'Secure' U.S. Site Wasn't Very
By Declan McCullagh, 02:00 AM Jul 06, 2001 EDT

Link (dead as of 10/22/06): http://www.siliconvalley.com/docs/news/tech/047021.htm
Link (active as of 10/22/06): http://www.wired.com/news/technology/0,1282,45031,00.html

A U.S. government website devoted to helping businesses keep sensitive information private instead revealed confidential information about American firms.

A Commerce Department privacy website exposed proprietary information -- such as revenue, number of employees, and the European countries with which a firm does business -- that U.S. companies had provided to the government in strict confidence. The information had been publicly accessible since the site went online last year.

Casual visitors could even modify information stored in the agency's database, permitting anyone to delete, for instance, Microsoft, Intel, or Procter & Gamble from a government-certified list of companies that can freely exchange information with European firms.

In response to queries from Wired News, the Commerce Department plugged the security hole at 5 p.m. EDT on Wednesday. "We are aware of the concerns, and are taking all necessary steps to identify and resolve the issue," a department official said.

The irony of gaping security holes in a Commerce Department "Safe Harbor" site established to aid U.S. firms in offering adequate privacy protection wasn't lost on some privacy advocates. "If the government can't control its own information, why is it asking the private sector to do any better?" says Jim Harper, editor of Privacilla.org. "When it comes to information management, government is the gang that couldn't shoot straight."

A Wired News reader reported the problem on Wednesday. Anyone who went to the web.ita.doc.gov homepage saw a list of links to Lotus Domino databases -- and one of those led to the confidential files. Because the database could be read and edited without authenticating, the failure was one of access control on the database itself, not merely of an exposed link.

To sign up for the Commerce Department's Safe Harbor program, U.S. businesses must answer detailed questions.
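The failure described above (an application database that unauthenticated web visitors could read and edit) is the kind of thing an ACL audit catches before a reader does. The script below is an added example and is not the Commerce Department's code or anything from the article; it audits a Domino-style access-control export for entries that apply to unauthenticated users. The export format (one tab-separated line per entry: database, ACL entry, access level) and the sample data are constructed for illustration; the access-level names are Domino's, and the rule that an unauthenticated user falls back to the "-Default-" entry when no "Anonymous" entry exists is Domino's documented behaviour.

```python
"""Audit a Domino-style database ACL export for anonymous read/write exposure.

Added example, not code from the original article or from the agency it
describes. The export format and SAMPLE_ACL are constructed for illustration.
"""

# Domino access levels from weakest to strongest. Author and above can create
# and edit documents; Editor and above can edit any document.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample export: database<TAB>entry<TAB>level. Not real data.
SAMPLE_ACL = """\
# database\tentry\tlevel
safeharbor/certlist.nsf\t-Default-\tEditor
safeharbor/certlist.nsf\tAdmin Group\tManager
safeharbor/applications.nsf\tAnonymous\tReader
safeharbor/applications.nsf\t-Default-\tNo Access
public/faq.nsf\tAnonymous\tReader
internal/staff.nsf\t-Default-\tNo Access
internal/staff.nsf\tAnonymous\tNo Access
"""


def parse_acl(text):
    """Return {database: {entry: level}} from the tab-separated export."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 3:
            raise ValueError(f"malformed ACL line: {raw!r}")
        db, entry, level = fields
        if level not in RANK:
            raise ValueError(f"unknown access level {level!r} for {db}")
        acl.setdefault(db, {})[entry] = level
    return acl


def anonymous_level(entries):
    """Effective level for an unauthenticated web user.

    An explicit "Anonymous" entry wins; otherwise the "-Default-" entry applies;
    a database with neither is treated as "No Access" for the purpose of the audit.
    """
    if "Anonymous" in entries:
        return entries["Anonymous"]
    return entries.get("-Default-", "No Access")


def audit(acl, confidential):
    """Flag databases that unauthenticated users can write to, or can read when
    the database is listed as confidential. Returns [(database, level, finding)].
    """
    findings = []
    for db, entries in sorted(acl.items()):
        level = anonymous_level(entries)
        rank = RANK[level]
        if rank >= RANK["Author"]:
            findings.append((db, level, "anonymous write"))
        elif rank >= RANK["Reader"] and db in confidential:
            findings.append((db, level, "anonymous read of confidential database"))
    return findings


if __name__ == "__main__":
    # Databases the operator has classified as confidential (constructed list).
    confidential = {"safeharbor/applications.nsf", "internal/staff.nsf"}
    for db, level, finding in audit(parse_acl(SAMPLE_ACL), confidential):
        print(f"{db}: {finding} ({level})")
```

In the sample, the certification list is editable by "-Default-", which is exactly the condition that lets an anonymous visitor delete a company from it, and the applications database is readable by "Anonymous"; the public FAQ is readable but not confidential, so it is not reported. The same check applies to any system with a default or anonymous principal: evaluate the effective permission of the unauthenticated user per database, not the existence of a link to it.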
For responses to queries about financial or other sensitive information, the government promises that "this information will not be posted on the website." A Commerce Department privacy statement says: "We will not share any personally identifying information you give us with any other government agency, private organization or the public, except with your consent or as required by law."

The Commerce Department also retains information on companies like Adaptec that appear to have aborted the online registration process. But the government's stated policy says the opposite: "Because you have chosen not to submit your organization's self-certification to the safe harbor, your certification information will be deleted."

The "safe harbor" scheme is designed to satisfy the European data directive, which limits the transfer of personal data to non-EU countries that do not meet certain information standards such as notice, access, choice, integrity and consent. If a U.S. firm signs up and is certified, the idea is that European officials will be satisfied that it follows reasonable privacy-protection measures.

Fewer than 100 U.S. businesses have signed up so far, although that's still a remarkable improvement over the dozen firms that were participating as of January.

The embarrassing federal gaffe is part of an inauspicious trend: Purportedly private and secure databases aren't designed with security and privacy in mind.

[snip...]