Slashdot Mirror


Outsourced Confidential Data On Children Posted

Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."

27 of 438 comments

  1. I'm not surprised by samsmithnz · · Score: 4, Interesting

    Myself, I'm always careful about 'stripping' any information when posting code samples or looking for help in Forums. I'm surprised this isn't reported more often...

    I wonder if the parent company that hired this 'outsourcer', even knows that their data has been compromised...

  2. Sad to say.... by Tangurena · · Score: 4, Interesting

    Folks are too busy cutting back on employees to even think straight. This sort of thing has gone on before and will go on again. Just think of the hospital in Florida that outsourced medical transcription to someone, who outsourced it again, until eventually, some Pakistani woman was upset that she was not getting paid, and threatened to release all of the info onto the web.

    This, and the Florida case will be brought up again and again. And I am sad to say that these are just the beginning of a long decline.

  3. Confidential data on slashdot by Anonymous Coward · · Score: 5, Interesting

    I have seen some people spread data via slashdot comments encoded with base64 and encrypted. (anyone have a link to a specific occurrence - at least one time someone decrypted it and posted it) Could slashdot be used as a way to anonymously leak information like this, and use slashdot's general policy of "just mod to -1, don't delete" towards comments as an advantage? Unlike other forums, posting anonymously leaves nothing but an MD5SUM of your ip to be used in court. Also, if you "post anonymously" while logged in, slashdot caches your username. You can verify if you have mod points by noticing that even when you post anonymously AND change your ip address, you can't mod up/down the comment.

  4. Is it really gone? by AndroidCat · · Score: 5, Interesting

    I wonder if they've checked the wayback machine at archive.org.

    --
    One line blog. I hear that they're called Twitters now.

  5. Re:Before we bash on outsourcing... by sporty · · Score: 3, Interesting

    Yes, but when you sue, you can either sue the employee which you have a direct contract with for damages, or the company from which you outsource. With the case of the developer, he has a closer relationship, so is less likely to do wrong since he's not under the protection of a company. With the case of a company, you sue the company and the worst the company may do is fire them. Less vested interest in what the big boss might say -- depends on who your big boss is.

    --

    -
    ping -f 255.255.255.255 # if only

  6. This verges on criminal. by ezraekman · · Score: 2, Interesting

    The fact that the data went through multiple levels of subcontractors doesn't bother me, so long as each has signed the appropriate waivers and so long as each has been checked out enough to be trusted with the data. But there's no excuse for leaving proprietary and/or sensitive information out there, unprotected.

    Password-protecting an entire directory is trivial. 20 seconds to a seasoned user, or a few minutes in a web interface for a newbie. This info wasn't just accidentally left unprotected; it was intentionally posted to a public-facing site, in an attempt to attract programming assistance. This, on its own, could easily be called criminally negligent. But after being warned of the potential consequences and posting it again the following day... that's verging on knowing child endangerment. Use dummy data, for crying out loud!

    Everyone makes mistakes, myself included. I'll admit to posting members-only data in a public area once or twice. But once you know about it, there's no excuse to not fix it. This guy should probably be prosecuted. And while I hope the families get notified... I seriously doubt most of the affected families will ever find out.

    Oh... and write this story down, boys and girls. This is yet one more nail in the coffin for TIA-styled programs. "Oh, we're very careful with our data." Right.

  7. Procedure, Procedure, Prodecure by hellfire · · Score: 5, Interesting

    First of all, the article is fanning the flames by saying this is a database of children's whereabouts. Okay, this is a problem, but then again it doesn't matter if it's children or anyone, it just gets "oh please save the children!" sympathy clicks.

    It also doesn't address what I think the biggest problem is. It's obvious to me someone assumed this bozo of a programmer had some not-so-common-sense about posting information to a website. I deal with customer data all the time, and my company has taken some steps to make it a little harder for people who should not need the data to not get the data, and our data exchange policy clearly states "Do not give this data to anyone outside of this company or you will be beheaded!"

    I get to this day accountants in our company saying "why can't I peek at this customer's data" to which I reply "Do you have a significant need? If so, tell your manager to talk to my manager, and I'll be happy to give it to you." I get nothing after that. The customer data we have is for support and development use, not an accountant who has no use for inventory and sales information (at least not in this company). It is also freely accessible amongst those people, who typically only share it within others in their department.

    One day a manager might get an idea that looking at a customer's data might give them an idea of their open bills, but that might be unethical or illegal so until a manager says to give access, I won't.

    My point is, it could be that the policy was not pounded into this dolt's head, or that a proper data exchange policy even existed. If so, he's still a dumbass, but companies frequently hire dumbasses, which is why you sometimes need a policy to help prevent dumbass behavior. The article puts full blame on the programmer and doesn't really give any blame to the company who hired him.

    --

    "All great wisdom is contained in .signature files"

  8. These violations are RAMPANT. by Anonymous Coward · · Score: 5, Interesting

    I work at a company that makes software for viewing printer protocols (PCL, HPGL, etc.) As such, we often receive problematic files from customers which do not view properly in our viewer.

    You would not believe the sensitive information we receive. People don't even think about the ramifications when they send us, for example, somebody's high school transcript, or mortgage closing documents, or people's credit reports. We have secret inventory lists for competing companies, each of which would probably kill to get their hands on that information. We have "insider" information on the international banking industry. We have medical records. Prison records. It goes on and on.

    Because of this, we have an extremely tight document policy. Data exists on paper only long enough for testing purposes, then it is destroyed. The bug tracking database is purged of old test cases on a regular basis. Customer files never leave this office, in paper form or otherwise.

    In fact, as I write this message, I can think of several ways that we should probably be even more paranoid. Fortunately, the officers of the company take our responsibilities very seriously, and there has never been any serious breach of customer confidentiality. I hope there never is.

    The programmer who posted identifiable information to a public web site, because he was too incompetent to solve his own problems, is an idiot who should be fired and beaten with a wicker cane.

  9. Re:Before we bash on outsourcing... by nycsubway · · Score: 2, Interesting

    My guess is that is incorrect. Programmers can certainly make mistakes like this one did. But when you hire programmers and staff to do things so cheaply, you give up the quality control. When you are dealing with personal information, quality control is extremely important. It's also not to say that that kind of thing can't happen in the US. But it's unsettling for people to know that they can't even meet the person who is working with their personal information.

    If one of the programmers at a children's hospital starts publishing information about its patients, the hospital will want to start slapping the programmer silly. It's not that easy if the person is overseas.

    Quality control with information is much more important than the QA with manufactured products. Cheap products are good for most average people in the US, so outsourcing is ok. But cheap products in airliners and military equipment are not good. Highly personal information should not take the route of cheaply made goods.

  10. Stupid coder, stupider company... by Saeed al-Sahaf · · Score: 3, Interesting

    Unscrupulous coder? No, just incompetent. Posting credit card numbers to some hacker site is unscrupulous; this guy's just too stupid to do his job. But look at this part of the MSNBC story:

    "It's not likely all those visitors unzipped the attached database, but there's no way to know how many did, according to RentACoder CEO Dan Ippolito."

    This company is so damn stupid they don't know how to check their logs to see how many times that file was downloaded,

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  11. Re:Before we bash on outsourcing... by Kris_J · · Score: 3, Interesting

    You might think it looks like this on the outside, but the environment of outsourcing creates events like this by making it impossible to determine who's competent and who's not. There are so many degrees of separation between the company needing the work and the individual doing it that it's impossible to keep track of what's going on until it's obviously gone wrong or right. Also, outsourcing is so awful that the turnover is very high. This leads to excessive pressure on each new outsourcee as they get employed closer and closer to the deadline -- forcing them to take risks like these in order to do the job "on time". Outsourcing incubates problems like these.

  12. Re:Look! Outsourcing Bad!! NOT. by laird · · Score: 2, Interesting

    "Of course, the thrashing could be inflicted faster & with less preliminary legal wrangling if the culprit had been a regular employee & not an outsourced "consultant.""

    Actually, it's far easier in most states to manage a consultant or vendor than an employee, because employees are covered by labor protection laws, while vendors have to live up to their contract. So if the contract is at all reasonable, there should be immediate, significant financial penalties for their violating professional ethics, while for an employee, particularly a state employee, there's a fairly detailed disciplinary process that has to be followed.

  13. Re:Who do you trust? by Skyshadow · · Score: 5, Interesting

    Posting anon for reasons which will become clear:

    I work for a large healthcare organization. A while back, we caught some heat because we were transferring a lot of patient data over to India for use in one of our offshore projects and a local newspaper found out about it. Our official response was "Hey, Americans do this work too. It's not necessarily safer there than here."

    A month later, one of the outsourced programmers took off with a couple of backup tapes and blackmailed my company.

    This exposed the real issue at hand here: Offshore workers aren't in America, which means that we found ourselves unable to bring the weight of American law enforcement to bear on this person. In America, we would have had the FBI kicking in this guy's door within the hour. Instead, this individual simply moved to a different part of India, which is apparently like moving to another planet for the purposes of getting them arrested. The issue was clamped down on by management before the resolution, but the word around the water cooler is that we just paid them off -- really, the amount of money they wanted was insignificant against the massive PR damage we were looking at.

    So while it's true that a worker in America can spill private data just as easily as a worker in the third world, *getting away* with it is a completely different matter. Companies which offshore private data deserve the lawsuits they'll face when something like this actually plays out wrong...

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.

  14. Could be even worse with offshoring by FunkyOldD · · Score: 3, Interesting

    [paranoia]

    This is one of the things that really concerns me about offshoring. As US corporations keep outsourcing software development to other countries, the confidential data will inevitably move there too.

    How long before private information like credit histories, medical records etc. is leaked out from some company in Bangalore?

    Imagine being blackmailed by someone in a third world country. Given the state of law enforcement over there, you would have no legal recourse.

    [/paranoia]

  15. Who made the blunder? by gokubi · · Score: 4, Interesting

    It's great to see how different news orgs handle headlines. MSNBC makes pains to name the Government as the offender in its headline, "Government agency exposes day-care data". Slashdot is a little less breathy and indicates the true source of the leak, the out-sourced coder.

    Both could be called correct, but more interesting is how the positioning of the story indicates the inclination of the news source. MSNBC is part of the mainstream news establishment that has been telling us for years that the government hasn't done a good thing since kicking the British out of Yorktown.

    Slashdot speaks to a lot of developers who don't ever want to work for a place called "RentaCoder", and don't have a lot of respect for anyone who would.

    Personally, I much prefer the Slashdot take on the story.

    --
    I'm much funnier now that I'm a subscriber.

  16. google says... by larryk · · Score: 2, Interesting

    Quick google check (mark dennis lima) finds name, address, phone no. spouse, and three pets. http://www.limademocrats.com/bios/mark.asp

  17. The Real Kicker by stoolpigeon · · Score: 3, Interesting

    is this little bit at the end of the article

    County officials have not yet determined if they will tell the families involved about the incident.

    If that isn't sick I don't know what is. I thought it might be more like 'haven't decided how to tell....' not IF they would tell

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?

  18. OT: RentACoder owner is an asshole by arf_barf · · Score: 2, Interesting

    Just in case all you unemployed geeks consider rentacoder for some work, here is a sample email from Ippolito that I have received a while back:

    "... When you try to issue a charge back, here is what I will be doing:

    1) I will be reporting you to the VISA (or Mastercard) Internet Fraud
    Division with your tracked email address and IP Address (both of which
    have been re-confirmed again by the headers in this email you just sent
    me!). Every time we've done this, people have lost their credit card
    accounts, and I look forward to making you lose yours.

    2) I will be reporting "...." to the Better Business Bureau in
    Aliso Viejo, California as the deadbeat business that it is. I look
    forward to having everyone in your local community know exactly what
    kind of business you are.

    3) Site rules will force me to inform the coder that you are trying to
    stiff him, so we will notify him of this. It's probably one of the
    stupidest things in the world to try to stiff a coder as you usually end
    up email firebombed or worse. Exhedra does not condone such
    activity...but I've been around a long time to know how people react."

    It's your call. Either act responsibly for your actions, or suffer
    the consequences.

    Sincerely,
    Ian Ippolito

  19. Re:Maybe now someone will pay attention. by Schnapple · · Score: 4, Interesting

    Now all we need is for one of those children to be the child of a Congressman. Same way we need just one of the RIAA targets to be some senator's kid off at school...

  20. Re:Who is sending this information? by Anonymous Coward · · Score: 1, Interesting

    As I said, we have nearly a hundred thousand customers, and if they have a problem viewing a file, they will typically send us the file without thinking of the sensitivity of the information it contains.

    Some institutions, primarily banks, are very careful to properly anonymize the test cases they send to us. However, sometimes this "anonymization" makes the bug go away, and they are forced to send us a genuine document to illustrate the bug.

    All employees sign NDAs for various customers who send us large amounts of sensitive information.

    We obviously cannot stop people from emailing this stuff to us. If they have a problem, they send us the file. We fix the problem, try to boil down the test case to something anonymous, place that in our QA database, and destroy the original. We have very specific procedures for doing this.

    Often, we receive stuff where it is fairly obvious we should not be in possession of it. We destroy these files immediately. However, the damage is really already done, since there is someone inside the other company who is willing to transmit confidential files via unencrypted email -- if they sent it to us, they've probably screwed up other times as well.

  21. Re:Who do you trust? by pwtrash · · Score: 5, Interesting

    Yep, your example would have been worse.

    However, the article suggested that these kids are foster kids, which means that at a minimum they were victims of neglect to the extent that the state stepped in and removed them from their birth parents.

    It's likely that a number of these kids were victims of sexual abuse. Needless to say, many of them have views on sexual issues that are warped by their experience. A predator would likely know how to take advantage of their experience.

    Also, typically, the goal is to re-unite them with their parents. Obviously, some of these parents are not worth anything. But a number of them are genuinely trying to do whatever they can to make their family right. This doesn't help.

    My wife works with kids in this situation, and I don't know any names ever. I don't want to know, and she takes her commitment to their confidentiality very seriously.

    I hope we get to hear what becomes of Mr. Mark Dennis, the fine bleeding-edge developer who had to ask RentACoder for database formatting help. It would only be fitting if we all got to experience his worst or most vulnerable moment. I'll turn it into HTML for $15.

  22. Re:Copyright by gordguide · · Score: 2, Interesting

    Databases are not always or automatically subject to copyright. Pure factual information (ie the telephone book) has no creative or interpretive value added to it; it's not an "original work", just a list of factual information.

    For the purpose of this I'm going to limit most of this to the information itself in the form of pure text, and won't wade too deeply into the details like the "design" of the database form and fields if it were presented in a GUI format.

    There is a grey area where purely factual information is not publicly available, and the unauthorized use of it may be actionable, but usually not on the basis of copyright. What would be the deciding factor would be based on how it was copied; ie word for word including the format, page numbers, annotations, etc would probably be copyright infringement.

    If it was limited to the factual information only, an action would probably be based on theft of proprietary information. Should that information be posted publicly, it by definition becomes public from that point on, so fair game from then on. Not to say that a court wouldn't have to rule as such; but posting it publicly would be the basis the ruling would hinge upon.

    However, keep in mind that you can't photocopy the phone book and expect to avoid breaking copyright law; you could however enter all the information found in a phone book in your own database and publish that info in a "phone book" that factually is identical to the original.

    What is different is you copied the design of the phone book in the first instance (the creative component is the design, with the design incorporating in part some factual information) but just the information it contained in the second (no creative component; just the facts).

    Another example; if the database contains original work, even if this only amounts to a field where someone writes something like:

    "Bob is an engineer; he and his wife Patty have 3 kids. The whole family loves dogs." ... then the copyright stuff can come into play, but again only if that field's text was distributed verbatim.

    You could use it as pure information by, for example, putting "Engineer" in a "occupation" field you create and you would be OK.

    The pure factual information remains non-copyrightable so one must limit the use to that information only.

    There are many instances of factual information that is not subject to copyright itself; even though it might be incorporated into a work subject to rights; for example the title of a song itself is not copyrightable while the title and lyrics together are.

  23. Re:Who do you trust? by Anonymous Coward · · Score: 0, Interesting

    Incidentally, UCSF has revised its contracts to require its transcriptions firms to reveal who they subcontract with.

    You really think this'll help any? Subcontracting with companies in other countries for this is just stupid. I'm willing to bet that not only will their government look the other way, they'll get official aid if you try to sue them in American courts or ruin their reputation. And you can bet that they'll have some way to sue YOUR ass off. At the very least, you'll go down as an easy mark and other Indian companies will start doing the same thing.

  24. Re:Who do you trust? Guess what pal ... by jeepmeister · · Score: 3, Interesting

    I strongly suspect I work for the same hosed up HMO as this guy, and I'm in a position to know for a fact this happened pretty much as he said it did.

    --

    I don't need no estinkin' .sig
    Jeepmeister

  25. Re:Who do you trust? by Anonymous Coward · · Score: 1, Interesting

    Watch as I double-check the anon box..

    I think I work for the same place. They're overall good to their employees, but they do some shitty things. Check out what was in the lobby this morning. Keep in mind this is in Walnut Creek, California, which is about 20 minutes from San Francisco on BART...

    Kaiser Foundation Hospitals is seeking approval of a labor condition application for the period of February 26, 2004 to February 26, 2007 to permit employment of one H-1B worker in the classification of Programmer Analyst. The salary for this job is $77,501 per year. The H-1B worker will be employed at our facility located at 501 Lennon Lane, Walnut Creek, California 94598. The labor condition application relating to this employee is available for public inspection at our main office located at One Kaiser Plaza, Oakland, California 94612. Complaints alleging misrepresentation of material facts in the labor condition application and/or failure to comply with the terms of the labor condition application may be filed with any office of the Wage and Hour Division of the United States Department of Labor.

    Posted January 26, 2004
    (can't read the signature)

  26. Re:Who do you trust? by lonesome phreak · · Score: 2, Interesting

    I'm surprised someone didn't end up in prison. That is a direct violation of HIPAA Privacy rulings...you're supposed to have a chain of trust agreement, specifically a Business Associate Contract. This states that your company is HIPAA compliant in all areas where you deal with PHI (protected health information). If you outsource, your company is supposed to get a BAC from the people you outsource to.

    Your company could probably get hit with a violation of 42 U.S.C. 1320D-6(a), which is a federal law. If management knew (or should have known) that the chain of trust was supposed to be followed, your Privacy Officer can be hit with a $50,000 fine and/or one year in the federal pen. If it was done "with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm" someone can be hit with a $500,000 fine and up to 10 years in prison.

    Go read this http://www.ehcca.com/presentations/HIPAA3/malone_2.pdf ASAP. If you deal with PHI, then you are probably a covered entity.

    --
    Maybe we DID take the blue pill. You wouldn't remember anyway.

  27. Re:Who do you trust? by Moraelin · · Score: 2, Interesting

    How about "you do _not_ need a 'hidemydata' _coder_".

    I've worked on several enterprise projects so far, and in _none_ of them did I need any actual production data while coding the app. All the test databases we worked on were filled with dummy data. Including login accounts, addresses, products/materials, financial data, etc. You name it, it was fake.

    What you do need are a few examples that _look_ like the real data. They don't come from a coder, they're not real data that ran through some encryption code. They're just bogus.

    Where do they come from? They come from the people who work with the real data. Only those need to see it.

    _They_ are allowed to see where little Timmy Victim lives and where he goes to school. So they take some records from that data, read it, then replace the name with Bart Simpson, the address with something bogus, and so on. Then send me the database with a few such examples.

    What if I need thousands of records, you say? Well, then I, or another "rent-a-hidemydata-coder", takes those bogus samples, and writes a small script to generate thousands that look like those. Voila, now you have thousands, maybe even hundreds of thousands, of bogus records to run those tests on.

    If there's a bug that needs fixing -- e.g., to stick to the article, the formatting code sucks -- I don't need production data to reproduce the bug. I just need an example -- _any_ example -- that clearly demonstrates the bug. If it's a bogus example, all the better.

    You may notice how at no point did a coder actually see the confidential data. Not the developer of the application, not the "rent-a-hidemy-data coder", not the coder's PHB, not the company's marketroid (who might go "ka-ching! we have all those people's records, let's try to sell them stuff.") The only ones who saw the confidential data are (surprise!) the people who actually have a right to work with that data.

    It wasn't that hard, now was it?

    --
    A polar bear is a cartesian bear after a coordinate transform.
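
An added example, not part of the comment above or of any code from this thread: a sketch of the "small script" comment 27 describes, which takes a handful of already-bogus sample rows supplied by the data owners and generates thousands of records with the same formats. The field names, sample rows, and the `RULES` overrides are assumptions made up for this illustration.

```python
import csv
import io
import random
import string

# Constructed, already-bogus samples of the kind the data owners would hand over.
# The awkward rows (apostrophe, embedded comma, empty phone, long surname) are
# kept on purpose: they are what reproduces formatting bugs.
SAMPLES_CSV = """child_name,address,phone,provider_id,dropoff
Bart Simpson,742 Evergreen Terrace,555-0113,DC-00417,08:15
Lisa O'Example,"12 Fake St, Apt 4B",555-0142,DC-01093,07:45
Xyz Placeholder-Verylongsurname,1 Test Rd,,DC-00002,16:30
"""


def shape(value):
    """Reduce a value to its format: 9 for digits, A/a for letters, rest kept."""
    out = []
    for ch in value:
        if ch in string.digits:
            out.append("9")
        elif ch in string.ascii_uppercase:
            out.append("A")
        elif ch in string.ascii_lowercase:
            out.append("a")
        else:
            out.append(ch)
    return "".join(out)


def scramble(value, rng):
    """Replace every digit/letter with a random one of the same class, so
    length, case pattern, spacing and punctuation survive but content does not."""
    pools = {"9": string.digits, "A": string.ascii_uppercase,
             "a": string.ascii_lowercase}
    return "".join(rng.choice(pools[s]) if s in pools and s != ch else
                   (rng.choice(pools[s]) if ch.isalnum() and s in pools else ch)
                   for ch, s in zip(value, shape(value)))


def fake_phone(template, rng):
    # Stay inside 555-0100..555-0199, the range reserved for fictional use.
    return "" if not template else "555-01%02d" % rng.randrange(100)


def fake_time(template, rng):
    # A blind scramble could produce "97:83"; keep times valid instead.
    return "" if not template else "%02d:%02d" % (rng.randrange(24),
                                                  rng.randrange(60))


# Fields that need to stay semantically valid get their own rule (assumed names).
RULES = {"phone": fake_phone, "dropoff": fake_time}


def load_samples(text=SAMPLES_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def generate(samples, count, seed=0, rules=RULES):
    """Build `count` records; each field borrows its format from a randomly
    chosen sample row, so columns are mixed and no row is a copy of a sample."""
    rng = random.Random(seed)  # seeded: a failing test case can be regenerated
    fields = list(samples[0].keys())
    records = []
    for _ in range(count):
        record = {}
        for field in fields:
            template = rng.choice(samples)[field]
            record[field] = rules.get(field, scramble)(template, rng)
        records.append(record)
    return records


def to_csv(records):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(records[0].keys()),
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(generate(load_samples(), 5000, seed=2004)[:5]))
```

The generator only ever reads the bogus samples, so it can be written and run by someone who has no access to the production database.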