ITGS Syllabus

Friday, April 07, 2006

Topic 51

Accountability of the negative social effects caused by insecure databases by Haider

Although it is hard to provide one definition of the term database that encompasses all types of databases and contexts the term is used in, one accurate definition that can be used in this discussion is that a database is a collection of records stored in a computer in a systematic way, allowing for efficient retrieval of data when required, the key word being records.

Databases were developed because people needed efficient ways to store and retrieve information whenever desired. Databases first started as index cards and the like, and slowly evolved into high-speed, high-load computer databases. In modern computer databases, records can be of anything, ranging from SAT scores to complete personal profiles to spy photos of somebody. This versatility means that the records often call for a great deal of privacy and confidentiality, which has led to the development of database security systems. Although there are a number of security systems for databases, the most common and practical security system is the traditional username and password prompt that allows exclusive access to privileged data. There are, however, fundamental problems with the system. Without going into technical details, such systems are easy to hack. Hacking is essentially the penetration of a security system to gain unauthorized access to privileged information. Other security systems, which are often considered to be more secure but less practical in some cases, are fingerprint, voice, and retina matching, among many others.

A number of social issues arise from insecure databases. Databases are seldom freely accessible to the public, and usually contain data that can be accessed only by a privileged few. Insecure databases hence threaten the privacy and confidentiality of such data. Also, in many cases, the data is of economic value, and the access rights are sold or rented for profit. Hence, in the case of insecure databases, data of economic value can be accessed by unauthorized persons, resulting in economic failure. Often, databases contain sensitive information which, in the hands of the wrong people, can result in disasters. For example, an insecure government database containing the records of all people living in a certain area can end up catalyzing terrorism if the wrong people gain access to it.

The issue of accountability was briefly touched on in my previous discussion (http://itgsbasicsnetworks.blogspot.com/2006/11/networks-pt-3.html). Just like in the case of networks, “who is accountable?” has no definite answer where database security is concerned. One point of view, of course, is that the people who “break in” to protected databases are at fault for legal and privacy breaches. This, however, does not result in anything constructive. People who want access to your data will try to gain access to it in any way possible. Another, more interesting point of view is that highly confidential records and data should not be stored on databases that are located on networks that can easily be accessed by the public. For example, a sensitive government database should not be accessible over the Internet, even if it is protected. Hence, if there is a data leak and negative social implications do arise, the people or organization that set up the database are at fault for not taking into account the security risk. Understanding this, almost all major organizations give employees access to sensitive databases over local, secure networks, as opposed to the Internet.

Secure databases are desired because records and data are often sensitive information. As long as such information exists, there will be attempts by unauthorized persons to access it. If the database’s security system is breached and it results in negative social effects, instead of blaming the developer of the database, we should all accept the responsibility as a community and take that as an opportunity to understand the implications of insecure databases and the importance of investing in the development of effective security systems.

1 Comment:

Blogger sam_shobeiri said...

"Another, more interesting point of view is that highly confidential records and data should not be stored on databases that are located on networks that can easily be accessed by the public. For example, a sensitive government database should not be accessible over the Internet, even if it is protected. Hence, if there is a data leak and negative social implications do arise, the people or organization that set up the database are at fault for not taking into account the security risk."

Very good point. They should just construct it in a way where it cannot reach the Internet... even though it will be somewhat difficult, I think it can be done.

January 07, 2007 9:06 PM  
