Re: leaky views, yet again

From: "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>
To: "Robert Haas" <robertmhaas(at)gmail(dot)com>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "KaiGai Kohei" <kaigai(at)ak(dot)jp(dot)nec(dot)com>, "Heikki Linnakangas" <heikki(dot)linnakangas(at)enterprisedb(dot)com>, "Itagaki Takahiro" <itagaki(dot)takahiro(at)gmail(dot)com>, "KaiGai Kohei" <kaigai(at)kaigai(dot)gr(dot)jp>, <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: leaky views, yet again
Date: 2010-10-13 19:16:49
Message-ID: 4CB5BF510200002500036946@gw.wicourts.gov
Lists: pgsql-hackers

Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> the "OMG Postgres exposes my information" crowd is not going to
> distinguish leaks that only expose MCVs from those that trivially
> allow sucking out the entire table.

Well, I'd be in the crowd that would go "OMG" over one but not the
other. At least in our case management software I can't think of
any MCVs which would be a problem, while exposing entire tables
would be a big problem.

If you get the name, address, birth date, or even the social
security number in isolation, it doesn't mean much. If you get all
of those for one party, it does. I suppose that if you could find
that a particular name was used somewhere in the Party table but it
was not visible in the public record, you could guess that someone
by that name (which is certainly not guaranteed to be unique!) was
somehow involved in some role in a juvenile, mental commitment,
adoption, sealed, or other confidential case -- but what role in
what kind of case would still be a complete mystery, making it much
less of a leak than the row in its entirety, much less the entire
table (which could expose, for example, who adopted whom --
information not available from a single row).

If you are arguing that the ability of someone to know that someone,
somewhere, who has had contact with the Wisconsin court system has
social security number 987-65-4321 is the same as knowing who has
that social security number, and all the demographics about that
person, you're dangerously mistaken.

-Kevin
