This is an archived project. See http://blogs.23.nu/disLEXia/stories/492/ for details and further pointers.

disLEXia

laws, lies, legal research and the internet

overview for Friday, 22. November 1996


Danish government puts its own records on the Web, illegally

Many of the requests processed by local government offices are requests for information from government records. This fact has given the Danish Ministry of Research a seemingly brilliant idea: Making government records available on the World Wide Web would free local government officials from processing these requests.

The first government records were made public on October 1 on <http://ditdanmark.nethotel.dk/vurdering/>. The information was taken from the land and building property evaluation records of the Danish Tax Ministry. These records are used by employees in the tax offices of the local government for taxation of land and building property. The published information included the following for each piece of land and building property in Denmark: Location, owner, estimated value, date and price (including down payment) of last sale (if sold since last evaluation of the property in 1992), debts to local government, rental value for non-residential property (if rented) and further notes intended to assist evaluation.

On October 15 the records were made inaccessible when the large, reputable Danish newspaper Berlingske Tidende published a critique by professor Erik Frøkjær from the Department of Computer Science at Copenhagen University. Two things were criticized:

1. The records could be copied without explicit permit by anyone with access to the Internet, something which is not allowed according to the Danish Public Authorities' Registers Act.

2. The last three items in the list above were confidential information and could not legally be published under Danish law.

Access to the records was reestablished the next day when the offending items had been removed. At that time the publisher, Kommunedata, assured the public and the Danish Data Surveillance Authority ("Registertilsynet") that the records could not be copied. The company also publicly explained that Erik Frøkjær could not possibly have copied the records except by means that were not entirely legal.

Soon after this a group of researchers contacted the Danish Data Surveillance Authority to demonstrate that the records are easily copied (with entirely legal means), but the offer of a demonstration has been declined by the Authority. Copies of the case obtained from the Authority under the Danish Freedom of Information Act show that the Authority has been made aware by other means that copying is possible. Despite this the Authority refuses to take action based on this evidence so WWW access is still possible. The only change since the reopening has been removal of most of the information about sales when the Court in Århus informed the Authority that this information is not and should not be publicly available.

This is the first case known to me of government records being published on the World Wide Web. The case is instructive: There have been repeated valid objections to the legal basis on which the records are made available. This and the fact that the continuing operation of this service is not important for anything but the reputation of the parties involved, leads me to expect that access ought to be at least temporarily suspended until the questions were resolved.

This case demonstrates a large collection of security problems inherent to World Wide Web publication of government records as well as a lot of legal problems that will not be mentioned here. These problems are probably compounded because both the Danish government and Kommunedata want to be perceived as technologically advanced and "Internet-friendly".

1) The original records were used by the employees in local tax offices, so information that was not meant to be disclosed publicly was maintained together with the evaluation of each piece of property. When the records were made available on the World Wide Web without cleanup, confidential information was disclosed. Moral: When sensitive information is put to use in a new way it should be checked to make sure that all information is appropriate for the new use.

2) The Danish Data Surveillance Authority does not have its own technical staff, so it wasn't able to assess the correctness of the claim made by the publisher, Kommunedata, that the records could not be copied. Moral: Government authorities should not rely on experts employed by the companies that are checked. When new types of problems are encountered the government should use their own or independent security experts to assess the claims made by companies.

3) It is not possible to prevent information published on the Internet from being copied, so information that must not be copied should not be available on the Internet.

4) Until now the companies and government authorities involved have ignored criticism from computer professionals. Moral: Government officials do not automatically listen when professionals criticize security. If the critique goes against official policy you might very well be ignored or worse, no matter how serious the problem is.

5) Denmark prides itself on its large information systems in the public administration. These information systems have been accepted by the public because of a set of very restrictive laws governing these records and strict attention to security. Other governments may be tempted to publish similar records on the World Wide Web because when the security-conscious Danes do it, it must be OK.

6) To add insult to injury, the programs used by Kommunedata to control access to the records perform no parameter validation, which shows that this publication probably has yet more security problems in store.

Despite the problems with publication of the records, the Ministry of Research and Kommunedata want to make even more sensitive and personal data available on the World Wide Web in the future. I shudder as I contemplate the consequences.

Ketil Perstrup (ketil@diku.dk) [ketil@diku.dk (Ketil Perstrup) via risks-digest Volume 18, Issue 63]
14:28


Risks of believing what you read: Re: Irish rock band (RISKS-18.62)

... first group to be burglarized on the Internet [?]
Those who are following this story will already know that the samples from U2's new album were not "'siphoned off' along cables feeding the band's own video camera", that provides a one day delayed view of U2's studio activities, but were copied from a promotional video that was sent out from Island Records to their office in Hungary. The video was reported to have been borrowed and samples taken from it - a purposely degraded recording - were uploaded to a web page on the Internet.

The story seems to have got very quickly elaborated to include hackers. The hacker aspect appears to have come from the quote in the Sunday Times from a "former hacker":

Hackers may have used the camera as a door into the studio's computers where the new songs are stored.

The real risk here is that it seems that newspapers don't employ anyone qualified to proofread and follow up their Internet related stories. (Also cf. the recent Observer story about pornography on the Internet). [stuart@gol.com (Stuart Woodward) via risks-digest Volume 18, Issue 63]
17:13


Massive NY tax fraud

Hacker Scheme, By KAREN MATTHEWS, Associated Press Writer

NEW YORK (AP) -- City workers, in exchange for bribes from property owners, falsified computer records to eliminate nearly $13 million in unpaid taxes in a scheme called the largest tax fraud case in New York City history. [Associated Press news wire via CompuServe's Executive News Service, AP US & World, 22 Nov 1996]

The author makes the following key points:

o Some tax records erased.

o Other records falsely indicated as paid using funds from legitimate payments by innocent victims.

o So far, 29 people charged in federal court.

o 200 more expected to be charged.

o $13M of debts erased.

o $7M in interest lost.

o Fraud thought to have started in 1992.

o Investigation started in 1994.

o In a section particularly intriguing for RISKS and NCSA FORUM participants, the author writes, ``Three employees of the city collector's offices exploited computer "glitches" to make it appear that unpaid taxes had been paid, officials said.''

More, no doubt, as the case unfolds.

M. E. Kabay, Ph.D. (Kirkland, QC), Director of Education National Computer Security Association (http://www.ncsa.com) [Mich Kabay <75300.3232@CompuServe.COM> via risks-digest Volume 18, Issue 63]
17:36


disLEXia, a research project by Maximillian Dornseif

