Shostack + Friends Blog Archive


By their fruits, ye shall know them

We’ve made frequent calls here at EC for improved breach breach reporting. In particular, we’ve said that governments (be they state, provincial, national, whatever) should provide standardized reporting forms, should collect a basic set of facts in each report, should require precision in reporting rather than accepting weasel-words, and should mandate centralized reporting, so that legislators and the public can see (without commissioning a study) what the facts are. Additionally, we’ve mentioned research discussing notification fatigue, and the artful construction of notification letters seemingly designed to discourage both comprehension and action. Finally, we’ve praised efforts to increase transparency — in particular New Hampshire’s posting of notification letters on a government-administered web site.
In recent days, I was elated to learn of legislative efforts in California and Indiana that together substantially advanced each of these points. In California, Senate Bill 364 was recently voted out of the state senate. This bill requires that breach notification letters be written in plain language, and that they contain:

  • The toll-free telephone numbers and addresses of the major
    credit reporting agencies.
  • The name and contact information of the reporting person or
    business subject to this section.
  • A list of the types of information, such as name or social
    security number, that were or may have been the subject of a breach.
  • The date of a breach, if known, and the date of discovery of a
    breach, if known.
  • The date of the notification, and whether the notification was
  • A general description of the breach incident.
  • The estimated number of persons affected by the breach.

It also requires that breaches be reported to California’s Office of Information
Security and Privacy Protection (where they would be subject to Freedom of Information requests).
In Indiana, House Bill 1197 would require the attorney general to publish notice of a breach of the security of a system on the attorney general’s Internet web site, and closes a loophole in Indiana’s existing breach law, which currently allows password protection to be sufficient to exempt and incident from disclosure. The new law would only exempt completely encrypted portable devices, with unexposed keys.
Each of these bills is a great thing, and each shows that (despite what cynics like I might say), smart people who are motivated can make a big difference. In California, the smart, motivated people are at the Samuelson Law, Technology & Public Policy Clinic [link to no longer works], whose recent research [link to no longer works] supplied part of the bill’s foundation. In Indiana, infosec researcher Chris Soghoian was instrumental in educating his own local legislator, and making several suggestions which found their way into Indiana’s bill.
But the story gets more interesting. As Chris documents, the centralized notification portion of the Indiana bill is vigorously opposed by telecom giants AT&T and Verizon, as well as by Microsoft. The last, writes Soghoian, even argued that availability of actual breach letters would make phishers’ work easier. Funny that the letters already posted by New Hampshire and others haven’t done this. I guess phishers are too busy to write a FOIA letter, too. Note to Microsoft: this information is not secret from bad guys, it is merely hidden from the vast majority of good guys. Thanks for arguing that it should stay that way. Maybe Microsoft’s lobbyists should learn about threat modeling.
Lest it be thought that tech industry opposition to democratic transparency is a purely domestic thing, the Information Technology Association of Canada testified in opposition to a Canadian breach law, as reported by Canadian privacy law expert Michael Geist [link to no longer works].
Meanwhile, in California, a portion of the bill requiring breach notices to be placed on the web, thereby allowing the interested public to avoid the hassles of writing FOIA letters, has been stricken from the bill, this time for cost reasons.
I’m happy that California takes this issue seriously, and turned to some folks who obviously know their stuff. I guess they are strapped for cash. As for Indiana, and for Canada, it’s disheartening to see tech firms argue that technology should not be used to bring relevant information closer to those who want it.

7 comments on "By their fruits, ye shall know them"

  • Iang says:

    Calling on the government to solve some problem is almost always a mistake. SB1386 may be the rare exception.
    Calling on the government to improve on this … has to be treated with some degree of skepticism. I find it very unlikely that any government decree can cause reliable breach reporting and reliable information gathering. This mission is unachievable. There are always methods by which companies will find ways to confuse the data delivery. If you can’t see how to do that, then … you’re probably not in the security world!
    At some stage we have to think about open governance being run by the people. That is, expect to see some quality control from open institutions, ones that arise for a need. E.g., blogs like this and other aggregators of info.

  • A legislature is unwise to get into technical details like encryption.

  • Adam says:

    So you think we need more laws with bits like SarBox 404? I think a lack of detail can be less wise than detail.

  • Adam: When a legislature wades into a technical topic that it really does not understand, it makes a fool of itself. The California legislature made a fool of itself when it enacted Assembly Bill 779 in September. Even though the spirit behind 779 was pure, the legislation was technical mess and the governor vetoed it. See

  • Chris says:

    What specific guidance in the bill I wrote about is improper? Issues with AB 779 are irrelevant: that isn’t the bill under discussion.
    How is a requirement for “clear language” a technical topic, for example?
    It’s not like the CA legislature is providing prescriptive guidance to the people who design or operate the infrastructure used to hold or transmit PII; they’re just saying what you need to do if it is revealed, despite whatever technical measures you’ve used (save encryption) to protect it.

  • PHB says:

    Perhaps before we go into breach notification in even more depth, perhaps a bit of attention to the reasons for bad security.
    Yes I know that some companies are just lazy, but many are not and many of them have breaches as well.
    I have been looking at the usability of some well known security applications and the picture is not at all pretty.
    I can set ACLs to set up a database, but when I tried to use them to stop the kids from watching random stuff on the media vault I quickly realized that the whole system is broken.
    Protecting information according to where it is stored does not work once data starts to move about.
    We need to completely rethink some core approaches here. The security usability just sucks, and it is no better on the Mac and much worse on Unix.

  • Adam says:

    I think that attention to the reasons for bad security and breach notice are intertwined. As we start talking about what’s going wrong and why, we can start to address it better.

Comments are closed.