{"id":1134,"date":"2010-06-21T14:39:50","date_gmt":"2010-06-21T22:39:50","guid":{"rendered":"\/?p=1134"},"modified":"2010-06-21T22:29:00","modified_gmt":"2010-06-22T06:29:00","slug":"digital-copiers-a-privacy-and-security-timebomb","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1134","title":{"rendered":"Digital copiers &#8211; a privacy and security timebomb"},"content":{"rendered":"<p><a href=\"http:\/\/www.cbsnews.com\/video\/watch\/?id=6412572n\" class=\"broken_link\"><img class=\"alignright\" style=\"margin: 10px; float: right;\" src=\"\/wp-content\/images\/2010\/06\/cbs_copier.jpg\" alt=\"\" \/><\/a>Everyone involved with software and services should\u00a0watch this\u00a0<a href=\"http:\/\/www.cbsnews.com\/video\/watch\/?id=6412572n\" class=\"broken_link\">remarkable investigative report <\/a>by CBS News and think about what it teaches us.<\/p>\n<p>Nearly every digital copier built since 2002 contains a hard drive storing an image of every document copied, scanned, or emailed by the machine.\u00a0\u00a0Because of this,\u00a0the report shows,\u00a0an office staple has turned into a digital time-bomb packed with highly-personal or sensitive data.\u00a0 To quote the narrator, &#8220;If you&#39;re in the identity theft business it seems this would be a pot of gold.&#8221;<\/p>\n<p>In the video, the\u00a0investigators purchase some used machines and\u00a0then\u00a0John Juntunen of <a href=\"http:\/\/www.copiersecurity.com\/\">Digital Copier Security<\/a>\u00a0shows them what is still stored on them when they are resold.\u00a0 As he says,\u00a0&#8220;The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms&#8230; would be very valuable.&#8221;\u00a0\u00a0\u00a0He&#39;s been trying to warn people about the potential risk, but &#8220;Nobody wants to step up and say, &#8216;we see the problem, and we need to solve it.'&#8221;<\/p>\n<p>The results\u00a0obtained by the investigators in their random sample\u00a0are stunning, turning up:<\/p>\n<ul>\n<li>detailed domestic violence complaints;<\/li>\n<li>a list of wanted sex offenders;<\/li>\n<li>a list of targets in a major drug raid;<\/li>\n<li>design plans for a building near Ground Zero in Manhattan;<\/li>\n<li>95 pages of pay stubs with names, addresses and social security numbers;<\/li>\n<li>$40,000 in copied checks; and<\/li>\n<li>300 pages of individual medical records including\u00a0everything from drug prescriptions, to blood test results, to a cancer diagnosis.<\/li>\n<\/ul>\n<p>Why are these records sitting around on the hard disk in the first place?\u00a0 Why aren&#39;t they deleted once the copy has been completed or within some minimal time?\u00a0 If they are kept for audit purposes, <em>why aren&#39;t they encrypted for the auditor?<\/em>\u00a0<\/p>\n<p>Is this &#8220;rainy-day data collection?&#8221; <em>Gee, we have a hard disk, why don&#39;t we keep the scans around &#8211; they might come in useful sometime.\u00a0<\/em><\/p>\n<p>It becomes clear that addressing privacy and security threats\u00a0was never a concern in designing\u00a0these machines &#8211; which are actually computer systems.\u00a0\u00a0This was an example of &#8220;privacy chernoble by design&#8221;.\u00a0 Of course I&#39;m speaking not only about individual privacy, but that of the organizations using the machines as well.\u00a0\u00a0\u00a0The report makes it obvious\u00a0that digital copiers, or anything else that collects or remembers information, must be designed based on the <a href=\"\/?p=317\">Law of Minimal Disclosure<\/a>.<\/p>\n<p>This story\u00a0also casts an interesting light on\u00a0what the French are calling &#8220;le droit \u00e0 l&#39;oubli&#8221; &#8211; the right\u00a0to have\u00a0things forgotten.\u00a0\u00a0 Most <a href=\"http:\/\/www.lemonde.fr\/technologies\/article\/2009\/11\/12\/la-delicate-question-du-droit-a-l-oubli-sur-internet_1266457_651865.html\" class=\"broken_link\">discussions I&#39;ve seen <\/a>call for this principle to be applied on the Internet.\u00a0 But as the digital world collides with the molecular one, we will see the need to build information lifetimes into all digital systems, including smart systems in our environment.\u00a0 The current and very serious problems with copiers should be seen as profoundly instructive in this regard.<\/p>\n<p><small>[Thanks to Francis Shanahan for heads up]<\/small>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everything copied is recorded to hard disk and can be extracted by anyone with access to the machine and some readily available software<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[17,40,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1134"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1134"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1134\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}