Outsourced Confidential Data On Children Posted
Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."
Who do you trust? And who do you get to solve something like this?
Do you say, "Only certain government approved facilities can deal with this sort of information?" Seriously, should I feel that someone "government sponsored" is better off with my information than an outsourced programmer in India? Who gets to play Big Brother? And what will they do with what they know?
You can take this to the extreme, and be wary of anyone to handle private data about you. But then, if there's that sort of outcry, nobody would be able to handle it, would they?
I suppose it's better than having the Smoking Man from the X-Files having a file about you, and a blood sample. I find most programmers to have a certain level of professionalism to what they do.
I personally have access to roughly 10,000 credit card numbers. I'll never abuse the fact that I have access to them. But on the other hand, I'm not stupid enough to post all of them on the net for everybody to see, either.
I hope anybody who ends up doing something that stupid becomes a victim of identity theft. That'll really open their eyes to respecting other people's privacy.
By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
When you're looking to cut corners, be careful who you give the scissors to...
Obliteracy: Words with explosions
Why is the government (through a subcontractor or not) outsourcing to begin with? Maybe this is the reason Bush came up 249,000 jobs short of his goal of 250,000 new jobs in 2003.
There is nothing wrong with being gay. It's getting caught where the trouble lies.
Talk of identity theft, damaged credit, and so on may not rile up the Soccer Moms of the world, but once something affects the children, watch and admire as their mouths begin to froth!
When you outsource, you run the risk that the individuals doing the work do not share your company or even cultural values. If you are not willing to take the time to make sure that your outside contractors are what you expect, this is the kind of thing that will happen. Few companies really understand this.
Floating face-down in a river of regret...and thoughts of you...
It's basically putting a sign saying "rape me" on each one of the kids on that list. I can see putting out a list of people, which they already do, which is called a telephone book, but children? Come on, that's just sick. What's next, a guy in a purple suit is going to be knocking on their door asking them if they want to join NAMBLA?
MonkeysKickAss
This is a great example of the risks of outsourcing your IT infrastructure, and it's exactly why offshore outsourcing is doomed to failure. One or two high profile cases of millions of records of data being sold to (insert "terrorist" organization of your choice here) by low paid coders, and CIOs won't be able to move their IT infrastructure back in-house fast enough. It will be the IT Enron. Those of us left in IT will rejoice. :)
...fill-in-your-dogma. And be wrong. Shit happens to everybody. Don't be so quick to justify some religious issue by pointing out isolated incidents.
Couldn't a "non-outsourced" developer make the same mistake? What does this have to do with outsourcing at all? Seems to be a very leading post to me, designed to generate the usual angry, anti-outsourcing replies.
All your favorite sites in one place!
As much as I feel the outsourcing trend is not a good move, both for my career path and the US industry in general, this 'news' neither adds nor subtracts from the debate.
It would be better titled:
"Idiot makes mistake, exposes private data to Net. Sound thrashing in progress."
Anything is possible given time and money.
Those in the medical industry such as myself have a deep understanding of these issues. The government of the United States identified the amount of this kind of sensitivity in the information that we keep, and decided to impose some restrictions on how we handle it. For those who are interested, feel free to google for "HIPAA," and be sure to read over the consequences for disclosing "PHI" to unauthorized sources. Perhaps these kinds of sensitive information handling rules should be global, and not industry-based?
Jamon
I can count to 1023 on my hands. Ask me about #132.
That he has even thought of posting his customer's true dataset is unforgivably moronic. Whether it was data on children's whereabouts, credit card information, or even "just" accounting information on some business.
While it is true that not revealing your customer's data is the ethical thing to do, it's also just plain ol' common sense.
Though I should perhaps say vintage common sense. Seems that product has been discontinued for some years now.
-- MG
OMFG, an "outsourced" programmer makes a mistake. Well, if this case doesn't protect your holy US of A jobs then nothing will. Pesky foreigners.
a user named Mark Dennis, stuck with a tricky formatting issue, posted his question to RentACoder.
Christ, they're even stealing our Anglo-Saxon names; is there no end to this perfidious threat?
-- Free software on every PC on every desk
I see several problems:
1) Looks like the IT work was being done on a budget. I mean they are not hiring Anderson to do this stuff right (OK, bad example, I know...)
2) But someone was paying SOME money if it could be subcontracted multiple times and the work was getting done...or was it.
3) It looks like it was contracted DOWN past someone's ability to do the job. It is kind of the opposite of the Peter Principle. Non-interesting IT work keeps getting pushed down the chain until it is in the hands of someone that can't do the job. (If I just invented it, please don't call it the chamilto effect as I don't want my handle associated with this behaviour)
4) At the bottom of this there is always some careless sap who didn't know what they were doing; that alone should get them slapped upside the head for even thinking about it. This person was even worse because the article states that someone pointed out to him his error and then he...DID IT AGAIN!
Incidents like this require multiple wrongs, and then will require a whole lot of legal work and policies and rules and regulations that will be once again thwarted by the idiots that inhabit this planet.
Magic Eight Ball: Outlook not so good., Hmmm, how about Excel and Word?
Unscrupulous? No, just incompetent. Posting credit card numbers to some hacker site is unscrupulous; this guy's just too stupid to do his job.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glenn Beck
"not yet determined"!?! Those parents should be informed so they can be alert for trouble.
I hope that the police in upstate New York correlate the kids whose information was posted and missing children reports.
Also for everyone who says: "This could happen with an American programmer just as easily." Yes, that is true, but while you could punish that programmer, you will have a hard time punishing programmers in other countries.
Additionally, one of the project types is 'Personal Project / Homework Help' (emph. mine). I can't really imagine a situation where soliciting this sort of help on a website wouldn't be considered cheating by most computer science professors/teachers.
What happened here is certainly appalling, but I'm not so sure that outsourcing is the main problem. Outsourcing arguably increases the risk of problems of this sort because an in-house programmer is more likely to know the rules of the game, but this seems to me to be a fine point. On the one hand, in-house IT staff are not necessarily going to be well-informed about privacy issues and the nature of the data they are working with. On the other hand, it is perfectly possible to make such constraints clear to contractors and to make them part of the contract.
It seems to me that there are several other issues here as well. For instance, why would any programmer be working with the whole, real database? I can see that if the job is to convert an irregularly formatted text file into a usable database, but that is about the only situation in which the programmer needs the real data. Otherwise he or she just needs to know what the data looks like. If sample data is needed, it can be a small subset, and critical information can be camouflaged. Of course, the same applies to the programmer asking for help on RentACoder. There's no need for him to post his whole database.
It seems to me that the real problems here are:
This work was outsourced, not offshored. This article has obviously been posted to show how outsourcing threatens the future of our children. This work wasn't offshored. It was done by an American programmer. If outsourcing is bad, why did the Navy outsource a $5 billion chunk of IT work to EDS?
If you're an independent consultant, your insurance agent has probably mentioned "Software errors and omissions" insurance to you. Software E&O coverage is written to protect your ass(ets) in the event that you colossally screw up and do something that gets your client's client answering awkward questions from major news organizations. (A colleague once observed that, "if, when you walk in the door in the morning, your secretary says that a CBS producer is on the phone trying to schedule you for an interview with Mike Wallace, it's probably a bad day.")
Suffice it to say that if Mark Dennis doesn't have Software E&O coverage, he's going to wish he did. Because he's going to get so sued. Along with the community college, the government agency, and everybody else involved.
Getting sued, however, is the least of this bozo's worries
If he has insurance, it might cover his liability exposure. However, his real problem is the civil fines he is going to have to pay--and no insurance policy in the world will protect you from a criminal court sentence. He'll get a whopping fine--but I doubt he'll do jail time. Unless, that is, somebody can demonstrate that a child molester used the database to identify a victim and attacked him.
There's an important point here
The software community should make it ABUNDANTLY CLEAR that this dumb cluck should have the book thrown at him. We have absolutely zero sympathy--and when his attorney (with nothing else to argue) says "it was all a tragic mistake..." somebody needs to stand up and yell, "LIES! LIES! DAMNABLE LIES!" This was willful, deliberate, with knowledge aforethought stupidity. And this jerk deserves to get run up the (proverbial) yardarm for it.
But it is about outsourcing in general. Any company with a good amount of highly sensitive data should maintain a chain of trust across their IT personnel. Everyone working on the data should have at least some idea of how sensitive it is and what has to be done to protect it. You don't get that from shoving the work off on the lowest bidder. There's a reason they ARE the lowest bidder...
And Rent-a-coder? Come on... it's looking for trouble when there are thousands of out-of-work programmers of varying quality and you're asking for the cheapest? Crikey! Programmers working on crap data are getting slammed with soul-stealing NDAs and these wankers are forking off kids' names to some shmuck on a glorified web-board? Again I say outsource the management, keep the programmers.
LilMikey.com... I'll stop doing it when you sto
Actually, I've found that they don't. Fake databases usually are well-organized and thought out. The real deal usually has many, many inconsistencies that have to be dealt with. I always require real data to test any program I develop with, because otherwise it's just a nightmare at go-live time.
Engineering and the Ultimate
I looked too... I'm not sure which is worse though - the fact that the prices on the projects are beneath a living wage for me to consider bothering with them (I'd make more as a barista or a dishwasher), or that half of them seem to be helping some dishonest schmuck in a CS class cheat on his assignment so there will be more clueless dorks that can't program their way out of a paper bag holding CS degrees out there applying for jobs.
I'm cool with competing with Indians - for the most part the Indian coders I've met worked their asses off and knew their stuff, even if they might be willing to do it for half the price I'm used to commanding. If I was in their shoes, I suspect I'd do the same. Feeding your family is a good thing....
It's all the people that fill their resumes with keywords for technologies they don't understand and couldn't use if their lives depended on it that clutter up the application inboxes that annoy me. HR departments encourage that behaviour, as do hiring managers that can't tell the difference, but it still pisses me off - both when I end up having to interview such cluebags and show them to the door, and when I'm competing with them for a job.
I write code.
OK the coder screwed up.
The primal problem is that the government agency gave the data to their outsourcing provider. That data should have never left the secure area of the government. Once it is out, it is out. It doesn't matter whether it has gone to Genesee CC or RentaCoder. Posting it on the web is just a matter of degree.
Everybody is ready to hop all over this clueless coder and blame everybody's favorite boogie man of outsourcing. There is a manager back in the government that originally disclosed the data.
Don't tell me about NDCs. The first rule of confidential data is NEED TO KNOW. It would have taken someone 15 minutes to put in some dummy data for the programmer to work with, but they couldn't be bothered. Now that person wants to crucify the programmer.
The programmer who screwed up is only the last (and most visible) in the chain of screw ups.
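The posts above make two related points: the contractor should have been handed a small, camouflaged sample rather than the real database, and it would have taken the data owner a few minutes to produce one. The earlier objection was that fake data is too tidy and hides the formatting problems a real export has. The example below, added here and not code from the thread or from any party named in the article, shows one way to get both: it masks the direct identifiers in a constructed export with a keyed pseudonym, shifts dates while keeping each value in whatever format it arrived in, keeps blanks and stray whitespace exactly as they were, cuts the result down to a handful of rows, and then checks that nothing from the original survives. The export, the column names and PROJECT_KEY are all assumptions made up for the example.

```python
import csv
import hashlib
import hmac
import io
from datetime import datetime, timedelta

# Constructed sample export (not real data). The formatting is deliberately
# inconsistent: mixed date styles, stray whitespace, a blank address, so the
# masked copy keeps the quirks a contractor actually has to deal with.
RAW_EXPORT = """id,name,dob,address,site
101,"Doe, Jane",2001-04-09,12 Elm St Apt 3,Northside Center
102,John Q Public , 03/14/1999,99 Oak Ave,Riverside Annex
103,"Roe, Richard",1998-11-30,,Downtown Office
104,Ana Lee,30 Nov 1998,7 Pine Rd  ,Northside Center
"""

# Hypothetical per-project secret held by the data owner and never given to
# the contractor, so the pseudonyms cannot be reversed or linked back.
PROJECT_KEY = b"example-project-key-do-not-reuse"

DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%d %b %Y")


def _tag(kind, value):
    """Keyed, deterministic pseudonym: the same input always yields the same
    tag (so joins across rows still work) but it is not reversible without
    PROJECT_KEY. Case and internal whitespace are normalised first."""
    norm = " ".join(value.split()).lower()
    digest = hmac.new(PROJECT_KEY, norm.encode(), hashlib.sha256).hexdigest()
    return f"{kind}-{digest[:8]}"


def _keep_padding(original, replacement):
    """Re-apply the original field's leading/trailing whitespace so the
    formatting defects survive masking."""
    lead = original[: len(original) - len(original.lstrip())]
    trail = original[len(original.rstrip()):]
    return f"{lead}{replacement}{trail}"


def mask_date(field):
    """Shift a date by a keyed per-value offset of 1..180 days either way and
    re-emit it in the format it arrived in. Blank or unparseable values are
    passed through: they are not identifying and the contractor needs them."""
    core = field.strip()
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(core, fmt)
        except ValueError:
            continue
        raw = int(hmac.new(PROJECT_KEY, core.encode(), hashlib.sha256).hexdigest()[:4], 16)
        offset = raw % 360 - 180          # -180 .. 179
        if offset >= 0:
            offset += 1                   # never a zero shift
        return _keep_padding(field, (parsed + timedelta(days=offset)).strftime(fmt))
    return field


def mask_row(row):
    """Masked copy of one record; layout, blanks and padding stay intact."""
    masked = dict(row)
    masked["name"] = _keep_padding(row["name"], _tag("PERSON", row["name"]))
    masked["dob"] = mask_date(row["dob"])
    if row["address"].strip():
        masked["address"] = _keep_padding(row["address"], _tag("ADDR", row["address"]) + " Masked St")
    masked["site"] = _keep_padding(row["site"], _tag("SITE", row["site"]))
    return masked


def build_contractor_sample(raw_csv, limit=3):
    """Parse the real export, mask every row, and hand over only `limit` rows:
    a small camouflaged subset rather than the database."""
    reader = csv.DictReader(io.StringIO(raw_csv))
    rows = [mask_row(r) for r in reader][:limit]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def leaked_values(raw_csv, masked_csv):
    """Release gate: list any original name, dob, address or site that still
    appears verbatim in the masked output. Expected before hand-off: []."""
    found = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        for col in ("name", "dob", "address", "site"):
            val = row[col].strip()
            if val and val in masked_csv:
                found.append((row["id"], col, val))
    return found


if __name__ == "__main__":
    sample = build_contractor_sample(RAW_EXPORT)
    print(sample)
    print("leaks:", leaked_values(RAW_EXPORT, sample))
```

The date shift is keyed rather than random so that two rows carrying the same birth date still agree after masking, which is the kind of consistency a conversion job has to handle; the trade-off is that ages are slightly wrong, which is acceptable for a formatting task. The `leaked_values` gate is the step that belongs in the hand-off procedure: if it returns anything, the sample does not go out.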
When you outsource, you run the risk that the individuals doing the work do not share your company or even cultural values. If you are not willing to take the time to make sure that your outside contractors are what you expect, this is the kind of thing that will happen. Few companies really understand this.
When you outsource, you run the risk that the individuals doing the work do not give a flying f--k about the security and/or confidentiality of your data, they may even deliberately and maliciously seek to cause you harm. Few management types really care about this, as long as they're saving a buck.
The difference is that a government employee is easier to discipline. Both can be fired, but the regular employee can be prosecuted more easily than an off-site subcontractor who may be out of state (or country).
It is also easier to train and mentor such an employee versus an off-site contractor, and thus easier to enforce data security.
Finding God in a Dog
The fact is this person revealed details against their contract code and more importantly, if they are in this position they should have the moral/ethical decency not to do this.
Whether they were outsourced or not outsourced does not matter (IMHO) - they still have a personal moral/ethical judgement... FT government contractors are not great saviours, rather this individual is one with poor/sick ethical judgement (it is in no way 'freedom of speech' to disclose confidential/sensitive information about young kids).
I do not believe outsourcing creates more or less trustworthy/moral/ethical situations/employees (well, they just have fewer benefits rights and more legal liability if something goes wrong); it is the individual who makes a better individual and avoids being a piece of scum.
(A "scruple" is a unit of weight, don't you know.)
Publicly posting government records of children's whereabouts is not a morally neutral act; it is a reprehensible one. The programmer in question was not, it is claimed, ignorant of the nature of the data he had in hand; he simply did not correctly value that data. He failed to make a necessary value judgment: that to post masses of information on children's whereabouts is, in our world, a wrong thing to do.
It is not simply a stupid or ignorant thing to do. It is not simply incompetent, like writing C code with gets() in it, or turning in code to one's boss which won't compile. Rather, it is a form of carelessness that shows that one places no value upon that with which one has been entrusted.
If you're the sysadmin of a mail system, reading other people's mail for fun is an unethical act. However, leaving the mail-system password lying around, so that random hooligans can read other people's mail, is also an unethical act. Not just stupid. Wrong. It shows that you don't value your users' privacy -- that your values do not match up with your users' values. That, while you may be competent to operate a system for them, you are not trustworthy to do so.
That is a very different way to be bad at one's job.
You get what you pay for.
You know maybe it is just me but I don't see where he said it was an Indian programmer.
He simply said you get what you pay for.
How you got there was your own doing.....
BTW He was right you do get what you pay for.
You want to hire a crack programmer? Be ready to pay him/her much more than the regular intern. Otherwise you had better have some other way to keep their attention.
Since this is an outsourced job, there is very little, if any recourse that can be taken against the person in question. Perhaps US companies will see this and think "whoa, if this happens to me, and somebody sues me...who can I sue?"
One of the "justifications" for non-open-source-software was that there was a specific company to sue or threaten if something went wrong. It is odd how the very same corporations don't (yet?) see the same problem with intellectual property and confidential information going overseas.
Table-ized A.I.
Aren't you the knee-jerker by assuming that everyone will think "outsource" means "to India"? Once you figure it out, you assume everyone else has misread the headline too. Then you take the first post you see and assume they are thinking incorrectly and flame them.
I think the headline should focus on the government, because the government is the one with the responsibility to protect the information.
Sure, the person who posted the information was wrong to do so, but it is still the government's job to prevent this sort of thing from happening.
Oh, shut the fuck up. It was a joke.
California has a bill designed to deal with these situations, though it's not clear if it would apply to this specific situation.
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
The problem is that the bill is designed for data theft, not for dipshits giving it away for free. Nevertheless, the bill requires that consumers whose data has been stolen be notified through viable means - email, letter, public notice if they can't be identified. Fines to the company for not doing this and the person responsible for the data is open to civil action.
The main problem I see from the article is that the impacted individuals may not be notified, which is just wrong. Granted, this kind of thing probably can't be prevented (minimized, yes, stopped, no) but there's a right way to address the problem and a wrong way. At least notify the affected people of what's happened.
I think the best point so far is the lack of indenability for off-shore shops. In America we can get the authorities to arrest someone for disclosing IP and data that is sensitive. If you off-shore data or IP, you no longer have the ability to exercise NDAs, enforce patents, enforce copyright, or enforce licenses. I can imagine off-shore companies creating software for large companies in the US, then selling the same software to the UK or some other country with big business.
This is a good idea. I should go to India and start buying UP IP and selling it. I know DELL, HP, and IBM are not outsourcing their sensitive projects because they have a large amount of skilled in house labor and more money than god. But I would like to know who is off-shoring what big projects?
I am a skilled programmer with no experience, unable to get a job in southern California because the market is flooded with highly skilled cheap IT/programmers. How can I compete for a $35,000 a year job with a guy with an MCSE, CCNA, A+, Java Certified, etc... even if I am smarter than him and can program better than him (though slower out of the gate) due to my great schooling at a decent CS program?
- Kill Yourself, spare us all! -
I usually just read /., and I've only commented a few times here and there. But I feel this is kind of important.
RentACoder kind of had this coming. When I was struggling to be a "real" programmer... wait, I'm still struggling.
Anyhow, I used to bid on some of those jobs at RaC. Not for the money, but to actually have something to put on my resume. This was way way back when RaC was just starting out. The site was very lightweight. Light on the cookies and HTML. Fast to download. Fast to browse.
I did a few jobs here and there. Picked up a couple of decent things to put on my resume. I felt things were looking good. After a while, there was one coder in particular who was beating me out on my bids. The strange thing was that he was beating me out on every single job! "Well," I thought, "that's a part of competition."
One day, I was browsing an entirely different web site for help with a pet project of mine when I spotted a request for help. The title of the request for help was exactly the same as a project I got beat out on at RaC. Looking into the body of the request, I discovered the request was identical to one at RaC, right down to the typos!
So who was the person who was requesting help on this other site? Why none other than the very same person who beat my bid at RaC. I did a little research on the site and a few others and found dozens of projects that have been outsourced by the low bidder at RaC. At the time, I still had ideals, so I contacted the site admin/owner and pointed this out. Noting that the other sites had a point reward system (if any reward system at all) whereas RaC was exchanging money for the work.
I was appalled at the answer I got back. I was told that this was the ultimate in outsourcing and he would not bother intervening.
And yes, he is from India. This was well before the Indian outsourcing issue became big in the public eye. So I never really attached any importance to that, other than having a very unusual name (to my American ears).
To be clear, I was angry at the outsourcing of the work. But, what really irked me to no end was that this guy's resume claimed he was a skilled programmer who worked on dozens of jobs! I sent off another e-mail to RaC that I lost my respect for the web site and that I would no longer promote the site to anyone looking to outsource any work. I vowed never to return looking to increase my skill marks.
After this incident, I started paying more attention to other "programmers" around me. The amount of outsourcing appalled me. A Visual Basic programmer who got extremely low marks in school the following semester (he couldn't build a simple tic tac toe program and "borrowed" the source from another student instead) managed to snag a decent job building UI to Database applications at a small telecom installation company.
A few years later, I caught a "senior" programmer outsourcing a closed source and proprietary database interface application on a web site. I knew it was the project I was working on since the requests were exact copies of my own internal requests for bug fixes to the programmer, again, right down to the very same typos!
I can't begin to express my disappointment about this sort of thing. Years of studying a half dozen different languages and all I needed to do was outsource everything I did to land that perfect job?
I get more satisfaction working in a retail warehouse and having customers screaming at me for their own stupidity.
Like many others I'm down as a Data Controller within the meaning of the Data Protection Act. I take this role very seriously even though I have just a few personal details, but also because I have access to a lot of other records and I view it from the point of view of: what if it was MY personal data that was being copied about? My declaration also states that any data never leaves the EU. Personally, I see any data sent to the US as being as secure as posting it on the Internet. Good to see the actual US government confirming my views.