http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/05/19/MN244573.DTL

Oracle contract raises issues of security, privacy
Auditor, critics warn single database puts state at risk

Robert Salladay, Chronicle Staff Writer

The furious political debate over California's botched contract with Oracle
Corp. has overlooked a critical question: Why let one company's software
dominate the state's vast information databank?

The 2001 deal, which the state is trying to cancel, would provide Oracle
software for every state agency -- an astonishing 270,000 database licenses
running warrants, prison records, Medi-Cal files, fishing permits, gun
registration and everything else in the government databank.

Oracle says the huge purchase could save the state money by cutting down on
training and allowing the free flow of information, with security
safeguards, between agencies.

But state auditor Elaine Howle has questioned why the Davis administration
would want to make Oracle Enterprise Edition 8i software the standard for
the next decade, and risk losing "innovation and flexibility" in its
computer systems.

And privacy experts worry about potential security breaches and the notion
of a totalitarian state, as Oracle founder Larry Ellison dreams of creating
a central "national file" linking all government information with Oracle
database software to monitor citizens.

"The richer the database, the more attractive a target it is for hackers,
spies, government investigators and private litigants," said Jason Catlett,
a consultant with Privacy International based in London. "It's one-stop
shopping for privacy invasion."

The Oracle contract was the first attempt by the state to buy a single
product for all its 127 agencies and departments, so it could save money and
bring continuity to the huge bureaucracies. But instead of starting with
pencils or bulldozers, the state started with database software -- a
critical government function.


COMPATIBILITY CAN BE A PROBLEM

Computer security experts say Oracle makes a good product, but they wonder
about putting too much reliance on a single database software to process so
much important information.

In "mission critical" situations, diversity of software programs provides
security if there is a breakdown. The space shuttle, for example, uses five
onboard computers that are configured in different ways from each other.

"Oracle is running in so many different places, but I don't necessarily
think that is a bad thing," said computer security expert Jahan Moreh with
Sigaba Corp. of San Mateo. "But in a mission-critical situation, I would
agree you need redundancy and having one software could be a bad thing."

Moreh nevertheless said the state could effectively use a single database,
but only with an adequate disaster recovery plan, backup software and
redundant systems.

In her highly critical audit, Howle calculated that taxpayers could have
spent an unexpected $6 million to $41 million for Oracle software.

She also questioned the efficiency of locking the rest of government into a
single database software, particularly when a new version, Oracle Enterprise
Edition 9i, was released for sale a few weeks after the state signed the
Oracle contract.

The inherent message, she said, may be that Oracle is the de facto standard
and that future computer contracts should be with Oracle because the agency
would be looking for compatibility. This push for compatibility eventually
feeds on itself, Howle said, and Oracle could get more business.

"It may create some reluctance in going outside and using vendors other than
Oracle," Howle said in an interview.

Moreh said big organizations are better off getting the "best of breed" for
each department rather than trying to standardize and get a cheaper price,
especially since new advances in database technology are allowing different
programs to share information.

Only after these questions were raised by a few Capitol budget writers did
the Department of General Services tell state agencies, colleges and the
public pension system that they were free to "select the technology solution
that best meets their database needs," not simply Oracle. The state,
however, had just purchased the 270,000 Oracle software licenses.


ECONOMY, SECURITY IN SHARING

Mary Ann Davidson, chief security officer at Oracle, said standardizing
Oracle software allows the state to save on training, because employees
won't have to learn several database systems as they move from department to
department.

And Oracle database software, she said, has been certified 15 times by the
federal government to handle highly classified information, in part because
it allows different agencies to compartmentalize and share only the
information they want.

That built-in security, called "granularity," saves the state money as well
on security upgrades, Davidson said. "The reality is that most commercial
databases, except Oracle, don't have this level of granularity," she said,
"which means they have to build security someplace else."

Why did the state purchase so much Oracle software?

Catlett, the privacy expert, said the reason may just "be a case of a wildly
lucky salesperson finding an easy mark."


ELLISON'S NATIONAL PLAN

But the statewide contract also may be another piece in the national
database plan of Ellison, Oracle's CEO, who made his first sale in 1977 to
the Central Intelligence Agency and whose company gets about a quarter of
its revenue from government contracts.

Ellison has been compared by privacy advocates to a high-tech Orwellian
father figure because of his central database idea. He has complained that
"legislation and policies" make it impossible for the CIA, FBI and National
Security Agency to do their jobs.

In a Wall Street Journal piece, Ellison called for fewer databases and said
the best way to fight terrorism would be if "all the information in myriad
government databases was integrated into a single national file."

In an interview with the New York Times Magazine, Ellison followed up: "If
the system designed to catch terrorists also catches bank robbers and
deadbeat dads, that's OK."

Ellison then called for overturning a 1974 law prohibiting the government
from sweeping searches and surveillance like the ones that monitored Vietnam
protesters.

Catlett said Ellison is creating "a recipe for a global corporate police
state."

Oracle database software already is being used in important state agencies,
including the state Department of Justice, the Department of Insurance and
the Department of Health Services, all of which keep sensitive information
on file.

Nothing in the 2001 Oracle contract requires state agencies to share
information. That would probably take the Legislature or a court. Oracle,
too, believes its software is "agnostic" and only shares information that
its users want it to share.

But standardizing the database software gets the state closer to Ellison's
dream of a central file. Privacy experts say the government must keep a
necessary tension between the free flow of information and privacy.

"That built-in tension is what other people call accountability and
oversight," said Mihir Kshirsagar, a policy fellow with the nonprofit
Electronic Privacy Information Center. "Because if all systems are linked,
it's opaque to you, and you don't know what information is being pulled up
about you."
