Slashdot Mirror


Outsourced Confidential Data On Children Posted

Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."


  1. Who do you trust? by DarkHelmet · · Score: 5, Insightful

    Who do you trust? And who do you get to solve something like this?

    Do you say, "Only certain government approved facilities can deal with this sort of information?" Seriously, should I feel that someone "government sponsored" is better off with my information than an outsourced programmer in India? Who gets to play Big Brother? And what will they do with what they know?

    You can take this to the extreme, and be wary of anyone to handle private data about you. But then, if there's that sort of outcry, nobody would be able to handle it, would they?

    I suppose it's better than having the Smoking Man from the X-Files having a file about you, and a blood sample. I find most programmers to have a certain level of professionalism to what they do.

    I personally have access to roughly 10,000 credit card numbers. I'll never abuse the fact that I have access to them. But on the other hand, I'm not stupid enough to post all of them on the net for everybody to see, either.

    I hope anybody who ends up doing something that stupid becomes a victim of identity theft. That'll really open their eyes to respecting other people's privacy.

    By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Who do you trust? by R2.0 · · Score: 5, Insightful

      "By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at."

      Yes, it would suck if my daily schedule was put up in the internet. Then I'd have to worry about pedophiles or my crazy parent with the restraining order snatching me up.

      Oh, wait - I'm an adult male who carries a cell phone, "pocket knife", and just enough martial arts experience to get me out of (okay, into) trouble.

      Stories like this about children ARE different. Adults might have the means and methods to deal with the consequences of such a massive blunder. Children DO NOT! Especially lists about kids in day care: children who are pre-selected to be literally unable to take care of themselves.

      Oh, and your "even worse" example sucks too. At least women in shelter are somehow connected with help. Think instead of a database of phone calls to an abuse hotline - lots of women who are totally vulnerable.

      To borrow from the pigs in "1984": All privacy breaches are equally bad, but some are just way effin' worse than others.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
  2. Today's lesson: by American+AC+in+Paris · · Score: 5, Insightful

    When you're looking to cut corners, be careful who you give the scissors to...

    --

    Obliteracy: Words with explosions

  3. Maybe now someone will pay attention. by Anonymous Coward · · Score: 5, Insightful

    Talk of identity theft, damaged credit, and so on may not rile up the Soccer Moms of the world, but once something affects the children, watch and admire as their mouths begin to froth!

    1. Re:Maybe now someone will pay attention. by gr0ngb0t · · Score: 3, Insightful

      I doubt that any of the kids would be the child of a congressman, as in the article it says that the database "listed the names, addresses and other details of low-income and foster families".

      Now I'm not an American, but I assume that your congressmen are all on pretty damn healthy wages, like they are pretty much everywhere, so I don't think that their children would be involved in this child care program.

  4. Downside of outsourcing by johndiii · · Score: 5, Insightful

    When you outsource, you run the risk that the individuals doing the work do not share your company or even cultural values. If you are not willing to take the time to make sure that your outside contractors are what you expect, this is the kind of thing that will happen. Few companies really understand this.

    --
    Floating face-down in a river of regret...and thoughts of you...
    1. Re:Downside of outsourcing by allgood2 · · Score: 3, Insightful

      I'd have to say, and the article didn't indicate whether or not the originating company had indicated that the data was private and confidential. I've done data cleaning, analysis, report creation, etc. as an outsourced contract for a slew of organizations, nonprofits, government, and corporate--and I can't say the number of times I've been handed confidential data without any type of NDA or even a brief conversation stating this data is confidential. In fact, it happens so much, that we developed our own policy, indicating to all potential clients that all incoming data would be treated as the exclusive, confidential property of the organization, and only those staff members directly working on the project would have access to the provided data, etc.

      The truth is, even in places where HIPAA and other types of policies that demand handling of confidential data, that besides for the few items that get drilled into the staff-- oh that database requires a password, you can only view those forms in-house, or only that single computer can be used to transmit data to our insurance agency--most of the staff rarely give it a second thought. It's not that they mean to be careless, it's just that administrators have typically given them a checklist of guidelines and those are the only issues they worry about.

      Outsourcing overseas, is an issue about legal power or the ability to restrain legal. People will take advantage, and at least if it's an American outsourcer you have some recourse.

      But the issue of outsourcing has always been convoluted by who considers what valuable and how well you portray that to a third party. And to that regard, I find, you generally have two camps--those that just decide to put a blanket level of valuability on everything they do--you know the firms that have you sign an NDA, confidentiality agreements, and other legal forms, just so you can tweak their tech support database, and their staff sends email like "hey, had a great time last night" followed by a blanket two paragraph long confidentiality statement, that everyone they communicate with on the regular basis has stopped reading because it's typically not relevant.

      Then there are those who try to make the legalities relevant to the staff and data that is relevant, but find themselves hopeless at conveying the extent and necessity of why confidential needs to mean confidential. These places are typically of the you can only work on that database on that single machine that isn't connected to the internet, and has four levels of passwords. But you can go to the common printer and pick up pages of customer or client profiles that contain data such as social security number, HIV status, etc., etc.

      At the one type, the employees and the people they deal with become inured to the message of privacy and confidentiality because it's stapled to everything and at least 90% of the items it's stapled to is inappropriate. The others fall into the trap of thinking that security, confidentiality, etc is a thing--that's the secure machine, that database contains confidential data, we have our 5 point checklist, and I use it. That they overlook the multitude of everyday things that deserve to be treated with a level of respect and confidentiality.

  5. Before we bash on outsourcing... by wan-fu · · Score: 5, Insightful

    ... before everyone starts bashing on outsourcing, let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer. This could just as well happen on usenet with someone asking for programming advice from any company. It is the programmer who was not careful with data and the fault is on his side (and possibly the company who gave him the data and did not give him specific instructions for care of the data).

    1. Re:Before we bash on outsourcing... by Dimwit · · Score: 4, Insightful

      That's true - this could have happened with any company. However, to play Devil's advocate:

      Since this is an outsourced job, there is very little, if any recourse that can be taken against the person in question. Perhaps US companies will see this and think "whoa, if this happens to me, and somebody sues me...who can I sue?"

      It's sad that corporations are sending jobs overseas in the name of cheap labour. I frown upon the implications of the term "human resources". However, it's also sad that there are countries in the world poor enough that they can offer labour at those prices. I wish everyone had a standard of living equal to what I enjoy here, and I'm afraid outsourcing may be the way to do it. At this point, all I can hope is that the outsourcing is done in an ethical way - no sweatshops, no gang-ruled factories, no government corruption. Unfortunately, since money is involved, it suffers from all those things and more...

      --
      ...but it's being eaten...by some...Linux or something...
    2. Re:Before we bash on outsourcing... by laird · · Score: 5, Insightful

      "let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer"

      I'm not sure it's "unscrupulous" as clueless. Whether he's paid as an employee, a consultant, or a sub-contractor, he's just as responsible to treat sensitive data appropriately. He should have been fired the first time, or at least warned in writing and fired the second time. Allowing this to happen three times exposes both the agency (who's responsible for managing its vendors) and the vendor to tremendous liability because they've obviously not taken this issue seriously.

    3. Re:Before we bash on outsourcing... by Perl-Pusher · · Score: 5, Insightful
      Didn't read the article eh? I'll post the important part.

      County attorney David Morris said that programming work for the day-care center had been outsourced to the locally-based Genesee Community College. The manager of the college's program refused to speak to a reporter, but Morris said Dennis was a third party consultant hired by Genesee. Dennis, in turn, used RentACoder to once again subcontract the database work, which ultimately fell to a New Jersey-based programmer. By that time, the programmer actually working on the day-care data was four steps removed from the county's social services program.

      So the gist is they outsourced to a community college who then outsourced it to a website. The coder who answered the website not only didn't know what he was doing and tried to get someone else to help him, he probably had no idea the significance of the data to begin with. Since nobody who had a clue actually hired him. Outsourcing something that important is exactly what is wrong. I've seen companies outsource jobs that were essential to the well being of the company and nobody in charge (CEO, CIO) will admit that the reason the business failed was due to putting something critical in the hands of others who didn't have the same priorities as them. You should only outsource when the task is not critical and doing it yourself is too expensive. If it's important and you don't have the expertise, hire employees who do. Then when something is needed, you get it when you want it and how you want it. If neither is possible choose another line of work.

  6. Obvious bias in post! by teetam · · Score: 5, Insightful

    Couldn't a "non-outsourced" developer make the same mistake? What does this have to do with outsourcing at all? Seems to be a very leading post to me, designed to generate the usual angry, anti-outsourcing replies.

    --
    All your favorite sites in one place!
    1. Re:Obvious bias in post! by totatis · · Score: 5, Insightful

      Well, yes and no.

      In theory, a non-outsourced developer can make the same mistake. But there is something important called relationship and trust.

      If a developer is in-house, if he has talked to clients, project manager, if he has been given a lecture on how the data is sensitive, you can bet that this developer will not mistakenly post that data on the web. Sure he can be corrupted, but that's not what happened here.

      On the other hand, if some code-monkey receives some coding to do for an unknown company, in an unknown place, for an unknown application, and he is given a set of data not knowing what it is, then he might publish his data without knowing what he is doing.

      The "outsource" stuff is important, not because of some "save jobs" issue, but because it implies the developer should never have received this data in the first place.

      If some company/government entity outsources some programming job, it should give said developers only fake data. And administration jobs with access to the real data should be done by trusted guys.

    2. Re:Obvious bias in post! by L-Train8 · · Score: 3, Insightful

      Government agencies deal with sensitive data all the time, and have carefully developed practices and policies in place. These have been developed over years and are part of the culture of the workplace.

      When you outsource to a company that specializes in IT work, and that gets outsourced to a database contractor, the sensitive data is no longer in an institution used to handling it. Yes, you might have an unscrupulous or incompetent coder in your organization, but you are far more likely to have a problem when you hire someone because they are cheap and they can code. The institutional controls and culture that protect the data are not in place after 3 degrees of outsourcing.

      --

      Don't forget that Friday is Hawaiian shirt day.
  7. Look! Outsourcing Bad!! NOT. by RedHat+Rocky · · Score: 3, Insightful

    As much as I feel the outsourcing trend is not a good move, both for my career path and the US industry in general, this 'news' neither adds nor subtracts from the debate.

    It would be better titled:

    "Idiot makes mistake, exposes private data to Net. Sound thrashing in progress."

    --
    Anything is possible given time and money.
  8. Medical Industry by jamonterrell · · Score: 4, Insightful

    Those in the medical industry such as myself have a deep understanding of these issues. The government of the United States identified the amount of this kind of sensitivity in the information that we keep, and decided to pose some restrictions on how we handle it. For those who are interested, feel free to google for "HIPAA," and be sure to read over the consequences for disclosing "PHI" to unauthorized sources. Perhaps these kinds of sensitive information handling rules should be global, and not industry-based?

    Jamon

    --
    I can count to 1023 on my hands. Ask me about #132.
  9. Peer ethics by Montreal+Geek · · Score: 4, Insightful
    Ethics are hardly involved. This is a question of raw stupidity.

    That he has even thought of posting his customer's true dataset is unforgivably moronic. Whether it was data on children's whereabouts, credit card information, or even "just" accounting information on some business.

    While it is true that not revealing your customer's data is the ethical thing to do, it's also just plain ol' common sense.

    Though I should perhaps say vintage common sense. Seems that product has been discontinued for some years now.

    -- MG

  10. Not "unscrupulous", just stupid... by Saeed+al-Sahaf · · Score: 3, Insightful
    "let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer."

    Unscrupulous? No, just incompetent. Posting credit card numbers to some hacker site is unscrupulous; this guy's just too stupid to do his job.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  11. Yikes! by eli173 · · Score: 4, Insightful
    County officials have not yet determined if they will tell the families involved about the incident.

    "It's kind of a shock," said Morris, the county attorney. "Right now we are consulting with the state office ... to find out what we've got to do."

    "not yet determined"!?! Those parents should be informed so they can be alert for trouble.
  12. Kidnappings correlated? by forand · · Score: 3, Insightful

    I hope that the police in upstate New York correlate the kids whose information was posted and missing children reports.

    Also for everyone who says: "This could happen with an American programmer just as easily." Yes that is true but you could punish that programmer but you will have a hard time punishing programmers in other countries.

  13. Before the India/outsourcing bashing begins by andy1307 · · Score: 3, Insightful
    That's how personal details about hundreds of children ended up on the Internet. A user named Mark Dennis, stuck with a tricky formatting issue, posted his question to RentACoder -- and attached a zipped copy of the database he was working on.

    This work was outsourced, not offshored. This article has obviously been posted to show how outsourcing threatens the future of our children. This work wasn't offshored. It was done by an American programmer. If outsourcing is bad, why did the navy outsource a 5billion $ chunk of IT work to EDS?

  14. This is relatively simple... by John+Murdoch · · Score: 4, Insightful

    If you're an independent consultant, your insurance agent has probably mentioned "Software errors and omissions" insurance to you. Software E&O coverage is written to protect your ass(ets) in the event that you colossally screw up and do something that gets your client's client answering awkward questions from major news organizations. (A colleague once observed that, "if, when you walk in the door in the morning, your secretary says that a CBS producer is on the phone trying to schedule you for an interview with Mike Wallace, it's probably a bad day.")

    Suffice it to say that if Mark Dennis doesn't have Software E&O coverage, he's going to wish he did. Because he's going to get so sued. Along with the community college, the government agency, and everybody else involved.

    Getting sued, however, is the least of this bozo's worries
    If he has insurance, it might cover his liability exposure. However, his real problem is the civil fines he is going to have to pay--and no insurance policy in the world will protect you from a criminal court sentence. He'll get a whopping fine--but I doubt he'll do jail time. Unless, that is, somebody can demonstrate that a child molester used the database to identify a victim and attacked him.

    There's an important point here
    The software community should make it ABUNDANTLY CLEAR that this dumb cluck should have the book thrown at him. We have absolutely zero sympathy--and when his attorney (with nothing else to argue) says "it was all a tragic mistake..." somebody needs to stand up and yell, "LIES! LIES! DAMNABLE LIES!" This was willful, deliberate, with knowledge aforethought stupidity. And this jerk deserves to get run up the (proverbial) yardarm for it.

  15. Re:the dumbasses... by johnnyb · · Score: 4, Insightful

    Actually, I've found that they don't. Fake databases usually are well-organized and thought out. The real deal usually has many, many inconsistencies that have to be dealt with. I always require real data to test any program I develop with, because otherwise it's just a nightmare at go-live time.

  16. Rentacoder sure seems slow right now... by Satan's+Librarian · · Score: 4, Insightful
    From the speed of the RentaCoder site, I'd say a lot of unemployed slashdotters want to be 'outsourced programmers' too....

    I looked too... I'm not sure which is worse though - the fact that the prices on the projects are beneath a living wage for me to consider bothering with them (I'd make more as a barista or a dishwasher), or that half of them seem to be helping some dishonest schmuck in a CS class cheat on his assignment so there will be more clueless dorks that can't program their way out of a paper bag holding CS degrees out there applying for jobs.

    I'm cool with competing with Indians - for the most part the Indian coders I've met worked their asses off and knew their stuff, even if they might be willing to do it for half the price I'm used to commanding. If I was in their shoes, I suspect I'd do the same. Feeding your family is a good thing....

    It's all the people that fill their resumes with keywords for technologies they don't understand and couldn't use if their lives depended on it that clutter up the application inboxes that annoy me. HR departments encourage that behaviour, as do hiring managers that can't tell the difference, but it still pisses me off - both when I end up having to interview such cluebags and show them to the door, and when I'm competing with them for a job.

  17. The Original Problem by fatray · · Score: 3, Insightful

    OK the coder screwed up.

    The primal problem is that the government agency gave the data to their outsourcing provider. That data should have never left the secure area of the government. Once it is out, it is out. It doesn't matter whether it has gone to Genesee CC or RentaCoder. Posting it on the web is just a matter of degree.

    Everybody is ready to hop all over this clueless coder and blame everybody's favorite boogie man of outsourcing. There is a manager back in the government that originally disclosed the data.

    Don't tell me about NDCs. The first rule of confidential data is NEED TO KNOW. It would have taken someone 15 minutes to put in some dummy data for the programmer to work with, but they couldn't be bothered. Now that person wants to crucify the programmer.

    The programmer who screwed up is only the last (and most visible) in the chain of screw ups.

  18. Does even outsourced matter? by Uber+Banker · · Score: 5, Insightful

    The fact is this person revealed details against their contract code and more importantly, if they are in this position they should have the moral/ethical decency not to do this.

    Whether they were outsourced or not outsourced does not matter (IMHO) - they still have a personal moral/ethical judgement... FT government contractors are not great saviours, rather this individual is one with poor/sick ethical judgement (it is in no way 'freedom of speech' to disclose confidential/sensitive information about young kids).

    I do not believe outsourcing creates a more or less trustworthy/moral/ethical situations/employees (well, they just have less benefits rights and more legal liability if something goes wrong), it is the individual who makes a better individual and avoids being a piece of scum.

    1. Re:Does even outsourced matter? by Skuld-Chan · · Score: 4, Insightful

      This is true - but the original post does support some of the evils of outsourcing in general. And that is any time you outsource you have to give part of your company to another person or company. That company can be here in the US, Canada or in a country you have never heard of. And many times (depending on how the contract is written) it's up to the actual outsourcer where that labor is performed - more often than not actually this is the case.

      For 2 years I worked in an outsourcing company doing tech support - and pay rate really writes volumes on why tech support agents really truly don't care about you or your problems (for example they were starting people at 9$/hr to support graphics apps most people get paid 50-150/hr to use). The only goals in companies like this are a) to get customers to go away and b) look for a new job between calls (if you have that luxury). More than once I've seen people fired or reprimanded not on just my contract but others for stealing, using, exchanging or sending confidential information to people they probably shouldn't have. Usually it's details about the contract, what company uses what vendors for outsourcing, working conditions inside the outsourcing company and confidential knowledgebase/email docs on service and support. Many more times I've seen people take this information without anyone ever paying attention.

      To me this is a rampant problem since - the only reason this is on slashdot is because someone noticed.

    2. Re:Does even outsourced matter? by budgenator · · Score: 3, Insightful

      I would hope that as a DBA, if you hired me as a sub-contractor, or even as a sub-of-a-sub-of-a-sub, that the database I was given to develop the prototype of the app with would be populated with dummy data. Posting of the data on the Internet runs afoul of New York state's confidentiality laws, not to mention some federal laws for example: "M,Tue. & Fri when mother attends treatment program and therapy,( approx. 20 hrs per wk)" sure looks like a HIPAA violation to me (IANAL etc.) at $50K/occurrence, it passed thru 5 hands, 1 the Livingston County Department of Social Services, 2 Mark Dennis, 3 Genesee Community College, 5 RentACoder.com, 6. The programmer who took the job that $250K in potential fine for just one database record!

      It always struck me as ironic that the same people crying the loudest about protecting children, are usually instrumental in getting them hurt.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  19. Not just stupid -- unscrupulous. by Frater+219 · · Score: 4, Insightful
    Unscrupulous? No, just incompetent.
    No -- unscrupulous: lacking in moral measure; unable to discern the moral weight of one's actions.

    (A "scruple" is a unit of weight, don't you know.)

    Publicly posting government records of children's whereabouts is not a morally neutral act; it is a reprehensible one. The programmer in question was not, it is claimed, ignorant of the nature of the data he had in hand; he simply did not correctly value that data. He failed to make a necessary value judgment: that to post masses of information on children's whereabouts is, in our world, a wrong thing to do.

    It is not simply a stupid or ignorant thing to do. It is not simply incompetent, like writing C code with gets() in it, or turning in code to one's boss which won't compile. Rather, it is a form of carelessness that shows that one places no value upon that with which one has been entrusted.

    If you're the sysadmin of a mail system, reading other people's mail for fun is an unethical act. However, leaving the mail-system password lying around, so that random hooligans can read other people's mail, is also an unethical act. Not just stupid. Wrong. It shows that you don't value your users' privacy -- that your values do not match up with your users' values. That, while you may be competent to operate a system for them, you are not trustworthy to do so.

    That is a very different way to be bad at one's job.

  20. A phrase that will always live on... by Anonymous Coward · · Score: 3, Insightful

    You get what you pay for.

  21. California SB 1386 by JohnsonWax · · Score: 5, Insightful

    California has a bill designed to deal with these situations, though it's not clear if it would apply to this specific situation.

    http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

    The problem is that the bill is designed for data theft, not for dipshits giving it away for free. Nevertheless, the bill requires that consumers whose data has been stolen be notified through viable means - email, letter, public notice if they can't be identified. Fines to the company for not doing this and the person responsible for the data is open to civil action.

    The main problem I see from the article is that the impacted individuals may not be notified, which is just wrong. Granted, this kind of thing probably can't be prevented (minimized, yes, stopped, no) but there's a right way to address the problem and a wrong way. At least notify the affected people of what's happened.