, which I can’t refute, states that it’s better to have a public persona, which will provide plausible deniability of the few, specific instances when you really need privacy and anonymity, than to constantly attempt to hide everything you do.

Posted by john at 9:58 am

Why Biometric Authentication is (Frequently) a Bad Idea

Architecture & Design, Authentication, Best Practices, Identity Theft, PKI, Privacy, Social Engineering No Responses »
Feb 272009

Authentication Basics 101

First, some three-point lists to re-hash the elements of authentication, mainly for my own memory-jogging purposes.

An individual who wants to gain access to data or facilities goes through a three-stage process:

  • Identification (”Hi I’m Bob!  Let me in!”)
  • Authentication (”OK, I verify that you are indeed Bob.”)
  • Authorization (”Bob, I verify that you are among those permitted to enter.”)

Authentication can be done using any combination of the following three ingredients:

  • something you know (e.g. password, PIN code)
  • something you have (e.g. key, smart card)
  • something you are (e.g. fingerprint)

It’s been a given for a while that two-factor authentication is a good way of massively raising security of information or premises at a comparatively low cost, by reducing the impact from losing or disclosing any part of the authentication process.  If I drop my access badge on the train, big deal, because I also need a secret passcode to enter the office.

Some Problems (PKI / Certificate Example)

As a quick side-track, during every single PKI-related project involving token-based authentication (usually smart cards) that I’ve ever worked on, two major issues inevitably arose:

First, how do we adapt peoples’ credentials to changing circumstances.  For example, the subject marries and changes their name.  Signing keys used in authentication certificates can be expired or revoked, even though this requires maintenance of a functioning certificate revocation list, something a lot of enterprises don’t seem to be capable of, and which can be technically daunting in any case once you start dealing with multiple thousands of revoked certificates.  However, data signed and encrypted before the expiration or revocation date must be accessible or verifiable in perpetuity, no matter if Jane Smith is now called Jane Smith-Jones.

Continuing the certificate example, this is solved by using something like friendly names on certificates (where the user’s name is not part of the certificate’s LDAP distinguished name (DN), or unique numerical identifiers that are mapped to an actual name in a database accessible by other applications that use the certificate.  There are many ways to skin a cat, or a user who changes their name.  However, this falls squarely into the “bad planning” department that seems to be an attribute of many PKI deployments; architects often don’t make allowance for future requirements, such as extended key attributes (thanks for the tip, Arjo), thus raising the need for additional certificate rollouts and system redesigns.

Second, what happens when the user loses his chip card?  No problem, get him a new one.  Even better, prevent him from losing it in the first place, by combining his authentication token with something he is definitely not going to forget, like the bathroom access pass or his lunch card (but whatever you do, please PLEASE don’t put the company logo or address on his access badge.)

What to do, though, when he’s on a service visit to a missile silo at the North Pole, or with a client in Colombia, and can’t access his laptop?  What about one-man branch offices in Timbuktu?  This is where we start facing increasingly complicated problems with issuing emergency credentials via cell phones (a great medium for secondary authentication — they’re tied to a person, they’re at least somewhat secure against casual attackers via GSM encryption and PIN code access, and they’re one of the least likely items to be forgotten at home.)

Moving beyond the scope of digital certificates, biometric authentication offers a tempting solution for both of the above problems..  Passports can be forgotten, passwords extorted, and unless you’re using a system that doesn’t check for heat or blood flow (useful in the case of the Malaysian Mercedes owner several years ago whose fingers were severed by robbers to gain access to his fingerprint-protected car) or which can be fooled by fake biometric credentials, biometric authentication immediately and reasonably reliably identifies and authenticates a user in one go.  Unless he loses his hands or voice or has his eyes gouged out, but that eventuality doesn’t look so nice in the authentication product marketing brochure, so we’ll conveniently ignore it.

Passwords are Annoying

Passwords have their own problems; I agree that people should use pass phrases instead of passwords whenever possible [1],[2].  Furthermore, I believe that excessively strict password complexity and rotation rules lead people to do stupid things like (with all due respect to Bruce Schneier) writing down passwords in obvious places.  Very few individuals have the time, knowledge or intelligence to write down passwords in a way that keeps them safe (plus, the “YOUR PASSWORD WILL EXPIRE IN 5 DAYS” warnings on Windows workstations tend to catch people when they’re most stressed and hurried to log in and get to their meeting.  Furthermore, password vaults tend to be impractical if, like me, you access similar resources from different workstations, laptops, interfaces, etc.

Biometric authentication gets around all this; in the case of a lot of low-end applications, such as unlocking laptops, it is a thoroughly convenient mechanism that allows administrators to get around the expense and complexity of dealing with things like BIOS/startup authentication, or the aforementioned user failings in dealing with password security rules.

So Where’s the Problem?

There are a number of classic arguments against biometric technology — principal among them being that, in case of identity theft, it is not possible for a user to change his credentials, ever.  My major objection to most uses of biometric authentication, however, is the excessive trust placed in it, combined with the absence of non-repudiation.  While most technologies involved are technologically sound and deployed in a well-meaning manner, these related failings bear the probability of inevitable negative, unintended side effects.

By virtue of its perception as an advanced, “futuristic” technology, there is a tendency to ascribe some degree of infallibility to biometric authentication.  Errors are viewed as improbable; since there are no longer external factors (knowledge or objects) involved in authentication transactions, the person logging in with a thumbprint must perforce be the owner of the thumb who was registered as such.

As an analogy, DNA matching by police suffers from a similar weakness; first, we cannot discount concerns about false positives.  Even if there is a one-in-a-billion chance that a DNA sample from a crime scene matches an innocent person as well as the perpetrator, statistically this may be acceptable, but wouldn’t it suck if you were that innocent person?  Is this tolerable?  Furthermore, as the John Schneeberger case demonstrates, even if the technology were flawless, completely circumventing the context within which DNA matching functions, by means of such shenanigans as introducing fake DNA, the entire usefulness of an otherwise good system is thrown out the window.  This is similar to the famous analog hole argument about why media digital rights management is a fundamentally broken concept; even if the hardware and software works just fine, a method completely out of its scope will render its deployment irrelevant.

In the case of biometric authentication, there are a number of conceivable (and, in my case, for lack of greater expertise, purely theoretical) situations where its employment breaks down; this xkcd cartoon demonstrates one such eventuality in a fairly insightful manner.  Given that many people will be subconsciously awed and intimidated by the cool sci-fi retinal scanners at airports, or palm readers in front of offices, this translates into a disregard for the possibility that something will go wrong with the system — dangerous because, even if the security of the system itself were flawless (which no system is) it can probably be circumvented, somehow.  This brings us to the second, and greater danger, that of the lack of non-repudiation in biometric authentication.

By means of overview, digital identifiers are used in two related but different ways to determine the authenticity of data — signing tells the recipient of data, “the information you received is the same that was sent, and it is I who sent it.”  This comes in the form of MD5 checksums, PGP signatures, etc., or in archaic terms, the royal seal on an envelope — in x.509 terminology, signing keys with an authentication bit set in their certificate containers are normally used for certificate authentication (as the key is used to sign a set of credentials transmitted to an application and to guarantee their inviolability.)

Non-repudiation means that a recipient of information can be assured that the originator cannot deny that he provided certain information; the recipient can prove that something not only originated with a given person, but that person is not able to reneg on the information.  Signatures on credit card slips or notarized contracts are the most common real-world examples of this.  There is a subtle difference between the two — signing assures the recipient that information and sender data are correct, non-repudiation guarantees the recipient that the sender will abide by the terms of the information received.

Authentication by biometrics introduces the idea of non-repudiation into a transaction where it usually has no business.  A user is first identified, then authenticated.  Both of these components of the authentication transaction three-step process take place using the same single medium — part of the user’s body.  This is bad.  As the user is identified as who he is, the authentication process suddenly and automatically includes an audit trail — which cannot, by definition, be contested.

When John Smith, average employee, sits down to log into his company workstation, he enters his username and password.  Even though his username may be “smithj”, which is tied his employer’s Active Directory to his username and photo, the disconnect between the person and the authentication framework means that he is not treated as an individual, but rather as an anonymous construct that possesses, hopefully legitimately, John Smith’s authentication credentials.  Can I prove that someone did not steal John Smith’s username and password?  Not really.  Maybe he wrote it down — perhaps that’s a firing offense in itself, but there is at least the reasonable doubt that it was he who logged in.

Not so with biometric ID.  The moment he swipes his palm across the door entry plate, or looks into the airport retina scanner, even if there is some doubt that it is, indeed, John Smith requesting authorization, that doubt enters the realm of the statistically irrelevant.  Fine for criminal prosecution, but decidedly suboptimal if you are John Smith who spent his Sunday in bed with a book rather than breaking into his workplace with a fiendishly clever copy of his thumbprint, or by jury-rigging the actual scanner with a battery and a bunch of wires.  The fact that it was a physical part of John Smith that was used (in the mind of the authentication system) to open the door or unlock the workstation means that the audit trail automatically associates him with his action.

This extends to a person’s movements between countries, his use of a cell phone, his travel in a car, his purchasing habits — all of which can be plausibly denied and repudiated if physical or virtual items, such as passports and PIN codes, are used to authenticate the user.  Identity theft at this point may be unlikely, but fatal for the victim.

How to Fix This

Biometric authentication is not fundamentally bad.  It has its place, if properly planned and implemented, and if the consequences of its use are known.

For example, authentication can be insular and local.  That is, the process does not register a user’s physical characteristics anywhere centrally, but rather uses a locally cached checksum of, say, a thumbprint to unlock a laptop or smart card — similar to what many Windows-based thumbprint login mechanisms already use.  A kerberos exchange is made with a domain controller, as with a username/password or smart card login, but the actual physical characteristic is not associated in its “raw” form with any central user profile.

Second, biometric authentication must absolutely under no circumstances be tied to audit trails; the tracking of a user’s actions and movements is information desired by law enforcement, human resources, marketing wonks, scammers and any other number of other parties, but there is no reason to tie a user himself, through his physical qualities, to his actions.  I want to be able to deny that I used my credit card in Indonesia last Tuesday; the moment this ability falls due to the authority of a retinal verification for a card transaction that was somehow falsified, I have a huge problem.

Next, such authentication must not cause anyone to come to harm.  As with the Mercedes example above — people are (usually) more important than objects or data.  If you evaluate your security needs and believe it’s a good idea to force someone to go through a burly Secret Service guy to get to the nuclear launch codes, that makes sense.  However, endangering someone’s safety for a car or laptop when it’d get stolen anyway, no matter what they do, would be callous and pointless.

Lastly, authentication credentials must not be tied to any other stored instance of a person’s biometric information.  This sounds paranoid, but physical characteristics, since as we see above these are refutable only with difficulty, and credentials can’t be changed.  The instant someone is able to abuse biometric credentials, a user’s entire financial credibility, his workplace history, and any number of other valuable combinations of reputation and resources may suffer.

Posted by john at 7:50 am

De-Perimeterization Done Right, Part II

Architecture & Design, Authentication, Best Practices, Development, Network Security, Privacy No Responses »
Dec 142006

The core of any mobile working solution will always be a laptop, most likely running Windows XP (as of present I am not aware of any companies with concrete plans for large-scale Vista deployments.) The first step is to define some overall requirements for our solution:

1) Transparency and usability of security mechanisms whenever possible
2) Prevention of unauthorized access
3) Anonymity
4) Easy replacement of lost or compromised assets or data
5) Plausible deniability by users of data on their systems
6) Traceability
7) Ease of management and support of users and assets
8) Expandability and portability of the solution

Any mobile environment should be usable by all users, regardless of their security profile, so we will be relying on as much automation and build standardization as possible.

We start by breaking down the productivity requirements into two classes: sensitive (having to do with company-internal infomation) and general (contact to others via Internet.)

The basic functions that we want are thus:

  • Basic office productivity tools (documents, spreadsheets, presentations, similar tools)
  • Mail (secure when needed)
  • Other communiation and collaboration with internal users and external persons (such as chat and VoIP — secure when needed)
  • Browsing (secure Intranet sites)
  • Browsing (other)
  • Secure document & data storage (local and remote)

So essentially, we can group all these requirements into two rough clusters:  “stuff that needs to be very secure” and “stuff that doesn’t need to be that secure” (beyond the usual protection from everyday badness.)

The solution we came up with for all these requirements was a multi-tiered model, using a couple of commonly available tools.  Yet another short ingredients list:

  • Layered access control (boot sector protection, full disk crypto, a strong authentication model) for the laptop itself
  • An “inviolate” stronghold (such as VMWare ACE) running on the laptop — this is the only environment from which the more secure internal functions, such as corporate groupware and file sharing can be run
  • Integrity policy (mixture of Microsoft AD GPOs and Check Point integrity client)
  • A relayed VPN connection — via an offshore VPN gateway — so casual sniffers have trouble tracking the destination of your VPN link
  • Live remote AD logon — Check Point, and possibly other vendors do a really nice thing called “SDL”, or Secure Domain Logon, where your Windows AD credentials are taken from the MSGINA into a “holding pattern” until a VPN connection is established (via a “shim GINA” that comes right after the MSGINA), at which point you are given a full live AD logon, as opposed to authenticating to the locally cached auth credentials
  • PGP-based optional mail and file crypto, allowing for greater flexibility with removable devices (corporate ADKs, or additional decryption keys, deal with all those pesky recovery issues)
  • Terminal-server based applications and filestorage for sensitive material; Citrix or Microsoft Terminal Server both do the trick here.  The point is to add another layer of security between the laptop and the crown jewels, and to remove the need for remote workers to store unnecessary but sensitive materials locally.

That’s it for today, class.  At some point I’ll go into what to do about remove laptop recovery, allowing users to have data auto-destruct without incriminating them or garnering accusations of impeding investigations, and other cool topics.

Posted by john at 11:38 pm

De-Perimeterization, Done Right (Part I)

Architecture & Design, Authentication, Best Practices, Development, Network Security, Privacy No Responses »
Nov 272006

In March 2005, Brazilian federal police raided the offices of a Credit Suisse subsidiary in Sao Paolo. In addition to arresting the local management (and from what I understand, keeping them incommunicado for something like 48 hours), the Brazilians probably also had unfettered access to at least parts of CS’ worldwide corporate network. Similar harassment of international companies, both legitimate and arbitrary, has occurred in Russia and other countries.

Not all governments welcome the presence of high net worth private banking client advisors, or representatives of competitors to national champions in their jurisdiction, and such individuals should worry about industrial espionage. Furthermore, countries such as the United States have enacted restrictive immigration policies during the past few years, which allow pretty much unfettered access to laptops of business travellers. Several colleagues of mine entering the US for security conferences have been harassed upon identifying themselves as security consultants or experts.

Additionally, the maintenance of a fixed office may simply not be economical in certain regions, especially when individual sales reps, consultants or other professionals cover large geographical areas. The laptop should thus function as a completely secure, untraceable, self-contained office environment, giving the user access to all functionality he would have at a fixed, secure office but without endangering company data, user safety or corporate infrastructure.

One of my on-again off-again projects is the design of a secure mobile platform. Beyond the usual full-disk crypto + VPN solutions used by most companies with executives on the road, I believe that a true mobile architecture involves several more parts that are often ignored.

The Jericho Forum proposes ‘de-perimeterization’ as the removal of fixed barriers to the core network; they do not, however, offer a great deal of substance or concrete suggestions. To this end they are occasionally criticized, although in this particular case I can’t agree with the author. IPSEC may have its weaknesses, but solution elements such as Check Point’s Secure Domain Logon (which uses a “shim GINA” to establish a VPN connection to a corporate internal network before Windows authentication credentials are actually passed through from the XP GINA) both make PKI and smart-card authentication feasible and allow full integration of most types of mobile clients.

As the above hints at, the goal of a mobile solution must be to extend the corporate perimeter without sacrificing any security or usability, something which I believe is entirely doable and which, in fact, we’ve gotten nicely working on a number of occasions. However, as important as the integrity and security of a given laptop, are the maintenance of anonymity and discretion, and the manageability of a given workstation. Neither the laptop nor a user’s regular everyday actions should give any clues as to the provenance of a laptop, and in no way should compromise of a laptop construe a threat to the integrity of data on the laptop or corporate infrastructure.

In Part II, I’ll discuss individual elements of such a solution.

Posted by john at 8:10 pm

Virtual Space Viruses

Architecture & Design, Exploits, Privacy No Responses »
Nov 232006

Security Focus had an article yesterday about the virus attack that hit Second Life last Sunday. Apparently, this was a self-replicating exploit of the ability to create objects in SL, which bogged down servers.

A few years ago in a fit of mental masturbation, some colleagues and I postulated an online environment incorporating elements of Neal Stevenson’s Metaverse, Freenet, grid computing, various virtual currency incarnations such as e-gold, and various obfuscation, security and communications technologies. Underlying the concept was the nature of a computer; a processor, a bus and storage. And if you combine distributed computing, distributed storage and the Internet, voilà, a big computer.

With this in mind, the idea was basically to create a totally non-judgmental, uncontrolled secure and anoymous failure-resistant platform for online transactions — for legitimate business, tax evaders, kiddie pornographers, whoever. However, the parallel with the Metaverse doesn’t just stop at its distributed nature. Given the seemingly rising trend in attacks hitting MMORPGs and online communities, the villain Raven’s actual “Snow Crash” virus in Neal Stevenson’s book is something I can see being prototypical for a pretty big problem.

Picture this: just like with telephones and the Internet, commerce will adopt any new medium as a functional part of its business technology. So let’s say you have a totally decentralized, purely reputation-based, entirely secure transactions network of the sort that we’re postulating. For argument’s sake, let’s assume someone figures out how to exploit weaknesses in some of the protocols and/or client software used by participants in this kind of environment.

Given that the idea is to create a generally lawless state (i.e. not run by a company or controlled by a government agency, but designed to allow a green field for pure commerce), someone _will_ figure out a way to grief — be it for reasons of gain, sabotage, or pure vandalism. How do you respond to this? You have no recourse to Linden Labs, WIPO or the FBI. A community at large may not be sympathetic to, say, a Citibank under concentrated attack, and even then the response may be slow and ineffective.

A solution that comes to mind are variations on William Gibson’s “Black ICE” (i.e. the sort of strikeback capability that’s often poo-pooed and illegal in the real world.) However, in most virtual communities, there’s not enough of a “pay to play” mechanism to make vandals fear retribution, that they might lose their investment, and even if such a thing existed, there’s too much room for abuse (remember, who controls this? Even if there is a governing body, do you trust them?)

Just some thoughts.

Posted by john at 2:28 am

Swiss Police VoIP Trojan?

Exploits, Privacy, Spyware No Responses »
Nov 162006

This is a bit past its sell-by date, but Crypto-gram recently carried information of a story in the Neue Zürcher Zeitung (German article) about a supposed plan by the “Special Tasks Service” (DBA) of the Swiss communications ministry (Uvek) to requre Swiss ISPs to assist in infecting Voice-over-IP endpoint PCs with trojans that would enable interception of VoIP communications, such as Skype, Vonage or other protocols.

According to the NZZ, the Swiss company ERA IT Solutions is behind the trojan’s development, although no technical information is given. I especially love the claim that “it’s designed to be undetectable by firewalls or virus scanners.” Or Macs, or tripwire on Solaris, but maybe they can have a chat with Joanna Rudkowska about how to do it. Regardless, F-Secure probably won’t cooperate, and seemed to take a dim view of this toy’s chances of success.

The DBA, created as the Uvek’s “dirty tricks and espionage” department, lists wiretapping among its core tasks. According to Swiss telco law, when to deploy such toys is still within the purview of the local authorities, although data protection and warrant mechanisms are not mentioned. The trojan may apparently be either surreptiously installed by the police, or through ISPs. Under the threat of coercion, I assume.

More information is at PC Pro. I honestly can’t imagine what the hell ERA’s marketing directory was thinking; if I were him, I’d be doing PR damage control like mad now. Needless to say, Keystone Kop trojans don’t seem to be listed on their products page.

Posted by john at 10:16 pm

Data Protection Goes South

Identity Theft, Privacy, Privacy & Security Law No Responses »
Nov 112006

cedula-small.JPG Before arriving in Chile, where I’m spending a year with my girlfriend, I did a bit of research on the information security and compliance landscape in South America. I came up with a single short law in Chile governing the security and integrity of information–”Ley 19628″, dating back to 1999. Ut-oh.

On 28 August 1999, Chile adopted privacy protective legislation. Law 19628 provides a set of detailed guidelines, principles and rules relating to the gathering, use, processing, storage and export of personal data. To be legal, all the above acts require the person’s written consent. The law does not create a data protection authority. Its application is monitored by ordinary courts. Personal data registrars are bound to respect professional secrecy rules. Data subjects are entitled to access and correct the data relating to them and to claim compensation where loss or damage is suffered as a result of the use or disclosure of such data. Infringement of the legislation entails administrative, civil and penal liability. Special provisions apply on financial, commercial, banking and medical data.

Gotta love the absence of a data protection officer. The law also does not specify penalties like the UK Data Protection Act or Swiss law. To be fair, I think the Argentines also only have something basic on the books.

Why is this fun? Well, like everyone here, we are in possession of a “cedula de etrangeros”, or a “papers pliss” kind of mandatory national ID card. The “RUT”, which I can only assume was originally some sort of pension information, serves as a universal identifying number. All government agencies are tied into the database containing these — companies also have these, as well as some contracts. It’s used it for taxes, pensions, passoprts, etc. etc. etc.

(Yes, that is a Cedula above; the smudged bit is my RUT, and I’m not going to put you through the agony of my ugly mug more than once on this page.) So, what’s the deal?

The RUT isn’t just used by the government, but by your bank, insurance and other organizations as an ID. Sounds good, except that it’s also your supermarket loyalty ID, your video club membership number, and your identifier for anything you can possibly imagine–it’s given openly over the phone, the Internet (often via unencrypted authentication elements even in SSL-protected pages), to the pizza delivery guy, you get the idea. As it turns out, everyone who asks for your RUT (i.e. everone) has full access to the RUT database (or whatever it’s called).

Bills of participating enterprises are payable online via two websites, one of which, when I logged in (using my RUT as user ID, with a 6-digit numeric password, no more are possible, and it only works under IE, let me check out my entire phone history for the month. What’s interesting is that at first I typed in the wrong phone number — and got someone else’s entire call history, along with their name, address and, you guessed it, RUT.

At risk of sounding like I’m scoffing — I’m not, just incredulous — this is in an environment where I’m asked to put two pen dashes across the face of a signed check “for security” because, as we all know, once you’ve written over a check, it can’t be forged. When confronted with the incongruity of this, at least two people I spoke with responded with some variation on “but this is South America / Chile.” It could never happen here.

In absence of enough time to put together a properly thought-through post, I’ll leave it to you, dear reader, to come up with your own conclusions as to the potential for identity theft once someone cottons onto the fact that English (and extremely poor Dutch and German) aren’t the only language in which a lot of gullible, not-terribly-technical people do business online.

Posted by john at 2:06 am
© 2010 Chakraborty Software Suffusion WordPress theme by Sayontan Sinha