A legal case against Wisconsin's largest utility has provided a candid glimpse into a world where employees use detailed company records to snoop on celebrities and ex-lovers. According to this recently published article by the Associated Press, a massive database maintained by Milwaukee-based WE Energies has been routinely …
I worked for a local communication services provider (trying not to definitively identify the company in question here) for a while, and this was not uncommon there either. I didn't do it on purpose but I did actually have to access a prominent local politician's records at one point as part of my duties, and couldn't help but notice rather a lot of adult video on demand purchases...
given that quite a lot of 'Hollywood' film work goes on up here in Vancouver (it's cheaper), people would just search for film stars' names. Quite a lot of them have homes and accounts here.
I suspect this happens at just about *any* company of this kind - electric, gas, hydro, cable, internet, whatever. It's pretty hard to clamp down on basic human curiosity, though it would obviously be better if people didn't do it.
Good old US integrity
Picture this scenario, data collected from all over the EU passed by the ever loyal spooks of England to their US masters. There it sits languishing on servers in the US. The data of USAians is protected by law but Johnny foreigners info is less protected, if at all. What would stop an EU citizen from getting info from that database on another EU citizen via some poorly paid US state employee. Not much apparently.
Why so much information?
Sounds like the real issue is that the database contains way too much information in the first place. Is this another example of marketing wonks over-extending their reach? That seems to have been a lot of the reason TJX was hanging onto too much information for way too long and ended up losing 50 million CC numbers. (Or was it 100 million?)
And why weren't individuals with access restricted as to what data they could retrieve and for which customers? Sounds like everyone had 100% access to everything.
Was this system designed by experienced professionals or did they find the design as a prize in a box of Cracker Jacks?
1. Your systems ***will*** be hacked, no matter what you do, and data stolen from them.
2. Anyone who has legitimate access to your systems ***will*** misuse that access.
*cough* Auditing *cough*
>>>[Milwaukee-based WE Energies' vice president of customer service] Shafer testified that it would be "difficult, if not impossible" to uncover all the instances of misuse.<<<
Excellent audit trail.
>>>A[n unnamed] spokesman said the company has safeguards in place to clamp down on the practice. He declined to name them.<<<
I'm sorry, I have to run and fix my BSometer. It just broke.
Video surveillance example
I work at a company that provides among other things, video surveillance systems, mainly to larger industrial customers. This small EU country that we operate in has clear legislation that dictates who can for example view recorded content etc. I think I recall exactly one case when the customer has actually enforced these rules. We do a lot of these jobs and I've worked for 5+ years in the industry...
Sad, really. It seems that most people here don't even fully understand the consept of privacy.
Not just private utilities in the US
FOAF works for a large public sector IT contractor. He is convinced that the July 7th bombing was some kind of inside job, because he searched the comprehensive government database system he's tasked with maintaining and couldn't find any of the named suspects.
Your first truism; I thought it was more like:
You could be cracked; no matter what you do. The likelihood of this happening is determined by the (apparent) value of the data, combined with the relative difficultly of performing the crack. Sometimes there is 'kudos' element (see yesterdays police attack).
The usual technique for avoiding being cracked is to raise the cost of performing the cracking so that it doesn't represent a good economic value to the cracker. So they go to some lower-hanging fruit. e.g. In the UK the Customs and Revenue service are pretty good at giving the data away...
Oh but the gov. would never has this problem..
They know how to keep your children's fingerprints and dna and medical records and social development profile safe from curious civil servants...
No really, it's not funny.
Want to snoop on your neighbors? Come and work in Wisconsin
Not much use to me. If I have to move to Wisconsin, I'll have different neighbours.
not really a problem though
"While the case focused on the utility, it's not hard to imagine other companies - say, large search engines whose business model depends on storing huge amounts of information about its millions of users - having similar problems."
yes, but the information on search engines is largly publically available, and you can search your own name to find out what is available...
in fact it's the entier business model of search engines to catalog information and make this available for people to search.
Re: Good old US integrity
"Picture this scenario, data collected from all over the EU passed by the ever loyal spooks of England to their US masters.(...)"
Why worry about it...? The disks will get lost by the Royal Mail so they'll never get here.
gee, you think it's only them?
wonder why no one looks into the data storage and usage of the social services/welfare system/socialist wealth redistribution system? There's data in there that NSA would looove to get their hands on.
but just like voting practices in California, no one dares look into fraud and irregularities lest they offend their socialist masters.
Anything for that free handout. All their personal data, account details, spending and grocery habits, criminal records, allegations of crime and even anyone who's been a victim of crime (either on the dole themselves or their attacker was on the system)...and all the same for their dependents, anyone who's ever been in a relationship with them, and their parents and/or former guardians. Plus anyone involved in the foster care system.
All stored in nice State databases, processed by race, age, or even geographical location. Dug thru by contractors and "social workers" who are usually college kids who either finished their MSW, or are "interns". Lots of them (male and female) looking up stuff to "help a friend" or suss out a potential love interest, or worse-to assist a private business whether for skip tracing or some other reason.
But we'll ignore that big elephant. Don't want public trust in the "victim trough" to be damaged, we want people to be afraid of Eevil corporations and Republicans instead. So pay no attention to the Man behind the curtain, hmm?
And don't ask why e-voting hardware was denied by the California public, still installed anyways, and has never come up again to be decertified even with public demand...or why verification of ID for voting is still limited to volunteers checking sheets of printout instead of verifiying thru SS number and ID card...keep looking at Florida instead!
income & medical records ????????
Why in the name of god would an electricity supplier have ANY need to hold income & medical records for its customers ???
RW / Eugene
"And why weren't individuals with access restricted as to what data they could retrieve and for which customers?"
People working support in a call center obviously need access to the records of every customer, because they could potentially have to provide support to any customer. And in most cases you can't restrict what information they have access to see because they need to see it in order properly to support the customer.
Eugene, what he says is perfectly true.
Any time any agent accesses information on a customer he's not actively dealing with, that is basically misuse.
So, how do you detect it all?
You have to go through every instance of access to any customer's records. i.e., you have to audit *every single operation performed* by every customer service agent ever. That is *technically* possible but not practically possible.
It's trivial to, say, find out if anyone inappropriately accessed one given person's records. If Arnold Schwarzenegger thought someone at California Television had improperly accessed his record that'd be easy to check: you look at Arnie's account, note every instance of access to it, and check whether that access was made for a legitimate reason. For a single-customer scenario like that, of course it's easy to check.
But that's not what the guy said. He said it was difficult or impossible to uncover "all the instances" of abuse. This is perfectly true, because *any* customer's account could potentially be accessed improperly, and it is not practical to check every single access to every single account in the system.
Those Darn Socialists!
They are so darn sneaky. To really mess with people they intentionally manipulated the election not once, but twice! Just so the Republic(ans) would win and no one would suspect that the socialists were messing with things. Then, to be really realy sneaky they went and manipulated the Repubic(ans) into wiretapping without court orders! Then they try to deflect our attention on whether a woman is using food stamps by causing poor company executives to commit $billions of dollars of fraud. Yeppers, those darn socialists sure are sneaky. Thank God we have clear thinking and rational people able to lay it all out for us.
Pardon the flame, but I am so tired to inane rhetoric being passed off as rational political discourse.
"Is this another example of marketing wonks over-extending their reach? "
None of the information they listed as being accessible is out of the scope of any utility that supplies on a "use now, pay later" basis - especially an energy supplier: credit information, payment history, income in some cases, bank account numbers (probably enough to steal from them, eh Jazzer :> ), addresses for supply and billing, contact phone numbers, whether they have a dog (not mentioned in the article but standard for every electricity/gas supplier I've ever known), social security number (from what I've read, every business in the USA seems to require that) and, yes, medical information - like "relies on respirator - DO NOT, under any circumstances, switch off their power no matter how far behind they get". (A woman actually died in New Zealand because the power company cut off her electricity, thus shutting down her oxygen machine - and left her family "to grieve in the dark".)
All of that, and possibly more, information LONG before the room-temperature-IQ marketroids start gathering "demographic information" to better assist them in bombarding the client-base with targetted advertising.
Sadly, even with information limited to what is necessary to conduct business (safely, without killing anyone) the potential for abuse by unscrupulous (or just plain nosey) employees is quite high. "Demographic surveys" conducted by some mag-biting barketroid are a whole different can of worms on top of that.
As has been mentioned: Where are their audit trails? Where are the differential access levels to ensure only those who need the data have access to it?
Unfortunately, while charity begins at home, IT security begins next door so many organisations have no proper Information security policies worth a cup of cold puke and everyone down to the janitor has full access to the client database.
The average company is loath to spend money on IT. Upgrading the staff PCs is a low-enough priority, without "wasting money" on determining who needs what access, locking the system down to provide only the appropriate access, setting up audit trails and checking for inappropriate access. Most use outside contractors and the head bean-counter decides that the profit margin is best served by only getting the contractor to throw in a server, cable up a few PCs and printers and make a few generic accounts. Then it gets handed over to an under-paid employee with no formal IT training to create other login accounts as required.
Then something like this happens or the government sends out a team of professional IT auditors (as per the relevant Act) and, surprise, surprise, they find the security is attrocious and the system has been abused for years.
Then, like as not, that same bean-counter (untouched by any semblance of accountability) skimps on the funding again at the behest of the shareholders (also untouched by accountability) when it comes to bringing the system up to compliance.
So long as large amounts of data are held by companies whose primary concern is delivering increased profits to the owners/shareholders rather than delivering quality service and peace-of-mind to their clients, we will have major problems like this.
Tightening up the database and keeping access logs will not prevent unscrupulous staff from misusing information - but it will limit the scope of what they do by ensuring they only ever do something major once (before finding themselves on the client database of the local Welfare organisation...)
Who the fuck needs to worry about intruders?
sorry, socialists are long gone here in Milwaukee
As much as I admire what the socialist mayoral administrations did in their time in Milwaukee, especially Mayor Daniel W. Hoan's capable leadership during the Great Depression, they're long, long gone. The hard right has a lot of power in the media here, although the voters in the city of Milwaukee reject them. (The suburbs are another story.)
As for "Weenergies," well... that's no surprise to hear. I doubt the "open" records had much to do with interim Mayor Pratt's non-reelection, as beloved Congressman Tom Barrett ran for mayor, and is now our very capable mayor. (Granted, it couldn't have helped.) Barrett is certainly not a socialist, but he makes a very good mayor.
>> And don't ask why e-voting hardware was denied by the California public, still installed anyways, and has never come up again to be decertified even with public demand...or why verification of ID for voting is still limited to volunteers checking sheets of printout instead of verifiying thru SS number and ID card...keep looking at Florida instead! <<
Actually, ALL the e-voting hardware was decertified by the California Secretary of State in 2007... Over major objections from many Registrars of Voters. Everybody was forced to go "back" to paper ballots. Our election last month took a few extra days to get the last of the ballots counted, but with the exception of the November mayor's race in Vallejo, I haven't heard of any complaints about it. And THAT race is being questioned because the vote was so close... less than 50 votes separating them. The loser demanded a recount, and when the recount didn't swing the votes back to him, he chose to go to court to have the election nullified. Think he lost that too.
Actually, he should be glad he didn't get the position... Vallejo is trying to figure out how to close a $6 million budget deficit for THIS year, and a probably $12 million deficit next year...
Paris, because she has more sense than to run for public office.
Late Night Larry
@ Jon Tocker
I retired last year from a US government agency which takes IT very seriously. With the exception of the MS Office programs, virtually every other program available throughout the system was on a "need to know" basis to get access. Your immediate manager could not authorize your access, he/she could only send a request up to a higher level, sometimes a VERY high level in the food chain, to get approval. The computers required a login and password to even get on them, and then you would only have access to MS Office. The computers were locked down so that only administrators could install any software, and the only administrator logins were at the district office and the Hell desk. Even to have email access required second level approval. And any program dealing with personnel information was only available to HR staff in the district office or higher. My login was canceled by midnight on the day I retired.
Late Night Larry
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Review Vulture trails claw across Lenovo's touchy N20p Chromebook
- Adobe spies on readers: EVERY DRM page turn leaked to base over SSL
- Analysis The future health of the internet comes down to ONE simple question…