MP3 privacy breach exposes government's privacy liability

Reports on Tuesday of a New Zealand man who purchased a secondhand MP3 player containing the personal information of U.S. soldiers highlighted the federal government's continuing inability to protect private information on unauthorized, third-party storage devices.

New Zealander Chris Ogle bought a used MP3 player in Oklahoma about a year ago, according to New Zealand's public television station, ONE News. A few weeks ago, when he plugged the player into his computer to download a song, Ogle found 60 military files stored on the device, which included names, addresses, and phone and Social Security numbers of U.S. soldiers. The files also contained what appears to be a mission briefing and lists of equipment deployed to Iraq and Afghanistan. Most of the files are dated 2005. ONE News reported that some of the phone numbers on the player are still active.

"The more I look at it, the more I see and the less I think I should be," Ogle told ONE News. Ogle offered to return the MP3 player to U.S. officials if requested.

Privacy experts say the breach is just the latest example of the federal government's inability to manage the security risk posed by removable storage devices. In November the Defense Department banned the use of removable storage devices after reports that hardware that can be inserted into a USB drive could infect the computer with viruses and worms. A Pentagon spokesman said the military is aware of the latest report form New Zealand, but does not know of any action the department has taken.

Michael Maloof, chief technology officer for the information security firm TriGeo Network Security in Post Falls, Idaho, said individuals do not view devices like MP3 players as computers that can store large amounts of private data. "Myself and security experts have been saying for some time that phones and MP3 players are really mass storage devices," he said. The military should "ban all mass storage devices. It may make some people unhappy, but you see the risk. They can store massive amounts of data."

Marc Rotenberg, executive director of Electronic Privacy Information Center, an advocacy group based in Washington, said, "This is an ongoing problem with the federal government. We think more needs to be done to safeguard the information collected, notify people when the information is improperly collected and limit the collection of personal information where possible. It's almost that simple."

Rotenberg and Maloof called the ban on removable storage devices a first step to protecting private information.

"Congress is debating the creation of an electronic health records system for American citizens," Rotenberg said. "Clearly, the same risks that occur with USB drives for Army personnel are also going to arise with medical data. This is a problem that needs to be addressed across the federal government."

The onus is on the government as an employer to secure its employees' sensitive personal information, said Lewis Maltby, president of the National Workrights Institute, which advocates for worker privacy.

"From an employment rights perspective, the employer ought to design their computers so sensitive personal data cannot be downloaded," he said. "There's rarely, if ever, a reason for an employee to be downloading personal information onto their personal computers."

In addition to banning all removable storage devices, Maltby said the federal government should restrict access to all databases containing sensitive information and keep track of who accesses and downloads data. Maloof noted that data leak prevention software could help agencies by tagging sensitive information and allowing them to monitor access in real time.

"I think it's extremely likely that this wasn't intentional," he said. "It's far more likely this is someone who understands their MP3 player is a file system that can be used to transport data and took a shortcut. If you put all the pieces together you can do something about it -- kill the connection, disable the account, notify someone or trigger an incident. When it comes to a USB device, you know it was inserted, you can track and see what files are copied."

Rotenberg said Congress should act on a privacy bill introduced by Sen. Patrick Leahy, D-Vt., in October 2007. "Apart from the legislative front, I hope [the federal government] will do more to think about how to accomplish their mission while minimizing the collection of data," he said. "The push is to get data online, but they don't want to slow down to consider privacy and security."