Roger Clarke's ICAC '92

Practicalities of Keeping Confidential Information on a Database With Multiple Points of Access : Technological and Organisational Measures

Roger Clarke

Director, Community Affairs Board, Australian Computer Society

Vice-Chairman, Australian Privacy Foundation

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of September 1992

© Xamax Consultancy Pty Ltd, 1992

This paper was invited for a Seminar of the Independent Commission Against Corruption of the State of N.S.W. on 'Just Trade? A Seminar on Unauthorised Release of Government Information', Sydney Opera House, 12 October 1992

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/PaperICAC.html


Abstract

The nature of unauthorised releases of personal data is analysed. Technological measures are described which can assist in restraining such abuses. Security cannot be achieved by technical means alone, and organisational measures necessary to complement the technical devices are discussed. Established information privacy standards demand that organisations establish, implement and monitor a data security strategy and procedures.

Any organisation with a will to permit unauthorised access, or a lack of will to prevent it, can readily undermine all of the other measures by tolerating one faulty link in the chain. Organisations in both the public and private sectors have shown themselves to be unable to exercise effective self-restraint. Governments which seek to protect their citizens against abuse of individuals' information privacy interests are left with no option, other than to establish legislative standards, empower a permanent watchdog, and make officers and directors personally responsible for action and inaction which results in significant abuse.


Introduction

Between 1990 and 1992, the N.S.W. Independent Commission Against Corruption (ICAC) conducted an investigation into allegations concerning widespread unauthorised access to personal data. It concluded that "information from a variety of State and Commonwealth government sources and the private sector has been freely and regularly sold and exchanged for many years ... A massive illicit trade in government information ... has been conducted with apparent disregard for privacy considerations, and a disturbing indifference to concepts of integrity and propriety ... Laws and regulations designed to protect confidentiality have been ignored ... [Even where criminal sanctions existed], information ... has been freely traded" (ICAC 1992, pp. ix, 3, 4).

The Commission found 155 identified individuals to have engaged in corrupt conduct (p.92-94), and 101 others in conduct liable to allow, encourage or cause the occurrence of corrupt conduct (p.94-95). Many of these were private investigators, who facilitated the trade in personal data. Many others were employees of government agencies who passed data to unauthorised recipients. Some substantial corporations, listed in Exhibit 1, were also found to have been directly involved.

Exhibit 1: Substantial Corporations Which ICAC Found To Have Engaged in Corrupt Conduct

 Citicorp Australia Ltd              Toyota Finance Aust. Ltd

Which ICAC Found To Have Engaged in Conduct Liable To Allow, Encourage Or Cause The Occurrence of Corrupt Conduct

Advance Bank Aust. Ltd              Government Ins. Office
ANZ Banking Group Ltd               Manufacturers' Mutual Ins. Ltd
Commonwealth Bank                   New Zealand Insurance
National Australia Bank             NRMA Insurance Limited
Westpac Banking Corp.               Caltex Oil (Aust.) Pty Ltd
Custom Credit Corp'n Ltd            Mayne Nickless Trans. Mgt
Esanda Finance Corp'n Ltd           Telecom Australia

Which ICAC Found To Have Been Sources of Unauthorised Releases of Data

N.S.W. Dept of Motor Transport      Australian Customs Service
  (now Road and Traffic Authority)  Australia Post
N.S.W. Police                       Department of Immigration
Prospect County Council             Department of Social Security
Sydney County Council               Health Insurance Commission
Telecom                             Credit Reference Association

This paper's purpose is, at the invitation of ICAC, to consider the technological and organisational measures necessary to protect personal data against unauthorised access. The paper addresses only that narrow purpose. It therefore remains silent about the many other aspects of a comprehensive strategy for information privacy protection, such as data collection, data retention, public access to information about data practices, and subject access to data about themselves. It even excludes discussion of topics closely related to data security, and in particular data integrity, data quality, and how and why data access by third parties is authorised.

The paper commences by presenting an analysis of the unauthorised releases of personal data, drawing upon material throughout the Report and in the summary (pp.157-162). The remainder of the paper discusses technological and organisational measures whereby unauthorised release can be minimised. The interdependence of the two kinds of measure is stressed. The need is underlined for data security strategy and procedures to be established at both the levels of individual organisations and of Government.


An Analysis of Unauthorised Releases

There is a variety of ways in which data can reach a person or organisation not authorised to receive it. The release of personal data involves an action by a Person performing a Role, with one or more Motivations, and on behalf of one or more Beneficiaries. Categories of Role, Motivation and Beneficiary are shown in Exhibit 2, with those categories which are in themselves unauthorised shown in boldface type.

A release is unauthorised if any of the role, motivation or beneficiary is in an unauthorised category; for example, a disclosure is unauthorised if it is by an employee acting on behalf of an authorised recipient, under a data interchange agreement, but to an organisation which does not have authority to receive the data. Categories of unauthorised access which are documented in the ICAC Report are identified with an asterisk.

It is noteworthy that no instance appears to have come to light in ICAC's investigations in which new access mechanisms were involved; all cases involved active breach of safeguards by the staff of an organisation authorised to directly access the data, negligence (in the sense of failure to implement safeguards), and/or exploitation of the inadequacies of safeguards.

A data security strategy must of course address the risk of active breaches by outsiders using 'high-tech' approaches. The empirical evidence provided by ICAC's investigations makes clear, however, that strategies must also address breach by outsiders using simple techniques, and abuse by insiders of the power they have as a result of the positions they occupy.

Exhibit 2: The Release of Personal Data
A Classification Scheme

Role

Motivation(s)

Beneficiary/ies

Notes.

  1. Bold type indicates unauthorised categories.
  2. An access is unauthorised if any aspect of it is in an unauthorised category.
  3. An asterisk indicates categories documented in ICAC (1992).

Alternative Data Security Strategies and Measures

Exhibit 3 identifies a range of approaches which can be adopted in establishing a strategy whereby data security risks can be managed. In order to implement a data security strategy, an appropriate set of measures must be selected from the wide range of control procedures which are already documented and well understood, or which can be devised to meet particular needs. A (far from exhaustive) list of generic measures is shown in the Appendix to this paper. It is not suggested that all of these are needed in any particular organisation; some are alternatives, some are more expensive than others, and some are only applicable in particular circumstances.

Exhibit 3: Generic Risk Management Strategies

Proactive data security strategies can be implemented through such measures as the following:

Examples applicable to reactive strategies include the following:

The one generic strategy which has little place in a personal data security strategy is tolerance of errors and abuses. This is because the data-holder is in a poor position to judge the degree of sensitivity of data to each of the many data subjects.


The Granularity of Data Security Measures

Differing degrees of protection can be achieved, depending on the rigour with which security measures are implemented. The effectiveness of login-id protections, for example, vary from meaningless to substantial. To be more than merely a placebo, login-ids must have data access restrictions associated with them which are appropriate to the functions the individual performs; for example, an attempt by a staff-member to access data about a person whose address is outside the staff-member's legitimate area of geographical interest should be subject to additional control measures, such as exception logging followed by investigation of staff-members who exhibit a pattern of out-of-area accesses, and on-screen warning to the staff-member to that effect. Moreover, login-ids should not be the only filtering mechanisms to restrain data access; the location of the workstation at which the person has logged in should also be a criterion.

An effective data security strategy must also embody control mechanisms over login-id usage. Multiple concurrent uses of the same login-id should be subject to controls, at the very least exception reporting and investigation. So too should significant variations in patterns of use, and use from unusual locations, especially distant ones. Login-ids should be disabled during periods of absence, and after significant periods of non-use. Use by persons other than the individual to whom it belongs should be actively discouraged, through the organisation's disciplinary mechanisms.

Beyond the limited protection given by login-ids, organisations need to give serious consideration to the use of a token which staff-members must use in order to gain access to the system. Although it is tenable to design such a system using magnetic-stripe cards, chip-card (smart-card) technology is potentially superior. A further alternative is physiological or 'biometric' forms of identification, which can make the use by a person of another person's login-id still more difficult.

Even with chip-cards, passwords are necessary, to ensure that the person in possession of the token also knows something that only the owner of the card should know. But even passwords provide very limited protection, unless they too are subjected to controls. A significant literature exists concerning password selection and password compromise (e.g. Jobusch & Oldehoeft 1989, Riddle et al 1989). Some of the key requirements are that individuals be automatically forced to change their passwords periodically, and that there be active measures in place to discourage trivially discoverable passwords, e.g. ones which are excessively short, repetitive, or spell common words or names (especially the name of the person concerned or their login-id).

And yet the simplest ways in which workmates' passwords can be discovered are to look in their top, right-hand drawers or on the sides of their workstations, express curiosity over whether they use a 'sneaky' code, watch them key it, or just ask them. Technological means must be considered, whereby the risk of captured passwords can be addressed. One example is keying dynamics, whereby not only what is keyed is tested against pre-recorded data, but also how it is keyed, e.g. the delays between the keys being struck.


Application to Weaknesses Identified in the ICAC Report

Focussed as it necessarily was on matters involving corruption, the ICAC investigation may not have discovered all of the ways in which personal data is leaking from the organisations concerned, and certainly did not address all of the databases which are access in an unauthorised manner. Nonetheless, it is important to assess the extent to which the ICAC-revealed sub-set of abuses could be addressed by conventional or readily contrived data security measures.

Persons normally without access to the data are gaining access by acquiring or assuming an id, most commonly by telephone-call into a location which does have access. Without studying the details of the particular cases, it is apparent that various counter-measures could be applied; for example:

Cases in which persons who normally do have access, but who abuse their position of trust, are more challenging to control. Nevertheless, various possibilities exist; for example:

Finally, all of these measures require subsequent action. Breaches must be detected. When a breach is detected, action must be taken to deal with the offender, and to publicise the sanctions applied to the offender, thereby achieving a deterrent effect on others. Sanctions can only be applied where there is a legal, employment agreement or other contractual basis. Sanctions will only be applied where the organisation has a data security strategy, measures in place to implement that strategy, and a genuine commitment to enforce it.


Technological and Organisational Measures

It is apparent from the above discussion that some protective measures necessarily involve automated activities, such as testing of login-ids, testing of the degree of logging of accesses and analysis of logs. Caelli (1992) explains the large amount of work which has been undertaken in relation to the formalisation of security requirements in computer-based systems. Many other measures, however, are, or involve, human actions.

Technological measures alone can never be a sufficient implementation of a data security strategy; they must be complemented by organisational measures. Similarly, organisational measures can be easily forgotten, abused and subverted; technology needs to be applied to address those human weaknesses. An organisation's data security strategy must comprise an integrated set of technological and organisational measures.


Establishing a Data Security Strategy and Measures

Because of the importance of personal data security, a professional approach must be adopted. Objectives need to be defined, a strategy devised in order to achieve those objectives, measures designed and deployed to implement the strategy, and a monitoring mechanism established and maintained to assess performance against the objectives, and modify the strategy and measures as necessary.

Under such key terms as risk assessment, risk management, contingency planning and accounting controls, a substantial body of knowledge has developed in recent years. Data security is seldom the sole focus of risk assessment; indeed neither is security generally. Instead, risks to the continuity and quality of services and the integrity and security of both data and operations are generally all considered in an integrated fashion. In addition to specialist books on the topic, data processing audit texts provide discussions of the issues involved, and frameworks for establishing data security strategy and procedures.


Controls Over Controls

The 'corporate citizenship' philosophy claims that organisations can be expected to be responsible for the propriety of their own activities. Quite apart from the alarming contrary evidence in the ICAC Report, many other instances have become public during the last few years in which corporations and government agencies have acted in manner more cavalier than responsible. For many, if perhaps not all, organisations, an external control is necessary to ensure that internal controls are created and maintained.

The 'industry self-regulation' philosophy claims that the excesses of corporate transgressors can be controlled through self-regulation, either by the marketplace (transgressors will be found out by and disciplined by customers, who will take their trade elsewhere) or by their peers (the relevant industry and/or professional association will feel itself and its other members to be disadvantaged by the transgressor's actions, and will have and use the power to discipline them). In competitive industries, the evidence is that neither of these mechanisms provides adequate protection against abuses of personal data.

Unless stimulated to do so, organisations will not spend the money and effort necessary to protect personal data. Industry self-regulation must be bolstered by statutory requirements on all organisations. Such requirements will only be meaningful, however, if they are enforced. Overseas experience has demonstrated quite clearly that leaving enforcement to data subjects (by suing transgressors in the courts) is largely futile (Flaherty 1989). If it judges the personal data privacy of its citizens to be a matter if importance, the Parliament of N.S.W. must not only establish statutory requirements, but establish, empower, and ensure funding for, a specialist body to enforce the law.


Conclusions

As a result if its investigations, the ICAC Report makes a series of recommendations to the N.S.W. Government (ICAC 1992, summarised at pp. 217-221). Of direct relevance to the question of data security are:

  1. Security of all information storage and retrieval systems should be constantly monitored, and where necessary updated and improved.
  2. Access to protected information should be strictly limited, and an efficient system maintained to enable the persons responsible for all accesses to be identified.
  3. Unauthorised dealing in protected government information should be made a criminal offence.

The Report reinforces the necessity for all organisations which handle personal data to establish data security strategies. Such strategies must not focus on 'high-tech' intrusions at the expense of abuse of their position by insiders and straightforward breaches by outsiders.

This paper has further argued that each organisation's strategy must reflect the considerable body of knowledge about data security. It must also incorporate a web of organisational measures, complemented by technological measures. Because failure to implement or enforce key elements can be expected to compromise data security, the strategy must also include internal control mechanisms to detect, and facilitate the investigation of, errors and abuse.

Particularly after the ICAC Report, it would be naive to expect that organisations will devise and enforce such strategies of their own accord. It is essential that the Parliament of N.S.W. create external controls to encourage organisations to comply with society's expectations. In the absence of externally imposed standards, and enforcement of those standards, improvement in the present privacy-invasive practices cannot be expected.


Bibliography

Caelli W. (1992) 'Evaluating System Security - Now A Requirement' Two-part article in Professional Computing 78 and 79 (July/August and September 1992) 24-28 and 13-19

Caelli W., Longley D. & Shain M. (1989) 'Information Security for Managers' Macmillan, 1989

ICAC (1992) 'Report on Unauthorised Release of Government Information' Independent Commission Against Corruption, Sydney, 3 Volumes, August 1992

Jobusch D.L. & Oldehoeft A.E. (1989) 'A Survey of Password Mechanisms: Weaknesses and Potential Improvements' 2-part paper in Computers & Security 7 and 8 (1989)

Longley D. (1989) 'Data Security' in Caelli et al, 1989, pp.1-80 and 383-4

Riddle B.L., Miron M.S. & Semo J.A. (1989) 'Passwords in Use in a University Timesharing Environment' Computers & security 8 (1989) 569-579


Appendix: A Smørgåsbord of Technological and Organisational Measures To Reduce Unauthorised Access

Legal / Contractual Context

Physical Access Restrictions

Logical Access Restrictions

Immediacy of Warning As To the Legality of the Action and Consequences

Positive Acknowledgement

on a routine basis, or only when an exception has been encountered

Audit Trail of Accesses

Audit Trail Analysis


Navigation

Go to Roger's Home Page.

Go to the contents-page for this segment.

Send an email to Roger

Created: 6 May 1996

Last Amended: 22 August 1998


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of
Engineering and Information Technology,
Information Sciences Building Room 211
Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St
Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916