12.12.2005

And the worst security idea of 2005 was ...

In Government Computer News (GCN.com), William Jackson nominates the 360 senators and congressmen who voted for the Real ID Act of 2005 (and our president!) for the "first Bonehead Award for Notable Failures in IT Security." He says that
The Real ID Act, now a part of Public Law 109-13, may not be the worst piece of legislation passed during the year, but it certainly is a model for how not to do information security.
He zeroes in on the security and privacy-invasion aspects of Real ID:
Under the law, the new cards must contain, in machine-readable format (read: digital), the holder’s name, date of birth, address, ID number, signature and photo. The act not only fails to require any encryption or other security for data stored on the cards, but also mandates the creation of shared state databases of sensitive information with no security or access restrictions.

This is particularly disturbing given the type and amount of data the act requires states to gather on citizens. States must “capture digital images of identity source documents so that the images can be maintained in electronic storage in transferable format” for 10 years. Each state must provide all other states electronic access to this data.

The ability of any Tom, Dick or Harry with a card reader to capture a copy of your vital statistics from your driver’s license is worrisome. The creation of unsecured databases containing digital images of your birth certificate and other documents is even more so.

Under the terms of this act, every bartender, bank teller or cop who swipes your electronic card is free to do as he or she pleases with the information that is captured. States are free to sell their databases to anyone for any reason, and even to access other states’ databases and sell that data.

Given that Congress now is considering legislation that would require companies to tighten security on personal data, it is particularly boneheaded to ignore this issue in government databases.

As usual, I recommend reading the whole article.
