« March 2006 | Main | February 2009 »

May 22, 2006

Identity Exposure is an Architecture Failure

Today's software story is on the front page of the day's news: 

Monday, May 22, 2006; Posted: 5:46 p.m. EDT (21:46 GMT)

WASHINGTON (CNN) -- Personal information on 26.5 million veterans was stolen from the home of a data analyst in what appears to have been a random burglary, Veterans Affairs Secretary Jim Nicholson said Monday.

The computer records include names, Social Security numbers and dates of birth, Nicholson said. The Department of Veterans Affairs disclosed the theft Monday and said it has seen no indication that the information has been misused.

The analyst took the data home without authorization, Nicholson said. Department spokesman Matt Burns said the employee has been put on administrative leave while the investigation is conducted.

What makes this a story about software? Exactly this: Why did the software architecture permit this personal data to be available to anyone in the VA?

I don't work for the VA, but I can't imagine any analysis that requires the exact personal identifying data of every veteran (and spouse of a veteran). Given the concerns and regulations applied to privacy these days, a proper data and software architecture should make all data anonymous. Period.

The analyst who took the data home is going to be punished. But the investigation should target those responsible for making the data available in the first place:

  • the Chief Architect, Solution Architect, Software Architect, or whatever title is given to the architect "in charge". It is the architect's responsibility to recognize the importance of ensuring personal privacy of the veterans who are stakeholders in this system. The fact that the data could be combined and taken anywhere is an architectural failure.
  • the Data Architect or Information Architect. It is the data architect's responsibility to place an "arms-length" separation between personally identifiable information (PII).
  • the  Security Architect. It is the security architect's responsibility to block physical access to PII, applying firewalls, encryption and other means.

A well-architected software system would have made it impossible for the analyst to collect this data in any usable form. Okay, maybe not "impossible", but certainly hard enough to require something more than a routine lookup or download.

Given the circumstances, it's reasonable that the employee be "put on administrative leave". I would suggest, however, that the architects responsible for the definition, storage and security of the data should be put on leave as well, until the investigation is completed.

 

 

[ Yahoo! ] options

May 11, 2006

Who Owns The Data?

Today's US news hounds are aflutter about the US government collecting CDR's (call-detail records) from several telephone companies. This database, amounting to "billions" of calls, will -- according to the National Security Agency -- reveal calling patterns that will help unmask those involved in terrorist activities.

This is a big story because nobody who made or received the phone calls was aware that the data would be preserved and published to the government for any reason. This leads to the core question:

Who owns the data?

 A telephone call is a transaction. The parties to the transaction are: the person making the call; the person receiving the call; and the telephone service. It would make sense that these 3 are the involved parties in the transaction, therefore these 3 are the owners of the data about the transaction.

But that is not the case. As we see, neither the caller nor the recipient of the call have any claim to ownership. The data about the transaction was collected, preserved and distributed by the telephone service. There was no attempt to get the explicit permission of anyone else before the data was put to use for an unforeseen purpose.

This is no different from any other transaction that takes place in our daily lives. When we purchase goods from a store, the transaction data is captured and used by the store and the credit card company. When we see a doctor, the transaction data is captured and used by the doctor and the insurance company. And one telephone provider (AT&T) is reported to have declared that they exclusively own the data. In all cases, that data is widely distributed to credit bureaus, marketing firms, health care organizations, even the governments. Invariably, that data comes back around in the form of aggregate data, consumer profiles, loan rate factor, and other factors that impact our lives in large and small ways.

And in every case, we -- who initiated and consummated the transaction -- have no say in how that data is used.

When I put on my "data architect" hat, should I remove my "citizen consumer" hat? There is no need to do that. Yet we often do. As a technologist, I can take the position that "I'm not responsible for how the data is used. I just build the system to do what the client wants."

That's a cop-out. That's not good enough.

We who are technologists can't abandon the larger questions -- like "Who owns the data?" -- because we empower the clients to do what they do. We bring about the technology to make it easy to misuse or abuse data. We have a responsibility to protect against that misuse.

A search through Google for "Who owns the data?" reveals an IT focus on the data as a corporate asset. The discussions -- and they are numerous -- are about finding the person or organization within the corporation that has the responsibility or authority to change the data. That's an important business process question, one which resides within the corporation and outside IT.

But that focus presumes that the data is a wholly-owned corporate asset. The question I'm raising calls that presumption into question (in fact, I'm challenging that presumption). In my view, the data does not belong to the corporation, because it is data created by persons outside of the corporation -- customers, browsers, competitors. Although the corporation may have participated in the creation of the data, that is not sufficient to grant the corporation ownership of the data.

Share the Wealth

It's reasonable to share ownership of the data among all who created the data. In the case of the CDR, the data about that call is owned by the calling party, the called party and the telephone service provider.

So why not share the wealth gained from the data by splitting the proceeds (profits) with all of the data owners?

Sounds fair to me, I think. Whenever Axiom or Equifax sells my credit report, I should get a royalty.

Whenever Visa sends my transaction info to TransUnion, I should get a royalty.

This actually makes sense to me. Although, I have to admit, the finance industry would not stand for it. But after all, I made the transaction (and, in fact, paid the credit card company for the privilege), so I should be able to reap some of the profits from it.

Interesting question, I think.

 

[ Yahoo! ] options