Riddle me this: When one does not know what it is, then it is something; But when one knows what it is, then it is nothing…what is it?
Recently we have witnessed a series of high-profile leaks. This in and of itself is nothing new; we have been experiencing an orgy of disclosure since the early part of the decade, but the latest “disclosures” highlight the law of inevitable disclosure, which goes something like – if more than one person knows it, then at some point in time it will be disclosed.
Against the backdrop of Copenhagen and ongoing attempts to properly frame the climate issues impacting our world, against the billions being spent for and against ‘Green’, the political posturing, the claims, the denials, and the elevated ladder – seriously, who could forget the elevated ladder Al Gore used to demonstrate the unprecedented increase in temperature levels in An Inconvenient Truth – we have Climategate, the scientific community’s equivalent of a Paris Hilton video.
A hacker broke into the computers at the University of East Anglia’s Climate Research Unit (aka CRU) and released 61 megabytes of confidential files onto the internet. These files included emails and other information which portray the climate scientists as colluding to manipulate data results, expressing doubts about their hypothesis on global warming, suppressing evidence that wouldn’t support their positions, and exchanging some rather awkward emails concerning violence against those opposed to their views. No doubt they assumed many of these communications would be “private”.
TSA Leaks Screening Procedures
The Transportation Safety Administration (TSA) accidentally leaked a 93-page manual detailing specifics of their screening procedures. The standard operating screening procedures document includes information on calibration techniques and limits of the X-ray machines, as well as information on how to treat various individuals, from diplomats to law enforcement to prisoner transports. All in all, a wealth of information that could be used to bypass controls.
The manual was posted as a redacted .pdf document; however, they simply placed black rectangles over the sensitive text in the .pdf instead of removing the text itself. Because the underlying text objects are still present in the file, anyone can uncover the hidden text by simply copying and pasting the blacked-out portions into another document.
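The failure described above is easy to check for before a document is published: extract the text objects from the PDF and confirm that the terms you meant to redact are no longer there. The following Python script is an added example, not code from the original post or from the TSA. It builds two constructed single-page PDFs from scratch (uncompressed, so no PDF library is needed): one where a black rectangle is merely painted over the sensitive line, and one where the text object itself was removed before the rectangle was drawn. The sensitive and public strings, the page layout and the helper names are all made up for the illustration; real documents usually carry compressed content streams and would need a PDF library to decode them before the same check applies.

```python
import re

# Constructed sample strings; in a real review these would come from the
# redaction worksheet for the document being cleared for publication.
SENSITIVE = b"Calibration limit: 42 units"
PUBLIC = b"Screening checkpoint procedure"


def build_pdf(content: bytes) -> bytes:
    """Assemble a minimal, valid single-page PDF around one uncompressed
    content stream. Hypothetical helper written for this example."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


# "Redaction" done the way the post describes: the text object that shows the
# sensitive line is left in place and a black box (0 g ... re f) is painted on top.
OVERLAY_REDACTED = build_pdf(
    b"BT /F1 12 Tf 72 720 Td (" + PUBLIC + b") Tj ET\n"
    + b"BT /F1 12 Tf 72 700 Td (" + SENSITIVE + b") Tj ET\n"
    + b"0 g 70 696 220 16 re f\n"
)

# Proper redaction: the sensitive text object is removed from the content
# stream entirely, and the box is drawn where it used to be.
PROPERLY_REDACTED = build_pdf(
    b"BT /F1 12 Tf 72 720 Td (" + PUBLIC + b") Tj ET\n"
    + b"0 g 70 696 220 16 re f\n"
)


def extract_text_strings(pdf_bytes: bytes) -> list:
    """Return every literal string handed to the Tj text-show operator in the
    file's uncompressed content streams. This is what copy-and-paste sees:
    the text objects, not the pixels painted over them."""
    streams = re.findall(rb"stream\n(.*?)\nendstream", pdf_bytes, flags=re.S)
    found = []
    for stream in streams:
        # PDF literal strings are parenthesised; allow backslash escapes inside.
        found += re.findall(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj", stream)
    return found


def redaction_leaks(pdf_bytes: bytes, terms: list) -> list:
    """List the terms that are still recoverable as text from the PDF.
    An empty list is the pre-publication check passing."""
    text = b"\n".join(extract_text_strings(pdf_bytes))
    return [term for term in terms if term in text]


if __name__ == "__main__":
    print("overlay-only redaction leaks:", redaction_leaks(OVERLAY_REDACTED, [SENSITIVE]))
    print("proper redaction leaks:     ", redaction_leaks(PROPERLY_REDACTED, [SENSITIVE]))
```

Run stand-alone, the script reports the sensitive line as still recoverable from the overlay-only file and nothing from the properly redacted one. The design point is that the check inspects what a text extractor sees rather than what a viewer renders; any review that only looks at the rendered page will pass the TSA-style document.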
Data Accountability and Trust Act
It isn’t just negligence, technical goofs, and malicious actors attacking the sanctity of online secrets; the Federal government wants to play a role in ensuring that what one might want to keep private is made public.
A national data breach notification bill was passed in the U.S. House of Representatives on Tuesday. The Data Accountability and Trust Act would require organizations to establish security policies and procedures, to follow FTC guidelines on data destruction, to provide the FTC with information regarding various aspects of their data security policies and procedures, and to notify all affected individuals and the FTC in the event an organization experiences a breach.
Data Accountability and Trust Act – Requires the Federal Trade Commission (FTC) to promulgate regulations requiring each person engaged in interstate commerce that owns or possesses electronic data containing personal information to establish security policies and procedures.
Authorizes the FTC to require a standard method or methods for destroying obsolete nonelectronic data.
Requires information brokers to submit their security policies to the FTC in conjunction with a security breach notification or on FTC request. Requires the FTC to conduct or require an audit of security practices when information brokers are required to provide notification of such a breach. Authorizes additional audits after a breach.
Requires information brokers to: (1) establish procedures to verify the accuracy of information that identifies individuals; (2) provide to individuals whose personal information it maintains a means to review it; (3) place notice on the Internet instructing individuals how to request access to such information; and (4) correct inaccurate information.
Directs the FTC to require information brokers to establish measures which facilitate the auditing or retracing of access to, or transmissions of, electronic data containing personal information.
Prohibits information brokers from obtaining or disclosing personal information by false pretenses (pretexting).
Prescribes procedures for notification to the FTC and affected individuals of information security breaches. Sets forth special notification requirements for breaches: (1) by contractors who maintain or process electronic data containing personal information; (2) involving telecommunications and computer services; and (3) of health information.
Preempts state information security laws.