Political News from Wired News - ACLU Spooked by Domestic Spying.
Released Tuesday in San Francisco, the document (PDF file) warns that a combination of technological innovation and weakened privacy protections is "feeding a surveillance monster that is growing silently in our midst."
GPS, biometrics, cameras, wireless communication, implantable microchips and other systems that identify, track and record people's activities need to be held in check by legislation to protect Americans' privacy rights, the report argues.
"The kind of surveillance society that people have been talking about since George Orwell is now technically possible," said Jay Stanley, of the ACLU's Technology and Democracy Program, who co-authored the report. "Too many people still do not understand this danger."
Since Sept. 11, the government has invested heavily in technology to combat terrorism, but the ACLU charges that many of the Justice Department's new tools will lead to racial profiling and widespread monitoring of ordinary, innocent Americans.
The ACLU isn't the only group questioning the efficacy of government's tech arsenal.
CNET NEWS.COM Perspective By Whitfield Diffie - Decrypting the secret to strong security.
Is open-source software better for security than proprietary software?
The open-source movement argues that it's better because "lots of eyes can look at it and find the bugs." Those who favor proprietary software offer two counterarguments: The first is that a lot of hostile eyes can also look at open-source code--which, they say, is likely to benefit attackers more than anyone else. The second point is that a few expert eyes are better than several random ones; a dedicated organization with responsibility for the software is a better custodian than the many eyes of the open-source community.
There is probably some truth to the notion that giving programmers access to a piece of software doesn't guarantee they will study it carefully. But there is a group of programmers who can be expected to care deeply: Those who either use the software personally or work for an enterprise that depends on it.
If anyone has both the right and the need to study the code and be assured of its correct functioning, it is users. In fact, auditing the programs on which an enterprise depends for its own security is a natural function of the enterprise's own information-security organization.
CNET NEWS.COM - Security flaw may threaten cell phones.
Microsoft and U.K. carrier Orange are investigating whether hackers are sending rogue software to cell phones using Microsoft's Smartphone 2002 operating system.
Instructions about avoiding the security catches inside the smart phone, which Orange sells and calls the SPV, were made public the last few days, Orange spokesman Stuart Jackson said Wednesday. The SPV is the only wireless device on sale that uses Microsoft's operating system for advanced phones.
A source familiar with the situation said most SPV owners won't know whether they have been affected. To launch the rogue programs, an SPV owner will have to know how to "unlock" a cell phone, a difficult process that sometimes involves taking the phone apart. "It's not something that my granny is about to do," said the source who requested anonymity.
CNET NEWS.COM - Old hard drives yield data bonanza.
Two Massachusetts Institute of Technology graduate students have uncovered a treasure trove of personal and corporate information on used disk drives.
Simson Garfinkel and Abhi Shelat, students at MIT's Laboratory of Computer Science, said Wednesday that they bought 158 disk drives for less than $1,000 on the Web and at swap meets.
Scavenging through the drives, they found more than 5,000 credit card numbers, medical reports, detailed personal and corporate financial information, and several gigabytes worth of personal e-mail and pornography.
CNET NEWS.COM - Pentagon database plan hits snag on Hill.
A Pentagon antiterrorism plan to link databases of credit card companies, health insurers and others--creating what critics call a "domestic surveillance apparatus"--is encountering growing opposition on Capitol Hill.
Sen. Russ Feingold, D-Wisc., is planning to introduce a bill on Thursday to halt the Pentagon's Total Information Awareness program. A representative said on Wednesday that if passed, the legislation would suspend the TIA program until Congress can "review the data-mining issues."
Even if Congress never acts on Feingold's proposal, the unusual step of trying to suspend a military program may prompt the Defense Department to review the TIA program in a way few other tactics could. The bill will also provide TIA critics with a focal point for activism.
searchSecurity.com - Companies creating more chief privacy officer jobs.
The chief security officer (CSO) position has matured to the point where the title isn't particularly jarring when you see it on a business card. However, the same probably cannot be said for the chief privacy officer (CPO) job.
Yet as companies face increasing pressure from the public to keep data protected, they are creating CPO positions. The move has both organizational and public relations value. For example, IBM Corp. got a lot of coverage in 2000 when it named Harriet Pearson CPO in order to, in the company's words, "lead initiatives across IBM that will strengthen consumer privacy protection."
CPOs are the public point people for a company's privacy initiatives. In other words, they function as the human face that is responsible for protecting the customer data that's collected and stored by companies.
Some companies may be tempted to create a position with combined security and privacy duties because the areas are undoubtedly interlinked. However, the CPO position has a different posture than the CSO job. CPOs tend to be more outward facing, while CSOs look more inward. For example, a CPO may argue against selling customer data to another company because of privacy concerns. "They function as the customer advocate within a company," said Peter H. Gregory, a consultant with the Woodinville, Wash.-based HartGregory Group.
By contrast, CSOs probably wouldn't question selling customer data. Their concern would be about safely transmitting the data to ensure security. "Their job is to protect company information and assets," Gregory said.
CPOs need to know technology, but they also need good public relations and policy skills. Federal regulations such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) have forced companies to face privacy head-on.
PCWorld.com - Discarded Drives Yield Private Data.
The study, which is detailed in a report called "A Remembrance of Data Passed: A Study of Disk Sanitization Practices," analyzed 158 disk drives purchased through EBay's online auction site, at computer stores, salvage companies, and swap meets.
The study found that 117 (74 percent) of the drives contained old data that could be recovered and read. Twenty-eight of the drives (17 percent) contained fully installed, functional operating systems with user data that required no particular effort to recover.
Another 57 (36 percent) had been freshly formatted but still contained old data that could be recovered, according to the report.
Only 12 disk drives (9 percent) had been properly cleaned (or "sanitized") before being purchased by the students, while 29 of the 158 drives purchased did not work.
NASA Office of Inspector General (OIG) - Protect Yourself and NASA Before Getting Rid of That Old Home Computer.
Thinking about upgrading or replacing your old home computer? While this purchase will invoke considerable choices, let's not forget about that old PC you may be looking to replace. Many of these systems are candidates for resale, charitable donation to schools or churches, or perhaps setting out for trash collection. Unfortunately, your good intentions can be where your nightmare begins.
Unless you take the proper precautions, getting rid of your home computer might be your personal introduction to one of the fastest growing crimes in America--Identity-theft. This theft, or fraud, is the taking of the victim's identity to open credit card accounts, make purchases, take out loans, or order false checks and ATM cards in your name. Basically, all that an identity "thief" needs is your birth date, social security number and any other identifying information, such as your address and phone number.[ ... ]
San Francisco Gate - Discarded computer hard drives prove a trove of personal info.
So, you think you cleaned all your personal files from that old computer you got rid of?
Two MIT graduate students suggest you think again.
Over two years, Simson Garfinkel and Abhi Shelat bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned, 69 still had recoverable files on them and 49 contained "significant personal information" -- medical correspondence, love letters, pornography and 5,000 credit card numbers. One even had a year's worth of transactions with account numbers from a cash machine in Illinois.
[ ... ]
Last spring, Pennsylvania sold used computers that contained information about state employees. In 1997, a Nevada woman bought a used computer and discovered it contained prescription records on 2,000 customers of an Arizona pharmacy.
Garfinkel and Shelat, who reported their findings in an article to be published Friday in the journal IEEE Security & Privacy, said they believe they are the first to take a more comprehensive -- though not exactly scientific -- look at the problem.
[ ... ]
Even reformatting a drive, or preparing the hard drive all over again to store files, may not do it. Fifty-one of the 129 working drives in the MIT study had been reformatted, and 19 of them still contained recoverable data.
Slashdot | Data Mining Used Hard Drives.
linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."