============================================================
Kirk Bailey, Exposed
Kirk Bailey, a privacy-rights advocate, invited researchers to use
any legal means to dig up as much personal data on him as they could.
Here is a sample of the results, including the potential dangers
should such legal information fall into the wrong hands.
FOUND: Birth certificate, from court for $14.
DANGER: Has mother's maiden name, which is often used as a password.
Certificate could be used to get a passport.
FOUND: Natural gas billing records, obtained by calling gas company
and pretending to be Bailey.
DANGER: Enemy could make trouble by ordering gas service turned off.
A burglar could deduce vacation patterns.
FOUND: Bailey's Social Security number, obtained from Lexis-Nexis
and other sources.
DANGER: Could be used to open bank or credit card accounts or create
a new identity.
FOUND: Divorce decree, for $2 copy fee at court.
DANGER: Could be used to get information on credit card and other
debt, number of children and salary information.
December 13, 1999
An Expert in Computer Security Finds His Life Is a Wide-Open Book
By TINA KELLEY
As the theme from "Mission Impossible" played in the background, Kirk
Bailey and a crowd of about 150 other computer security experts
waited for the results of a high-technology treasure hunt. The prize?
Bailey's most personal information.
Bailey, whose job includes protecting the privacy of medical records,
considers himself an average citizen, though somewhat more careful
about what he calls the "fragile condition" of privacy today. In
October, Bailey dared a group of security experts to spend two months
trying to dig up as much as they could about him. Their only
constraints were to stay within the confines of the law and to avoid
asking his family or friends for help.
The results surprised even Bailey, who as manager of information
security at the Regence Group, an alliance of health insurance plans,
has forced him to think like an information thief to better protect
the privacy of medical records.
Without his cooperation, permission or knowledge, the researchers
found a scannable sample of his signature; his speaking schedule over
the last two years, courtesy of an Internet search engine; and
details of his cat's diet by "Dumpster diving." They got copies of
his home phone bills, though not cell phone records, learned the
value of his home and even discovered that he had been born by
Caesarean section on April 30, 1951, and got a C in English at the
University of Washington.
The nine researchers were all members of the Agora, a group of more
than 550 information managers from some 120 companies and at least 60
government agencies, founded to improve the security of personal
information.
"It was an enormous invasion on my comfort," said Bailey, who founded
the group in 1995 and named it after the marketplace where ancient
Greeks gathered to exchange information and gossip. "Here I can be
sitting in my warm living room by the fireplace with my wife, and I
think my privacy is protected, but in fact that's just a thin veneer
and illusion."
Some information his colleagues gathered proved embarrassing, some
potentially dangerous to his financial security.
"Now everyone knows I'm overdue on a couple of my bills," he said,
"and they have information on my birth, with the necessary three
pieces of information: name, Social Security number and date of
birth."
The last four digits of a Social Security number, he noted, are often
used as a default personal identification number.
The accumulated information cost less than $100 and required no
special training to find. Researchers collected it while holding down
full-time jobs, said Kristina Laidler, an information technology
supervisor with the Regence Group who had been designated the event's
"raid controller."
She was surprised how easy it was to get Bailey's birth certificate
and college transcript. "Those things just took no effort. It was
like punching through tissue paper," she said.
The investigators did occasionally resort to what they called "social
engineering," more commonly known as schmoozing.
"Computers are great, but computers are not going to give you all the
information you need," said Brett Kappenman, another Agora
investigator.
Separately, no single bit of information was particularly dangerous.
But in aggregate -- and in the wrong hands -- it could be ruinous.
"We could cut and paste his signature from his marriage license or
divorce decree and put his signature on anything," Ms. Laidler said.
"We could've closed his bank account that day. We could've turned off
his lights, we could've refinanced his house, and we could've gone
out and purchased a Mercedes Benz" using easily obtainable banking
information and a few well-placed fake references.
Rep. Jim McDermott, D-Wash., who is sponsoring a federal bill to
protect the privacy of medical records, attended the presentation.
"As someone in political life, I know I have very little privacy," he
later said in an interview. "But the ordinary citizen ought to be
scared to death by what we saw today."
Consumers can make themselves less vulnerable to such invasions of
their privacy by obtaining an annual credit report on themselves,
adding a "firewall" to their home computer's Internet connection or
buying $50 software that can make them invisible to other computers
online, Ms. Laidler said.
Online consumers should also read the privacy policies of Web
retailers to make sure they do not distribute personal information.
And home buyers should ask real estate agents not to send financial
information by e-mail, which is easily intercepted, she said.
"People have to understand their information doesn't just live at the
bank," Ms. Laidler said.
In exposing his vulnerabilities so publicly, was Bailey just giving
crooks free pointers?
"The bad guys have already started to demonstrate they know how to do
this," he said.