O.K., what is risk analysis? How does this apply to privacy issues and possible misuses of the UPSTREAM communication flows that FBI is gathering? How can NSA's PRISM system open up avenues for criminal behavior on the part of people with access to these systems?
If you had to write an insurance policy to cover UPSTREAM and PRISM, what would you have to consider?
What all is at risk here? What happens when Murphy's Law rides into town?
We need help with this problem. We're a democracy, so we all have a need to know. More below on requesting a Commission and trying to get an unclassified report at the tail end of it.
Let's imagine we're an insurance company and we have an order for liability insurance to cover a privatized service provider.
Do we have frequency and severity estimates for negative impacts, assuming that known patterns involving theft and fraud recur?
In actuarial problems you worry about accidents, if it's casualty insurance, or diseases and injuries, if it's health care. You want to know the frequency for the different types of events. You also want to know the severity for each type of event, in terms of how many dollars are going to have to be paid out for each event.
This is routine work for commercial IT departments. “What damage can a System Administrator do? Or a Vice-President of Security?” These are critical questions.
FBI UPSTREAM and NSA PRISM systems warrant independent downside analysis. We know that millions of these phone records were copied to an FBI employee’s laptop. Similar crimes range from politically motivated cell phone taps to the Watergate “Plumbers” conspiracy.
Assuming the future replicates known “dirty trick” crime patterns, what new hazards for theft or blackmail are now at hand?
Here is a White House petition:
Appoint a FBI and NSA Risk Analysis Commission to report most likely impacts of criminal misuse of personal information
Looks like FBI and NSA avoided doing the management work on UPSTREAM and PRISM.
Better late than never.