Wednesday, May 31, 2006

Sacrificial Lambs?

According to reports in the Washington Post, among other news organizations, Michael H. McLendon, deputy assistant secretary for policy with Veterans Affairs, "resigned" as a result of the May 3 data breach announced May 22, just prior to Memorial Day. Veterans officials have also notified the civil servant from whose home the data was stolen that he will be terminated as a result of the breach.

Swift action, but is it merely window dressing for a practice that, according to this story in Information Week, has been going on for years? If this individual was known to have been transporting sensitive data since 2003, how many others have been doing the same thing?

McLendon and the unnamed VA employee have lost their jobs, but did the axe fall high enough and often enough to send the message that the VA is serious about revising its data security policy? I can only hope that is the case and that Veterans isn't just scapegoating these two individuals for the sake of saving face, while others equally culpable remain entrenched at the public trough.

Only time will tell if the VA and other federal (and state) agencies finally get it, or if sloppy data security will remain de facto policy.

Tuesday, May 23, 2006

In God We Trust, but the Government's Blowing It

Bob Sullivan's excellent work via his Red Tape Chronicles blog continues with this report on the theft of the PII of nearly 27 million U.S. military veterans discharged since 1975.

There are plenty of reports available on the story, so I won't go into the details beyond the basics: a Veterans Affairs employee downloaded the files to a laptop in order to do some work at home. The employee's home was burglarized and some stuff stolen, including the laptop and disks containing the veterans' information.

As a veteran, discharged from the U.S. Navy in 1987, this one hits home. There's a very good chance my information is on the stolen disk. But I'm not here to gripe about the fact that I now have to pay closer attention to my credit records.

Government institutions have a lousy record when it comes to protecting data. Taking state government out of the equation (including state colleges and universities), federal agencies had lost the records of more than 668,000 individuals since the Privacy Rights Clearinghouse started keeping track back in February of 2005. The list of federal breaches includes the Department of Justice (80k), U.S. Air Force (33k), U.S. Marine Corps (207k), Department of Agriculture (350k), and the Federal Deposit Insurance Corporation (6k). It doesn't include an April 28, 2006 breach at the Department of Defense in which an unknown number of personal records was compromised.

Add this week's 26.5 million veterans and the federal government accounts for at least one third of the 81+ million data records the PRC says have been compromised since ChoicePoint.

This doesn't mean that Congress has lost its moral authority to draft and enact federal data protection and notification law, but it does mean that the federal government needs to quickly and forcefully address its own shortcomings with regard to data protection.

As we know, consumers prefer to do business with companies they trust. Larry Ponemon's research has consistently confirmed that fact. Citizens should also be able to trust the governmental institutions that they must do business with each day. Furthermore, government has a responsibility to be accountable to the People and to work each day to earn and build that trusting relationship. In addition to the major issues of the day, it is "little" things like this news that erode confidence in government, and that's a dangerous proposition.


(As an aside, it's just a hunch, but it would not shock me at all to learn at some point down the road that this was a case of insider data theft made to look like a burglary.)

Friday, May 19, 2006

Somebody Stop This Guy

Don't mean to harp on the RFID issue, especially as it relates to the ongoing conflict between CASPIAN and anyone developing or using the technology, but this latest development offers a great illustration of what I mean when I say the industry needs to be more aggressive -- and smarter -- about the way it communicates.

RFID is a technology. It is neither good nor evil, but CASPIAN has applied the latter label to RFID and is relentless in its efforts to demonize the technology, capitalizing on the natural inclination of people to fear or mistrust things they don't understand.

I'll grant you that some uses of RFID do evoke the dreaded "creepy factor," and CASPIAN exploits this dynamic very well.

And it's easy to do when someone like Scott Silverman is on the loose.

Silverman is chairman and CEO of Applied Digital, parent company of VeriChip Corporation, makers of the infamous VeriChip implantable RFID capsule.

Recently, Silverman was interviewed on FOX News discussing VeriChip's potential use in the fight against illegal immigration.

CASPIAN gleefully makes a transcript of that interview available for you to read.

I have to believe that Mr. Silverman is acutely aware of the controversy that surrounds his company's product; I have to believe that Mr. Silverman is acutely aware of the volatile combination of implantable RFID and the government; I have to believe that Mr. Silverman is acutely aware that there is no shortage of people who utterly fear the potential for abuse of his company's product.

Why, then, does he go on national television and make statements like:

"...obviously, [VeriChip] can be applicable for the immigration issues we face today as well."

A clear reference to use of an RFID chip to track people.

"[Implantation is] an election on the part of the immigrant or an election on the part of the government."

Perhaps a misstatement, but implying that either an individual or the government can decide who to implant and track.

Making matters worse, Silverman absolutely bungles his description of how VeriChip works by speaking technoese. The words and phrases he uses (application, serial port, scanner/proprietary scanner, database, passive device) do nothing to placate a paranoid public and demonstrate any real value behind the technology. Silverman is talking with, among others on the show, New York Giant running back Tiki Barber and potentially millions of average Americans; he's not addressing a conference of the IEEE.

Observation: Silverman appears to have a poor grasp of how to effectively use communications to build trust and confidence in a situation that clearly calls for such an approach. That, or his apparent indifference is an indication of institutional arrogance. Either way, you can almost hear the collective cringe of the RFID industry upon the realization that, with every such interview, the challenge of overcoming RFID's negative perceptions grows more difficult.

Thursday, May 18, 2006

RFID Panel Post-Mortem

Last night's RFID panel discussion went very well. Tony Imbriaco of iAnywhere Solutions opened with an excellent overview on the technology that included a wealth of real-world examples of how RFID is providing real value to business.

The panel I moderated took that discussion closer to ground level, with each of the panelists offering greater detail on various elements of RFID deployment, including network level infrastructure, readers and edge devices, necessary intelligence, and integration into end-user environments.

Of course the privacy issue was on the minds of the audience, who wanted to know what was being done to protect patient privacy in healthcare and consumer privacy in retail settings. Similar inquiries came in related to Viisage's combination of RFID and biometrics in their border security products.

It all underscored what I've known for a long time: not enough is being done to educate the public on the critical issues related to RFID (and biometrics and other technologies).

There was a healthy audience, especially in consideration of the rains and flooding that have affected the Merrimack Valley and a great deal of coastal New England this week. Kudos to the organizers for putting on an illuminating event.

Observation: I still believe strongly that the greater good available through RFID is being obscured by the protests of a vocal minority, but I also believe that companies involved in the development and marketing of RFID need to change their approach to discussing the subject.

Too often, technology companies seem incapable or unwilling to convey concepts in non-technical terms. Industry lexicon, jargon, acronyms, and cliché are the order of the day. It doesn't have to be that way.

Translation of complex technological concepts into Plain English is not difficult. Illustrating ideas with analogies taken from everyday examples is a must. Even if the communication is intended for an industry audience, this approach will help establish clear communication as a habit.

I think the panel took a step in that direction last night, but as an industry there is a long way to go.

Thursday, May 11, 2006

Panel Discussion on RFID

I've been asked to serve as moderator for a panel discussion on RFID next week, Wednesday, May 17 at 5pm at the Merrimack Valley Venture Forum at UMass Lowell.

For more information on the event, or to register if you are in the area and want to attend, click here.

Representatives from Viisage, Radianse, Reva Systems, and ThingMagic make up the panel of experts.

Should be an excellent event. A lot is happening in RFID these days, including some developments at IBM related to simple privacy protection, and RFID usage standards established by a consortium of companies that includes Procter & Gamble and Eli Lilly.

I'll return to that topic in the near future. For now, the focus is shameless self-promotion.

I've been a member of the MVVF for a short while and have found these monthly topical panel discussions to be interesting, informative, and timely. This one should be no different. Hope to see you there.

Thursday, May 04, 2006

Brain vs. Brawn

According to an Associated Press report, spammers have figured out a way to identify email addresses registered to anti-spam service Blue Security's "do-not-spam" list. Individuals owning those addresses have been getting spammed more heavily as a result. Blue Security offers this service to consumers, and non-complying spammers may be subject to a bombardment of replies to the spammer's host, potentially resulting in a shut-down. Think of it as a reverse denial of service attack. As you might imagine, Blue Security has been the target of denial of service attacks from those who don't like what they are doing.

The approach taken by the spammers to defeat Blue Security's plan is simple: run addresses through Blue Security’s encrypted checklist and then correlate the matches against the spammer's original list. Technically, Blue Security’s list has not been hacked, but over time, spammers have been able to compile a fairly extensive list. It's a logical and simple work-around. Spammers are at work trying to punish those with email addresses registered through Blue Security with aggressive and frequent emails threatening even more spam.

This incident demonstrates the difficulties involved in controlling, policing, and otherwise regulating the online world.

In 2003, the US Congress passed legislation creating the Do Not Call Registry. Do Not Call would prove to be hugely successful and wildly popular with the general public. Some lawmakers, ignorant of the fundamental differences between telephone service and email as a means of communication, decided that they might win public approval if they authored similar legislation aimed at stopping spam. A "Do Not Spam" registry was floated, but ultimately wiser minds prevailed. The FTC and other federal authorities have taken to prosecuting US-based spammers through existing law, such as those designed to prevent fraud and deceptive business practices.

Observations: I don’t have specific communications recommendations for this piece of news apart from pointing out the challenges of dealing with spam and making bold, absolute claims if you are in the business of stopping spam. I’ll point out, however, that for all of Blue Security’s technical acumen, the spammers’ work-around here is decidedly low tech. That’s typical, and we’ve seen time and again how digital miscreants will use cunning techniques such as social engineering to defeat even the most sophisticated security systems. People are often the weakest link in the security chain – especially if they are ignored when implementing programs. Proper training and awareness programs can fix this problem.