Shostack + Friends Blog Archive


1.4 Million Californians Exposed

A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said Tuesday.

(This is all over the web, I found a version at

A few questions spring to mind:

  1. Why did the researchers need home addresses and SSNs? Could that data have been used to fill out a field (like income) and then discarded? Organizations that fail to discard data are putting themselves at risk.
  2. Who was the researcher? What were they doing research on? (Helps answer the above question.)
  3. Do I have to turn over that information to help a senior?
  4. Did the state exempt itself from SB 1386, California’s new disclosure law? If not, is August to October an acceptable disclosure timeframe?

One key problem with the data-protection laws being enacted today is all the exceptions. As the article states:

Ramos said the state is authorized to share with researchers the personal information of individuals who participate in state programs administered by the state social services department.

As Mr. Tabarrok might point out, that’s properly written: “Ramos said that the state has claimed the right to give out information about its citizens without so much as a cost-benefit analysis…”

These exceptions fill every law passed in the US with the word “privacy” in the title. So much so that one might get the idea that the legislators aren’t very interested in privacy at all…

One comment on "1.4 Million Californians Exposed"

  • Justin says:

    The same exception-itis applies for spam (CAN-SPAM avoids regulating political spam) and telemarketing (hence those “survey” calls we all get nowadays).
    Special interests…
