Shostack + Friends Blog Archive


Drowning in Notices?

In “Access controlled by a password,” Phillip Hallam-Baker writes:

It probably makes sense to have an exception of this type in the first instance when the law is enacted. Otherwise we may well drown in privacy disclosure notices.

I must say, I don’t get this objection. Does it apply to any other bit of information disclosure? Are we drowning in SEC regulatory filings? National Crime Victimization Surveys? Statistical Abstracts of the United States? (How ought one pluralize that, anyway?)

Sure, there may be lots of notices. Sure, those notices may, to a degree, be fiscally inefficient. However, the stock market doesn’t think they matter a great deal (see “Does Lost Data Matter?”). At the same time, as Phill points out:

In the longer term the problem with such exceptions is that lost laptops are a major cause of data loss and there is at least anecdotal evidence to suggest that stolen laptops do trade for the information on them. A few months ago I had lunch with Simson Garfinkel who remarked that there is a correlation between the price of used disk drives on EBay and the purposes that they appear to have been used for.

We should sweep any such evidence under the rug, before it becomes apparent that there are material weaknesses in all sorts of controls.

The reality is that while companies are actually working to improve the security of their data with things like drive encryption, consumers are not (near as I can tell) getting either bored or overwhelmed with notices. Seems like sunlight is a fine disinfectant.

2 comments on "Drowning in Notices?"

  • Phill says:

    My concern was that if the warning notices become too familiar they lose their impact. It might not just be the case people get blasé about seeing them, they might lose their embarrassment in sending them.
    Legislation is not going to change behavior overnight. I have received two notices this month.
    The desired outcome here is better security, not companies spending time and money trying to get the regulations overturned and using spurious ‘hot coffee’ anecdotes to do so.

  • Chris Walsh says:

    How many computers storing this info are not “protected [sic] by a password”?
    The reason I highlighted that portion of Indiana’s law is that unlike many other states’, its “escape clause” is deliberately weaker than the norm — that norm being “the data were encrypted”. It’s fine (IMO) to forgo notification if the data are encrypted with a good algorithm, and the key hasn’t also been lost. Escaping your legal obligations because you’re running Windows 2000 or later seems a bit too much :^).
    I did a state-by-state breakdown of how these laws look in re: various loopholes like this, for anyone who wants more context:
