Shostack + Friends Blog Archive


Quis custodiet ipsos custodes?

There have been a couple of interesting stories over the last week that I wanted to link together.

“Verizon Employees Snoop on Obama’s Cellphone Records” (followed shortly by “Verizon fires workers over Obama cell phone records breach”) and “4 more Ohio officials punished in ‘Joe’ data search.”

There are a couple of things happening here. The first is that everyone who works in an organization with lots of personal data knows that snooping has gone on forever. But organizations are changing their approach: they are now starting to audit that snooping and act on what the audits turn up.
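The auditing the paragraph describes is, in practice, a review of record-access logs for lookups that have no business justification. As an added illustration (not code from this post or from any of the companies mentioned), here is a small detector run over a constructed access log. The log format, the field names, the idea of a "watchlist" of high-profile accounts, and the threshold of three ticket-less lookups are all assumptions made for the example; a real deployment would use the organization's own log schema and tune the rules to its case volumes.

```python
"""Detect possible insider snooping in a customer-record access log.

Added example with a hypothetical log format and constructed sample lines;
not tied to any real carrier's or DMV's audit system.
"""
from collections import Counter, defaultdict
import re

# Constructed sample audit lines: timestamp, employee, account looked up,
# and the support ticket that justified the lookup ("-" if none).
SAMPLE_LOG = """\
2008-11-20T09:01:12Z emp=e101 account=acct-5550100 ticket=T-8821
2008-11-20T09:03:44Z emp=e101 account=acct-5550101 ticket=T-8822
2008-11-20T10:17:05Z emp=e207 account=acct-VIP0001 ticket=-
2008-11-20T10:17:31Z emp=e207 account=acct-VIP0001 ticket=-
2008-11-20T11:42:09Z emp=e333 account=acct-VIP0001 ticket=T-8830
2008-11-20T12:05:50Z emp=e415 account=acct-5550200 ticket=-
2008-11-20T12:06:01Z emp=e415 account=acct-5550201 ticket=-
2008-11-20T12:06:12Z emp=e415 account=acct-5550202 ticket=-
2008-11-20T12:06:20Z emp=e415 account=acct-5550203 ticket=-
2008-11-20T12:06:33Z emp=e415 account=acct-5550204 ticket=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) emp=(?P<emp>\S+) account=(?P<account>\S+) ticket=(?P<ticket>\S+)$"
)


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_snooping(events, watchlist, unjustified_threshold=3):
    """Return {employee: [reasons]} for accesses that merit human review.

    Two rules (assumptions of this example, not an industry standard):
      1. Any lookup of a watchlisted (e.g. high-profile) account without
         a ticket reference is flagged immediately.
      2. An employee with >= unjustified_threshold ticket-less lookups of
         ordinary accounts in the log window is flagged for volume.
    """
    findings = defaultdict(list)
    unjustified = Counter()
    for ev in events:
        no_ticket = ev["ticket"] == "-"
        if ev["account"] in watchlist and no_ticket:
            findings[ev["emp"]].append(
                f"watchlisted account {ev['account']} viewed without ticket at {ev['ts']}"
            )
        elif no_ticket:
            unjustified[ev["emp"]] += 1
    for emp, n in unjustified.items():
        if n >= unjustified_threshold:
            findings[emp].append(f"{n} ticket-less lookups of ordinary accounts")
    return dict(findings)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for emp, reasons in sorted(find_snooping(events, {"acct-VIP0001"}).items()):
        print(emp)
        for reason in reasons:
            print("  -", reason)
```

On the sample above the detector flags e207 (two ticket-less views of the watchlisted account) and e415 (five ticket-less lookups in a minute), while e333, who viewed the same high-profile account under a ticket, is left alone. Neither finding is proof of misconduct; the output is a queue for a reviewer, which is exactly the "audit and address" step the organizations in the linked stories have started to take.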

The second thing is no one seems all that surprised. Companies have been hiding the problem, and when they own up to it, their customers don’t all quit en masse. (It might seem hard to stop having an Ohio drivers license, but then, Joe’s already proven you can get by without Ohio licenses.)

We actually saw something similar in the NSA wiretapping case. Much of what we’ve learned about what happened has come from insiders stepping forward to say that it was wrong. They’ve given information to journalists so that we can have an informed conversation, because in their professional judgement, the terrorists already knew we were spying on them.

So I see this as a very positive new school step. We’re talking about a problem. The sky isn’t falling. It turns out that for some things, the watchmen watch each other.

Now, that’s not to say we should rely on them to do so. But it’s an interesting phenomenon, and one we should look to include in system design. That’s often really tough, because pointing out misbehavior can seem like a “betrayal.” That doesn’t mean we shouldn’t try; we should just do so with a full understanding of how hard it is to change human nature.

Photo by Zog the Frogman.
