Monday, December 31, 2001

A guy named Carl Schwartz found some psychological records, unshredded, in a trash can, and had a reporter write a story about it. Steven den Beste thinks that there had to be a more discreet way to properly handle the story. Me, I'm not so sure.

There's the same problem in computer security --- a lot of software is released with holes in it. The vendors would always like those holes to be handled "discreetly", with private notice to the vendor, and no specific public notice of the bug until a fix is available, if then. The problem with doing that, though, is that there are vendors who, absent pressure from customers who are affected by the bug but don't know about it, wouldn't do much about it. An industry clearinghouse which was set up to administer this sort of policy wound up sitting on reports of serious problems for literally years.

The response was the "full disclosure" movement --- people set up mailing lists to host detailed technical descriptions of bugs, and even code to exploit them, without giving notice to the vendor, with the general idea of shaming the vendors into fixing the bugs promptly. And of course, the crackers get to play with the bug in the meantime, if they didn't already know about it --- which gets people upset, and not just the vendors. Lately, the pendulum has started to swing slightly the other way --- towards giving vendors notice and a decent interval to prepare a fix, and away from distribution of canned exploits. Still, I think most security professionals would agree with Bruce Schneier's take on the issue: that on balance, full disclosure has done more good than ill, because without it, a lot of real problems, well known in the cracker underground, would simply never get fixed.

Maybe it's my blinkered view, but I see this as the same thing in meatspace. Hospitals and HMOs do sometimes mishandle confidential information. I remember hearing a practicing doctor complain that, in her experience in some of the local hospitals, anyone wearing a white coat could start typing and access just about anything without being questioned. It seems she was overly cautious --- you don't even need the white coat. Overburdened administrators don't always take these issues seriously. But public exposure seems to concentrate their attention wonderfully, as it did here a few years ago; when the Boston Globe wrote a few stories about sloppy handling of psychiatric records at a local HMO, they dealt with it in a hurry. (The same article discusses this case briefly towards the end).

In Mr. Schwartz's case, the newspaper story, while it clearly described the risks to patient privacy, did nothing itself to compromise the privacy of any patient --- beyond saying that the records involved were psychiatric, it doesn't even say what they were being treated for, let alone name names. And if patient privacy is an issue, then surely the patients themselves have a right to know their privacy is at risk of being compromised.

What the story did do is name the fourth-year student who removed psychiatric records without authorization, and then left them in full view in a gas station trash can. And if he gets publicly hung out to dry pour encourager les autres (to encourage the others), that strikes me personally as an entirely desirable result.

