Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy The Internet Your Rights Online

Outsourced Confidential Data On Children Posted 438

Kataire writes "MSNBC exposes a grievous blunder in which an outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York. Yes, this person did this not once, or twice, but three times, with two different data sets. Even worse, the data was out there, publicly 'visible' for months. Just because RentACoder finally discovered and yanked it, after a coder 'stuck with a tricky formatting issue' posted the specific database he was working on to their messageboards, doesn't mean the damage is undone. The ramifications reach beyond the painfully obvious privacy issues, touching on outsourcing and peer ethics."
This discussion has been archived. No new comments can be posted.

Outsourced Confidential Data On Children Posted

Comments Filter:
  • Who do you trust? (Score:5, Insightful)

    by DarkHelmet ( 120004 ) * <.mark. .at. .seventhcycle.net.> on Monday February 09, 2004 @05:34PM (#8231311) Homepage

    Who do you trust? And who do you get to solve something like this?

    Do you say, "Only certain government approved facilities can deal with this sort of information?" Seriously, should I feel that someone "government sponsored" is better off with my information than an outsourced programmer in India? Who gets to play Big Brother? And what will they do with what they know?

    You can take this to the extreme, and be wary of anyone to handle private data about you. But then, if there's that sort of outcry, nobody would be able to handle it, would they?

    I suppose it's better than having the Smoking Man from the X-Files having a file about you, and a blood sample. I find most programmers to have a certain level of professionalism to what they do.

    I personally have access to roughly 10,000 credit card numbers. I'll never abuse the fact that I have access to them. But on the other hand, I'm not stupid enough to post all of them on the net for everybody to see, either.

    I hope anybody who ends up doing something that stupid becomes a victim of identity theft. That'll really open their eyes to respecting other people's privacy.

    By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at.

    • Re:Who do you trust? (Score:5, Informative)

      by segment ( 695309 ) <sil AT politrix DOT org> on Monday February 09, 2004 @05:46PM (#8231487) Homepage Journal
      Who gets to play Big Brother? That's an easy one ... Choicepoint [choicepoint.com] gets to play Big Brother. They tout 40 billion records... 40 billion records on about 300million Americans?...

      And what will they do with what they know? They claim to be able to pinpoint every move you made from college to getting tossed out your duplex etc.,

    • Re:Who do you trust? (Score:5, Interesting)

      by Skyshadow ( 508 ) on Monday February 09, 2004 @05:55PM (#8231609) Homepage
      Posting anon for reasons which will become clear:

      I work for a large healthcare organization. A while back, we caught some heat because we were transferring a lot of patient data over to India for use in one of our offshore projects and a local newspaper found out about it. Our official response was "Hey, Americans do this work too. It's not necessarily safer there than here."

      A month later, one of the outsourced programmers took off with a couple of backup tapes and blackmailed my company.

      This exposed the real issue at hand here: Offshore workers aren't in America, which means that we found ourselves unable to bring the weight of American law enforcement to bear on this person. In America, we would have had the FBI kicking in this guy's door within the hour. Instead, this individual simply moved to a different part of India, which is apparently like moving to another planet for the purposes of getting them arrested. The issue was clamped down on by management before the resolution, but the word around the water cooler is that we just paid them off -- really, the amount of money they wanted was insignificant against the massive PR damage we were looking at.

      So while it's true that a worker in America can spill private data just as easily as a worker in the third world, *getting away* with it is a completely different matter. Companies which offshore private data deserve the lawsuits they'll face when something like this actually plays out wrong...

      • Oops.... (Score:5, Funny)

        by Skyshadow ( 508 ) on Monday February 09, 2004 @05:57PM (#8231631) Homepage
        Shit. So much for that anon thing. (cringe)

        Guess my sig goes double now...

      • by Greyfox ( 87712 ) on Monday February 09, 2004 @06:14PM (#8231826) Homepage Journal
        Posting anon for reasons which will become clear:

        Dibbs on his 3 digit user ID when his company has him killed!

      • Re:Who do you trust? (Score:4, Informative)

        by Anonymous Coward on Monday February 09, 2004 @06:15PM (#8231838)
        C'mon, give it up! Do you work for UCSF, Sausalito Transcription Stat, Sonya Newburn or Tom Spires?


        And was it India or Pakistan? And was the "Indian" really a Pakistani woman named Lubna Baloch? And was the problem really because UCSF required such little control over the custody of the medical records that it allowed them to be handed of to a chain of at least four levels of subcontractors before they ended up in Pakistan?


        Oh, and was it really Sonya Newburn who paid off Baloch?


        It's not so super-secret as you think. And the real issue (in your hospital's case) isn't that you couldn't bring the weight of American law enforcement to bear, it's that your organization completely lost control of the data that was entrusted to it.


        Incidentally, UCSF has revised its contracts to require its transcriptions firms to reveal who they subcontract with.


        P.S., if you click on the little "Post Anonymously" checkbox, your /. ID won't be revealed. Although I don't think that you'll be in much trouble given that the whole business is splattered all over Google.

      • "In America, we would have had the FBI kicking in this guy's door within the hour."

        Ha! Highly unlikely. If you really want something done, and done right, you don't call the cops or the lawyers, you call the guy who knows dis guy and he "does this favor for you."

        -cp-

        President Bush to Liberate Alaska [alaska-freegold.com]

      • I'm surpised someone didn't end up in prison. That is a direct violation of HIPAA Privacy rulings...your supposed to have a chain of trust agreement, specifically a Business Associate Contract. This states that your company is HIPAA compliant in all areas where you deal with PHI (protected health information). If you outsource, your company is supposed to get a BAC from the people you outsource to.

        Your company could probably get hit with a violation of 42 U.S.C. 1320D-6(a), which is a federal law. If m
    • The issue with giving sensitive data to outsourcing agencies (who give it to outsourcing agencies (who give it to .... is that after a while, the chain of accountability gets pretty tenuous. When it's your client's sensitive information, it's pretty clear that you should protect it. When it's your boss' client's client's ... client's boss' sensitive information, you're really disconnected from the parties who would be damaged if the information was disclosed.
    • Some notes (Score:3, Insightful)

      by MAXOMENOS ( 9802 )
      Do you say, "Only certain government approved facilities can deal with this sort of information?" Seriously, should I feel that someone "government sponsored" is better off with my information than an outsourced programmer in India? Who gets to play Big Brother? And what will they do with what they know?

      The difference is that a government employee is easier to discipline. Both can be fired, but the regular employee can be prosecuted more easily than an off-site subcontractor who may be out of state (or co

    • Re:Who do you trust? (Score:5, Interesting)

      by pwtrash ( 593047 ) on Monday February 09, 2004 @06:24PM (#8231958)
      Yep, your example would have been worse.

      However, the article suggested that these kids are foster kids, which means that at a minimum they were victims of neglect to the extent that the state stepped in and removed them from their birth parents.

      It's likely that a number of these kids were victims of sexual abuse. Needless to say, many of them have views on sexual issues that are warped by their experience. A predator would likely know how to take advantage of their experience.

      Also, typically, the goal is to re-unite them with their parents. Obviously, some of these parents are not worth anything. But a number of them are genuinely trying to do whatever they can to make their family right. This doesn't help.

      My wife works with kids in this situation, and I don't know any names ever. I don't want to know, and she takes her commitment to their confidentiality very seriously.

      I hope we get to hear what becomes of Mr. Mark Dennis, the fine bleeding-edge developer who had to ask RentACoder for database formatting help. It would only be fitting if we all got to experience his worst or most vulnerable moment. I'll turn it into HTML for $15.

    • by cait56 ( 677299 )

      I would prefer to trust someone who has enough sense not to provide confidential data to anyone that has not been properly trained in its handling.

      It is all too likely that the person that "released" the data had no real understanding of whether the data was real or what it meant.

      This is just plain sloppy procedure. It doesn't matter if the development staff is in-house, local out-sourced, or out-sourced to the other side of the world -- they still don't need the real data in order to develop code.

    • Re:Who do you trust? (Score:5, Informative)

      by orthogonal ( 588627 ) on Monday February 09, 2004 @06:58PM (#8232332) Journal
      Who do you trust? And who do you get to solve something like this?

      In this particular case, you needn't trust anyone.

      Nothing that Mark Dennis wanted to do -- build the database structure, build the front-end, or get help with his "tricky formatting problem" required that he use supply real data to RentaACoders or other sub contractors

      And furthermore, nothing the Livingston County Social Services Commission wanted required that Mark Dennis ever see live data.

      This one's simple, folks -- sure, Mark (or someone) needed to do a requirements analysis, sure, somebody had to decide what data entities to capture -- but very little real data was needed.

      First, make some dummy data for the developers' use: run through your real data -- if you even need to base the dummy data off the real data --, and replace every name with a random dictionary word. Do the same thing for addresses, and replace Social Security and other id numbers with randomly chosen numbers. In all cases, maintain a constant map of real to dummy, to preserve relations within the data: "Mike Smith" is always translated to "Armchair Landowner" and "1450 Main Street" to "3321 Crumpet Sponge".

      Once you've finished your translation, throw away the map.

      Now the coder has data that's exactly as diverse as the real data, shows the same frequencies and inter-relations as the real data, is as internally self-consistent as the real data, and yet is (nearly) completely meaningless in terms of the real world, and (nearly) impossible to link to any real persons, places, or identifying information.

      (It's possible one could still do traffic analysis on the data, and come up with aggregate data: either more male or more female (but which?) children are in the Social Services system; two zip codes out of six produce 70% of the cases (but which two?). If this is a problem you have to take a weighted slice of the data, and provide the developer with only this weighted slice; that (intentionally) skews your frequencies, but still preserves diverse data and any inter-relations among that data, closely enough to be representative for almost all design and coding needs.)

      No trust involved. Just a simple and mechanical translation process that has to take place only once.

      (If you really have a situation where the developer must base his requirements and code against gradually accumulating real world data -- and you shouldn't if you've planned at all well -- let one non-out sourced person hold the translation map -- and be held responsible for keeping it secret.)

      And a process like I've outlined should be standard for any organization dealing with sensitive data.
      • Re:Who do you trust? (Score:3, Informative)

        by afidel ( 530433 )
        Thank you, thank you, thank you. That is EXACTLY the kind of thoughts which HIPPA et al are supposed to foster. Real patient data should never be acessible except by people whos jobs it is to use that data. The people whos job it is to track and store the data have no need to see it. Now if only we could get an anti-PATRIOT act passed that forbade the government from accessing an private database for purposes of following its citizenry.
    • by R2.0 ( 532027 ) on Monday February 09, 2004 @07:05PM (#8232407)
      "By the way, I hate how everybody gets up in arms over the fact that this is data from children. This is horrible for ANYBODY to have their information posted on the net like this. And it could have been worse. It could have been a list of women tying them to the current Battered Women's Shelter they were staying at."

      Yes, it would suck if my daily schedule was put up in the internet. Then I'd have to worry about pedophiles or my crazy parent with the restraining order snatching me up.

      Oh, wait - I'm an adult male who carries a cell phone, "pocket knife", and just enough martial arts experience to get me out of (okay, into) trouble.

      Stories like this about children ARE different. Adults might have the means and methods to deal with the consequences of such a massive blunder. Children DO NOT! Especially lists about kids in day care: children who are pre-selected to be literally unable to take care of themselves.

      Oh, and your "even worse" example sucks too. At least women in shelter are somehow connected with help. Think instead of a database of phone calls to an abuse hotline - lots of women who are totally vulnerable.

      To borrow from the pigs in "1984": All privacy breeches are equally bad, but some are just way effin' worse than others.
  • by The_Rippa ( 181699 ) * on Monday February 09, 2004 @05:34PM (#8231313)
    I'm sure the "it professionals" on alt.pedophiles were more than happy to check out the db issues for him.
  • Today's lesson: (Score:5, Insightful)

    by American AC in Paris ( 230456 ) * on Monday February 09, 2004 @05:34PM (#8231315) Homepage
    When you're looking to cut corners, be careful who you give the scissors to...
  • by Anonymous Coward on Monday February 09, 2004 @05:35PM (#8231331)
    Talk of identity theft, damaged credit, and so on may not rile up the Soccer Moms of the world, but once something affects the children, watch and admire as their mouths begin to froth!
  • I'm not surprised (Score:4, Interesting)

    by samsmithnz ( 702471 ) on Monday February 09, 2004 @05:35PM (#8231332) Homepage
    Myself, I'm always careful about 'stripping' any information when posting code samples or looking for help in Forums. I'm surprised this isn't reported more often...

    I wonder if the parent company that hired this 'outsourcer', even knows that their data has been compromised...
    • the dumbasses... (Score:5, Informative)

      by SHEENmaster ( 581283 ) <travis&utk,edu> on Monday February 09, 2004 @05:46PM (#8231486) Homepage Journal
      Who the hell thought to give him REAL information about these children in the first place? A fake datase would've worked just as well for development purposes.
      • by johnnyb ( 4816 ) <jonathan@bartlettpublishing.com> on Monday February 09, 2004 @06:07PM (#8231752) Homepage
        Actually, I've found that they don't. Fake databases usually are well-organized and thought out. The real deal usually has many, many inconsistencies that have to be dealt with. I always require real data to test any program I develop with, because otherwise it's just a nightmare at go-live time.
        • Re:the dumbasses... (Score:5, Informative)

          by SirSlud ( 67381 ) on Monday February 09, 2004 @06:25PM (#8231971) Homepage
          actually

          1. It's bad to develop with real data, because you make assumptions about what kinda of data you have to process. You should unit test the code, by *trying* to break it by using known invalid formats or invalid data to ensure that your software handles such input inconsistancies gracefully. As in, the only way to be sure your software won't core, or fork bomb, or enter an infinate loop is to test it on test data, which should be created by the developer.

          2. You're right about going live tho. You'd never go live with software before you QA'd it in the final go-around with the real data just to ensure you're not going to spend 2 hours upgrading a platform, and 2 hours backing out.

          Neither of these points has any bearing on the fact that, as a developer, you will (most of the time) have/need access to the real data at some point, so it really is up to the developer and the contractor to set out rules for the usage of the data, and even to have the developer sign an NDA of sorts to put the accountability where it should belong.

          What stories like this really highlight is the sorts of losses that can occur from outsourcing or contracting that dont often show up on a cost analysis of the project. The less control and supervision you have over your 'employees', the higher the likelihood that those employees may do something with their relationship with you that may damage the company. I've had numerous higher-ups in other companies pass me sensitive data just because they need something fixed as soon as possible, and they can't find the experience/ability in house, and I just think its a completely irresponsible way of conducting business. But if I did something dumb with that data, it wouldn't be my ass on the line, because I was handed that data with no legal documentation concerning how I can use it and what I can do with it. Then again, maybe lawyers might see that differently.

          All I know is that when it comes to outsourcing, its usually a gain in labour flexbility and cost effectiveness at the expense of a higher risk for the disclosure of sensitive information, be it data or security rights. It's a cost that employers can willfully ignore if they so choose, but again, I think its just bad business practices. Full employees have a far greater vested interest in the success of their employer and are far less likely to do stoopid things that one-off contractees have been known to do. That is, full time employees are more likely consider the legal and financial implications of how they go about providing solutions for product development. Employers hate that to admit it, tho, because it highlites the downside of a their utopian flexible labour force in which there exists little job security for the people actually doing the gruntwork.
          • "It's bad to develop with real data, because you make assumptions about what kinda of data you have to process. You should unit test the code, by *trying* to break it by using known invalid formats or invalid data to ensure that your software handles such input inconsistancies gracefully."

            That's not really what I'm talking about, though. For example, I've worked with databases where the CS department entered in all X's instead of physically deleting an address. Their programmers had simply coded to ignor
  • by Rosco P. Coltrane ( 209368 ) on Monday February 09, 2004 @05:37PM (#8231348)
    outsourced programmer posts highly confidential data to a public website, concerning the daily whereabouts of hundreds of children in upstate New York.

    In other news: Michael Jackson to move to NY soon.
  • by johndiii ( 229824 ) * on Monday February 09, 2004 @05:37PM (#8231351) Journal
    When you outsource, you run the risk that the individuals doing the work do not share your company or even cultural values. If you are not willing to take the time to make sure that your outside contractors are what you expect, this is the kind of thing that will happen. Few companies really understand this.
    • I'd have to say, and the article didn't indicate whether or not the originating company had indicated that the data was private and confidential. I've done data cleaning, analysis, report creation, etc. as an outsourced contract for a slew of organizations, nonprofits, government, and corporate--and I can't say the number of times I've been handed confidential data without any type of NDA or even a brief conversation stating this data is confidential. In fact, it happen so much, that we developed our own po
  • by wan-fu ( 746576 ) on Monday February 09, 2004 @05:38PM (#8231370)

    ... before everyone starts bashing on outsourcing, let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer. This could just as well happen on usenet with someone asking for programming advice from any company. It is the programmer who was not careful with data and the fault is on his side (and possibly the company who gave him the data and did not give him specific instructions for care of the data).

    • by sporty ( 27564 ) on Monday February 09, 2004 @05:47PM (#8231507) Homepage
      Yes, but when you sue, you can either sue the employee which you have a direct contract with for damages, or the company from which you outsource. With the case of the developer, he has a closer relationship, so is less likely to do wrong since he's not under the protection of a company. With the case of a company, you sue the company and the worse the company may do is fire them. Less vested intereste in what the big boss might say -- depends on who your big boss is.
    • by Dimwit ( 36756 ) * on Monday February 09, 2004 @05:48PM (#8231513)
      That's true - this could have happened with any company. However, to play Devil's advocate:

      Since this is an outsourced job, there is very little, if any recourse that can be taken against the person in question. Perhaps US companies will see this and think "whoa, if this happens to me, and somebody sues me...who can I sue?"

      It's sad that corporations are sending jobs overseas in the name of cheap labour. I frown upon the implications of the term "human resources". However, it's also sad that there are countries in the world poor enough that they can offer labour at those prices. I wish everyone had a standard of living equal to what I enjoy here, and I'm afraid outsourcing may be the way to do it. At this point, all I can hope is that the outsourcing is done in an ethical way - no sweatshops, no gang-ruled factories, no government corruption. Unfortunately, since money is involved, it suffers from all those things and more...
    • by Saeed al-Sahaf ( 665390 ) on Monday February 09, 2004 @05:48PM (#8231515) Homepage
      "let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer."

      Unscrupulous? No, just incompetent. Posting credit card numbers to some hacker site is unscrupulous; this guy's just too stupid to do his job.

      • by Frater 219 ( 1455 ) on Monday February 09, 2004 @06:20PM (#8231908) Journal
        Unscrupulous? No, just incompetent.
        No -- unscrupulous: lacking in moral measure; unable to discern the moral weight of one's actions.

        (A "scruple" is a unit of weight, don't you know.)

        Publicly posting government records of children's whereabouts is not a morally neutral act; it is a reprehensible one. The programmer in question was not, it is claimed, ignorant of the nature of the data he had in hand; he simply did not correctly value that data. He failed to make a necessary value judgment: that to post masses of information on children's whereabouts is, in our world, a wrong thing to do.

        It is not simply a stupid or ignorant thing to do. It is not simply incompetent, like writing C code with gets() in it, or turning in code to one's boss which won't compile. Rather, it is a form of carelessness that shows that one places no value upon that with which one has been entrusted.

        If you're the sysadmin of a mail system, reading other people's mail for fun is an unethical act. However, leaving the mail-system password lying around, so that random hooligans can read other people's mail, is also an unethical act. Not just stupid. Wrong. It shows that you don't value your users' privacy -- that your values do not match up with your users' values. That, while you may be competent to operate a system for them, you are not trustworthy to do so.

        That is a very different way to be bad at one's job.

    • by laird ( 2705 ) <lairdp@gm a i l.com> on Monday February 09, 2004 @05:49PM (#8231536) Journal
      "let's not forget that this problem isn't a result of outsourcing, but an unscrupulous programmer"

      I'm not sure it's "unscrupulous" as clueless. Whether he's paid as an employee, a consultant, or a sub-contractor, he's just as responsible to treat sensitive data appropriately. He should have been fired the first time, or at least warned in writing and fired the second time. Allowing this to happen three times exposes both the agency (who's responsible for managing its vendors) and the vendor to tremendous liability because they've obviously not taken this issue seriously.
    • My guess is that is incorrect. Programmers can certainly make mistakes like this one did. But when you hire programmers and staff to do things so cheaply, you give up the quality control. When you are dealing with personal information, quality control is extremely important. Its also not to say that that kind of thing can't happen in the US. But its unsettling for people to know that they can't even meet the person who is working with their personal information.

      If one of the programmers at a children's hos
    • by Kris_J ( 10111 ) * on Monday February 09, 2004 @05:54PM (#8231596) Homepage Journal
      You might think it looks like this on the outside, but the environment of outsourcing creates events like this by making it impossible to determine who's competent and who's not. There are so many degrees of separation between the company needing the work and the individual doing it that it's impossible to keep track of what's going on until it's obviously gone wrong or right. Also, outsourcing is so awful that the turnover is very high. This leads to excessive pressure on each new outsourcee as they get employed closer and closer to the deadline -- forcing them to take risks like these in order to do the job "on time". Outsourcing incubates problems like these.
    • by Perl-Pusher ( 555592 ) on Monday February 09, 2004 @06:11PM (#8231795)
      Didn't read the article eh? I'll post the important part.

      County attorney David Morris said that programming work for the day-care center had been outsourced to the locally-based Genesee Community College. The manager of the college's program refused to speak to a reporter, but Morris said Dennis was a third party consultant hired by Genesee. Dennis, in turn, used RentACoder to once again subcontract the database work, which ultimately fell to a New Jersey-based programmer. By that time, the programmer actually working on the day-care data was four steps removed from the county's social services program.

      So the gist is they outsourced to a CommunityCollege who then outsourced it to a website. The coder who answered the website not only didn't know what he was doing and tried to get someone else to help him, he probably had no idea the significance of the data to begin with. Since nobody who had a clue actually hired him. Outsourcing something that important is exactly what is wrong. I've seen companies outsource jobs that were essential to the well being of the company and nobody in charge (CEO,CIO) will admit that the reason the business failed was due to putting something critical in the hands of others who didn't have the same priorities as them. You should only outsource when the task is not critical and doing it yourself is too expensive. If it's important and you don't have the expertise, hire employees who do. Then when something is needed, you get it when you want it and how you want it. If neither is possible choose another line work.

  • Sad to say.... (Score:5, Interesting)

    by Tangurena ( 576827 ) on Monday February 09, 2004 @05:38PM (#8231373)
    Folks are too busy cutting back on employees to even think straight. This sort of thing has gone on before and will go on again. Just think of the hospital in Florida that outsourced medical transcription to someone, who outsourced it again, until eventually, some Pakistani woman was upset that that she was not getting paid, and threatened to release all of the info onto the web.

    This, and the Florida case will be brought up again and again. And I am sad to say that these are just the beginning of a long decline.

  • by Anonymous Coward on Monday February 09, 2004 @05:38PM (#8231375)
    I have seen some people spread data via slashdot comments encoded with base64 and encrypted. (anyone have a link to a specific occurance - at least one time someone decypted it and posted it) Could slashdot be used as a way to anonymously leak information like this, and use slashdot's general policy of "just mod to -1, don't delete" towards comments as an advantage? Unlike other forums, posting anonymously leaves nothing but a MD5SUM of your ip to be used in court. Also, if you "post anonymously" while logged in, slashdot caches your username. You can verify if you have mod points by noticing that even when you post anonymously AND change your ip address, you can't mod up/down the comment.
  • by Rosco P. Coltrane ( 209368 ) on Monday February 09, 2004 @05:39PM (#8231384)
    Officials at the New York State Office of Children and Family Services and in Livingston County, where the incident occured, are investigating. Livingston County's social services office is located in Lima, just a few miles south of Rochester, N.Y.

    If it's an outsourced programmer, shouldn't it be Lima, Peru?
  • by teetam ( 584150 ) on Monday February 09, 2004 @05:39PM (#8231390) Homepage
    Couldn't a "non-outsourced" developer make the same mistake? What does this have to do with outsourcing at all? Seems to be a very leading post to me, designed to generate the usual angry, anti-outsourcing replies.
    • I have tried so far to be patient and tolerant. To be patient and tolerant is to be a good person.

      But there is a line.

      Every person who is reading this article, every person who wrote this article, is wearing an "outsourced" shirt (maybe even made in India! look at your textile tag!), looking at an "outsourced" watch (usually Taiwan), staring at an "outsourced" computer monitor (again, Taiwan), and ready to drive home from their job which is "threatened by outsourcing" in their "outsourced" Japanese car. T
    • by totatis ( 734475 ) on Monday February 09, 2004 @05:49PM (#8231534)
      Well, yes and no.

      In theory, a non-outsourced developer can do the same mistake. But there is something important called relationship and trust.

      If a developer is in-house, if he has talked to clients, project manager, if he had be given a lecture on how the data is sensitive, you can bet that this developer will not mistakenly post that data on the web. Sure he can be corrupted, but that's not what happened here.

      On the other hand, if some code-monkey receives some coding to do for an unknown company, in an unknown place, for an unknown application, and he is given a set of data not knowning what it is, then he might publish his data without knowning what he is doing.

      The "outsource" stuff is important, not because of some "save jobs" issue, but because it implies the developer should never had received this data in the first place.

      If some company/government entity outsources some programming job, it should give said developers only fake datas. And administration jobs with access to the real datas should be done by trusted guys.
    • by L-Train8 ( 70991 ) <Matthew_Hawk@ho[ ]il.com ['tma' in gap]> on Monday February 09, 2004 @05:53PM (#8231582) Homepage Journal
      Government agencies deal with sensitive data all the time, and have carefully developed practices and policies in place. These have been developed over years and are part of the culture of the workplace.

      When you outsource to a company that specializes in IT work, and that gets outsourced to a database contractor, the sensitive data is no longer in an institution used to handling it. Yes, you might have an unscrupulous or incompetent coder in your orginzation, but you are far more likely to have a problem when you hire someone because they are cheap and they can code. The instititional controls and culture that protect the data are not in place after 3 degrees of outsourcing.
    • The morons who gave the september 11 hijackers visa extensions AFTER 9/11 are still working for the government. That wasn't outsourcing. I don't see how a worker for the government agency involved couldn't have made the same mistake.
  • by RedHat Rocky ( 94208 ) on Monday February 09, 2004 @05:41PM (#8231412)
    As much as I feel the outsourcing trend is not a good move, both for my career path and the US industry in general, this 'news' neither adds nor subtracts from the debate.

    It would be better titled:

    "Idiot makes mistake, exposes private data to Net. Sound thrashing in progress."
    • "Idiot makes mistake, exposes private data to Net. Sound thrashing in progress."

      Of course, the thrashing could be inflicted faster & with less preliminary legal wrangling if the culprit had been a regular employee & not an outsourced "consultant."

      Regular employees take employers to court after the thrashing. Outsourced consultants have to be taken to court before the thrashing.

      • Interesting, but neither case affects the main thrust of the sensationalism: "Private Child Data on Net, posted by moron".

        In both cases, a person made an error in judgement. The relation of that person to their employer does not have an impact on their judgement, IMO; regular employees and consultants are both equally capable of making bad decisions.

        Yes, it was bad that the data was posted. That the individual was outsourced is irrelevant.
      • "Of course, the thrashing could be inflicted faster & with less preliminary legal wrangling if the culprit had been a regular employee & not an outsourced "consultant.""

        Actually, it's far easier in most states to manage a consultant or vendor than an employee, because employees are covered by labor protection laws, while vendors have to live up to their contract. So if the contract is at all reasonable, their should be immediate, significant financial penalties for their violating professional ethi


  • How do you feel about outsourcing the programing done on medical record programs?

  • Is it really gone? (Score:5, Interesting)

    by AndroidCat ( 229562 ) on Monday February 09, 2004 @05:41PM (#8231415) Homepage
    I wonder if they've checked the wayback machine at archive.org.
  • Medical Industry (Score:4, Insightful)

    by jamonterrell ( 517500 ) on Monday February 09, 2004 @05:41PM (#8231417)
    Those in the medical industry such as myself have a deep understanding of these issues. The government of the United States identified the amount of this kind of sensitivy in the information that we keep, and decided to pose some restrictions on how we handle it. For those who are interested, feel free to google for "HIPAA," and be sure to read over the consequences for disclosing "PHI" to unauthorized sources. Perhaps these kinds of sensitive information handling rules should be global, and not industry-based?

    Jamon
  • Peer ethics (Score:5, Insightful)

    by Montreal Geek ( 620791 ) <marcNO@SPAMuberbox.org> on Monday February 09, 2004 @05:41PM (#8231421) Homepage Journal
    Ethics are hardly involved. This is a question of raw stupidity.

    That he has even tought of posting his customer's true dataset is inforgivably moronic. Whether it was data on children's whereabouts, credit card information, or even "just" accounting information on some business.

    While it is true that not revealing your customer's data is the ethical thing to do, it's also just plain ol' common sense.

    Though I should perhaps say vintage common sense. Seems that product has been discontinued for some years now.

    -- MG

  • Shock, horror (Score:2, Insightful)

    by donnz ( 135658 )
    OMFG an "outsourced" programmer makes a mistake. Well if case this doesn't protect your holy US of A jobs then nothing will. Pesky foreigners.

    a user named Mark Dennis, stuck with a tricky formatting issue, posted his question to RentACoder.

    Chist, they're even stealing our anglo saxon names, is there no end to this perfidious threat?
  • I see several problems:

    1) Looks like the IT work was being done on a budget. I mean they are not hiring Anderson to do this stuff right (OK, bad example, I know...)

    2) But someone was paying SOME money if it could be subcontracted multiple times and the work was getting done...or was it.

    3) It looks like it was contracted DOWN past someone's ability to do the job. It is kind of the opposite of the Peter's principle. Non interesting IT work keeps getting pushed down the chain until it is in the hands of
  • Yikes! (Score:4, Insightful)

    by eli173 ( 125690 ) on Monday February 09, 2004 @05:48PM (#8231518)
    County officials have not yet determined if they will tell the families involved about the incident.


    "It's kind of a shock," said Morris, the county attorney. "Right now we are consulting with the state office ... to find out what we've got to do."

    "not yet determined"!?! Those parents should be informed so they can be alert for trouble.
  • by ezraekman ( 650090 ) on Monday February 09, 2004 @05:49PM (#8231535) Homepage

    The fact that the data went through multiple levels of subcontractors doesn't bother me, so long as each has signed the appropriate waivers and so long as each have been checked out enough to be trusted with the data. But there's no excuse for leaving proprietary and/or sensitive information out there, unprotected.

    Password-protecting an entire directory is trivial. 20 seconds to a seasoned user, or a few minutes in a web interface for a newbie. This info wasn't just accidentally left unprotected; it was intentionally posted to a public-facing site, in an attempt to attract programming assistance. This, on it's own, could easily be called criminally negligent. But after being warned of the potential consequences and posting it again the following day... that's verging on knowing child endangerment. Use dummy data, for crying out loud!

    Everyone makes mistakes, myself included. I'll admit to posting members-only data in a public area once or twice. But once you know about it, there's no excuse to not fix it. This guy should probably be prosecuted. And while I hope the families get notified... I seriously doubt most of the affected families will ever find out.

    Oh... and write this story down, boys and girls. This is yet one more nail in the coffin for TIA-styled programs. "Oh, we're very careful with our data." Right.

  • by hellfire ( 86129 ) <deviladv AT gmail DOT com> on Monday February 09, 2004 @05:49PM (#8231539) Homepage
    First of all, the article is fanning the flames by saying this is a database of children's whereabouts. Okay, this is a problem, but then again it doesn't matter if its children or anyone, it just gets "oh please save the children!" sympathy clicks.

    It also doesn't address what I think the biggest problem is. It's obvious to me someone assumed this bozo of a programmer had some not-so-common-sense about posting information to a website. I deal with customer data all the time, and my company has taken some steps to make it a little harder for people who should not need the data to not get the data, and our data exchange policy clearly states "Do not give this data to anyone outside of this company or you will be beheaded!"

    I get to this day accountants in our company saying "why can't I peek at this customer's data" to which I reply "Do you have a signficant need? If so, tell your manager to talk to my manager, and I'll be happy to give it to you." I get nothing after that. The customer data we have is for support and development use, not an accountant who has no use for inventory and sales information (at least not in this company). It is also freely accessible amongst those people, who typically only share it within others in their department.

    One day a manager might get an idea that looking at a customer's data might give them an idea of their open bills, but that might be unethical or illegal so until a manager says to give access, I won't.

    My point is, it could be that the policy was not pounded into this dolt's head, or that a proper data exchange policy even existed. If so, he's still a dumbass, but companies frequently hire dumbasses, which is why you sometimes need a policy to help prevent dumbass behavior. The article puts full blame on the programmer and doesn't really give any blame to the company who hired him.
  • by Anonymous Coward on Monday February 09, 2004 @05:50PM (#8231549)
    I work at a company that makes software for viewing printer protocols (PCL, HPGL, etc.) As such, we often receive problematic files from customers which do not view properly in our viewer.

    You would not believe the sensitive information we receive. People don't even think about the ramifications when they send us, for example, somebody's high school transcript, or mortgage closing documents, or people's credit reports. We have secret inventory lists for competing companies, each of which would probably kill to get their hands on that information. We have "insider" information on the international banking industry. We have medical records. Prison records. It goes on and on.

    Because of this, we have an extremely tight document policy. Data exists on paper only long enough for testing purposes, then it is destroyed. The bug tracking database is purged of old test cases on a regular basis. Customer files never leave this office, in paper form or otherwise.

    In fact, as I write this message, I can think of several ways that we should probably be even more paranoid. Fortunately, the officers of the company take our responsibilities very seriously, and there has never been any serious breach of customer confidentiality. I hope there never is.

    The programmer who posted identifiable information to a public web site, because he was too incompetent to solve his own problems, is an idiot who should be fired and beaten with a wicker cane.

  • by forand ( 530402 ) on Monday February 09, 2004 @05:53PM (#8231575) Homepage
    I hope that the police in upstate New York correlate the kids whose information was posted and missing children reports.

    Also for everyone who says: "This could happen with an American programmer just as easily." Yes that is true but you could punnish that programmer but you will have a hard time punishing programmers in other countries.
  • by Saeed al-Sahaf ( 665390 ) on Monday February 09, 2004 @05:53PM (#8231579) Homepage
    Unscrupulous coder? No, just incompetent. Posting credit card numbers to some hacker site is unscrupulous; this guy's just too stupid to do his job. But look at this part of the MSNBC story:

    "It's not likely all those visitors unzipped the attached database, but there's no way to know how many did, according to RentACoder CEO Dan Ippolito."

    This company is so damn stupid they don't know how to check their logs to see how many times that file was downloaded,

  • by belmolis ( 702863 ) <billposer@@@alum...mit...edu> on Monday February 09, 2004 @05:56PM (#8231619) Homepage

    What happened here is certainly appalling, but I'm not so sure that outsourcing is the main problem. Outsourcing arguably increases the risk of problems of this sort because an in-house programmer is more likely to know the rules of the game, but this seems to me to be a fine point. On the one hand, in-house IT staff are not necessarily going to be well-informed about privacy issues and the nature of the data they are working with. On the other hand, it is perfectly possible to make such constraints clear to contractors and to make them part of the contract.

    It seems to me that there are several other issues here as well. For instance, why would any programmer be working with the whole, real database? I can see that if the job is convert an irregularly formatted text file into a usable database, but that is about the only situation in which the programmer needs the real data. Otherwise he or she just needs to know what the data looks like. If sample data is needed, it can be a small subset, and critical information can be camouflaged. Of course, the same applies to the programmer asking for help on RentACoder. There's no need for him to post his whole database.

    It seems to me that the real problems here are:

    • the programmers shouldn't have been working with the full, real database in the first place
    • confidentiality requirements weren't spelled out.
  • by andy1307 ( 656570 ) * on Monday February 09, 2004 @05:56PM (#8231622)
    That's how personal details about hundreds of children ended up on the Internet. A user named Mark Dennis, stuck with a tricky formatting issue, posted his question to RentACoder -- and attached a zipped copy of the database he was working on.

    This work was outsourced, not offshored. This article has obviously been posted to show how outsourcing threatens the future of our children. This work wasn't offshored. It was done by an American programmer. If outsourcing is bad, why did the navy outsource a 5billion $ chunk of IT work to EDS?

  • by FunkyOldD ( 633953 ) on Monday February 09, 2004 @05:57PM (#8231630)
    [paranoia]

    This is one of the things that really concerns me about offshoring. As US corporations keep outsourcing software development to another countries, the confidential data will inevitably move there too.

    How long before private information like credit histories, medical records etc. is leaked out from some company in Bangalore?

    Imagine being blackmailed by someone in a third world country. Given the state of law enforcement over there, you would have no legal recourse.

    [/paranoia]
  • by gokubi ( 413425 ) * on Monday February 09, 2004 @05:57PM (#8231634) Homepage
    It's great to see how different news orgs handle headlines. MSNBC makes pains to name the Government as the offender in it's headline, "Government agency exposes day-care data". Slashdot is a little less breathy and indicates the true source of the leak, the out-sourced coder.

    Both could be called correct, but more interesting is how the positioning of the story indicates the inclination of the news source. MSNBC is part of the mainstream news establishment that has been telling us for years that the government hasn't done a good thing since kicking the British out of Yorktown.

    Slashdot speaks to a lot of developers who don't ever want to work for a place called "RentaCoder", and don't have a lot of respect for anyone who would.

    Personally, I much prefer the Slashdot take on the story.

  • The Real Kicker (Score:4, Interesting)

    by stoolpigeon ( 454276 ) <bittercode@gmail> on Monday February 09, 2004 @05:58PM (#8231642) Homepage Journal
    is this little bit at the end of the article

    County officials have not yet determined if they will tell the families involved about the incident.

    If that isn't sick I don't know what is. I thought it might be more like 'haven't decided how to tell....' not IF they would tell

  • by John Murdoch ( 102085 ) on Monday February 09, 2004 @05:59PM (#8231655) Homepage Journal

    If you're an independent consultant, your insurance agent has probably mentioned "Software errors and omissions" insurance to you. Software E&O coverage is written to protect your ass(ets) in the event that you colossally screw up and do something that gets your client's client answering awkward questions from major news organizations. (A colleague once observed that, "if, when you walk in the door in the morning, your secretary says that a CBS producer is on the phone trying to schedule you for an interview with Mike Wallace, it's probably a bad day.")

    Suffice it to say that if Mark Dennis doesn't have Software E&O coverage, he's going to wish he did. Because he's going to get so sued. Along with the community college, the government agency, and everybody else involved.

    Getting sued, however, is the least of this bozo's worries
    If he has insurance, it might cover his liability exposure. However, his real problem is the civil fines he is going to have to pay--and no insurance policy in the world will protect you from a criminal court sentence. He'll get a whopping fine--but I doubt he'll do jail time. Unless, that is, somebody can demonstrate that a child molester used the database to identify a victim and attacked him.

    There's an important point here
    The software community should make it ABUNDANTLY CLEAR that this dumb cluck should have the book thrown at him. We have absolutely zero sympathy--and when his attorney (with nothing else to argue) says "it was all a tragic mistake..." somebody needs to stand up and yell, "LIES! LIES! DAMNABLE LIES!" This was willful, deliberate, with knowledge aforethought stupidity. And this jerk deserves to get run up the (proverbial) yardarm for it.

  • Simple... (Score:4, Informative)

    by Vrallis ( 33290 ) on Monday February 09, 2004 @06:00PM (#8231671) Homepage
    :%s/[A-Za-z]/X/g :%s/[0-8]/9/g

    Simple. Just obfuscate it, and you can pass it around for people to help with formatting issues all you want. I've done that with payroll data plenty of times.

    Just two lines or vi commands could have saved this guy so much trouble....
  • by LilMikey ( 615759 ) on Monday February 09, 2004 @06:06PM (#8231739) Homepage
    But it is about outsourcing in general. Any company with a good amount of highly sensitive data should maintain a chain of trust across their IT personel. Everyone working on the data should have at least some idea of how sensitive it is and what has to be done to protect it. You don't get that from shoving the work off on the lowest bidder. There's a reason they ARE the lowest bidder...

    And Rent-a-coder? Come on... it's looking for trouble when there are thousands of out of work programmers of varying quality and you're asking for the cheapest? Crikey! Programmers working on crap data are getting slammed with soul-stealing NDAs and these wankers are forking off kid's names to some shmuck on a glorified web-board? Again I say outsource the management, keep the programmers.
  • by Satan's Librarian ( 581495 ) * <mike@codevis.com> on Monday February 09, 2004 @06:07PM (#8231753) Homepage
    From the speed of the RentaCoder site, I'd say a lot of unemployed slashdotters want to be 'outsourced programmers' too....

    I looked too... I'm not sure which is worse though - the fact that the prices on the projects are beneath a living wage for me to consider bothering with them (I'd make more as a barista or a dishwasher), or that half of them seem to be helping some dishonest schmuck in a CS class cheat on his assignment so there will be more clueless dorks that can't program their way out of a paper bag holding CS degrees out there applying for jobs.

    I'm cool with competing with Indians - for the most part the Indian coders I've met worked their asses off and knew their stuff, even if they might be willing to do it for half the price I'm used to commanding. If I was in their shoes, I suspect I'd do the same. Feeding your family is a good thing....

    It's all the people that fill their resumes with keywords for technologies they don't understand and couldn't use if their lives depended on it that clutter up the application inboxes that annoy me. HR departments encourage that behaviour, as do hiring managers that can't tell the difference, but it still pisses me off - both when I end up having to interview such cluebags and show them to the door, and when I'm competing with them for a job.

  • by fatray ( 160258 ) on Monday February 09, 2004 @06:10PM (#8231784)
    OK the coder screwed up.

    The primal problem is that the government agency gave the data to their outsourcing provider. That data should have never left the secure area of the government. Once it is out, it is out. It doesn't matter whether it has gone to Gennessee CC or RentaCoder. Posting it on the web is just a matter of degree.

    Everybody is ready to hop all over this clueless coder and blame everybody's favorite boogie man of outsourcing. There is a manager back in the government that originally disclosed the data.

    Don't tell me about NDCs. The first rule of confidential data is NEED TO KNOW. It would have taken someone 15 minutes to put in some dummy data for the programmer to work with, but they couldn't be bothered. Now that person wants to crucify the programmer.

    The programmer who screwed up is only the last (and most visible) in the chain of screw ups.
  • by Anonymous Coward on Monday February 09, 2004 @06:26PM (#8231982)
    You get what you pay for.
  • by bugnuts ( 94678 ) on Monday February 09, 2004 @06:42PM (#8232166) Journal
    If the kids were under 13yo, the programmer could have violated COPPA, the Children's Online Privacy Protection [ftc.gov] Rule.

    In other words, this guy could not only have given a black-eye to the county, but he could even go to jail for it.

    If the information lost can be linked to a crime against one of the kids (no matter what age), he better have a good attorney. Gross Negligence and Reckless Endangerment come to mind.

  • Ewwwwwwwwww (Score:3, Informative)

    by GoMMiX ( 748510 ) on Monday February 09, 2004 @07:13PM (#8232491)

    "County officials have not yet determined if they will tell the families involved about the incident.

    It's pathetic that they even question whether or not to inform the parents. That's like publicly saying; "Hey, we know we screwed up BIG, we know the media knows, but we're not quite sure if we're going to try and cover our own asses yet or not."

    Knowingly endangering a child in any form is a felony. This is simply more proof that allowing the government to act with relative impunity results in criminal acts against citizens. The county is responisble for the leaked information and should be responsible for securing the daily activities of those children, to ensure the leaked data does not allow any harm to come to them.

    When I was seven years old, my day-care center had 'accidently' released confidential information about myself and several other children in their care. The day-care center cared for somewhere around 70 children. The leaked information was found in the posession of a convicted child molestor. By the next day, the day-care center was shutdown and the city had filed criminal charges against it's owner and two employees at the facility.

    Why is it that when the government does it, everything is not only OK -- but they're not even sure they should bother wasting their time to inform the parents/guardians that their children have been placed at risk.

    This bogus trash needs to stop, the government has to be responsible for it's actions. They violate laws on a regular basis as a part of their daily operations. Enron is almost perfect compared to our own government.

    That's pitiful.
  • California SB 1386 (Score:5, Insightful)

    by JohnsonWax ( 195390 ) on Monday February 09, 2004 @07:38PM (#8232736)
    California has a bill designed to deal with these situations, though it's not clear if it would apply to this specific situation.

    http://info.sen.ca.gov/pub/01-02/bill/sen/sb_135 1- 1400/sb_1386_bill_20020926_chaptered.html

    The problem is that the bill is designed for data theft, not for dipshits giving it away for free. Nevertheless, the bill requires that consumers whose data has been stolen be notified through viable means - email, letter, public notice if they can't be identified. Fines to the company for not doing this and the person responsible for the data is open to civil action.

    The main problem I see from the article is that the impacted individuals may not be notified, which is just wrong. Granted, this kind of thing probably can't prevented (minimized, yes, stopped, no) but there's a right way to address the problem and a wrong way. At least notify the affected people of what's happened.
  • by openmtl ( 586918 ) <polarbear@btintern e t . com> on Monday February 09, 2004 @10:31PM (#8233975) Journal
    This lack of personal privacy is very much a US-centric concept which divides the EU-US. The EU has a lot more stringent personal privacy and it would be in the interests of slashdotters to read the contents of the e.g. UK Data Protection Act [hmso.gov.uk] and petition your own local legislators to get this mapped into US law. (substitute President for Majesty and Senate for Lords and Congress for Commons - the law is quite clear). Companies will squeal but its a fantastic law for citizens (voters).

    Like many others I'm down as a Data Controller within the meaning of the Data Protection Act. I take this role very seriously even though I have just a few personal details, but also because I have access to a lot of other records and I view it from the point of view of: what if it was MY personal data that was being copied about ? My declaration also states that any data never leave the EU. Personally I see any data sent to the US as secure as posting it on the Internet. Good to see the actual US government confirming my views.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...