Wednesday, April 18, 2007

I'm not a lawyer, but....

It's been said that a little bit of knowledge can be a dangerous thing.

As I slowly learn more and more about the law, I start to have these ideas. From a computer security standpoint, they're brilliant - as they get around the problem creatively. However, as I've been told before, the law is not a machine, and it's not as simple to find the legal equivalent of a security flaw.

I had a fairly interesting idea today. Its probably rubbish, however, I think it's worth posting it - if just to stimulate discussion:


As I mentioned in my post yesterday, most state data breach laws only kick in upon the disclosure/loss of data that includes the full last name, and either the full first name, or first letter of the first name.

Lets step back for a moment. Consider the fact that all credit cards include a check digit within the card number. Thus, computer programs can be written that will tell you (without having to send the card number to a bank) if the card number is a 'valid' card number or not. That doesn't mean that the program can tell you that the card is active - merely that the card number has been typed in correctly.

Interestingly enough, if you leave off 1 digit from the credit card number, using the built-in checksum, the programs can figure out what that last digit is - due to the fact that every other combination of digits will not result in the same check digit.

This can be seen as a form of an error correction

With that explained, lets get back to the idea:

What if instead, companies kept customer info in the form of:

Complete last name: soghoian
All of first name but first letter: hristopher
Checksum of full first name: 7

There are 26 possible letters that could go at the beginning of 'hristopher' to make up my full name. However, only one of these ('c') would result in the correct calculation of check digits.

Thus, any time the company needed to look up my data, they would simply calculate the check digits for all 26 possible combinations of my first name, and would thus be able to obtain my full first name and last name.

How practical is this? It would require some time/money to implement, and wouldn't be as useful as storing the full first name due to the requirement to calculate ~13 checks (assuming random choosing of letters) each time a name is needed, but if I am right (regarding the law), then any company that implemented such a system would be able to avoid all the negative publicity and work that is associated with data breach disclosure. Perhaps this would outweigh the implementation costs?

3 comments:

Anonymous said...

There are 26 letters in the alphabet and only 10 digits, so based on the pigeonhole principle, wouldn't more than one letter map to a check digit of 7?

Unknown said...

I'm also not a lawyer, but it seems to me that would demonstrate _massive_ bad faith. Anyone who does this is putting engineering time & effort into avoiding the consequences (to them only, not to their customers) of data breach; that's time & effort which could go into avoiding data breach in the first place, which would have the same good effects for themselves as well as actually protecting their customers.

I'd hate to have to try to defend this in a lawsuit from the leaked customers.

Anonymous said...

That is so evil.

Patent it right away.