I think the internet just exploded. At least, that’s what I’m thinking based on the number of articles I’ve seen come out in the last few days on the latest hacking scandal involving the Apple iCloud storage system involving “private” stolen celebrity photos of their, uhm, privates. You would think the world was coming to an end, that Russia really had started World War III, that North Korea finally nuked the South (or themselves accidentally). These are not the most important hacking stories or concerns by far, certainly not compared to the massive security breaches of Target, Neiman Marcus, Amazon’s cloud service (that now defunct inBloom was planning to use to store all student data), defense contractors, and various banking institutions around the world at the hands of Russian mobsters, Iranian Hacktivists or Chinese “State sponsored” hacking consortiums. Researchers had even discovered as far back as 2011 that it was possible to use Google Search to hack (or access without authority) various clouds throughout the world, so the term “Cloud security” has really always been more of an oxymoronic concept, not a legitimate claim anyone with any IT background should really make – except in assisting the marketing department with lawyerly vetted, non-binding, sales literature.

To me it looks like the media and the public are much less concerned about coverage of those stories than the lack of “coverage” of various celebrities.

For those of you unsure what a “cloud” is let me define it in what may be an overly simplistic way but which will help you understand why cloud computing is both powerful and dangerous. Most of you know what a hard drive is. Most of you know what a local network is. Some of you may know what a “shared” network drive is. A cloud service is simply a shared network drive that everyone in the world has access to from anywhere all the time. Additionally the “clouds” we are talking about from Google, Amazon, Microsoft, store redundant copies of data throughout the world, on actual physical servers throughout the world and often in foreign countries because it’s cost effective to do so. Imagine taking the hard-drive from your computer or memory form your cell phone and making 100 copies of it and shipping it to 100 different countries. You can access your data with your password. So can anyone else who intercepts your password or guesses it, or hacks directly into one of the various servers throughout the world hosting your data or intercepts it enroute (from your phone or computer) like the NSA does by tapping directly into the physical backbone of the internet. Any of those hundreds of thousands of employees might have access to your data too. There are thousands of Edward Snowdens out there, but not all of them are using their access to tell us how vulnerable we really are.

The backbone of the internet is made up of hundreds of underwater fiber-optic cables that stretch for thousands of miles across the ocean. The cables shoot information around the networked world at super-high speeds, up to 19 terabits per second—nearly the speed of light. In fact, light is exactly what’s being transmitted. Fiber-optic cables work by converting electrical signals into waves of light, and then back again at the other end.

It’s pretty nuts when you stop to think about it. The 21st century global economy is being built on strands of glass the size of a garden hose, resting on the ocean floor. And we’ve known for years these cables can be hacked or vulnerable to breaks—if, say, a ship drops anchor in the wrong place, or a natural disaster ruptures the cable.

Via Submarine Cable Map

Google and Yahoo have massive data centers around the globe that are connected via these fiber-optic cables—many of which the companies either own or privately lease to assure (or so they thought) a secure route for their internet traffic. Now it seems the NSA is taking advantage of the inherent weakness in the web’s infrastructure

In 2010 Google e-mail servers were actually hacked by Chinese hackers, but you can be sure it’s happened long before then, and almost assuredly even now transpiring undetected.

But it doesn’t take a sophisticated organization or mastermind to hack into your account and ruin your life as this journalist found out and documented. A kid basically acting alone or a freak living in their mother’s basement, like the latest Celebrity iCloud hacker probably is, can do a lot more by themselves than most people realize.

So you might be asking yourselves, what is the solution here? It sounds hopeless. Hackers are even making clones of silly games that might be attractive to children to download video and image content from phones. How can we keep sensitive information from hackers so determined to violate laws, privacy and just plain decency? I’ve heard of a number of different proposals including multi-tier authentication and physical keys or biometric authentication and/or only storing data in encrypted formats.

There are problems with these methods:

  • These methods are often costly; and some exceedingly so
  • They are cumbersome (negating much of the convenience of conducting business electronically)
  • Most of the public doesn’t understand the risks well enough to protect themselves (especially in such an swiftly evolving environment)
  • Without regulations to mandate universal adoption of strong security measures many businesses report they won’t undertake these measures on their own dime while their competitors lure customers away with cheaper prices and more convenience
  • These measures are not foolproof; and hackers constantly evolve their tactics and techniques to match countermeasures
  • Encryption is not permanent. Technology processing speed has been increasing exponentially. Recognizing this, the NSA is simply storing encrypted data in massive warehouses for a few years while they wait for or build processors powerful enough to decrypt data using brute force processing methods.

So to answer my own question about how to protect your information in a foolproof way . . . the answer is you can’t. If you store data, pictures, anywhere it can be acquired. In fact, when you make a “record” you should plan for the eventuality that it will be seen by someone and exploited. The more places your information is stored, the more likely it will be exposed to hacking by someone, somewhere. The more attractive your target (because of their celebrity status or financial exploitability potential) the more at risk your data and information is. We must assume what we create on our private phones and networks will be seen by someone else (so keep that in mind the next time you take some pictures thinking they are just for yourself or your spouse.)

This is why Louisiana’s recently signed and strongest is the nation student privacy bill (HB1076 by Representative Schroder) that passed in the 2014 legislative session is so important. This bill prevents the State of Louisiana from collecting Social Security Numbers in most cases and requires that the state introduce a student identifier system not tied into SSNs in any way. (it appears parents must sign a form allowing the state to collect SSN’s and other necessary data for the Student Transcript System which is used to award TOPS scholarships and determine financial aid and admissions determinations for students attending institutions in-state. Parents will need to remain vigilant to ensure this data is not merged with the rest of the student data and provided to other databases like the one created for the Workforce Commission or other third party vendors that might follow undetected in inBloom’s footsteps.)

The state is also reportedly purging their existing data bases of legacy SSN’s. The bill also includes civil and criminal penalties for negligent or intentional mishandling of student data. This law became very important recently when the public learned that the State’s Superintendent of Education, John White, shared SSNs and other personal data with third party vendor inBloom (because of yours truly) with no guarantees of privacy, no guarantees of security, no legal liability for intentional or unintentional disclosures. The now defunct inBloom project, which was built with 100+ million in seed money from Bill Gates, even planned to store hundreds to thousands of points of very private, very sensitive data, pictures, medical records, discipline records, psychological profiles of all children (in their ideal scenario) on a cloud computing platform hosted by Amazon. Amazon’s own subsidiary, Living Social, was hacked on Amazon’s very own cloud resulting in the theft of over 50 million users’ information while this proposal was being floated.

Computers and the internet is not going anywhere, and we should not fear it to the point of not using it. However it appears very clear to me that laws, regulators and legislators are not keeping up with the changes as fast as they need to be. We can make ourselves safer by educating our leaders to make more responsible choices on our behalf and by taking some common sense steps ourselves to protect ourselves and our families. Louisiana parents took a very important step this summer by engaging our legislature. Regrettably most legislatures across the country failed their citizens on the student privacy issue, succumbing to lobbyists and pressure from Google, Apple and Microsoft. Louisiana was the first state to boot inBloom due to privacy concerns. We were also the first state, to my knowledge, to pass some very meaningful privacy legislation to address many of the weaknesses introduced by Arne Duncan to FERPA. For a state so often labeled and maligned (often rightly so) as backward and trailing in public health issues, education policy, infrastructure and economics it’s nice to see us acting as the leaders and trailblazers we know we are, and know we should be.

 

Advertisements

7 thoughts on “The recent visual and virtual reminder of the need for strong student privacy laws

    1. I hope so too. They haven’t spoken to employees about it? Employees can be held liable for 10k per disclosure or up to 3 years in jail even if authorized by a superior report or share and it turns out to be illegal.

    1. I was waiting until it was signed by Jindal and I heard LDOE was actively working on it. I think the department will have trouble meeting the timeline and may claim it is too difficult or too expensive. That’s why I waited for some new widespread hacking scandals to come out before explaining how strong this law is…by necessity. Good work getting this done.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s