Blippy, Facebook, and Lifelock, oh my! Each of these companies has come under scrutiny lately for mishandling, misusing, divulging, or otherwise playing a smoke-and-mirrors game with confidential information. This vignette is dedicated to conveying a different perspective on each situation, one that will hopefully convince you:
- that security controls will only be as tight as consumers demand, and
- that things can be different (better) with your help.
We just want to get this “disclaimer” out of the way, here and now in the first paragraph, before you have a chance to form an opinion about our suggestions. We’re not condoning the actions or otherwise diminishing the liability of these companies (or any company, for that matter) that have cost consumers or businesses time, harm, or any other loss because of a breach and subsequent leak of personally identifiable information (PII). The spirit of this article is to create awareness of the risks and to help everyone reading (consumers and business owners) understand that taking steps toward prevention is a collaborative effort in which consumers and companies alike must take part to see results. And so with that…
Blippy’s Security Blip
Synopsis: Credit card numbers for a limited number of beta users leaked into Google search results.
Blippy’s responsibility: Breaking this down to the simplest terms, Blippy’s dev team should have secluded all test data in a non-production environment. Furthermore, PCI guidelines for the SDLC dictate that all sample data must be purged from all accounts prior to launching the production environment. If you’ve visited the Blippy website or signed up for an account, however, you’ll notice that there is no mention of PCI compliance or a PCI compliance badge… anywhere.
That’s because (arguably) Blippy isn’t governed by the Payment Card Industry Data Security Standard, since they don’t directly collect or store credit card data. When the data leaked, all fingers pointed at Blippy (and rightfully so; anyone who can read saw the card numbers in the statements associated with each user’s account). The bigger problem, however, seems to be that the issuing bank or credit card company allowed full, unencrypted, unmasked credit card numbers to be printed and/or stored on public statements.
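The two failures above (unmasked card numbers in statement text, and sample data that was never purged before launch) are both things a release gate can catch mechanically. The following is an added example, not code from Blippy, the card issuers, or this blog: it scans statement-style text for digit runs that pass the Luhn check, which is the checksum every payment card number satisfies, and masks everything but the last four digits in the way PCI DSS requires for displayed PANs. The statement lines are constructed, and the card numbers in them are well-known industry test numbers that belong to no real account; the function and variable names are this example’s own.

```python
import re

# Constructed sample statement export (not real data). The two card numbers
# are standard test PANs that pass the Luhn check and map to no real account;
# the 16-digit order reference does NOT pass Luhn and must be left alone.
SAMPLE_STATEMENT = """\
2010-04-20 STARBUCKS #1234 Card 4111111111111111 $4.25
2010-04-21 AMAZON.COM Card 5555-5555-5555-4444 $23.99
2010-04-22 ORDER REF 1234567890123456 $10.00
2010-04-23 PHONE 480-555-0199 CALL
"""

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
# Anything shorter (dates, phone numbers, amounts) never reaches the Luhn test.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most restrictive PCI DSS display form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_line(line: str):
    """Mask every Luhn-valid PAN in one line.

    Returns (redacted_line, [masked values found]) so callers can both
    rewrite the text and count hits.
    """
    found = []

    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = mask_pan(digits)
            found.append(masked)
            return masked
        return raw                # digit run that is not a card number

    return CANDIDATE_RE.sub(repl, line), found


def redact_statement(text: str) -> dict:
    """Redact a multi-line statement export.

    Returns {"text": redacted text, "hits": [(line_number, masked_value), ...]}.
    A non-empty hit list is the signal to stop a release or a data export.
    """
    out_lines, hits = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        redacted, found = redact_line(line)
        out_lines.append(redacted)
        hits.extend((line_no, masked) for masked in found)
    return {"text": "\n".join(out_lines), "hits": hits}


if __name__ == "__main__":
    result = redact_statement(SAMPLE_STATEMENT)
    print(result["text"])
    print("card numbers found:", result["hits"])
```

Run over statement exports, fixtures, and database dumps before a build is promoted; a non-empty hit list means a full card number is sitting somewhere it should not be. The Luhn step matters because a bare “16 digits” rule would have flagged the order reference and, in a real data set, account numbers, tracking numbers, and the like.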
Personal responsibility: Consider this. Participants in a clinical drug trial assume a large amount of risk by ingesting the pharmaceuticals under investigation. Wouldn’t a similar principle of risk apply when technology users participate in a beta, alpha, or electronic test of any kind?
Perhaps the language in warnings about unregulated pharmaceuticals is more ominous (or the risks more personal), prompting consumers to take caution. Should commercial business ventures be more blatant about their warranties and have stronger indemnification policies so early adopters will think twice before signing on?
Consumers must realize that they are “swimming at their own risk” when participating in pre-releases of new, untested technologies. Blippy adopters who confidently linked bank accounts, retail payment card accounts, and credit card accounts to the service can’t be completely shocked when something goes awry with the system. Can they?
Bottom line: It is every business’s responsibility to take all measures possible to prevent problems like this from arising. It’s the consumer’s responsibility to perform due diligence, hold their confidential information in higher regard, and think twice before divulging information that could cause them harm.
(Life)lock Picked
Synopsis: Lifelock was built around the claim that subscribing to their service makes your identity “useless” in the hands of a malicious party. However, in reality, CEO Todd Davis’ identity has been successfully compromised ~13 times according to police records provided by Tempe, AZ PD.
Lifelock’s responsibility: The fact that Lifelock over-promised in marketing and under-delivered on service is not acceptable (and they’re paying a pretty penny to the FCC for that). Accurately representing your service offering and capabilities is a basic business rule that should not be breached, ever.
However, Mr. Davis published his social security number in million-point font on billboards and trucks and in TV ads, and he broadcast it repeatedly over the airwaves to instill confidence in prospective customers… If only 13 crimes came out of such a blatant misuse of PII (personally identifiable information), Lifelock and the general public should consider their service a success in our opinion. In everything, there is a “margin for error” and Lifelock’s margin seems pretty low.
Personal responsibility: Let’s be realistic. Procuring Lifelock’s service is like installing an alarm on your car or your home. It doesn’t prevent someone from smashing a window and coming in, but it does alert the proper authorities and squelch any wrongdoing as fast as possible. To some people, that peace of mind is worth the $10 fee Lifelock charges monthly.
You personally cannot take a back seat to security, and you certainly shouldn’t blindly trust any service’s promise. You must remain a vigilant participant in protecting PII.
Bottom line: Reading their TOS, it doesn’t appear that Lifelock has lengthy contracts or unreasonable cancellation policies, so why is everyone sticking around? It must work. The wrongdoing that happened to Todd Davis suggests Lifelock doesn’t fulfill their service offering, but despite that, they still have a website. They still enroll new subscribers to their identity protection service. They still have an active customer base. So they must be doing SOMETHING right, right?
If the users are satisfied with the service “as is” (and Lifelock reports to have somewhere around 1.2MM subscribers), then the company will likely continue business as usual – at least as long as they can continue to defend their service offering… and keep up with the financial drain of defending their good name. Why? Because when it comes to advocating change for the better, votes from a consumer’s pocketbook are the ones that matter.
Egg on Your Face(book)
Synopsis: Facebook and privacy have a sordid past. Most recently, the social networking community has made headlines for unauthorized dissemination of user data, phone numbers to be exact.
Facebook’s responsibility: Facebook, and any company that handles confidential data, is responsible for providing good, tight code and web application development in accordance with PCI’s standards, whether they accept credit cards or not, because PCI is one of the most stringent and specific sets of published guidelines.
Beyond that, service organizations must provide sufficient warning about changes in privacy settings, opt-out procedures that are reasonably easy to invoke, and easily interpreted disclosures that don’t require a PhD or JD to comprehend.
Personal responsibility: In recent news articles, media and some (we’ll call them) “common sense” advocates like Tom Scott are proposing that consumers who use web-based systems bear some responsibility for the purported exploitation. Facebook (and many open social networks in general) gets a bad rap when data “leaks”, but in some cases (this one in particular), it’s because the information was volunteered by users, not because it was stolen by a malicious third party or mishandled by an irresponsible custodian.
Bottom line: The lesson here: don’t let your guard down, EVER. If you engage in the web, you’re susceptible to its good and bad traits. Again, we’re not sticking up for any trusted entity that leaks PII; we’re simply suggesting that maintaining confidentiality over information you don’t want shared is a cooperative responsibility.
Conclusion
Our aim for this article is not to offer a legal perspective or constitutional posture; we simply want to open your eyes to how technology works, who controls it, and how some of these bad situations could have been avoided with “an ounce of prevention”, as they say. Social networking should still be considered a “new, fun and hip” trend, like parkour, for example. Anyone who engages in such an extreme hobby is susceptible to risk. If you break your leg hopping from roof to roof, do you (and the media) blame the building owner?
This entry was posted on Tuesday, June 29th, 2010 at 6:00 am and is filed under Security.