CLEC - Technical - DSL Prime: Scandals and Politics

Sections

• Best of the Lists
• Business
• CLEC-Planet
• Equipment
• Executive
Perspectives
• Fixed Wireless
• Investor
• Marketing
• Market Research
• News
• Notable Quotes
• Politics
• Profiles
• Resources
• Technology
• Value-Added
Services
• Webhosting
Also ...
• About Us
• Authors
• Letters
• Site Map
• Technology Jobs

internet.com

IT
Developer
Internet News
Small Business
Personal Technology

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers

internet.commerce

Partner With Us

DSL Prime: Scandals and Politics

If they care, telcos can do any of several obvious things to improve the way they protect the privacy of their customers. Until then, leadership failures ensure that telecom headlines about privacy are bad news.

by Dave Burstein
of DSL Prime and Future of TV
[September 13, 2006]

Hewlett-Packard Scandal, continued
Larry Babbio should have resigned from the Hewlett-Packard board as soon as he learned they were making business policy by phone-phreaking. That's what Tom Perkins did. The President of Verizon should be setting an example on issues like privacy. "We must maintain the confidentiality of every customer's telephone calling and other account information" promises SBC in their official privacy statement.

"How is this story about ATT?" flamed one industry veteran. "Seems quite clear the information was gotten under false pretenses. Your biases are showing." Apparent negligence, I counter, and unacceptable security design. I also got some very supportive letters, but several that suggested follow-up.

Legal Issues: California Attorney General Lockyer insists, "In this case, clearly a crime has been committed,' he said. 'The question is by whom. How far does the liability extend?" David Lazurus of the Chronicle adds "Lockyer said he's now focusing on whether HP's chairwoman, Patricia Dunn, is a party to the crime. � 'At the very least, there's a potential conspiracy case,' Lockyer said." If a crime was committed, and Larry Babbio knew it, he might nominally be an "accessory after the fact" but almost certainly would not be prosecuted.

Similarly, AT&T is unlikely to face criminal penalties, even if proven grossly negligent. They might be sued, however. The strongest evidence I've found they might be liable ironically comes from their own official privacy policy: "Protecting the confidentiality of your Customer Proprietary Network Information is your right and our duty under federal law." They may in fact be mistaken about whether they have a "duty under federal law." If not, however, that privacy statement sure sounds to me like cause for a suit. A reader e-mails "I have seen nothing mentioning [AT&T's] need for legal help," nor have I. But sure sounds like they should be ready with a good lawyer.

AT&T pointed out I was careless in my choice of words when I wrote "AT&T leaked the phone records." The word seemed fine to me; a roof leaks when water gets through, and in this case information certainly went through. But "leak" is also used to describe a deliberate process of giving information to a reporter. There's no reason to believe AT&T did anything deliberately. They were hacked. Happy to clarify.

John Ashcroft, until recently Attorney General, has had no involvement in this AT&T privacy problem. Researching the story, I discovered he had been hired by AT&T to lobby on privacy, so suggested they put him to work. Of course there was a hint of satire in that, like Jonathan Swift's "modest proposal." What AT&T is doing about the incident is releasing minimal details about what happened, how, and their procedures to prevent things like this. If they don't want to be accused of contributory negligence, one thing they should do is a serious public investigation. As head of the Justice Department, he certainly has the experience.

Ashcroft leaving government and collecting millions from companies needing favors from his former colleagues is typical DC behavior with offenders from all parties. His working for AT&T on privacy is particularly ironic. AT&T is under investigation in at least two states for their releasing records to the government without a subpoena. Whether that was right or wrong is a different story. But these actions took place during Ashcroft's term in office, and he was probably involved. Ashcroft shouldn't be representing AT&T, and Jim Cicconi shouldn't have hired someone he knew might be a witness if George Bush can't shut down the suit.

Readers can guess I disagree strongly with Ashcroft on unrelated civil liberties and human rights issues. I promise to go after some Democrats in future issues as well.

Editorial: How telcos can better protect their customers
Instead of inviting legislation and legal cases, the right next step is for telcos to voluntarily do a better job. I have a friend who can crack a Class Five switch remotely, and another who in three years tiger teaming never hit a system he couldn't enter. But talent like that is rare; from what's in the public record, an amateur or a script kiddy could have broken into AT&T.

WSJ columnist Terri Cullen suggests "If the companies you do business with have lax privacy guards, demand better protection—or take your business elsewhere." If a million customers left AT&T, or even 100,000, they'd get the message. Unfortunately, most Americans only have two choices for broadband, and I've no reason to believe cablecos do a better job.

Here's some practical suggestions on how to "maintain the confidentiality of every customer's telephone calling and other account information." Whether lousy security is illegal I don't know, but it's stupid customer relations. I am certain AT&T is no worse than many others on this issue. They just happened to get caught. A few ideas—readers are invited to improve on this.

Eric Rabe of Verizon suggested to Ms. Cullen, "About a year ago we stopped using Social Security numbers because we felt they were just too readily available." Now Verizon customer-service reps require a specific account code on the customer's monthly paper bill before giving out account information or making changes to the account. (WSJ)

Telcos could check the log-in e-mail against their record of the customer e-mail. Verizon asked my e-mail recently, and AT&T has on record e-mail for the 30 percent of customers who take DSL.

A follow-up e-mail or letter to all or just a statistical sample afterwards would identify patterns and point out to the company (or the cops) when trouble is brewing. A small sample could even be telephoned, to pick out emerging attacks to solve.

When things go bad, a serious investigation. Using John Ashcroft might be a joke, but I'd insist on knowing the cause. The FCC Chairman seems to agree; Martin asked AT&T for a report already.

Public answers should come from the company's security pros, not PR people unless they truly understand the issues. Few do, and uninformed comments become contradictory and seem to be lies.

If security was ignored, was it bad decisions from the CTO, flawed execution from the staff, or pressure from the Controller's office cut the budget? In whichever case, the carrier should make the information public, and publicly fire a few incompetents.

Regularly use professional tiger teams to test for vulnerabilities, to see how open you are. Standard practice as corporations, and just as appropriate here.

When opening an account, customers should be given an option to lock the record and not make them available. The internet registries provide that as a free option for domains.

"The power of the printing press belongs solely to those who own the presses"
—A.J. Leibling

The Internet is the cheapest printing press ever invented.

1. DSL Prime: Apple Video = IPTV Crisis

2. DSL Prime: $0.25 to Stream a DVD Quality Movie

3. DSL Prime: Greece, Paris, Tokyo

4. DSL Prime News Briefs

5. DSL Prime: Scandals and Politics

Feedback

ISP-Planet's RSS feed

The Network for Technology Professionals

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers

Solutions

Whitepapers and eBooks

Intel Whitepaper: 2010 Intel Core vPro Processors Overview
Article: Adobe Helps PHP Developers Create Rich Internet Applications
Article: Reduce Your Infrastructure Costs with Microsoft System Center
Intel Brief: Five-Star IT Support--Intel Core 2 processor with vPro Delivers ROI of 524 Percent
Article: Security Enhancements Abound in Windows Server 2008
Intel Whitepaper: Implementing Intel vPro Technology to Drive Down Client Management Costs
Microsoft Whitepaper: Improve Communications and Collaboration

Intel Article: Intel Core i5 vPro Brings Intelligence to the Processor
Microsoft Personalized Whitepapers and Resources for You
Microsoft Articles: Visual Studio 2010
Adobe Article: Java Developers Finding a Home at Adobe Flex
Microsoft Whitepaper: Make Better Decisions - SQL Server 2008 Business Intelligence.
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Micro Focus Webcast: Boosting the Impact and Effectiveness of Software Development QA and Testing
Microsoft Webcast: Simplified Access and Single Sign-On

Intel Video: 2010 Intel Core Processor Technologies
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Adobe Download: Tour de Flex Application and Explore Flex
Get Started: Create Applications Without Infrastructure Limits with the Windows Azure Platform
HP PartnerONE | SolutionsINFINITE Visit us at hp.com/partners/us

Iron Speed Designer Application Generator
MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Free Adobe Online Flex Training: Check Out this Video Training Course Here
Develop Cloud Applications - Get Started Now with the Windows Azure Platform
Learn Unified Communications
Learn SQL Server 2008
Learn Windows Server 2008 R2
Internet.com Hot List: Get the Inside Scoop on IT and Developer Products

Learn Forefront
Learn System Center
All About Botnets
Learn SharePoint
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES