When I was in college I had the best campus job of anyone I knew. I worked for the adminstration as a programmer doing data processing. It paid two dollars more than minimum wage, I could work on my own schedule and best of all, it came with a key to the computing center, which in those prehistoric times had an entire air-conditioned room to house the Dec-10. It can get awfully hot and muggy in Connecticut in the summer and there were places to hide a sleeping bag, so this was no small perk.
The job also came with some responsibility. I had unrestricted access to academic, personal, and financial information for the entire student body and alumni. For a nineteen-year-old, on top of being recognized as an alpha geek, this was heady stuff.
So one day, just for fun, I printed out a sorted listing of the entire student body and their birthdays. It seemed a harmless opportunity to show off. I showed the listing to a friend and she immediately noticed that a roommate of hers had a birthday that week but hadn't mentioned it. She decided to get a suprise party together.
The party was a disaster. It turned out that her roommate was deeply embarrassed about her age, enough to lie about it and never mention her birthday. When the suprise was announced she was mortified and, crying, asked everyone to leave.
There are two lesons here. One, my intention may have been innocent enough but it had unintended consequences that hurt someone. Two, by breaking the rules about disclosure of this information I had violated the trust placed in me when I took the job. The consequences were a good illustration of why the rules were there in the first place.
I was reminded of this story the other day when I came across the affidavit of Badak Pasdar. This statement, which he made on Feb. 28 of this year tells a very disturbing story.
Acting as a computer security consultant in the data center for an unnamed wireless telecommunications company, he comes across a large (DS3, 45Mb/s), unaudited, unsecured network connection leading from inside the wireless telco's secure internal network to undisclosed recipient(s). This is referred to by telco employees as the "Quantico Circuit" (Quantico VA is the location of a 100 square mile marine corps base, including their research center). This pipe gives people on the other side access to everything: they can listen in to any client's phone in real time, track the physical location of their GSM phone, billing records (including who they call), everything. There's no auditing or tracking implemented so no one at the telco can tell precisely what the people at the other end are doing. When he asks where it goes and objects that this really can't be considered an acceptable practice WRT commonly accepted industry security standards, he's told to shut up or get fired.
There's been lots of discussion already (but not enough, IMHO) about the current administration's use of eavesdropping, wiretaps, etc. and the legal, constitutional issues involved. This story affects me in a personal way however because I am (on a smaller scale) often in positions of trust and responsibility with regards to the personal information of other people and I have to make decisions about the specifics of confidentiality all the time. As someone working in medical research I've been to more HIPAA compliance training classes and confidentiality seminars than I care to remember (I have another one coming next week, in fact). And I can tell you, there's a lot of thought and work involved in protecting people's information. Concerns about the identity and medical condition of study participants percolates all the way back up into database schemas and applicaion codes in a "non-trivial" (as we nerds like to say) way. Think separate, secured database instances. The question I have to ask all the time is "where's the line?" How far do I have to go? How much extra work should I do? I have a very simple, effective rule for this:
I follow the law.
A lot of smart, well informed people put a lot of work into drafting the applicable law. It may not be perfect but that's where my society has drawn the line for me. I'm not going to second guess them because I accept the fact that I'm not smarter than the combined efforts of all those administrators, scientists and legislators and because I accept the responsibility that comes with my well-paying, fascinating and enjoyable job.
So now I'm thinking about the people who work in that data center. I can only imagine what it must be like to have access, not to the academic records of two thousand or so students, but to the voice and data communication in real time of millions of American citizens. Intimate conversations, their location, their routines. Are they calling their stockbroker? A lover? A triple X chat line? Where are they? What are they doing? Who else do they talk to? Knowing as I do (something about) how one could use that data it's a scary, almost vertiginous thing to contemplate. What are they thinking when they walk past that network interface unit?
Maybe they're convinced they're doing the right thing. It may be illegal but it's for the greater good. They're informed participants in a critical struggle for the nation's secuirty. The nation has secrets too, and they're trying, to the best of their ability as professionals, to keep those secrets. I'd expect them to be ready to take responsibility and the consequences. Perhaps they (quite) reasonably expect a legal pardon if they were to be prosecuted for breaking the law.
Or maybe not. Consider this exchange from the affidavit:
When DS left, I asked C1 again, "Is this what I think it is?"
"What do you think?," he replied again, smiling.
I shifted the focus. "Forgetting about who it is, don't you think it's unusual for some third party to have completely open access to your systems like this? You guys are even firewallng your internal offices, and they are part of your own company!"
C1 said, "Dude, that's what they want."
I can almost see the smirk. They know. Their bosses know. They don't want to know the details, and they certainly don't want to be held accountable. It's one big wink and the folks at the other end of the cable will cover for them. That's the part I can't accept. I understand the terrible necessities of national security and I'm not so stupid or naive as to think we don't need spies or wiretaps. But this goes over the line that our society has, with considerable debate and effort, defined in law. You can't break the law and violate the public trust that severely because someone with a badge tells you to. The people who've done this are not showing any sense of responsiblity or the gravity of what they're engaged in. There's no sign of remorse. Hell, they told a visiting consultant where the cable goes. No, they're just going along to get along. And maybe showing off a little.
They should go to jail.
I'm not saying ruin their lives. Maybe just for six months. Maybe for one day, sentence suspended. But these individuals, from the tech who hooked up the box to the CEO that approved it, should be "film at eleven." I want to see them perp-walked in handcuffs out of the courthouse by marshalls. They should stand up in front of the whole society and acknowledge what they've done. "Yes, I broke the law, and failed to comply with the ethical standards of my profession. I'm sorry." They should be ashamed of themselves.
Not likely.
No comments:
Post a Comment