Regulation and Reason

Bill Smith

Imagine living in a country where it was necessary to register with your community government by providing a copy of one of the following:

1. Driver's License
2. Birth Certificate
3. Passport
4. Immigration Card
5. Military identification
6. Any other state, local, national, or international official documents containing a birth date of comparable reliability

This may well be necessary in a large number of nations. However, as a United States citizen and resident, I was quite surprised when my local community issued the request. I investigated and found, much to my dismay, that my community was in fact required by regulation to survey its residents on a biennial basis.

Regulation

HUD 24 CFR Part 100, §100.307 Verification of occupancy, contains the above list of "reliable documents" but lists as well:

(7) A certification in a lease, application, affidavit, or other document signed by any member of the household age 18 or older asserting that at least one person in the unit is 55 years of age or older.

Being of advanced age, I was puzzled. Why would my community request one of a number of breeder documents when a "note from my mother" was sufficient? I went back to the form and realized that item six in the community-supplied list did contain language that permitted me to supply a signed certification. I hadn't read beyond "any other state, local, national, or official document containing a birth date".

I admittedly took poetic license by omitting the full text of item six to reflect my understanding when first attempting to comply with the request. Item six actually reads as follows:

(6) Any other state, local, national, or international official documents containing a birth date of comparable reliability or a Certification signed by any member of the household age 18 or older, asserting that at least one person in the unit is 55 years of age or older.

Having determined that I need not supply a breeder document to my Home Owners Association, I filled out the form, providing the bare minimum of information, and wrote a certification on the reverse complying with the HUD rule. Dropping off my form, I was pleasantly informed that I hadn't supplied a government document. I replied that the certification I had written was sufficient.

Reflecting back on the experience, even in my addled state, I realized that I was perhaps not alone in realizing that a simple statement would suffice to meet the HUD requirement. Others in my community, and throughout the US, might blindly comply with the request to provide any one of a number of breeder documents to their Association.

So I wrote to my Board suggesting that we might want to modify our form to plainly state that a signed certification of age was sufficient. Better yet, write the statement on the form itself with a signature line. I also suggested we might want to establish a policy and culture of minimal collection of Personally Identifiable Information (PII).

My Board Secretary and President helpfully informed me that this was an Association Management issue and that our General Manager would address it. The General Manager dutifully responded assuring me that "all documents collected are ... secured on servers" and that the "risk of not doing so may jeopardize the Association in other ways that may have far greater risk and consequences".

That made me feel better.

Of course I did pause to consider how the risk assessment was done, balancing the need to comply with a regulation against the potential of data breach, identity theft, fraud, fraudulent account creation, account takeover, creation of false passports, and the like. My calculus must be rather different than that used by First Services Residential, the management firm that services my Association.

The risk to individuals presented by storing copies of breeder documents "on servers" is well known and substantial, as is the risk to the entity maintaining the data. Data breaches, even among "the best", are all too frequent. In states like California, breaches require notification and payment for identity protection services, and may require forensic evidence to limit notification requirements and payments to only those whose data was exfiltrated. The real costs can be significant and the perception costs even higher.

... and the elderly are frequent targets of, and highly susceptible to, fraud.

Institutional inertia is a powerful force and overcoming it can require Sisyphean effort. In this case, the institutions are the US Government and those that attempt to comply with its myriad rules and regulations. The HUD rule with the "list of seven" became final in 1999, well before data breaches were a serious concern. Hopefully, if the regulation were written today, its language would be quite different and might even include an admonition against storing copies of breeder documents (if still listed).

Reason

Looking at the regulation, one wonders why it is necessary to repeatedly collect age information. Is HUD concerned that some of us might be getting younger and consequently no longer qualify as "over 55"? Could the goals of the survey and data collection be achieved through some other mechanism? Perhaps simple affidavits, with statistical sampling either periodically or in case of question, would suffice.

No doubt other mechanisms exist to achieve the goal, whatever it might be. Equally certain should be a recognition that minimal data collection by (quasi) governmental entities must be the norm. Requesting and obtaining copies of breeder documents is to my mind a questionable practice. Storing them "on servers", if not air-gapped, makes them accessible to malevolent actors; criminal, terrorist, or governmental.

We can, and must, do better. Governments need to review regulations and strike rules requiring excessive information. Businesses must be encouraged to adopt policies and cultures that reduce the collection of PII.

Security can enhance privacy, but only so much. Breaches are inevitable. Data will be exfiltrated. But if the data has little value, it becomes of little interest. Minimizing data collection will require institutional change. Effecting that change will require substantial effort. As Security and Privacy experts, we should encourage this change and enlist others in our efforts.

"Think Globally, Act Locally".

By Bill Smith, Sr. Policy Advisor, Technology Evangelist at PayPal. (Disclaimer: While I am a PayPal employee, the opinions expressed here are my own.)

Related topics: Data Center, Policy & Regulation, Privacy, Security
