Shostack + Friends Blog Archive


Epic Problems With Phone Privacy

In the cover story of next week’s Maclean’s magazine, Jonathon Gatehouse reports that he successfully obtained the phone records of Canadian Privacy Commissioner Jennifer Stoddart:

…Her eyes widen as she recognizes what has just been dropped on the conference table in her downtown Ottawa office — detailed lists of the phone calls made from her Montreal home, Eastern Townships’ chalet, and to and from her government-issued BlackBerry cellphone. Her mouth hangs open, and she appears near tears. “Oh my God,” she says finally. “I didn’t realize this was possible. This is really alarming.”

So reports Chris Hoofnagle in “‘Drastic Action’ Necessary to Protect Phone Records.” His conclusion is really interesting:

Despite all of this evidence, the carriers’ responses to our petition were a bit chilly, to say the least. They attacked EPIC and argued that no improvements in security were needed. Bell Canada has responded with the typical argument, trying to paint itself as the victim because the data broker obtained the records through trickery. What Bell Canada and other carriers don’t get is that they have to protect our records from these fraudsters. It’s part of their job, just as protecting financial records from smart tricksters is part of a bank’s job.

I think there’s a dramatic shift underway in the way people perceive these things. Bell Canada was no more the victim than Choicepoint was. The new perception will be that they were a passive partner in crime. They designed a set of business practices that left them vulnerable to con men. With all the clever biometrics, password tokens, and cryptography that’s out there, businesses will be perceived as able to stop these things, if only they cared. (I’m not sure if this is actually true, or if its truth matters.)

Failure to care will lead to new laws. Smart businesses are investing in security, rather than painting themselves as victims. Painting yourself as a victim leads to laws like Sarbanes-Oxley. (“If you don’t know how to operate your accounting system, we’ll tell you in exceptionally vague terms, with criminal penalties for failure to comply.”) Who wants that? Bell Canada, apparently.