Invading Privacy for School Credit 422

veryloco writes "Students in Prof. Avi Rubin's Security and Privacy course at the Johns Hopkins University completed a project where they gathered as much public data on residents of Baltimore City as possible. One interesting fact was that 50 deceased persons voted in the last election. Read on to find out what other interesting tidbits were discovered."
  • by Kittyflipping ( 840166 ) * on Wednesday May 18, 2005 @12:07PM (#12567393) Homepage
    You know what that means... Zombies!!!
  • by kevin_conaway ( 585204 ) on Wednesday May 18, 2005 @12:07PM (#12567400) Homepage
    Sorry this is off topic but is anyone else enamored with the way IHT formats their articles?
    • by Cecil ( 37810 ) on Wednesday May 18, 2005 @12:14PM (#12567480) Homepage
      Absolutely! Also, I love how you can click on the right half of the article to move to the next page, or left side to move back... it's completely contrary to web standards but it's so useful that I just love it anyway. The whole website's entirely Firefox compatible, has no shitty floating javascript toolbars or other garbage

      I regularly point to it as an example of excellent corporate webdesign, but I don't think it gets NEARLY enough credit. It's a fantastic website.
    • Enamored? No, more like "enraged" - if you are running Javascript disabled you simply cannot view any aspect of the story - unless you use the "View->Use Style->None" option of Mozilla to strip all the stupid formatting BS out.

      Once again: it is FINE to use JS to enhance your web site, but making it a REQUIRED part of your site is foolish.
    • Love it. And, it's nice that, at the end of the article, your 'back' button takes you back to the previous site [/.] rather than the previous page.

      I'm sure some won't like it b/c of some programming incompatibility, but as a reader, it was very nice.

  • by Nom du Keyboard ( 633989 ) on Wednesday May 18, 2005 @12:09PM (#12567423)
    50 deceased persons voted in the last election.

    But how many of them are still posting to Slashdot?

  • When did they die? (Score:5, Insightful)

    by millahtime ( 710421 ) on Wednesday May 18, 2005 @12:11PM (#12567445) Homepage Journal
    50 deceased persons voted in the last election

    Ah, but did they die right around election time? Could they have sent in an absentee ballot before they died? Or did they die on election day after they voted? Not having all the info can lead to misleading ideas in our overactive imaginations.

    Or, it could be like the earlier post... zombies or ghosts.
    • by Anonymous Coward
      They probably all had heart attacks when Bush won.
  • by Kainaw ( 676073 ) on Wednesday May 18, 2005 @12:14PM (#12567483) Homepage Journal
    There is a lot of public data about everyone. Basically, any transaction you do with a government office or agency is public data. If someone views that public data, how are they invading your privacy?
    • This is called sensitive information. Public, but it should still only be made available to people who will not abuse it.

      There is enough public information about most people to destroy them. (mostly financially, but there are other ways to destroy someone, with or without killing them) That information needs to be public, because there are honest uses for it. However it needs to be restricted who can access it because of the damage they can do.

      Cemetery records are public. They should not be availa

      • I understand your overall point, I disagree with you with respect to cemetery records. If they were readily available, it would (presumably) be easier for those in charge of voting to prevent the dead from voting than it would be for someone to use that dead person's name to vote.

        Additionally, those of us interested in genealogy find our research much easier where cemetery records are available.

        Being dead is one state of health that should not be considered private. :)

      • Either it's public or it's not. There's no such thing as "public, but sensitive." That just means that if someone wants to destroy you, they have to know their way around courthouses and city halls. Hardly a correct way to run a democracy.
    • by AAAWalrus ( 586930 ) on Wednesday May 18, 2005 @01:04PM (#12568107)
      If someone views that public data, how are they invading your privacy?

      Consider this metaphor: Someone is talking very quietly on their cellphone in a public park. If someone sits on the bench beside me and intently starts listening in on my conversation, at what point does that person's actions become an invasion of my privacy?

      You're getting caught up in the semantic differences between "public data" and "privacy". "Public data" is simply defined as information that can be obtained legally and freely. "Privacy" though means different things in the literal, personal, and legal senses. And then we wonder about exactly what it means to "invade" one's privacy. Regardless of whether the data about me is public or not, if someone learns something about me I don't want them to know, I can consider that an "invasion of privacy".
  • by GQuon ( 643387 ) on Wednesday May 18, 2005 @12:14PM (#12567487) Journal
    1500 dead people were registered to vote. But did they join those records on SSN or some other unique identifier? There might be some cases of people with the same name, right?
  • invasion? (Score:3, Interesting)

    by spoonyfork ( 23307 ) <spoonyfork&gmail,com> on Wednesday May 18, 2005 @12:15PM (#12567504) Journal
    How is a sustainable and legal business model of data warehousing and resale an "invasion" of privacy?

    • You should ask that question when some psycho you piss off figures out where you live. I'm sure after said psycho visits your house in the middle of the night and delivers you a flaming-hot UFIA [wikipedia.org], you'd probably be pretty pissed that your info was available to the public too.
      • According to your hypothetical situation the actual invasion of my house is the invasion which according to various state laws would be illegal.

        I fail to see how the possession and sale of legally obtained data is a threat to anyone. Like guns or automobiles it is the use of the product that determines the threat or legality. For example it is not illegal for me to own and drive a legally purchased and registered car. However it is illegal for me to drive the car in a way that violates traffic laws such as

        • Re:invasion? (Score:3, Insightful)

          For example it is not illegal for me to own and drive a legally purchased and registered car. However it is illegal for me to drive the car in a way that violates traffic laws such as running red light.

          For counter-example, in most states it is illegal for you to own lockpick tools, switchblade knives and machine guns. Such ownership causes no harm to anyone yet they are significant enough enablers for you to potentially do harm that your possession of them is outlawed.

          Similarly your acquisition of perso
          • Similarly your acquisition of personal information is a significant enough enabler for you to do harm to the owner of that information that such possession should be outlawed.

            The multi-million dollar industries of data collection and direct marketing completely disagree with you. They believe personal information is a commodity to be collected, bought, and sold. This action is not illegal or harmful to anyone.

            For counter-counter-example, there are many perfectly legal and countless highly profitable re

  • by maczealot ( 864883 ) on Wednesday May 18, 2005 @12:16PM (#12567516)
    The "privacy battle" was over long ago. This article just shows how slow senators can be in figuring stuff out. Sadly no legislation is ever going to put the horse back in the barn. Granted, things like public offices handing over entire databases burned to CD MIGHT (depending on the data) be preventable. However as anyone who comes to slashdot should know, social engineering works great.
    So what is the solution? Just prepare for your identity theft now, keep good records and generally don't be a jerk to those you post about and email. Because it's all out there.
    • "Sadly no legislation is ever going to put the horse back in the barn."

      True. What could have been more interesting is if the students in the class targeted legislators (state or federal) rather than generic residents of Baltimore.

      Regardless of whether one considers this data "private" or not, there is a lot of *personal* information available in the *public* domain. Maybe if lawmakers were themselves targets and it was shown just how much information can be collected, organized and collated they would
    • If you maintain a totally horrendous credit rating, no one can steal your identity...
  • Necromancy (Score:5, Interesting)

    by Doc Ruby ( 173196 ) on Wednesday May 18, 2005 @12:17PM (#12567534) Homepage Journal
    Rubin has been one of the people screaming the past few years about how easy the elections would be to hack. Now it seems that he's widened his scope, showing how much of a joke is any attempt at precise counting of so many people.

    We need election laws that guarantee the margin of victory is larger than the sampling error. In fact, we need a law that requires the office get at least a simple majority (50%) of the eligible voters, or it goes unfilled. With so few eligible voters actually voting, that would force districts to hold runoffs, and parties to get out the vote. Or just get outnumbered by the representatives from districts which do turn out. Put a little competition into our rotten voting system, and cut out the deadwood.
    • How about forcing people to vote, make it mandatory. Fine them if they decide to stay home on election day, in the way of income taxes. Don't Vote? Fine.. You get $250 less this April (or you end up paying $250 more.)
      • Re:Necromancy (Score:4, Insightful)

        by Doc Ruby ( 173196 ) on Wednesday May 18, 2005 @12:52PM (#12567952) Homepage Journal
        Paying or forcing people to vote makes them hate the system even more. People get a lot back from paying taxes, but they're universally hated. Voting is mainly a way to get people to accept the winner, secondarily (by a large margin) useful as a way for people to choose the best government. Instead of a big carrot/stick apparatus that alienates people from our government, let's see simple competition get people to back their own interests - or abandon them, if that's their level of apathy. They can always "take back" their representation just by going to the polls. Just like now, except it's not so obvious that people get motivated.

        Of course, leaving unpopular seats empty isn't a silver bullet. People should be able to cast votes anytime in the month of November. A floating federal holiday, schedulable any time in November, should be validated with a poll receipt. And the feds should allocate each voter a unique, one-time voter ID# discarded upon authentication at the polling place - even if that's a telephone. That would at least make voting as convenient to modern voters as the old way was for ancient voters.
      • Then you'll get the occasional person not listed who is prevented from voting so they are now criminals.

        Happened to some people in Brazil, where it is mandatory to vote.

        Link not handy.

      • Internet voting is the key. Many more people would participate if it took only 2 minutes to do so. I really hope they figure this out soon.
    • This has got to be the dumbest thing I've seen on /. for a while. Speaking of the dead, why not dig up Jefferson and ask him what he thinks of this idea? If somebody doesn't care enough to vote then I don't want them to vote, and obviously they don't want to vote either. What good purpose would your idea achieve?

      I would hope that if your idea ever gets any serious consideration that those pushing for it will be unhypocritical enough to insist that their method of voting be used to pass such a law. Put

  • multitiered privacy (Score:2, Interesting)

    by Felgerkarb ( 695336 )
    I suppose this is a good opportunity to suggest an idea I have about protecting private information. There is a whole spectrum of sensitive information about a person, and a similar range of people who want every last tidbit of information completely private to those who are clueless or just unconcerned. There obviously should be a middle ground that allows for reasonable exchange of reasonable information, but protects that which is truly sensitive.

    I've thought, and I'm interested in (constructive) comme

    • This sounds like a good idea, but I don't think it would work very well in real life. As you noted, a central repository would have some major concerns. If the information is stored in different systems then it could be difficult figuring out who to contact to inform that x information should be tiered up. Also, what limit would you have in being able to move things into more sensitive areas? I'm sure that there are privacy advocates who, under this system, would want ALL their information "red" "I want
    • And what about those who don't wish to participate? Is there a black level which indicates that the data is not in the data base, and should the data become available to the database through whatever means then the data is rejected (ie, not inserted into the database)?

      The problem most people have with the data being publicly electronic is not that it's available - the problem is that it becomes easy to correlate with other public (or private) information.

      Your 'solution' pre-correlates all that data,
  • Misleading Title (Score:4, Informative)

    by shancock ( 89482 ) * on Wednesday May 18, 2005 @12:19PM (#12567553)
    This article appears in the NY Times today http://www.nytimes.com/2005/05/18/technology/18data.html? [nytimes.com]
    and the primary focus of the article is on how easy it is to steal identities on line using legal methods and less than $50.

    The slashdot title implies that a college course was used to invade the privacy of Baltimore individuals. This is most misleading. While this is nothing new to most readers here, the significant thing is that this article is in a mainstream media publication and may help to strengthen some of the right to privacy laws that are currently under the gun.

  • Engineering (Score:5, Funny)

    by COMON$ ( 806135 ) on Wednesday May 18, 2005 @12:20PM (#12567558) Journal
    "or simply "asked nicely" - sometimes receiving whole databases burned onto a CD"

    once again proves that geek security is compromised by cleavage or the promise that someone likes you.

  • by Close_Enuf ( 870643 ) on Wednesday May 18, 2005 @12:20PM (#12567565)
    Bart: "Oh my God...the dead have risen and they're voting Republican!"
  • One interesting fact was that 50 deceased persons voted in the last election.

    That's the kind of thing that makes you proud of being an American.
  • ...completed a project where they gathered as much public data on residents of Baltimore City as possible

    Where's that? Is it near Baltimore?

    • Re:Baltimore City (Score:4, Informative)

      by Jurph ( 16396 ) on Wednesday May 18, 2005 @12:34PM (#12567715)
      "Hons" (residents of Baltimore) make the distinction between "Baltimore City" and "Baltimore County" in their writing. Hearing just one can be confusing unless you know the local geography, and realize that just the word "Baltimore" refers to a large number of towns (like Towson) that are part of Baltimore but are actually in "the county". This map [bcinfobank.com] shows the difference.
      • by Tassach ( 137772 ) on Wednesday May 18, 2005 @01:14PM (#12568245)
        "Hons" (residents of Baltimore)
        Not all residents of Baltimore are "Hons". Hons are folks with a distinctive accent, who generally reside in east Bawlmer neighborhoods like Dundawk and Hollinton, and watch the Owes and go bohlin.

        The true moniker applicable to any resident of Baltimore is, of course, Baltimoron.

  • Privacy for the rest of us.

    The only benefit of openness comes with elected officials, government appointees, government contracts, campaign financing etc being available to us.

    Everyone else deserves privacy.
  • B'More! (Score:2, Interesting)

    by srock2588 ( 827871 )
    It's actually true, the city has more than just crabs, heroin, and hospitals! Not to mention syphilis and a yearly contender for US murder capital. Now they are a hot spot for identity theft, yippee! It's still better than moving to Virginia.
    • How could you possibly leave out rat fishing. I don't think you really live there. ;-)

      Now, if you told me you were going 'downeoshun' this weekend, I might believe you.

      And, yes, living in VA sucks, but the part I'm in is mighty pretty most of the year, and that partially makes up for the high total tax bill and the lack of any thought of consumer protections.
    • Ouch, you sound like me during my freshman year at Hopkins. B-more is okay once you find the good bars.
  • by Jumbo Jimbo ( 828571 ) on Wednesday May 18, 2005 @12:31PM (#12567694)
    I think that the original headline to this article isn't the most informative - Invading Privacy for School Credit

    I'd say that the opposite is true - this information is in the public domain, and the students were able to demonstrate how easy it is to access and collate, thus stimulating debate (look, we're having a real debate, on Slashdot!).

    Invasions of privacy, in my mind, constitute one of two things. 1) Attempting to make someone reveal personal information about themselves that they may not want to, or 2) revealing data on someone else that you have not been given permission to reveal.

    While some of the original sources of the data that the students used could have invaded privacy to get the data, by using data already in the public domain the students weren't invading privacy.

    If they'd acted illegally or persuaded someone to breach someone else's privacy as part of the project, that would be another thing, but the students weren't allowed to do that as part of this project.

    • or 2) revealing data on someone else that you have not been given permission to reveal.

      And I think that's just what we're talking about here. Whenever you reveal personal information to a 3rd party, there's an implied contract that they won't post it publicly. Let's say I give out my SS# to a creditor. That doesn't mean the credit card company has the right to give that information out to just anyone who asks for it.

      While some of the original sources of the data that the students used could have i
  • by bubba_ry ( 574102 ) on Wednesday May 18, 2005 @12:32PM (#12567700)

    This reminds me of a news item I saw/read about 1-2 years ago where a student wanted to see if he could map out the U.S.'s infrastructure given public records/information. He was extremely successful in that he mapped out whole power grids, telecom lines, subways, etc and overlaid them all. Much to his dismay, he was held from presenting this (his doctorate thesis, I believe) by the Feds who worried that terrorists would want to get their hands on the info.

    And if you're a terrorist, that makes sense; someone else has already done the work for you and provided additional instructions on how to do so. On the other hand, this poor guy can't complete his work. And all he did was what any Tom, Dick, or Harry could've done.

  • by Anonymous Coward on Wednesday May 18, 2005 @12:33PM (#12567713)
    Privacy vs. openness: A data dilemma in U.S.
    By Tom Zeller Jr. The New York Times

    WEDNESDAY, MAY 18, 2005
    BALTIMORE Ted Stevens wanted to know just how much the Internet has turned private lives into open books. So the U.S. senator, a Republican from Alaska and the chairman of the Senate Commerce Committee, instructed his staff to steal his identity.

    "I regret to say they were successful," the senator reported at a hearing he held last week on data theft.

    His staff, Stevens reported, came back not just with digital breadcrumbs on the senator, but also with insights on his daughter's rental property and some of the comings and goings of his son, a student in California. "My staff provided me with information they got from a series of places," he said. "For $65, they were told, they could get my Social Security number."

    That would not surprise 41 graduate students in a computer security course at Johns Hopkins University in Maryland, who, with $15 less than that, became mini data brokers themselves over the last semester.

    Working with a budget of $50 and a strict requirement to use only legal, public sources of information, groups of three to four students set out to vacuum up not just tidbits on individuals, but whole databases - death records, property tax information, campaign donations, occupational license registries - on citizens of Baltimore. They then cleaned and linked the databases they had collected, making it possible to enter a single name and generate multiple layers of information on individuals.

    The Johns Hopkins students demonstrated - as has a growing chorus of privacy advocates around the United States - that there is plenty of information to be had on individuals without ever buying it (or stealing it) from big database companies like ChoicePoint and LexisNexis. And as concerns over data security mount, the inherent conflicts between a desire for convenience, openness and access to public records on the one hand, and for personal privacy on the other, are beginning to show.

    The Johns Hopkins project was conceived by Avi Rubin, a professor of computer science and the technical director of Johns Hopkins's Information Security Institute. Rubin has used his graduate courses in the past to expose weaknesses in electronic voting technology, digital car keys and other byproducts of a society that is increasingly dependent on computers, networks and software.

    "My expectations were that they would be able to find a lot of information, and in fact they did," Rubin said.

    In some instances, students visited local government offices and filed official requests for the data - or simply "asked nicely" - sometimes receiving whole databases burned onto a CD.

    In other cases, they wrote special computer scripts, which they used to slurp up whole databases from online sources like Maryland's registry of occupational licenses (barbers, architects, plumbers), or from free commercial address databases.

    "I think what this professor and students have done is a powerful object lesson in just how much information there is to be found about most of us online," said Beth Givens, the director of the Privacy Rights Clearinghouse in San Diego, "and how difficult it is, how impossible it is, to control what's done with our information."

    David Bloys, a private investigator in Texas, has helped craft a bill now pending in the state legislature there that would prohibit the bulk transfer and display over the Internet of documents filed with local governments.

    There are real dangers involved, Bloys said, when such information "migrates from practical obscurity inside the four walls of the courthouse to widespread dissemination, aggregation and export across the world via the Internet." However convenient online access made things for legitimate users, the information is equally convenient for "stalkers, terrorists and identity thieves," Bloys said.

    The bill, which was introduced in Austin by Representative Carl Isett, a Rep
  • I love this quote: (Score:2, Insightful)

    by Anonymous Coward
    "If some citizen is concerned about dead people remaining registered to vote, he can simply obtain the database of deaths and the voter registration database and cross-correlate," said Joshua Mason,

    Umm, you know, maybe the government should do that as part of the electoral process? If felons can be removed from voting lists, so can dead people.
    • I'm sorry, which national death database, updated daily, were you expecting to use on the first Monday in November, and how were you planning to offer "dead people who aren't really dead" to prove they're still alive and able to vote?
  • I think this little test should be run in every state. First, let's find out just how many deceased people voted. Find out when they voted, find out their official date of death. If the vote came before their death date listed on the certificate, it's a valid vote. If not, vote stricken down.

    To add to this, Every voter should be confirmed as a valid vote by linking with their SSN. There's only so many SSN's out and active today, and if the vote tally goes over the amount of SSNs available, you know somethi
    • And how would you adjust the vote once you found out who voted? Search the records to determine who they voted for? Must be a new data field in the Diebold boxes.

      How about abandoning the SSN problem and get your national voter ID number. Make it illegal to use, request, record, or distribute the number for anything but voting. Require that you bring it to the polling place.

      But what happens when the ID number is used twice? Do you cancel both votes (there's a strategy)? Do you only take the first one (anot
  • Personal addresses (Score:4, Interesting)

    by Husgaard ( 858362 ) on Wednesday May 18, 2005 @01:02PM (#12568074)
    In the country where I live it is extremely hard to get the address of somebody from any government (or other public) office. The only place where you can get an address is from our public census office. They will give you the address for a small fee unless they have been asked to keep the address secret (in which case you cannot get the address at all).

    You may ask why. This came about after a few cases of abused women trying to flee husbands and starting a new life in another part of the country, but being found and battered by their former husbands. When the media found out that the former husbands had gotten the new address of their former wives from public offices, we had a sensible political reaction.

    But then, I live in a European country. In Europe we have a very different attitude to, and better laws [eu.int] on the treatment of personal information compared to the US.

  • by xplenumx ( 703804 ) on Wednesday May 18, 2005 @01:09PM (#12568181)
    I'm all for open government and the freedom of information, but there certainly comes a point where it can harm the individual.

    Where I live now, anyone and their mom's dog can look up the tax records of my property. This database is searchable by either name or address and returns how much a given property has been assessed for (plus the five year history), how much the current taxes are, a picture of the property (which is often the front of the house), and sometimes the floorplan of the house. Not only would I never provide this information to any of my friends (much less a stranger), but I'd consider it rude if they were to ask.

    Another invasive database, which has been mentioned several times here on Slashdot, is Fundrace. I work very hard to make sure that my political views are not known at the workplace. However Fundrace allows anyone to search by name or address who gave how much to a given political candidate or party. I understand the value of tracking political donations, I really do. Should my employees or peers have the capability to track me specifically? It somewhat defeats the point of the secret ballot. I'd love to contribute money to those candidates which I support, but I won't.

    My colleagues don't need to know how much I make, pay in taxes, or contribute to a given political organization. At best the information simply satisfies some misplaced curiosity, but more likely this information is used to judge (often incorrectly) without any opportunity for a rebuttal or explanation on my part.

    • Where I live now, anyone and their mom's dog can look up the tax records of my property. This database is searchable by either name or address and returns how much a given property has been assessed for (plus the five year history), how much the current taxes are, a picture of the property (which is often the front of the house), and sometimes the floorplan of the house. Not only would I never provide this information to any of my friends (much less a stranger), but I'd consider it rude if they were to ask.
  • zerg (Score:3, Interesting)

    by Lord Omlette ( 124579 ) on Wednesday May 18, 2005 @05:34PM (#12571205) Homepage
    I fail to understand how any discussion of privacy can possibly take place w/out mentioning ZabaSearch [zabasearch.com].

    I even submitted it to /. the other day, but I guess the editors didn't want any random /.er to search for their home phone numbers and every single place they've ever lived.
