16 October 2008

Personal Data

Schneier is shocked to find that people whose jobs are to handle other people's personal data, actually take an interest in what they are doing.

Faulk says he and others in his section of the NSA facility at Fort Gordon routinely shared salacious or tantalizing phone calls that had been intercepted, alerting office mates to certain time codes of "cuts" that were available on each operator's computer.

"Hey, check this out," Faulk says he would be told, "there's good phone sex or there's some pillow talk, pull up this call, it's really funny, go check it out. It would be some colonel making pillow talk and we would say, 'Wow, this was crazy'," Faulk told ABC News.


I'm sure anyone who's worked for a telephone company, or an ISP, or a retail bank, finds that familiar. The information available is generally less interesting than actually hearing people's phone conversations, but occasionally you get something worth mentioning - look at all the the sex-line calls on this bill, is this Fred Bloggs the Fred Bloggs that was on the telly, and so on.

If the personal information is more obviously sensitive, then there should be rules to limit how it is casually accessed. Of course, those rules will be broken from time to time - tax people are not supposed to investigate celebrities out of curiosity, here is a story from Britain, and one from the US. But in many cases it's very much a grey area. A fraud investigator, say, or a programmer trying to track down a bug, would have more freedom to legitimately poke about where she wanted to than a call centre operator who would have little excuse to look up any information except on the calls received (although accidents can happen).

There will always be people whose access bypasses the checks - it is rare to have an in-house IT system that can work without the support staff being able to access the production system to fix it. The major regulatory/compliance effort within banks over the last five years or so has been restricting access to production data to fewer people, for the sake of Sarbanes-Oxley compliance, but it's really hard to deny access to the people who write the software.

Now, the NSA ought to have very strong controls on access and use of information, with monitoring and spot checks and so on, but if the telephone interceptions are being carried on by the NSA in defiance of the law, it is hardly to be expected that appropriate rules will be applied to the staff.

No comments: