Slashdot Mirror


Outsourced Confidential Data On Children Posted

Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."

27 of 438 comments

  1. Who do you trust? by DarkHelmet · · Score: 5, Insightful

    Who do you trust? And who do you get to solve something like this?

    Do you say, "Only certain government approved facilities can deal with this sort of information?" Seriously, should I feel that someone "government sponsored" is better off with my information than an outsourced programmer in India? Who gets to play Big Brother? And what will they do with what they know?

    You can take this to the extreme, and be wary of anyone to handle private data about you. But then, if there's that sort of outcry, nobody would be able to handle it, would they?

    I suppose it's better than having the Smoking Man from the X-Files having a file about you, and a blood sample. I find most programmers to have a certain level of professionalism to what they do.

    I personally have access to roughly 10,000 credit card numbers. I'll never abuse the fact that I have access to them. But on the other hand, I'm not stupid enough to post all of them on the net for everybody to see, either.

    I hope anybody who ends up doing something that stupid becomes a victim of identity theft. That'll really open their eyes to respecting other people's privacy.

    By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Who do you trust? by Skyshadow · · Score: 5, Interesting
      Posting anon for reasons which will become clear:

      I work for a large healthcare organization. A while back, we caught some heat because we were transferring a lot of patient data over to India for use in one of our offshore projects and a local newspaper found out about it. Our official response was "Hey, Americans do this work too. It's not necessarily safer there than here."

      A month later, one of the outsourced programmers took off with a couple of backup tapes and blackmailed my company.

      This exposed the real issue at hand here: Offshore workers aren't in America, which means that we found ourselves unable to bring the weight of American law enforcement to bear on this person. In America, we would have had the FBI kicking in this guy's door within the hour. Instead, this individual simply moved to a different part of India, which is apparently like moving to another planet for the purposes of getting them arrested. The issue was clamped down on by management before the resolution, but the word around the water cooler is that we just paid them off -- really, the amount of money they wanted was insignificant against the massive PR damage we were looking at.

      So while it's true that a worker in America can spill private data just as easily as a worker in the third world, *getting away* with it is a completely different matter. Companies which offshore private data deserve the lawsuits they'll face when something like this actually plays out wrong...

      --
      Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    2. Re:Who do you trust? by Greyfox · · Score: 5, Funny
      Posting anon for reasons which will become clear:

      Dibs on his 3 digit user ID when his company has him killed!

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Who do you trust? by pwtrash · · Score: 5, Interesting
      Yep, your example would have been worse.

      However, the article suggested that these kids are foster kids, which means that at a minimum they were victims of neglect to the extent that the state stepped in and removed them from their birth parents.

      It's likely that a number of these kids were victims of sexual abuse. Needless to say, many of them have views on sexual issues that are warped by their experience. A predator would likely know how to take advantage of their experience.

      Also, typically, the goal is to re-unite them with their parents. Obviously, some of these parents are not worth anything. But a number of them are genuinely trying to do whatever they can to make their family right. This doesn't help.

      My wife works with kids in this situation, and I don't know any names ever. I don't want to know, and she takes her commitment to their confidentiality very seriously.

      I hope we get to hear what becomes of Mr. Mark Dennis, the fine bleeding-edge developer who had to ask RentACoder for database formatting help. It would only be fitting if we all got to experience his worst or most vulnerable moment. I'll turn it into HTML for $15.

    4. Re:Who do you trust? by orthogonal · · Score: 5, Informative

      Who do you trust? And who do you get to solve something like this?

      In this particular case, you needn't trust anyone.

      Nothing that Mark Dennis wanted to do -- build the database structure, build the front-end, or get help with his "tricky formatting problem" -- required that he supply real data to RentACoder or other subcontractors.

      And furthermore, nothing the Livingston County Social Services Commission wanted required that Mark Dennis ever see live data.

      This one's simple, folks -- sure, Mark (or someone) needed to do a requirements analysis, sure, somebody had to decide what data entities to capture -- but very little real data was needed.

      First, make some dummy data for the developers' use: run through your real data -- if you even need to base the dummy data off the real data --, and replace every name with a random dictionary word. Do the same thing for addresses, and replace Social Security and other id numbers with randomly chosen numbers. In all cases, maintain a constant map of real to dummy, to preserve relations within the data: "Mike Smith" is always translated to "Armchair Landowner" and "1450 Main Street" to "3321 Crumpet Sponge".

      Once you've finished your translation, throw away the map.

      Now the coder has data that's exactly as diverse as the real data, shows the same frequencies and inter-relations as the real data, is as internally self-consistent as the real data, and yet is (nearly) completely meaningless in terms of the real world, and (nearly) impossible to link to any real persons, places, or identifying information.

      (It's possible one could still do traffic analysis on the data, and come up with aggregate data: either more male or more female (but which?) children are in the Social Services system; two zip codes out of six produce 70% of the cases (but which two?). If this is a problem you have to take a weighted slice of the data, and provide the developer with only this weighted slice; that (intentionally) skews your frequencies, but still preserves diverse data and any inter-relations among that data, closely enough to be representative for almost all design and coding needs.)

      No trust involved. Just a simple and mechanical translation process that has to take place only once.

      (If you really have a situation where the developer must base his requirements and code against gradually accumulating real world data -- and you shouldn't if you've planned at all well -- let one non-outsourced person hold the translation map -- and be held responsible for keeping it secret.)

      And a process like I've outlined should be standard for any organization dealing with sensitive data.
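
The translation step described in the comment above, as an added example that is not part of the original thread: each real name, address and ID number gets a random dummy value, a constant in-memory map keeps relations intact, and the map is discarded at the end. The field names, sample rows and word list are constructed for illustration.

```python
import secrets

# Constructed word list; a real run would load a full dictionary file so the
# space of dummy values is far larger than the number of real values.
WORDS = ["armchair", "landowner", "crumpet", "sponge", "lantern", "pebble",
         "harbor", "thistle", "quill", "marble", "ember", "willow"]


def _words(n):
    return " ".join(secrets.choice(WORDS).title() for _ in range(n))


# One dummy-value generator per kind of sensitive field named in the comment.
GENERATORS = {
    "name": lambda: _words(2),
    "address": lambda: f"{secrets.randbelow(9000) + 100} {_words(2)}",
    "id_number": lambda: "{:03d}-{:02d}-{:04d}".format(
        secrets.randbelow(1000), secrets.randbelow(100),
        secrets.randbelow(10000)),
}


class Pseudonymizer:
    """Keeps the real-to-dummy map in memory only, until discard_map()."""

    def __init__(self):
        self._map = {kind: {} for kind in GENERATORS}

    def translate(self, kind, real):
        if self._map is None:
            raise RuntimeError("translation map has been discarded")
        table = self._map[kind]
        # Normalise so "mike  smith" and "Mike Smith" get the same dummy.
        key = " ".join(real.split()).casefold()
        if key not in table:
            used = set(table.values())
            dummy = GENERATORS[kind]()
            while dummy in used:  # two real values never share one dummy
                dummy = GENERATORS[kind]()
            table[key] = dummy
        return table[key]

    def pseudonymize(self, rows, field_kinds):
        # Fields not listed in field_kinds are copied through unchanged.
        return [{field: self.translate(field_kinds[field], value)
                 if field in field_kinds else value
                 for field, value in row.items()} for row in rows]

    def discard_map(self):
        # "Throw away the map": it is never written to disk and is dropped here.
        self._map = None


# Which columns are sensitive, and which kind of dummy each one gets.
FIELD_KINDS = {"child": "name", "guardian": "name",
               "address": "address", "ssn": "id_number"}

# Constructed sample rows. The first two share a guardian and an address,
# with the guardian typed inconsistently in the second row.
SAMPLE_ROWS = [
    {"child": "Ann Smith", "guardian": "Mike Smith",
     "address": "1450 Main Street", "ssn": "000-00-0001", "zip": "00001"},
    {"child": "Bob Smith", "guardian": "mike  smith",
     "address": "1450 Main Street", "ssn": "000-00-0002", "zip": "00001"},
    {"child": "Cat Jones", "guardian": "Dee Jones",
     "address": "9 Oak Lane", "ssn": "000-00-0003", "zip": "00002"},
]

if __name__ == "__main__":
    p = Pseudonymizer()
    for row in p.pseudonymize(SAMPLE_ROWS, FIELD_KINDS):
        print(row)
    p.discard_map()
```

The `zip` column passes through untouched here, which is exactly the aggregate leak the comment's traffic-analysis caveat describes; any column left out of `FIELD_KINDS` has to be reviewed with that in mind.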

    5. Re:Who do you trust? by R2.0 · · Score: 5, Insightful

      "By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at."

      Yes, it would suck if my daily schedule was put up on the internet. Then I'd have to worry about pedophiles or my crazy parent with the restraining order snatching me up.

      Oh, wait - I'm an adult male who carries a cell phone, "pocket knife", and just enough martial arts experience to get me out of (okay, into) trouble.

      Stories like this about children ARE different. Adults might have the means and methods to deal with the consequences of such a massive blunder. Children DO NOT! Especially lists about kids in day care: children who are pre-selected to be literally unable to take care of themselves.

      Oh, and your "even worse" example sucks too. At least women in shelter are somehow connected with help. Think instead of a database of phone calls to an abuse hotline - lots of women who are totally vulnerable.

      To borrow from the pigs in "1984": All privacy breaches are equally bad, but some are just way effin' worse than others.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
  2. Today's lesson: by American+AC+in+Paris · · Score: 5, Insightful

    When you're looking to cut corners, be careful who you give the scissors to...

    --

    Obliteracy: Words with explosions

  3. Maybe now someone will pay attention. by Anonymous Coward · · Score: 5, Insightful

    Talk of identity theft, damaged credit, and so on may not rile up the Soccer Moms of the world, but once something affects the children, watch and admire as their mouths begin to froth!

  4. Downside of outsourcing by johndiii · · Score: 5, Insightful

    When you outsource, you run the risk that the individuals doing the work do not share your company or even cultural values. If you are not willing to take the time to make sure that your outside contractors are what you expect, this is the kind of thing that will happen. Few companies really understand this.

    --
    Floating face-down in a river of regret...and thoughts of you...
  5. Before we bash on outsourcing... by wan-fu · · Score: 5, Insightful

    ... before everyone starts bashing on outsourcing, let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer. This could just as well happen on usenet with someone asking for programming advice from any company. It is the programmer who was not careful with data and the fault is on his side (and possibly the company who gave him the data and did not give him specific instructions for care of the data).

    1. Re:Before we bash on outsourcing... by laird · · Score: 5, Insightful

      "let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer"

      I'm not sure it's "unscrupulous" so much as clueless. Whether he's paid as an employee, a consultant, or a sub-contractor, he's just as responsible to treat sensitive data appropriately. He should have been fired the first time, or at least warned in writing and fired the second time. Allowing this to happen three times exposes both the agency (who's responsible for managing its vendors) and the vendor to tremendous liability because they've obviously not taken this issue seriously.

    2. Re:Before we bash on outsourcing... by Perl-Pusher · · Score: 5, Insightful
      Didn't read the article eh? I'll post the important part.

      County attorney David Morris said that programming work for the day-care center had been outsourced to the locally-based Genesee Community College. The manager of the college's program refused to speak to a reporter, but Morris said Dennis was a third party consultant hired by Genesee. Dennis, in turn, used RentACoder to once again subcontract the database work, which ultimately fell to a New Jersey-based programmer. By that time, the programmer actually working on the day-care data was four steps removed from the county's social services program.

      So the gist is they outsourced to a community college who then outsourced it to a website. The coder who answered the website not only didn't know what he was doing and tried to get someone else to help him, he probably had no idea of the significance of the data to begin with, since nobody who had a clue actually hired him. Outsourcing something that important is exactly what is wrong. I've seen companies outsource jobs that were essential to the well being of the company and nobody in charge (CEO, CIO) will admit that the reason the business failed was due to putting something critical in the hands of others who didn't have the same priorities as them. You should only outsource when the task is not critical and doing it yourself is too expensive. If it's important and you don't have the expertise, hire employees who do. Then when something is needed, you get it when you want it and how you want it. If neither is possible choose another line of work.

  6. Confidential data on slashdot by Anonymous Coward · · Score: 5, Interesting

    I have seen some people spread data via slashdot comments encoded with base64 and encrypted. (anyone have a link to a specific occurrence - at least one time someone decrypted it and posted it) Could slashdot be used as a way to anonymously leak information like this, and use slashdot's general policy of "just mod to -1, don't delete" towards comments as an advantage? Unlike other forums, posting anonymously leaves nothing but an MD5SUM of your IP to be used in court. Also, if you "post anonymously" while logged in, slashdot caches your username. You can verify if you have mod points by noticing that even when you post anonymously AND change your IP address, you can't mod up/down the comment.

  7. Obvious bias in post! by teetam · · Score: 5, Insightful

    Couldn't a "non-outsourced" developer make the same mistake? What does this have to do with outsourcing at all? Seems to be a very leading post to me, designed to generate the usual angry, anti-outsourcing replies.

    --
    All your favorite sites in one place!
    1. Re:Obvious bias in post! by totatis · · Score: 5, Insightful

      Well, yes and no.

      In theory, a non-outsourced developer can make the same mistake. But there is something important called relationship and trust.

      If a developer is in-house, if he has talked to clients, project manager, if he has been given a lecture on how the data is sensitive, you can bet that this developer will not mistakenly post that data on the web. Sure he can be corrupted, but that's not what happened here.

      On the other hand, if some code-monkey receives some coding to do for an unknown company, in an unknown place, for an unknown application, and he is given a set of data not knowing what it is, then he might publish his data without knowing what he is doing.

      The "outsource" stuff is important, not because of some "save jobs" issue, but because it implies the developer should never have received this data in the first place.

      If some company/government entity outsources some programming job, it should give said developers only fake data. And administration jobs with access to the real data should be done by trusted guys.

  8. Is it really gone? by AndroidCat · · Score: 5, Interesting

    I wonder if they've checked the wayback machine at archive.org.

    --
    One line blog. I hear that they're called Twitters now.
  9. Not outsourced overseas by crymeph0 · · Score: 5, Informative

    Rather than mod you down, I'll just let you (and all the other knee-jerks) know that THIS WAS NOT AN INDIAN PROGRAMMER. This was a guy named Mark Dennis. Not a very Indian sounding name. Also, Mark Dennis actually subcontracted the job involving the database out to someone in New Jersey. Maybe IHBT, but the article summary could make you believe this had to do with offshore outsourcing, so that's a misconception we should clear up early.

    --
    It should be illegal to say that freedom of speech should be limited.
    1. Re:Not outsourced overseas by Shut+the+fuck+up! · · Score: 5, Funny

      This was a guy named Mark Dennis. Not a very Indian sounding name.

      True, but if you replace the 'rk' in Mark with 'ndara' and the 'nnis ' in Dennis with 'eptanshu' then you have Mandara Deepthanshu. That, as I am sure you will agree, sounds Indian to me.

    2. Re:Not outsourced overseas by SoSueMe · · Score: 5, Funny

      True, but if you replace the 'rk' in Mark with 'ke' and the 'nnis ' in Dennis with 'epshiticancause thecompanyiamabouttoquit' then you have "Make Deepshiticancausethecompanyiamabouttoquit" sounds like an inside job to me.

  10. Re:Really, this is not OT by MaineCoon · · Score: 5, Informative

    However, in this case, all the outsourcing was within US borders, as is evident from the contents of the article.

    --
    Hunt your preferred prey at Aliens vs Predator MUD. Join the war at avpmud.com port 4000
  11. Procedure, Procedure, Procedure by hellfire · · Score: 5, Interesting

    First of all, the article is fanning the flames by saying this is a database of children's whereabouts. Okay, this is a problem, but then again it doesn't matter if it's children or anyone, it just gets "oh please save the children!" sympathy clicks.

    It also doesn't address what I think the biggest problem is. It's obvious to me someone assumed this bozo of a programmer had some not-so-common-sense about posting information to a website. I deal with customer data all the time, and my company has taken some steps to make it a little harder for people who should not need the data to not get the data, and our data exchange policy clearly states "Do not give this data to anyone outside of this company or you will be beheaded!"

    I get to this day accountants in our company saying "why can't I peek at this customer's data" to which I reply "Do you have a significant need? If so, tell your manager to talk to my manager, and I'll be happy to give it to you." I get nothing after that. The customer data we have is for support and development use, not an accountant who has no use for inventory and sales information (at least not in this company). It is also freely accessible amongst those people, who typically only share it within others in their department.

    One day a manager might get an idea that looking at a customer's data might give them an idea of their open bills, but that might be unethical or illegal so until a manager says to give access, I won't.

    My point is, it could be that the policy was not pounded into this dolt's head, or that a proper data exchange policy even existed. If so, he's still a dumbass, but companies frequently hire dumbasses, which is why you sometimes need a policy to help prevent dumbass behavior. The article puts full blame on the programmer and doesn't really give any blame to the company who hired him.

    --

    "All great wisdom is contained in .signature files"

  12. These violations are RAMPANT. by Anonymous Coward · · Score: 5, Interesting
    I work at a company that makes software for viewing printer protocols (PCL, HPGL, etc.) As such, we often receive problematic files from customers which do not view properly in our viewer.

    You would not believe the sensitive information we receive. People don't even think about the ramifications when they send us, for example, somebody's high school transcript, or mortgage closing documents, or people's credit reports. We have secret inventory lists for competing companies, each of which would probably kill to get their hands on that information. We have "insider" information on the international banking industry. We have medical records. Prison records. It goes on and on.

    Because of this, we have an extremely tight document policy. Data exists on paper only long enough for testing purposes, then it is destroyed. The bug tracking database is purged of old test cases on a regular basis. Customer files never leave this office, in paper form or otherwise.

    In fact, as I write this message, I can think of several ways that we should probably be even more paranoid. Fortunately, the officers of the company take our responsibilities very seriously, and there has never been any serious breach of customer confidentiality. I hope there never is.

    The programmer who posted identifiable information to a public web site, because he was too incompetent to solve his own problems, is an idiot who should be fired and beaten with a wicker cane.

  13. The answer is simple: by Anonymous Coward · · Score: 5, Funny

    Outsourced moderators, of course.

  14. Oops.... by Skyshadow · · Score: 5, Funny
    Shit. So much for that anon thing. (cringe)

    Guess my sig goes double now...

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  15. Does even outsourced matter? by Uber+Banker · · Score: 5, Insightful

    The fact is this person revealed details against their contract code and more importantly, if they are in this position they should have the moral/ethical decency not to do this.

    Whether they were outsourced or not outsourced does not matter (IMHO) - they still have a personal moral/ethical judgement... FT government contractors are not great saviours, rather this individual is one with poor/sick ethical judgement (it is in no way 'freedom of speech' to disclose confidential/sensitive information about young kids).

    I do not believe outsourcing creates a more or less trustworthy/moral/ethical situations/employees (well, they just have less benefits rights and more legal liability if something goes wrong), it is the individual who makes a better individual and avoids being a piece of scum.

  16. Re:the dumbasses... by SirSlud · · Score: 5, Informative

    actually

    1. It's bad to develop with real data, because you make assumptions about what kind of data you have to process. You should unit test the code, by *trying* to break it by using known invalid formats or invalid data to ensure that your software handles such input inconsistencies gracefully. As in, the only way to be sure your software won't core, or fork bomb, or enter an infinite loop is to test it on test data, which should be created by the developer.

    2. You're right about going live tho. You'd never go live with software before you QA'd it in the final go-around with the real data just to ensure you're not going to spend 2 hours upgrading a platform, and 2 hours backing out.

    Neither of these points has any bearing on the fact that, as a developer, you will (most of the time) have/need access to the real data at some point, so it really is up to the developer and the contractor to set out rules for the usage of the data, and even to have the developer sign an NDA of sorts to put the accountability where it should belong.

    What stories like this really highlight is the sorts of losses that can occur from outsourcing or contracting that don't often show up on a cost analysis of the project. The less control and supervision you have over your 'employees', the higher the likelihood that those employees may do something with their relationship with you that may damage the company. I've had numerous higher-ups in other companies pass me sensitive data just because they need something fixed as soon as possible, and they can't find the experience/ability in house, and I just think it's a completely irresponsible way of conducting business. But if I did something dumb with that data, it wouldn't be my ass on the line, because I was handed that data with no legal documentation concerning how I can use it and what I can do with it. Then again, maybe lawyers might see that differently.

    All I know is that when it comes to outsourcing, it's usually a gain in labour flexibility and cost effectiveness at the expense of a higher risk for the disclosure of sensitive information, be it data or security rights. It's a cost that employers can willfully ignore if they so choose, but again, I think it's just bad business practices. Full employees have a far greater vested interest in the success of their employer and are far less likely to do stoopid things that one-off contractees have been known to do. That is, full time employees are more likely to consider the legal and financial implications of how they go about providing solutions for product development. Employers hate to admit it, tho, because it highlights the downside of their utopian flexible labour force in which there exists little job security for the people actually doing the gruntwork.

    --
    "Old man yells at systemd"
  17. California SB 1386 by JohnsonWax · · Score: 5, Insightful

    California has a bill designed to deal with these situations, though it's not clear if it would apply to this specific situation.

    http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

    The problem is that the bill is designed for data theft, not for dipshits giving it away for free. Nevertheless, the bill requires that consumers whose data has been stolen be notified through viable means - email, letter, public notice if they can't be identified. Fines to the company for not doing this and the person responsible for the data is open to civil action.

    The main problem I see from the article is that the impacted individuals may not be notified, which is just wrong. Granted, this kind of thing probably can't be prevented (minimized, yes, stopped, no) but there's a right way to address the problem and a wrong way. At least notify the affected people of what's happened.