Many years ago, before Web 2.0, web services and XML, Sun proposed the idea of a Net computer, a thin client that would interact with web-based applications and data stored on remote servers. Responding to concerns about storing personal information on a disk controlled by another company, Bill Joy held up his laptop and said, "Now this scares me." The meaning was that having all your personal data on a portable, lose-able, steal-able hunk of black plastic should create much more concern than the fact that a web host has custody of your data.
Joy's prescience is apparent now, with the VA laptop theft just being the latest example of how insecure it is for employees to carry millions of personal data records around on a hard disk encased in plastic.
The Washington Post reports today that public anxiety over laptop thefts is clearly rising.
In the past six weeks, laptop thieves have found themselves holding thousands of credit card numbers from Hotels.com, birthdates from District pensioners who put their retirement funds in ING, addresses of nuclear power plant employees, account numbers of Mercantile Potomac Bank customers -- or even the Social Security numbers of people who work for Equifax, the credit reporting giant.
What seems to be a common thread in all these incidents, as well as the VA theft, is how "line" employees have access to millions of sensitive records, while formal security protocols are falling away.
"Quite often, you see the line worker has more data than the upper echelons of the company or agency," [security consultant Scott] Larson said. "The secretary for the CEO has more data on a laptop than the CEO of the company. That's the person doing the memos, doing the spreadsheets. And that's where the sensitive information is."
The saving grace seems to be that laptop thieves aren't interested in becoming identity thieves. There's still no indication that the guys who stole the VA laptop have done anything with those millions of records.
If someone wants to be an identity thief, it's far easier to go on overseas-based Web sites that auction off blocks of stolen credit card numbers, eBay-style, said Michael Vatis, a lawyer and executive director of the Markle Foundation's Task Force on National Security in the Information Age.
Vatis said it would be laborious, time-consuming and a gamble for identity thieves to target middle managers, follow them and steal their laptops, hoping a database would be there.
"If this is your business, stealing people's identity, you're better off with a business model where you're not looking for a needle in a haystack but you're looking for hay, and there are haystacks everywhere," he said.
That's hardly an acceptable security policy for government agencies or banks, though.