
What I'm Telling US Congress about Data Breaches - robin_reala
https://www.troyhunt.com/heres-what-im-telling-us-congress-about-data-breaches/
======
GrinningFool
Something I would have liked to see - but perhaps this letter wasn't the right
place.

Let's talk about how the ubiquitous use of SSN and credit reports puts a
massively unfair burden on every US citizen.

Right now, it's _all on me_. I need to safeguard everything related to my
government-issued nine digit ID that I never asked for - yet is somehow
accepted as my financial identity, well beyond its intended scope.

If I fail to do so, or if I fail to aggressively identify fraudulent use of it
by monitoring reports from 3-4 different agencies, it's _on me_. It's _my_
credit that's screwed.

It's hard to emphasize enough how unreasonable that is. This isn't a house or
other piece of real property that's in my control - it's 4 bytes of data that
is assigned to me, but that I fundamentally have no control over.

In spite of that, I am accountable for any and all uses of that data. It's
hours of my life each time a breach occurs - more if it's actually misused.
The assumption of 'bad credit risk unless and until you convince the reporting
agencies that fraud has happened' is a fundamentally flawed one.

I can't opt out. I can only keep spending my time and money to play the game -
because it's the only one in town.

~~~
jaredandrews
Indeed! I have recently been trying to come up with a new term to use instead
of "identity theft" (open to suggestions). As the term itself seems almost
Orwellian to me.

My identity wasn't stolen! You gave a loan/credit card/whatever to someone and
didn't verify who they were. How is your organization not doing the proper
work a "theft" of my identity? I'm not involved and I don't want to be!

~~~
LambdaComplex
"Identity theft" isn't real. It's a term the banks et al. use so that they can
have less responsibility.

Example: Someone opens a bank account using your information. That's fraud.
Someone lied to the bank, and the bank believed them. That's the bank's
problem. But by pointing at you and saying "Your identity was stolen" (using
the term "stolen" to make it seem like this is similar to the theft of a
physical object), it suddenly seems like it's your problem.

~~~
LeifCarrotson
> It's a term the banks et al. use so that they can have less responsibility.

I agree that it's misleading, but have to concede that whoever first came up
with that term must have been an expert in framing and spin. There are few
words that so effectively distort the discussion as "identity theft".

~~~
romwell
Indeed. When one thinks of "identity theft victims", one doesn't think of a
bank.

But it is the bank, it should be! When a bank is robbed, its clients aren't
the victims. The bank is. The clients aren't giving money to the bank for
nothing in return; what they get in return is assurance of safety and
availability (otherwise, that would be a loan, not a deposit). Spinning the
failure to deliver on that obligation as the client's problem is indeed great
PR work.

------
thisisit
In case someone is wondering, the previous post - "I'm Testifying to Congress
about Data Breaches – What Should I Say?" was discussed here:

[https://news.ycombinator.com/item?id=15751344](https://news.ycombinator.com/item?id=15751344)

Some of the replies really touch upon what can go wrong with government
regulation.

That said, I do really want something done about this:

> An attitude of “data maximisation” is causing services to request extensive
> personal information well beyond the scope of what is needed to provide that
> service

Stop collecting information which is not required. Most of this information
ends up in some form of advertisers/advertisement in guise of creating "more
engagement with users".

~~~
ashark
IMO there should be expensive data breach bond/insurance requirements for any
company storing data about people, scaled by how much and possibly which kinds
of data are stored. Discourage holding a bunch of stuff "just in case".

And FFS, at least outlaw the required arbitration BS for data breaches. Let
the bond or insurer pay out when it happens, then jack up their prices on the
breached company until they cry.

~~~
pc86
By "until they cry" I assume you mean "until they can no longer continue
passing the costs directly to the consumer, at which point they simply go into
bankruptcy and reincorporate 6 months later at the lower insurance rate?"

~~~
abakker
If the data you hold as a business is so valuable that the insurable risk of
loss is too expensive for your business, then ask, "do we really need to hold
that data?" If your business needs to pass that on to consumers because you
can't afford the hit to your margins, then consumers need to ask, "is
[service/product] really worth that much to me?"

The downside is that the most critical components of information which tie to
identity itself, are the ones that businesses most commonly need to hold to
verify identity. More challenging is that without a way to modify identity
data (i.e. change your SSN), the insurable risk is huge because it needs to
include a discounted cost of identity monitoring forever, and the cost of the
individual losses that someone might encounter for the loss of that data. Then
of course, if a person's identity is compromised more than once, how do you
discount the responsibility across multiple careless parties?

IMO it all comes down to never using immutable information (Name, DOB, etc) to
firmly define identity online. That information should be for display purposes
only. At the backend, we need an identity that is tolerant of change, and can
easily be updated if it is ever lost. In reality this will probably mean that
instead of an ID, we have ID probability, which would include photos,
addresses, ID numbers, Credit card account access, and companies that needed
to verify it would be able to evaluate how certain they were the identity was
real, and to insure against mishandling of the individual components of
information.

~~~
ashark
> The downside is that the most critical components of information which tie
> to identity itself, are the ones that businesses most commonly need to hold
> to verify identity. More challenging is that without a way to modify
> identity data (i.e. change your SSN), the insurable risk is huge because it
> needs to include a discounted cost of identity monitoring forever, and the
> cost of the individual losses that someone might encounter for the loss of
> that data. Then of course, if a person's identity is compromised more than
> once, how do you discount the responsibility across multiple careless
> parties?

If it gets expensive enough, maybe banks and CC companies and such will
finally get off their asses and fix the whole "identity theft" issue. That's a
feature, not a bug.

I think the US is too allergic to anything with even a whiff of "secure
national ID" for us to let the government fix it, so this is the next best
(or, better, depending on your perspective) option. I frankly don't care how
we do it, but it's really stupid this is still a thing people have to worry
about, and making it cheaper for the banks to fix it than not to fix it seems
like the most politically viable solution.

~~~
abakker
Agree completely. Personally, I was hoping that Visa, MC, and Amex together
could just create a new standard "financial ID number" or "Credit ID Number"
that they could collectively agree on and we could all just kind of ignore the
government. CC numbers themselves are almost good enough in the first place,
they just need to get a little more self-referential.

Hell, maybe they could even use a distributed ledger to do it and bring in the
credit reporting agencies too.

~~~
gizmo686
>we could all just kind of ignore the government.

You mean the government that spent 26 years printing "NOT FOR IDENTIFICATION"
on the bottom of every social security card.

------
ndesaulniers
Very cool to see Troy use my suggestion:

from [https://www.troyhunt.com/im-testifying-in-front-of-congress-in-washington-dc-about-data-breaches-what-should-i-say/](https://www.troyhunt.com/im-testifying-in-front-of-congress-in-washington-dc-about-data-breaches-what-should-i-say/):

"Troy, to your point "Data breaches can take years to discover," I think it's
helpful to put in layman's terms that breaches are closer to making
photocopies where there are now two people in possession rather than a theft
where the owner is deprived of access. How do you detect that a document has
been photocopied?"

In the final (this link):

"However, unlike a physical commodity, the trading of data breaches replicates
the asset as each party retains their original version, just like making a
perfectly reproduced photocopy."

:)

To expand on my point and

> We Often Don’t Know Until Years Later

You notice someone's stolen physical property from you, because you are
deprived of it.

You don't notice someone's stolen digital property from you, because now there
are more copies of it.

(maybe "stolen" and "property" aren't the correct terms to use for digital
assets?)

~~~
dragonwriter
> (maybe "stolen" and "property" aren't the correct terms to use for digital
> assets?)

Stolen is _rarely_ the right word (that is, it's possible to steal digital
assets, notably if also stealing the physical medium on which they are stored,
but usually the term is used in only a loosely figurative sense), but
“property” is often correct; there are all kinds of nonphysical property that
share important features with physical property, and there are equally
important distinctions within classes of tangible property as between tangible
and intangible property.

------
glitcher
While he presents a great overview of all the problems with static knowledge
based authentication, I get the feeling that the very fact that this hearing
was called for implies there is already a strong consensus that the current
status quo is a big problem. To me it falls a bit short because he primarily
elaborates on the details of the problem without offering any suggestions on
how to move forward towards a solution. I mean, the details may help
understanding which could inform improved policy, but these politicians also
need guidance on what actions to consider.

~~~
mtgx
Indeed, and if impartial security experts won't offer them, the politicians
will have to rely on corporate lobbyists to write their own rules and
penalties affecting those companies.

~~~
kbenson
I believe the scope of what he was asked to address might not have included
suggested solutions, beyond the obvious "don't suggest all the stuff I'm
saying is causing a problem."

He does specifically go out of his way to say, in bold and isolated text, _Do
keep in mind that the context here is the impact on identity verification in
"a post-breach world"._

------
rrggrr
Nice overview, but more importantly, what will Troy say when members ask him
for solutions. Notably absent are details on whom to hold accountable, how to
hold them accountable, and what penalties should be in-place.

------
kinkrtyavimoodh
I don't mean to sound cynical (as in, this is a genuine question) but do these
hearings amount to anything more than political grandstanding so that the
relevant Congresspersons can claim to have been 'tough' on whatever topic was
discussed?

~~~
mythrwy
Off topic but I just have to say it.

There isn't a damn thing wrong with being cynical. Cynicism (at whatever
level) is a very valid philosophy and no one should have to apologize for
having it.

[http://richardbayan.typepad.com/the_cynics_sanctuary/cynicis...](http://richardbayan.typepad.com/the_cynics_sanctuary/cynicism/)

~~~
mythrwy
^^ For proof of cynicism's legitimacy see downvotes.

Some people think motive and human nature should be viewed with rose colored
glasses. Many people urging others to hold this viewpoint stand to gain by
advocating it. But not me. I expected.

Back to the original off topic point. Don't apologize for being cynical. It's
a mental model that is quite often accurate.

<edit because I really have to get this off my chest as it's so annoying>

Here's what I think. I think you have _observed_ a pattern of hearings that
appeared to be little more than political grandstanding. And maybe you haven't
_ever_ observed a hearing that was anything different, as in, designed to get
to the bottom of something and produce results. If the above is true you
understandably expect a continuation of the same pattern. Yet you feel the
need to apologize for this perfectly intelligent and rational expectation.
Why? Possibly because you have been conditioned against being "negative" and
led to believe that cynicism is somehow evil? Well I just have to say... Fuck
That! You are right from what I can see.

------
dstroot
Troy: HUGE kudos for how you managed such an open and transparent process.
Don’t recall any other examples of such inclusiveness and openness for a
senate testimony. Bruce Schneier did a good job sharing his testimony after the
fact but you went all in.

------
ChuckMcM
It is unfortunate that he uses "date of birth" and "home address" as exemplars
of information that is "of no use to the service." That is because these two
pieces of information are most frequently used to establish that the user is
of the age of majority (an adult) and under which set of licensing regimes is
the product operating. Both of which may be critical to the function of the
service.

Much better examples would be "Gender" and "telephone number".

I completely agree with the notion that data maximization (or aggregation of
meta data associated with a unique ID) are the roots of many evils and risks.

~~~
PeterisP
Verifying jurisdiction doesn't require you to know the whole address, just the
country code and possibly the state.

Verifying if someone is legally an adult doesn't require you to know the exact
age and definitely not the birthday, simply "yes" would be sufficient.
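
As an added illustration of the point above (example code, not from the post or from the testimony): a sign-up handler that takes the full date of birth and address the form asks for, derives only the jurisdiction and a single "is an adult here" claim, and stores nothing else. The rule table, the form fields and the country codes are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed rule table for the example: minimum age to use the service, by country code.
MIN_AGE = {"US": 21, "GB": 18, "DE": 16}


@dataclass(frozen=True)
class SubmittedForm:
    """Everything the sign-up form asks for (constructed fields for the example)."""
    name: str
    dob: date
    street: str
    city: str
    region: Optional[str]
    country: str


@dataclass(frozen=True)
class StoredRecord:
    """What the service keeps. No name, no date of birth, no street address:
    only the two claims the service actually acts on."""
    country: str
    region: Optional[str]
    is_adult: bool


def years_between(born: date, today: date) -> int:
    """Completed years between two dates. The comparison is done on (month, day)
    tuples rather than via born.replace(year=today.year), which raises for a
    29 Feb birthday in a non-leap year; under this rule such a birthday counts
    as reached on 1 Mar."""
    years = today.year - born.year
    if (today.month, today.day) < (born.month, born.day):
        years -= 1
    return years


def minimize(form: SubmittedForm, today: date) -> StoredRecord:
    """Derive the two claims and discard the rest of the form.

    Storing is_adult instead of the date of birth is only safe because the claim
    is monotonic: once true it stays true. A threshold that can be crossed the
    other way (for example "is under 13") would need re-evaluation, and then a
    stored boolean would be wrong."""
    country = form.country.strip().upper()
    if country not in MIN_AGE:
        raise ValueError(f"no age rule for jurisdiction {country!r}")
    region = form.region.strip().upper() if form.region else None
    is_adult = years_between(form.dob, today) >= MIN_AGE[country]
    return StoredRecord(country=country, region=region, is_adult=is_adult)


def evaluate(dob_iso: str, country: str, region: Optional[str], today_iso: str) -> StoredRecord:
    """Convenience wrapper taking ISO dates; the fields that get discarded anyway
    are filled with placeholders."""
    form = SubmittedForm(name="(discarded)", dob=date.fromisoformat(dob_iso),
                         street="(discarded)", city="(discarded)",
                         region=region, country=country)
    return minimize(form, date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(evaluate("2003-02-28", "us", "tx", "2024-02-28"))
```

The StoredRecord is all that reaches the database and the logs; the raw form lives only for the duration of the request. Whether a 29 Feb birthday is reached on 28 Feb or 1 Mar in a non-leap year is jurisdiction-specific, so that rule is the one place the code takes a position.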

~~~
ChuckMcM
I don't disagree with your analysis, however I have been informed that there
are reasons for asking things this way. At a class for booth volunteers for
selling alcohol for example we were told to ask for someone's birthday rather
than their age. The reasoning in that training was that someone could quickly
lie about their age but they had to work at it to back compute a birth date
that would fall within the range of legal drinking age and not be ridiculous
for someone of their apparent youth.

I am not saying that this is a reason that everyone uses for asking these
questions obliquely. I am simply sharing a situation for which I was
explicitly told that was the reasoning behind asking the question in that way.

~~~
vageli
There is usually no time constraint when filling out an online form. And I'd
imagine the physical nature of the in-person alcohol exchange allows the booth
operator to evaluate the physical response of the person being asked. All of
this is to say, while I understand the idea in physical exchanges, to me the
logic breaks down when I can find a completely valid and full address on
Google maps in a couple of seconds (assuming one of the reasons they ask for
full address is the difficulty in generating at random a valid address that
exists).

------
btilly
I'm replying in the hope that Troy Hunt reads it, because I am commenting too
late for conversation to happen.

This presentation involves a lot of complex terminology from the get go. This
keeps it from engaging people's logical brains, and means that you are too
easy to ignore. Our first pass at analyzing people is to figure out whether
they can be safely ignored. This response is well before rational thought, and
the part of our brain that decides it is unable to handle complex language. It
doesn't matter how right you are, you are literally not heard.

You can't fix the document. But you'll be talking in person to lawmakers. You
can address the challenge there.

Don't open with something like, _Data breaches occur via a variety of
different “vectors” including malicious activity by attackers exploiting
vulnerabilities, misconfiguration on behalf of system owners and software
products intentionally exposing data by design._

Open with something like, _Anyone can steal your identity. Your wife's as
well. My site shows you some of the security breaches that criminals can use
to pretend to be you. Nobody knows how many more are out there._

Make it simple and straightforward. Make the threat personal. This requires
their full attention to figure out what you are saying. That makes their
logical brains connect.

Good luck. You have an important message and I really hope that they hear you.

------
cabaalis
I hope some good comes from this testimony. I help run a product that works
with a tremendous amount of data. I welcome additional accountability as well
as the security that would come from knowing that any regulatory requirements
are properly met.

On a second note, will this be the historic first time anyone says the word
"Pwned" before congress?

------
maxxxxx
I hope they won't use the hearing for blaming foreign adversaries that need to
be fought with offensive capabilities. It should be made clear that the
problems are homegrown.

------
FiveSquared
I have an amazing idea. Why not let the companies be liable for their own data
breaches. Wow, what an amazing idea! /s

~~~
syshum
Liable how? And to what extent, the idea "let the companies be liable for
their own data breaches." sounds good until you think about it for more than 10
seconds.

Identity Fraud is not normally carried out using just 1 breach, so it is
several breaches combined that give a criminal what they need to commit full
Identity fraud.

Credit Card Fraud can almost never be traced back to a single breach.

Are you holding the company that collected the data, or the company that the
data was stolen from liable, often times these are not the same entities.

I can probably come up with about 1000 other things to bring up in relation to
"let the companies be liable for their own data breaches."

------
sova
I'm glad you hit the main points, but you did not offer any solutions, and I
think partial encryption is one that is really important to lay out. Our
social security numbers and valued information (that cannot be changed, like
where you were born) need to be encrypted all the time, not just when
convenient.

~~~
loeg
Encryption doesn't really help when 1/3 of Americans' SSNs have been
publicized already. It's shutting the barn doors after the horses are long
gone. SSN needs to be at most a username, rather than a credential.

~~~
sova
True, but whatever supplants SSNs must be safeguarded via partial encryption.

------
cdevs
Clear and to the point, hopefully sparks conversations about how to fix these
issues moving forward.

------
feelin_googley
"4\. An attitude of "data maximisation" is causing services to request
extensive personal information well beyond the scope of what is needed to
provide that service. That data is usually then retained for perpetuity thus
adding to an individual's overall risk."

And HIBP is an example of this attitude because it collects data dumps and
then (at least) collects and retains user-submitted email addresses and a
record of presence/absence of such "live" email addresses in the data dumps.
This is beyond the scope of what is needed to provide the service, namely,
copies of the data dumps available for download. The user need not share their
search terms with any third party, such as HIBP. A means to search these dumps
locally (offline) without sharing the searches with third parties such as HIBP
exists. "Online tools" are vectors for gathering the sort of data that is
later the subject of "data breaches". Offline tools do not suffer from this
problem.

"6\. Data breaches are redistributed extensively. There's an active trading
scene exchanging data both for monetary gain and simply as a hobby; people
collect (and thus replicate) breaches."

HIBP is collecting and thus replicating data breaches for "monetary gain" or
"simply as a hobby"? Or is it something else?

As above, HIBP does not provide users with the data dumps they need to check
them locally (offline) without contributing more data to third
parties in the process (e.g., working email addresses, associated search
terms, associated originating IPs, etc.).

Further, users are not provided with transparency into what HIBP is doing
i.e., what it is storing and how and where it is stored. Users cannot evaluate
the security practices of HIBP as yet another online repository of sensitive
user data that by virtue of its existence could be a target.

In summary, what he is not telling US Congress is that 1. "online services" or
so-called "online tools", HIBP being one, are a major part of the problem and
2. there are alternative solutions, i.e., offline service and offline tools,
and what HIBP provides is an excellent example of where an online service is
unnecessary and is collecting large amounts of user data, unnecessarily.

Addendum: "What I'm telling you" is that I believe the problem is _data
collection_. Any "solution" which collects data, and in this case data it is
not supposed to have (e.g., a data breach), then collects more data (e.g.,
metadata) from users and finally asks users to trust the "new collector" is
not a solution, IMO. Especially where the new collector shares no _technical
details_ about his operation (e.g. storage of user data). This practice
ignores simple, obvious solutions to the problem of data collection, such as
performance of tasks offline which if performed online would likely lead to
the collection of user data. It reinforces the mindset that perpetuates the
problem: that data collection and trusting third parties is _always_
necessary.
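
The offline check the comment above argues for, as an added example (not from the comment, from HIBP, or from the testimony): index a local copy of a dump as hashes of normalized addresses, then answer "is this address present" without the query, the result or the client's IP leaving the machine. The sample dump is constructed. The block also shows a prefix-bucket query, a way to limit what a remote service learns when a fully offline check is impractical; that design is an addition here, not something the page describes.

```python
import hashlib
from typing import Iterable, List, Set, Tuple

# Constructed sample dump in the loose "email:password" style of credential dumps,
# with inconsistent casing, whitespace and a comment line. Not real data.
SAMPLE_DUMP = """\
Alice.Example@Example.com:hunter2
  bob@example.org : correct horse
carol@example.net:
# comment line to be ignored
"""


def normalize_email(raw: str) -> str:
    """Dumps and providers treat the address case-insensitively; match the same way."""
    return raw.strip().lower()


def email_hash(email: str) -> str:
    return hashlib.sha256(normalize_email(email).encode()).hexdigest()


def build_index(lines: Iterable[str]) -> Set[str]:
    """Index a dump locally as SHA-256 of the normalized email.

    Passwords are parsed past and dropped, so the index alone answers presence
    questions and the plaintext dump can be deleted once it is built."""
    index: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, _, _password = line.partition(":")
        if "@" not in email:
            continue
        index.add(email_hash(email))
    return index


def is_pwned_offline(index: Set[str], email: str) -> bool:
    """Fully local: no third party sees the address, the answer, or who asked."""
    return email_hash(email) in index


def prefix_query(email: str, prefix_len: int = 5) -> Tuple[str, str]:
    """Client side of a prefix-bucket lookup (assumed design, not the page's).

    Only the first prefix_len hex characters of the hash are sent; the remote
    side learns 4 * prefix_len bits, i.e. which bucket, not which address."""
    h = email_hash(email)
    return h[:prefix_len], h[prefix_len:]


def bucket_for_prefix(index: Set[str], prefix: str) -> List[str]:
    """Server side: return the suffixes of every indexed hash in the bucket."""
    return sorted(h[len(prefix):] for h in index if h.startswith(prefix))


def match_in_bucket(bucket: Iterable[str], suffix: str) -> bool:
    """Client finishes the comparison locally against the returned bucket."""
    return suffix in set(bucket)


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP.splitlines())
    print("offline:", is_pwned_offline(idx, "ALICE.example@example.com"))
    prefix, suffix = prefix_query("bob@example.org")
    print("prefix sent:", prefix, "bucket hit:", match_in_bucket(bucket_for_prefix(idx, prefix), suffix))
```

With a 5-character prefix the server sees 20 bits of a 256-bit hash and a bucket of everything that shares them; it cannot tell which entry, if any, the client cared about. The offline path is stronger still, at the cost of the client holding the index.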

~~~
rrix2
> This is beyond the scope of what is needed to provide the service, namely,
> copies of the data dumps available for download.

you're telling us that you'd rather that HIBP act as a clearing house for
credentials and user information as a result of a data breach rather than
exposing a single bit of information per user ("have i been pwned?")

I, at least, completely disagree with you, regardless of Troy's motives or any
"monetary gain" he receives through HIBP. Troy has been incredibly
transparent, and in fact talks about this very issue on his blog
[https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/](https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/)

