Sniffing out the crooks

Tom Ilube Tom Ilube is the CEO of Garlik, the online identity company which he helped found in 2005. He is also the former CIO of the internet bank Egg and he spoke to Henry Tucker about identity theft, professionalism and securing software.

Having left Egg, Tom said that Garlik's founders wanted to build another large-scale consumer-focused technology business and looked at two things: what was happening to consumers in the digital world, and what would be the interesting trends over the next few years? The main thing that struck them as interesting, he said, was the sheer amount of personal information that was appearing in the digital world about consumers.

What Garlik does is to look around the digital world, particularly focusing on those areas that are considered to be high risk - sites that trade personal information - scanning for personal information about the person who has commissioned the search, to see if it turns up in there.

Having done this they go back to the user and advise them of the information they've found and what they should do about it. The next step is often to get the data removed, but this isn't always possible. However, there may be other possible steps.

'One example I like to give is that banks often ask you for your mother's maiden name as a security word,' said Tom. 'You will discover that your mother's maiden name is publicly available on the internet along with everyone else's because the births, marriages and deaths records have been published.

'The bank doesn't care after all. So why give them the precise word that's on that list that anyone can see? So even when you can't get the source information removed, sometimes there are smart things that you can do.'

Having discovered data that's out there, sometimes Garlik can trace how it was compromised as it's obvious. However, often they can't do so at an individual level, but because they have seen so much information from so many similar sources, they can tell that various people are in the same situation.

‘For example there was one case we came across where someone had used an online retailer to buy something and that site had parted company with its system administrator. It turned out that on leaving, he made a couple of changes that altered all of the details that were held in secure form on their server into open text and made them publicly available.

'Now this system administrator clearly did something wrong. Whether he committed a crime is not clear; he didn't use the information for personal gain, he was just really irritated at the way that things had come to an end and so put a tick box there where there wasn't one before.'

According to Tom, the problem now is companies don't appreciate just how valuable the personal information they hold is and that they are holding the information on trust for the people.

'The mindset in the bank traditionally has been that it is looking after the money but it's not their money. Companies though don't have the same sort of mindset when it comes to personal information. They feel that people have given them their personal information and they can use it to run their business. They just have the view that "we've harvested Tom's information, that's mine now and I can do whatever I like with it." Fundamentally though it still belongs to the individual and the company has a duty of care to look after it in the same way as if it were something else valuable.'

Tom feels that if companies adopted the above mindset, the controls that companies would put around their use and their management of that personal information would get a whole lot tighter.

To back up this theory, Garlik did some research into the government, issuing 30 freedom of information requests across almost every major government department. It asked a series of questions about how they handle their information. Garlik asked if departments had ever been independently audited to see whether they comply with the data protection act? None have.

'They are not required to have audits, but if they did and they don't cost a huge amount, but just said once a year: "We want our existing auditors to also check that we are compliant", you would just see people reacting,' said Tom. 'People would say: "The auditors are coming, let's have a look at our processes and procedures and so forth." And they don't do that at the moment.'

Another question they asked was to see if the information held by the organisation was correct. This is very important because if the information is wrong and decisions are being made about an individual based on it, how can they put it right? Garlik asked what policies and procedures these departments had in place to check that the information that they hold is correct and how a person can correct it if something goes wrong.

Garlik soon found out that hardly any of them have got these basic procedures in place. None of them keep statistics on the error rates in their information, none of them have budgets put aside for error correction.

Duty of care

'I think it comes back to the issue of companies and government and owners of big databases not treating these databases as things that they have a duty of care to look after. If the systems administrator in that company really felt "I've got a duty of care to look after this information" it would have some double checks in place and procedures when people leave so that someone else checks things. If data is lost, the organisation still has it, unlike when money is stolen, so they don't feel a sense of loss.'

When asked if embracing professionalism would help improve this situation Tom agreed. 'I think professionalism within IT security is really important. One of the challenges for us in the IT industry is to build systems that are secure by design. What often happens is the emphasis on the facing functionality and at the end of the cycle the security guys get involved and have to almost patch up the security as best they can, given that it has already been built and you have business guys standing there saying: "Put it live, put it live."

He feels that if you can get security people involved in the design process right from the start and if you can get software engineers educated in how to build secure systems, it just becomes a part of what they do.

With this in place you would end up with the whole industry building much more secure systems and that feeds through into trust in an age when the mainstream consumer uses the systems. It's not just the professionals using the system, it's also about our parents and the man on the street and so forth who will be attracted to things that they can trust and trust comes through security, so security gives a competitive edge as well.

Systems built securely will avoid data breaches too. If breaches happen and a company deals with them very professionally, it has an impact on the business. People see security and the professional approach to developing software that results in secure systems as a constraint on a business, the speed at which they can move and get things done.

'What I say to people is look at it like the brakes on a Formula One car,' said Tom. 'The reason why Lewis Hamilton can go faster is because he knows that he is in control with those brakes, he can accelerate because he knows he can tweak those brakes and come round the corner. So those controls aren't stopping him, they are enabling him to go that fast.

'In Egg one of the things I did as CIO was to introduce an agile programming approach and agile development. Sometimes people can misunderstand that agile approach and say either you can have a professional waterfall approach or you can through caution to the wind and go agile.

'But actually an agile approach is extremely professional as you get all of those people involved right from the start before anything has been created. I think we need to think broader about what is professionalism and not get stuck on professionalism always looks like this. The idea that we as an industry need to get more professional in what we do - I definitely agree with that.'

This article first appeared in the Spring 2009 issue of ISNOW.

April 2009