
December 30, 2007

Out-bound Record-level Accountability in Information Sharing Systems

If you can’t remember to whom you told what, how could you possibly know whom to inform if an earlier fact you reported needs to be revised?

When organizations transfer information between systems, they sometimes fail to retain the details about which records were transferred where and when.

What happens today in many systems, especially batch-oriented data transfers, is this: a selection process (e.g., males over 40 with account balances under $20,000) is run against a system of record. This process produces a specific number of output records. These output records are then transferred to the intended recipient. The original data holder, for billing purposes, often retains a record of the selection criteria used, date/time, quantity of records transferred, recipient of the data, etc. Notably, the original data holder does not record exactly which records were transferred.

Unlike Source Attribution, which has more to do with the recipient of shared information retaining the pedigree/attribution of the information received, out-bound record-level accountability refers to the detailed logs of what records were sent to whom, when, etc., as maintained by the originating party.

Without out-bound record-level accountability … ensuring data currency across information sharing ecosystems can be problematic. The challenge: when a record changes in the originating system, how can one be certain which recipients of the original record need to be notified?
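To make the difference concrete, here is an added example (not code from the original post) that keeps both the billing-level transfer log and a record-level log in SQLite, then shows that once a record changes, only the record-level log can say who received it. The table names, recipient names and customer rows are hypothetical, constructed for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, sex TEXT, age INTEGER, balance REAL);
-- Billing-level log: criteria, time, count and recipient only.
CREATE TABLE transfer (id INTEGER PRIMARY KEY, recipient TEXT, criteria TEXT,
                       sent_at TEXT, record_count INTEGER);
-- Record-level log: exactly which records left in each transfer.
CREATE TABLE transfer_record (transfer_id INTEGER REFERENCES transfer(id),
                              record_id INTEGER, PRIMARY KEY (transfer_id, record_id));
"""
CRITERIA = "males over 40 with account balances under $20,000"

def select_ids(db):
    """The selection process from the post, run against the system of record."""
    q = "SELECT id FROM customer WHERE sex='M' AND age>40 AND balance<20000 ORDER BY id"
    return [row[0] for row in db.execute(q)]

def send_batch(db, recipient, sent_at):
    """Select, 'transfer', and log both the summary and every record id sent."""
    ids = select_ids(db)
    cur = db.execute("INSERT INTO transfer (recipient, criteria, sent_at, record_count)"
                     " VALUES (?, ?, ?, ?)", (recipient, CRITERIA, sent_at, len(ids)))
    db.executemany("INSERT INTO transfer_record VALUES (?, ?)",
                   [(cur.lastrowid, i) for i in ids])
    return ids

def recipients_of(db, record_id):
    """Who must be notified when this record changes or is withdrawn?"""
    q = ("SELECT t.recipient, MIN(t.sent_at) FROM transfer t"
         " JOIN transfer_record r ON r.transfer_id = t.id"
         " WHERE r.record_id = ? GROUP BY t.recipient ORDER BY t.recipient")
    return db.execute(q, (record_id,)).fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data, not real customers.
    db.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)",
                   [(1, "M", 45, 15000), (2, "M", 52, 18000), (3, "F", 47, 9000),
                    (4, "M", 38, 5000), (5, "M", 61, 19500)])
    first = send_batch(db, "Mailer-A", "2007-12-01T09:00:00Z")
    db.execute("UPDATE customer SET balance = 25000 WHERE id = 2")  # record changes
    second = send_batch(db, "Analytics-B", "2007-12-15T09:00:00Z")
    replay = select_ids(db)  # re-running the criteria no longer finds record 2
    return first, second, replay, recipients_of(db, 2), recipients_of(db, 1)

if __name__ == "__main__":
    print(demo())
```

Replaying the stored selection criteria after the update misses record 2 entirely, while the `transfer_record` lookup still names the one recipient that holds the stale copy.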

What’s the fuss?

What if a consumer says to his service provider, please stop using my data for bulk mailings AND anywhere you may have sent my data … either get it back or at least notify them of my wishes? Good luck! Many organizations have no way to account for which records they have transferred to whom.

While out-bound record-level accountability is generally a good thing, not every mission will warrant the cost. On the other hand, some missions really should have this degree of accountability. In healthcare systems, for example, if a correction is made to a patient’s known allergies, any earlier dissemination of allergy data should trigger an immediate re-broadcast of the corrected values.

Systems engaged in transferring personally identifiable information (PII) as well as financial systems and surveillance systems are also great candidates for out-bound record-level accountability.

Without well-synchronized data … count on lots of poor outcomes as smart systems are not going to be so smart.

[BTW: One example of out-bound record-level accountability is how the US credit bureaus track inquiries on your credit report. Thanks to the Fair Credit Reporting Act (FCRA), this type of accountability makes it possible for consumers to enjoy transparency as to who has accessed their credit report.]

RELATED POSTS:

Data Tethering

Source Attribution, Don’t Leave Home Without It

How Many Copies of Your Data? Is Somewhat Like Asking: How Many Licks to the Center of the Tootsie Pop?

December 16, 2007

The Vegas Asymmetric Threat

If you have not already seen my post entitled Takin’ Vegas, I recommend you read it first.

Guns don’t kill people. People kill people. And so it is. In Vegas, behind every scam there is a "who" … and it is always a who (or many whos) that lays out strategies, develops plans, recruits actors, trains, adapts, rehearses and ultimately executes the mission – all in hopes of taking home some loot. Undetected.

How do they do this?

For starters, if the actor believes he has already become known to casinos as a subject of interest, he will attempt to defeat recognition through the use of a disguise, e.g., changing his hair style, growing a beard, sporting a bandana, slipping into some motorcycle apparel, etc. Some go so far as cross-dressing or pretending to be wheelchair-ridden.

Beyond a new look, opportunists will claim false identities and carry false credentials. There is one particular subject I am familiar with who has used over 30 very different aliases and a handful of different social security numbers and dates of birth. [On a funny but related note, check this out: Be Anyone in Vegas: Get Help Creating a Cover Story Here]

When actors want to expand their business, they recruit. Recruitment can be local or distant. New recruits are trained in rogue facilities so that by the time these new actors appear on the scene, they have superb tradecraft despite having never set foot in a casino.

One insidious form of recruitment is the recruitment of a casino’s longstanding, high roller to participate in a coordinated covert scheme … or worse, the recruitment of the casino’s own employees. I know of one case where a dealer was coerced into assisting the scammers after being told his wife and children were going to be hurt.

The more significant the opportunity, the more organized the group, which means strategy meetings, business plans, capital raising, operating procedures, training guides, and so on. Attention to detail is essential to increased revenues and the sustainability of the group effort.

Larger teams may establish counter-intelligence measures to reduce the risk of being infiltrated by the establishment or scammed themselves by scammers. Their own team members may be placed under covert surveillance to ensure these trusted insiders have not gone bad over time as trust has a half-life.

Large teams have cells, sub-units that are expected to work together. Some cell members are members of several cells. As with any organization there are conflicting purposes and ideologies, thus membership in cells tends to morph over time.

Often, there is no apparent center of power. New groups emerge simply based on the inspiration of a movie, book, online chat rooms, etc. Groups form, merge, split and dissolve. Some groups just specialize in card counting while others specialize in certain cheating methods, e.g., "bet pressing" (adding to a bet after the outcome is known) or the manufacturing of illegal cheating devices. Some groups start with one particular brand of cheating and then branch out into other specialties.

Imagine coordinating a team with 50, 100 and sometimes even more actors! What a challenge!

Well, actually, thanks to the Internet … training, recruitment, soft targets, etc. are at one’s fingertips. Some web sites maintain a level 1 area with limited revelation and benign chat rooms. There are level 2 areas which require the user first undergo a background check before being provided access. At level 3 the member is not only required to have a background check but is also required to have committed a felonious activity. And it is this group that shares even more sensitive information … for argument’s sake this might be viewed as equivalent to a government "Top Secret" clearance. Above this level, much like a military’s Special Access Program, very specialized knowledge is restricted to a minimal, known universe of folks. When the identities of the 12 Nevada dealers with subtle procedural defects in how they dealt hand-held blackjack were discovered, such secrets were worthy of such extraordinary controls. The principle: if too many people knew about this weakness, it might be exploited at a pace that would have resulted in casino detection, prompting the casino to quickly close this vulnerability.

The latest challenge? Poker.

Poker is the problem these days. You think you are playing at a table with a fair shot. But unbeknownst to you, there is a team on that table working together against you – even though they make no outward appearance of knowing each other.

Is that slight twitch in the eye "natural" or "a signal"?

RELATED POST:

Takin’ Vegas

IEEE Spectrum Story: Vegas 911

IEEE Paper: Threat and Fraud Intelligence – Las Vegas Style

Web 2.0 – Al Qaeda’s Most Effective Force Multiplier

December 03, 2007

Ludicrous Speed Billionaires

Just wanted to point out that the speed with which organizations can go from zero to multi-billion dollar valuations is unprecedented.

Would love to see the graph of old school business velocity compared to today’s modern marvels like Google, Facebook, and YouTube.

If this trend continues, there will come a day when a company opens its doors for business and then does hundreds of millions in revenues in its first year.

And with this … we will see new billionaires being made in days not years.

Think China.