Saturday, March 23, 2019

Poor Practice

Since getting people to think of the children has become passé, the new mantra seems to be "Won't somebody please think of the impoverished?" While there's nothing wrong with considering the needs of the poor, there does seem to be a tendency as of late to use them as proxies, when perhaps a more direct criticism of a circumstance may be warranted. The article "‘Privacy Is Becoming a Luxury’: What Data Leaks Are Like for the Poor" seems to be an example of this. The article attempts to make the case that "Late Capitalism" is providing yet more opportunity for bad economics to injure poor Americans, but it comes across as relying on the reader's pity for the women it holds up as victims, rather than any factual support for its premise.

To make a long story short, the Seattle Housing Authority accidentally released names, addresses, e-mail addresses, and tenant code numbers of people enrolled in the Scattered Sites housing program to a group of Scattered Sites members, when they should have received an e-mail newsletter instead. The SHA says that it was a case of human error; the person sending out the newsletter attached the wrong file. To be sure, the SHA does seem to be downplaying the situation. If Personally Identifiable Information is understood as pieces of information, either alone or in combination, that may be used to positively identify a specific individual, then the mistake resulted in a release of PII.

But it's worth keeping in mind that PII isn't always a closely guarded secret. Information such as names and addresses can be a matter of public record. Any one of those dubious personal records sites can likely turn up the address that goes with a particular name. Therefore, if a name and an address are all that's needed for identity fraud, as one of the advocates quoted in the piece notes, an awful lot of people, poor or not, are exposed.

This, however, doesn't mean that the SHA wasn't being sloppy with people's data. Accidentally sending out PII when one means to send a newsletter is the sort of basic error that they should have been prepared for. While Data Loss Prevention technology would have flagged the error, had it been set up to look for the specific fields in question, a better model would have been an automated system that pulled down the PDF file, attached it to a prepared e-mail and sent the finished combination to the recipients, possibly after having sent it to an SHA staffer for a final once-over. The article quotes a security advisor who hints that organizations slack off on security when dealing with poor people, because they understand that since the poor have bigger fish to fry, it won't be a problem. While this strikes me as taking cynicism to an illogical extreme, it also fails the sniff test. Given an obvious release like this, it seems that some enterprising lawyer would have gone after the city for damages already, had they done something that constituted real harm. Banking on the clientele not having the free time to participate in a legal case seems like a remarkably dangerous strategy for organizations to undertake.

The article being grouped in with the topic of Late Capitalism is telling. While it's intended to be yet another critique of a modern American economy/society that cheerfully ignores the travails of the lower classes, the only real consequences it speaks to are one woman's feelings that a) her identity didn't matter to the Seattle Housing Authority and b) that the SHA might retaliate against her if they knew she was speaking to the media (even though, ironically, there may be enough information in the piece to allow the SHA to identify her). Everything else is in the form of hints or suggestions, rather than concrete information. The author doesn't even bother to find out if the specific release in question needed to be disclosed, even though it's established that "specific disclosure laws vary by state." If one is interested in knowing Washington State's rules, they are summarized here: https://www.atg.wa.gov/data-breach-notifications, along with a list of notifications (the SHA release is not on it as of now).

There is certainly something to be said about the fact that public agencies tend to be given the funds to demand and collect quite a bit of personal information from people requesting public benefits, yet not enough to adequately secure the information once they have it. Protecting "makers" from fraudulent claims is clearly more important than safeguarding "takers" from those who would either prey on them for what little they have or attempt to use them as cover for their own bad acts. But that's not a facet of capitalism. Socialists can be stingy and suspicious, too.
