If only . . .
I welcome the critical email I recently received about my April Fool’s Day post. The discussion has some interesting provocations, but more importantly it illustrates some security/privacy thinking that more people need to get their heads around.
Here’s my critic:
As a Systems Analyst, I applaud your efforts influencing public policy on such important issues as information privacy and security. However, I strongly disagree with your tactics and methodology. Propagating fear through disseminating false information is a terrorist style tactic and in the long run I think it does more harm than good.
In this particular case, your attack on the EVVE Naphsis system was unwarranted as this is a system that was designed with security and privacy in mind. I would love to go into details about the architecture, controls, and auditing capabilities designed into the system to prevent the sort of attack that you refer to, but because EVVE is a secured system, I cannot discuss those details.
However, I agree that there are inherent security risks with any application that transmits or stores personal data, and unfortunately we are now finding out that not all such systems were architected with the proper concern for security and privacy. When the proper care and attention is given to security and privacy, information systems offer more layers of security, and more thorough auditing capabilities than the systems they are replacing (particularly true of the EVVE system).
In order to ensure the privacy and security of personal information, we need to raise awareness about not only the security issues, but also ethical and moral implications. However, disseminating false information and inciting distrust of the technology is not going to solve any issues, and only serves to further damage the reputation of the industry as a whole.
Here’s my response:
Thanks for writing, [name omitted].
Your comparison of my April Fool’s Day post to “a terrorist style tactic” is wildly off the mark. I had trouble reaching your main points because of it. If propagating fear and false information is your gauge of terrorist-style tactics, you have a bigger beef with DHS, Congress, the media, and proponents of the REAL ID Act than you do with me.
As to the security of the EVVE system, the fact that it was designed with “security and privacy in mind” tells me nothing. The fact that the details of that security are something I can’t be privy to suggests that it uses “security by obscurity” which you probably know to be a flawed approach. You can’t build something as valuable as a centrally managed identity system for all the people of the United States and say, “Trust us. It’s secure.”
You clearly have some familiarity with securing data systems, and that’s good. But the entire idea of having a uniform identity system, relying on centralized networks and facilities like EVVE, is error. The April Fool’s Day post was designed to illustrate that, and did so (to the few paying attention) quite harmlessly.
I don’t know what industry you’re referring to, but it’s part of my job to sow well-placed distrust of programs like REAL ID and, to the extent it’s a component of REAL ID, EVVE.
Thanks again for writing.