The Broken Window (22 page)

Authors: Jeffery Deaver

Szarnek pulled a heavy portable computer out of his satchel and set it on a table nearby. “Any chance I could get a… Oh, thanks.”

Thom was bringing around a coffeepot and cups.

“Just what I was going to ask for. Extra sugar, no milk. You can’t take the geek out of the geek, even when he’s a cop. Never got in the habit of this thing called sleep.” He dumped in sugar, swirled it and drank half while Thom stood there. The aide refilled the cup. “Thanks. Now, what’ve we got here?” He was looking over the workstation where Cooper was perched. “Ouch.”

“Ouch?”

“You’re running on a cable modem with one point five MBPs? You know they make computer screens in color now, and there’s this thing called the Internet.”

“Funny,” Rhyme muttered.

“Talk to me when the case is over. We’ll do some rewiring and LAN readjustment. Set you up with FE.”

Weird Al, FE, LAN…

Szarnek pulled on tinted glasses, plugged his computer into ports on Rhyme’s computer and began pounding on the keys. Rhyme noticed certain letters were worn off and the touchpad was seriously sweat-stained. The keyboard seemed to be dusted with crumbs.

The look Sellitto shot Rhyme said, It takes all kinds.

The first of the two men who joined them in Andrew Sterling’s office was slender, middle-aged, with an unrevealing face. He resembled a retired cop. The other, younger and cautious, was pure corporate junior exec. He looked like the blond brother on that sitcom, Frazier.

Regarding the first, Sachs was near the mark; he hadn’t been blue but was a former FBI agent and was now head of SSD’s security, Tom O’Day. The other was Mark Whitcomb, the assistant head of the company’s Compliance Department.

Sterling explained, “Tom and his security boys make sure people on the outside don’t do anything bad to us. Mark’s department makes sure we don’t do anything bad to the general public. We navigate a minefield. I’m sure that the research you did on SSD showed you we’re subject to hundreds of state and federal laws on privacy—the Graham-Leach-Bliley Act about misuse of personal information and pretexting, the Fair Credit Reporting Act, the Health Insurance Portability and Accountability Act, the Drivers Privacy Protection Act. A lot of state laws too. The Compliance Department makes sure we know what the rules are and stay within the lines.”

Good, she thought. These two would be perfect to spread the word about the 522 investigation and encourage the killer to sniff out the trap on the NYPD server.

Doodling on a yellow pad, Mark Whitcomb said, “We want to make sure that when Michael Moore makes a movie about data purveyors we’re not center stage.”

“Don’t even joke,” Sterling said, laughing, though with genuine concern evident in his face. Then he asked Sachs, “Can I share with them what you told me?”

“Sure, please.”

Sterling gave a succinct and clear account. He’d retained everything she’d told him, even down to the specific brands of the clues.

Whitcomb frowned as he listened. O’Day took it all in, unsmiling and silent. Sachs was convinced that FBI reserve was not learned behavior but originated in the womb.

Sterling said firmly, “So. That’s the problem we’re facing. If there is any way SSD is involved I want to know about it, and I want solutions. We’ve identified four possible sources of the risk. Hackers, intruders, employees and clients. Your thoughts?”

O’Day, the former agent, said to Sachs, “Well, let’s deal with hackers first. We have the best firewalls in the business. Better than Microsoft and Sun. We use ICS out of Boston for Internet security. I can tell you we’re a duck in an arcade game—every hacker in the world would like to crack us. And nobody’s been able to do it since we moved to New York five years ago. We’ve had a few people get into our administrative servers for ten, fifteen minutes. But not a single breach of innerCircle, and that’s what your UNSUB would have to get into to find the information he needed for these crimes. And he couldn’t get in through a single breach; he’d have to hit at least three or four separate servers.”

Sterling added, “As for an outside intruder, that’d be impossible too. We have the same physical perimeter protections used by the National Security Agency. We have fifteen full-time security guards and twenty part-time. Besides, no visitor could get near the innerCircle servers. We log everybody and don’t let anyone roam freely, even customers.”

Sachs and Pulaski had been escorted to the sky lobby by one of those guards—a humorless young man whose vigilance wasn’t diminished one bit by the fact they were police.

O’Day added, “We had one incident about three years ago. But nothing since.” He glanced at Sterling.

“The reporter.”

The CEO nodded. “Some hotshot journalist from one of the metro papers. He was doing an article on identity theft and decided we were the devil incarnate. Axciom and Choicepoint had the good sense not to let him into their headquarters. I believe in free press, so I talked to him… He went to the restroom and claimed he got lost. He came back here, cheerful as could be. But something didn’t seem right. Our security people went through his briefcase and found a camera. On it were pictures of trade-secret-protected business plans and even pass codes.”

O’Day said, “The reporter not only lost his job but was prosecuted under criminal trespass statutes. He served six months in state prison. And, as far as I know, he hasn’t had a steady job as a journalist since.”

Sterling lowered his head slightly and said to Sachs, “We take security very, very seriously.”

A young man appeared in the doorway. At first she thought it was Martin, the assistant, but she realized that was only because of the similarity in build and the black suit. “Andrew, I’m sorry to interrupt.”

“Ah, Jeremy.”

So this was the second assistant. He looked at Pulaski’s uniform, then at Sachs. Then, as with Martin, when he realized he wasn’t being introduced he ignored everyone in the room except his boss.

“Carpenter,” Sterling said. “I need to see him today.”

“Yes, Andrew.”

After he was gone, Sachs asked, “Employees? Is there anyone you’ve had disciplinary problems with?”

Sterling said, “We run extensive background checks on our people. I won’t allow hiring anybody who’s had any convictions other than traffic violations. And background checks are one of our specialties. But even if an employee wanted to get into innerCircle it would be impossible for him to steal any data. Mark, tell her about the pens.”

“Sure, Andrew.” To Sachs he said, “We have concrete firewalls.”

“I’m not a technical person,” Sachs said.

Whitcomb laughed. “No, no, it’s very low-tech. Literally concrete. As in walls and floors. We divide up the data when we receive them and store them in physically separate places. You’ll understand better if I tell you how SSD operates. We start with the premise that data is our main asset. If somebody was to duplicate innerCircle we’d be out of business in a week. So number one—‘protect our asset,’ as we say here. Now, where does all this data come from? From thousands of sources: credit card companies, banks, government-records offices, retail stores, online operations, court clerks, DMV departments, hospitals, insurance companies. We consider each event that creates data a quote transaction, which could be a call to an eight hundred number, registering a car, a health insurance claim, filing a lawsuit, a birth, wedding, purchase, merchandise return, a complaint… In your business, a transaction could be a rape, a burglary, a murder—any crime. Also, the opening of a case file, selecting a juror, a trial, a conviction.”

Whitcomb continued, “Any time data about a transaction comes to SSD it goes first to the Intake Center, where it’s evaluated. For security we have a data masking policy—separating the person’s name and replacing it with a code.”

“Social Security number?”

A flicker of emotion crossed Sterling’s face. “Ah, no. Those were created solely for government retirement accounts. Ages ago. It was a fluke that they became identification. Inaccurate, easy to steal or buy. Dangerous—like keeping a loaded gun unlocked around the house. Our code is a sixteen-digit number. Ninety-eight percent of adult Americans have SSD codes. Now, every child whose birth is registered—anywhere in North America—automatically gets a code.”

“Why sixteen digits?” Pulaski asked.

“Gives us room for expansion,” Sterling said. “We never have to worry about running out of numbers. We can assign nearly one quintillion codes. The earth will run out of living space before SSD runs out of numbers. The codes make our system much more secure and it’s far faster to process data than using a name or Social. Also, using a code neutralizes the human element and takes the prejudice out of the equation. Psychologically we have opinions about Adolf or Britney or Shaquilla or Diego before we even meet them, simply because of their name. A number eliminates that bias. And improves efficiency. Please, go on, Mark.”

“Sure, Andrew. Once the name is swapped for the code, the Intake Center evaluates the transaction, decides where it belongs and sends it to one or more of three separate areas—our data pens. Pen A is where we store personal lifestyle data. Pen B is financial. That includes salary history, banking, credit reports, insurance. Pen C is public and government filings and records.”

“Then the data’s cleansed.” Sterling took over once again. “The impurities are weeded out and it’s made uniform. For instance, on some forms your sex is given as ‘F.’ In others, it’s ‘Female.’ Sometimes it’s a one or a zero. You have to be consistent.

“We also remove the noise—that’s impure data. It could be erroneous, could have too many details, could have too few details. Noise is contamination, and contamination has to be eliminated.” He said this firmly—another dash of emotion. “Then the cleansed data sits in one of our pens until a client needs a fortune-teller.”

“How do you mean?” asked Pulaski.

Sterling explained, “In the nineteen seventies, computer database software gave companies an analysis of past performance. In the nineties the data showed how they were doing at any given moment. More helpful. Now we can predict what consumers are going to do and guide our clients to take advantage of that.”

Sachs said, “Then you’re not just predicting the future. You’re trying to change it.”

“Exactly. But what other reason is there to go to a fortune-teller?”

His eyes were calm, almost amused. Yet Sachs felt uneasy, thinking back to the run-in with the federal agent yesterday in Brooklyn. It was as if 522 had done just what he was describing: predicted a shootout between them.

Sterling gestured to Whitcomb, who continued, “Okay, so data, which contain no names but only numbers, go into these three separate pens on different floors in different security zones. An employee in the public records pen can’t access the data in the lifestyle pen or the financial pen. And nobody in any of the data pens can access the information in the Intake Center, and link the name and address to the sixteen-digit code.”

Sterling said, “That’s what Tom meant when he said that a hacker would have to breach all of the data pens independently.”

O’Day added, “And we monitor twenty-four/seven. We’d know instantly if someone unauthorized tried to physically enter a pen. They’d be fired on the spot and probably arrested. Besides, you can’t download anything from the computers in the pens—there are no ports—and even if you managed to break into a server and hardwire a device, you couldn’t get it out. Everybody’s searched—every employee, senior executive, security guard, fire warden, janitor. Even Andrew. We have metal and dense-material detectors at every entrance and exit to the data pens and Intake—even the fire doors.”

Whitcomb took up the narrative. “And a magnetic field generator that you have to walk through. It erases all digital data on any medium you’re carrying—iPod, phone or hard drive. No, nobody gets out of those rooms with a kilobyte of information on them.”

Sachs said, “So stealing the data from these pens—either by hackers outside or intruders or employees inside—would be almost impossible.”

Sterling was nodding. “Data are our only asset. We guard them religiously.”

“What about the other scenario—somebody who works for a client?”

“Like Tom was saying, the way this man operates he’d have to have access to the innerCircle dossiers of each of the victims and the men arrested for the crimes.”

“Right.”

Sterling lifted his hands, like a professor. “But customers don’t have access to dossiers. They wouldn’t want them anyway. innerCircle contains raw data and wouldn’t do them any good. What they want is our analysis of the data. Customers log on to Watchtower—that’s our proprietary database management system—and other programs like Xpectation or FORT. The programs themselves search through innerCircle, find the relevant data and put them into usable form. If you want to think of the mining analogy, Watchtower sifts through tons of dirt and rock and finds gold nuggets.”

She said in response, “But if a client bought a number of mailing lists, say, they could come up with enough data about one of our victims to commit the crimes, couldn’t they?” She nodded at the evidence list she’d shown Sterling earlier. “For instance, our perp could get lists of everyone who bought that kind of shave cream and condoms and duct tape and running shoes and so on.”

Sterling lifted an eyebrow. “Hm. It would be a huge amount of work but it’s theoretically possible… All right. I’ll get a list of all our customers who’ve bought any data that included your victims’ names—in the past, say, three months? No, maybe six.”

“That should do it.” She dug through her briefcase—considerably less organized than Sterling’s desktop—and handed him a list of the victims and fall guys.

“Our client agreement gives us the right to share information about them. There won’t be a problem legally but it will take a few hours to put together.”
