Last week, I wrote a little ditty about why companies like Universal Music should be held accountable for poor code that allows millions of their users' real names, email addresses, and clear-text passwords to be distributed around the Internet. There was quite the reaction, with many people (presumably coders) yammering that this was the worst idea in the history of ever.
But I too am a developer. I've personally coded dozens of account-based Web applications, and not a single one ever stored a clear-text password. At the very least (back in the day), passwords were hashed during registration, and on login the hash of the submitted password was simply compared to the stored one. I think it might have been 1998 when I wrote my first password-hashing function. And here we are, 13 years later, and Universal Music can't be bothered to implement literally a few lines of code to at least obfuscate the sensitive information of their users. That's all it really is -- a few lines of code.
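As an added illustration (not code from the original column or from Universal Music), here is the register-then-compare flow described above in its modern form: a per-user random salt and a slow key-derivation function instead of a bare hash, and a constant-time comparison on login. The `USERS` table, function names and work factor are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> stored credential record.
# What never goes in here is the clear-text password itself.
USERS = {}

# PBKDF2-HMAC-SHA256 work factor; a slow hash is what makes a leaked table
# expensive to reverse. Raise it as hardware gets faster.
ITERATIONS = 600_000


def register(username: str, password: str) -> None:
    """Hash the password at registration; only salt, work factor and digest are stored."""
    salt = os.urandom(16)  # per-user random salt: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(username: str, password: str) -> bool:
    """Re-derive the digest from the submitted password and compare it in constant time."""
    record = USERS.get(username)
    if record is None:
        # Spend the same work for unknown users so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    # hmac.compare_digest avoids short-circuiting on the first differing byte.
    return hmac.compare_digest(candidate, record["hash"])


def leaked_view(username: str) -> str:
    """What a dump of the stored record exposes: hex salt and digest, no password."""
    record = USERS[username]
    return f"{record['salt'].hex()}${record['iterations']}${record['hash'].hex()}"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify("alice", "correct horse battery staple"))
    print("wrong pw:", verify("alice", "Correct horse battery staple"))
    print("stored:  ", leaked_view("alice"))
```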
So now that the cat's out of the bag and all those accounts are floating around the Internet, why shouldn't they be held accountable for this negligence? Why should they escape any penalty whatsoever for such egregious corporate practices? I vehemently disagree with the notion that they should.
In the United States, at least, very specific laws govern patient information and how it is stored, accessed, and disseminated. HIPAA regulations were put into place to ensure that sensitive patient information isn't distributed to just anyone -- that is, only to the people who need that information. They also prevent health care providers from discussing any type of patient information with anyone else. They were explicitly designed to protect patients, and each patient must sign a waiver to authorize the release of that information to another person or party. Yet we have no regulations on the storage, access, and dissemination of sensitive user information on public websites -- none. Thus, there's almost no business case for providing any form of high-level security for customer accounts.