Friday, April 21, 2006


News Item 5904 The Anti-ID-Theft Bill That Isn't.

The Anti-ID-Theft Bill That Isn't. Congress is debating a bill that would follow state laws in forcing companies to come clean on security breaches. But Washington's version would help criminals more than victims. Commentary by Bruce Schneier. [Wired News: Security Blanket]
1:39:41 PM

News Item 5903 The Raw Story | Five civil rights groups, business leaders join suit seeking to stop wiretaps

Five major civil rights organizations and six business leaders announced their support for a suit filed against President Bush to stop the National Security Agency's warrantless wiretap program today, RAW STORY has learned.
1:37:56 PM

News Item 5902 BBC NEWS | Technology | Concerns over GPS child tracking

Parents using new products which allow them to track their children may develop an "unhealthy and destructive" relationship with their child, a privacy group has warned.

Earlier this month, two new, low-cost devices which use Global Positioning Systems (GPS) were launched in the US, with both retailing for under $50. One is a miniature mobile phone, the other is built into a shoe.

And entertainment giant Disney is planning a mobile phone, targeted at up to 30 million children, which uses GPS to monitor where they are.

But Simon Davies, director of campaign group Privacy International, told BBC World Service's Culture Shock programme that he feared parents using GPS would find it both ineffective and dangerous.

"What this can result in - and we've seen this through visual surveillance technology and bugs that can be put into children's bedrooms - is parents becoming obsessed, to the point of having an unhealthy and destructive relationship with their children," he said.


1:35:10 PM

News Item 5901 Congress seeks to alter legal landscape for data breaches

Recent large-scale data security snafus and thefts haven't gone unnoticed by lawmakers. Passage of data privacy legislation by two House committees in March increases the likelihood that Congress will approve a bill this year imposing new requirements on data brokers such as ChoicePoint Inc., LexisNexis Group and Acxiom Corp.

Both the Financial Data Protection Act of 2005 (H.R. 3997) and the Data Accountability and Trust Act (H.R. 4127) passed through committee by whopping, bipartisan margins of 48-17 and 41-0, respectively.

House bill 4127, which derives from the House Energy & Commerce Committee version and was passed in March, requires notification only if the theft or loss of consumer data is judged to pose a "reasonable risk of identity theft to the individual to whom the personal information relates." The committee approved the "reasonable risk" standard after toughening language in a subcommittee bill that had a higher threshold of "significant risk."

Data brokers prefer the "significant risk" tripwire. Deborah Platt Majoras, chairman of the Federal Trade Commission, told the Senate Judiciary Committee in 2005, "We are grappling with the issue of over-notification. We have learned that consumers become numb to too many notifications."

House bill 3997, approved by the House Committee on Financial Services, requires data brokers to notify law enforcement agencies and businesses in the transaction chain if a data security breach "may result in harm or inconvenience to any consumer." If the potential breach may result in financial fraud against consumers causing harm or inconvenience, then the consumers must be notified through a uniform mailing.

The bills have significant differences, but both address problems highlighted early in 2005 when California's Security Breach Information Act (SB-1386) forced ChoicePoint and LexisNexis to disclose that identity thieves had pilfered data on more than 450,000 customers combined.

Already in play are two additional bills passed last year by Senate committees that are intended to shore up corporate data security: the Personal Data Privacy and Security Act (S. 1789), and the Identity Theft Protection Act (S. 1408).


1:31:28 PM

News Item 5900 U.S. attorney general calls for 'reasonable' data retention | Tech News on ZDNet

The failure of some Internet service providers to retain user logs for a "reasonable amount of time" is hampering investigations into gruesome online sex crimes, U.S. Attorney General Alberto Gonzales said Thursday, indicating that new data retention rules may be on the way. 

"The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers," Gonzales said in a morning speech to staff at the National Center for Missing and Exploited Children headquarters here.

"Record retention by Internet service providers (that is) consistent with the legitimate privacy rights of Americans is an issue that must be addressed," he added.

CNET News.com was the first to report last June that the Justice Department was quietly shopping around the idea of legally required data retention. In a move that may have led to broader interest inside the United States, the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers.

Congress is now considering policy changes, as News.com reported last week. At least one U.S. House of Representatives leader indicated he is mulling legislation that would require data retention. The topic surfaced at two hearings--convened recently by a House subcommittee--about online sexual exploitation and child pornography. Investigators of Internet sex crimes said they would like to see at least several months--and ideally, a year or more--of mandatory records retention.


1:25:16 PM

News Item 5899 Identity Management: On the "Identity = Data + Policies" Model.

Identity Management: On the "Identity = Data + Policies" Model. Digital identities are fundamental to enable digital interactions and transactions on the web. The current digital identity model, based on the "identity = data" paradigm, starts showing its limitations when addressing people's expectations about their identities (in terms of preferences, privacy, trust, etc.) and providing them with degrees of assurance that expectations will be met. An alternative model is introduced, based on the "identity = data + policies" paradigm, along with an underlying policy management framework. Details are given on how this model can address the above issues and how the framework can be implemented. [ITPapers.com - Recent Privacy Issues White Papers]
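As an added illustration of the "identity = data + policies" paradigm (example code written for this digest, not from the white paper or its framework): each attribute of an identity record is stored together with its own disclosure policy, and a request for attributes is evaluated against those policies before any value is released, instead of the store simply returning whatever a querier asks for. The policy vocabulary (allowed purposes, a minimum requester assurance level, a consent flag) and the sample identity record are assumptions constructed for the example.

```python
"""Identity = data + policies, as a small policy-evaluation example.

In the plain "identity = data" model an identity is a bag of attributes and
whoever can query the store gets the values. Here every attribute carries a
disclosure policy, and a value is released only if the requester's purpose,
assurance level and the user's consent satisfy that policy.

Added example; the policy fields and the sample record are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple


@dataclass(frozen=True)
class Policy:
    purposes: FrozenSet[str]        # purposes for which release is permitted
    min_assurance: int              # lowest acceptable requester assurance level
    consent_required: bool = False  # user must have explicitly consented


@dataclass
class Attribute:
    value: str
    policy: Policy                  # the policy travels with the data item


@dataclass
class Identity:
    subject: str
    attributes: Dict[str, Attribute]
    consents: Set[str] = field(default_factory=set)  # attribute names the user agreed to share


@dataclass(frozen=True)
class Request:
    requester: str
    assurance: int                  # assumed scale: 1 = self-asserted ... 3 = verified relying party
    purpose: str
    wanted: Tuple[str, ...]


def evaluate(identity: Identity, req: Request) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Evaluate req against each requested attribute's policy.

    Returns (released, refused): released maps attribute name to value,
    refused maps attribute name to the reason it was withheld. Attributes are
    decided independently, so one refusal does not block the others.
    """
    released: Dict[str, str] = {}
    refused: Dict[str, str] = {}
    for name in req.wanted:
        attr = identity.attributes.get(name)
        if attr is None:
            refused[name] = "unknown attribute"
            continue
        pol = attr.policy
        if req.purpose not in pol.purposes:
            refused[name] = f"purpose {req.purpose!r} not permitted"
        elif req.assurance < pol.min_assurance:
            refused[name] = f"requester assurance {req.assurance} below required {pol.min_assurance}"
        elif pol.consent_required and name not in identity.consents:
            refused[name] = "user consent missing"
        else:
            released[name] = attr.value
    return released, refused


def sample_identity() -> Identity:
    """Constructed sample record for the example (not real data)."""
    return Identity(
        subject="alice@example.net",
        attributes={
            "email": Attribute("alice@example.net",
                               Policy(frozenset({"contact", "shipping"}), min_assurance=1)),
            "postal_address": Attribute("1 Example Street, Springfield",
                                        Policy(frozenset({"shipping"}), min_assurance=1,
                                               consent_required=True)),
            "date_of_birth": Attribute("1980-05-04",
                                       Policy(frozenset({"kyc"}), min_assurance=3,
                                              consent_required=True)),
        },
        consents={"postal_address"},
    )


if __name__ == "__main__":
    ident = sample_identity()
    shop = Request("shop.example", assurance=1, purpose="shipping",
                   wanted=("email", "postal_address", "date_of_birth"))
    print(evaluate(ident, shop))        # email and address released, date of birth refused (purpose)
    bank = Request("bank.example", assurance=3, purpose="kyc", wanted=("date_of_birth",))
    print(evaluate(ident, bank))        # refused: user consent missing
    ident.consents.add("date_of_birth") # the user grants consent for that attribute
    print(evaluate(ident, bank))        # now released
```

The point of the structure is that the decision is made next to the data, per attribute, with an explicit reason for every refusal; a real framework would also record those decisions for audit and let the user edit the policies, but the evaluation step is the same.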
1:12:25 PM

News Item 5898 DHS, HHS make secret pact to share airline passenger info

The departments of Health and Human Services and Homeland Security have a secret agreement to exchange airline passenger information as part of a Centers for Disease Control and Prevention plan to help combat pandemic flu, the Air Transport Association (ATA) said in a filing with the CDC.

Barry Steinhardt, director of the Technology and Liberty Program at the American Civil Liberties Union said that such an agreement raises serious privacy concerns and appears to violate an agreement between the United States and the European Union. That agreement limits the exchange of foreign carrier passenger information to help combat terrorism and crime.

Steinhardt added that the secret agreement between DHS and HHS also raises concerns that the highly detailed passenger information CDC wants to collect could ultimately be shared with DHS. "I'm very concerned this is a two-way data sharing agreement," Steinhardt said.

The existence of the secret agreement between DHS and HHS surfaced in a filing the ATA made last month with its comments on proposed CDC regulations that would electronically track more than 600 million passengers a year traveling on more than 7 million flights through 67 hub airports.

Katherine Andrus, assistant general counsel at the ATA, said in her filing with CDC last month that DHS and HHS recently executed a memorandum of understanding (MOU) that "though not publicly available...reportedly includes provisions for data sharing, including allowing CDC access to passenger information, including passenger name records, through" Customs and Border Protection.

Steinhardt said passenger name record files include a large amount of data besides personal identifiers, such as meal preferences, which could help determine a passenger's religion.

The sharing of information between DHS and HHS appears to violate a passenger data sharing agreement between the European Union and the United States executed in May 2004, Steinhardt said. That agreement limits DHS to using data it obtains from EU airline reservation and departure control system databases to prevent and combat terrorism and other serious crimes, including organized crime, that are transnational.

Steinhardt said this agreement does not cover the exchange of passenger name record data to help combat pandemic flu.


1:10:21 PM

News Item 5897 TSA | Transportation Security Administration | TSA Announces Next Steps for Registered Traveler Program (Press release)

The Transportation Security Administration (TSA) today announced its intent to proceed with Registered Traveler (RT) in the second half of 2006. TSA will be prepared for a roll-out at 10 to 20 airports. These airports will come on line as the private sector operators make the necessary business arrangements with host airports and air carriers and get security approval from TSA for the proposed configuration. A phased approach to implementation will allow the agency to confirm the private sector's ability to provide interoperability among RT airports, evaluate the impact of alternate checkpoint processes on screening and wait times, and ensure that RT maintains the agency's high security standards. Subject to public demand for the RT Program, TSA would expect RT to operate on a national scale next year.

"TSA is working with airports and private sector providers, and we will enable the private sector to launch Registered Traveler programs as soon as this summer," said Assistant Secretary for TSA, Kip Hawley. "Security will be maintained, the program will be paid for by the private sector, and it will not disadvantage the general public when they fly."

As part of this decision, Department of Homeland Security (DHS) and TSA leadership have approved a basic business model for Registered Traveler. Key elements include a strong operational role for the private sector, mandatory interoperability among airport locations, an open technological platform that facilitates competition, a central information management system (known as the Transportation Security Clearinghouse managed by the American Association of Airport Executives) with robust safeguards to protect personal privacy, and substantive benefits linked to enhanced checkpoint screening measures. TSA retains responsibility for setting key program standards and security measures - such as physical screening at the TSA checkpoint.

Participants will experience a passenger screening process that is modified to afford greater customer service. At those checkpoints where the layout and traveler volumes permit, RT participants will have a dedicated RT lane and will receive additional screening benefits. While the combination of benefits and security measures available at each participating airport may vary, all RT travelers should receive an expedited and more convenient checkpoint experience.


1:06:39 PM

News Item 5896 Skype uses peer pressure defense to explain China text censorship.

Skype uses peer pressure defense to explain China text censorship.

Following orders and examples

VoIP firm Skype has admitted that its Chinese partner filters instant messages sent using its software to comply with local censorship laws. Tom Online, Skype's joint venture partner in China, has "implemented a text filter, which is what everyone else in that market is doing. Those are the regulations," Niklas Zennstrom, Skype's chief executive, told the Financial Times.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:57:54 PM

News Item 5895 Mandatory Labeling, ISP Data Retention Proposal Raises Concern.

Mandatory Labeling, ISP Data Retention Proposal Raises Concern. Attorney General Gonzales today called for mandatory data retention requirements for Internet service providers, asserting that such requirements would be useful in online child pornography investigations. Data retention requirements would be burdensome, raise serious privacy concerns, and be of questionable value given existing laws that require ISPs to preserve data at the request of law enforcement. The proposed legislation would also require mandatory labeling of sexually explicit content, a provision CDT believes would be ineffective in protecting kids, as well as being a form of forced speech that violates the First Amendment. [Center for Democracy and Technology]
12:52:18 PM

News Item 5894 Philips Patents DRM To Stop Commercial Skipping, Changing Channels.

Philips Patents DRM To Stop Commercial Skipping, Changing Channels.

According to DesignTechnica, Philips has patented a "technology ... [that] would prevent users from changing channels to avoid watching television commercials as well as prevent viewers from fast-forwarding through recorded advertisements."

Why would Philips invent such an absurd restriction when it will never be voluntarily licensed? After all, in a competitive market, technology companies that adopt Philips' patented system will be shunned by customers; no one wants a device that says, "Now improved -- blocks changing channels during commercials!"

Perhaps Philips believes that, at some point in the future, Hollywood might push for a government mandate forcing technology companies to incorporate anti-skipping technology. If that happens, this patent could be the federally-set standard, and tech creators would have to pay Philips every time they want to sell a new device.

Instead of wasting its time with this anti-user opportunism, Philips should focus on building technologies that satisfy its customers.

[EFF: Deep Links]
12:50:25 PM

News Item 5893 OASIS releases SPML Version 2 into the wild.

OASIS releases SPML Version 2 into the wild. At the Catalyst conference in 2001, provisioning rivals Business Layers and Access360 sat on different sides of the conference meeting room (the ballroom of the Marriott hotel in San Diego) and hurled catcalls and invective at each other. A year later, they'd matured, as had the technology, and - under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS) - joined to help form the Provisioning Services Technical Committee. A year after that, in 2003, the committee demonstrated the first release of the Provisioning Services Markup Language, soon renamed the Service Provisioning Markup Language (SPML), in action. [Identity management news]
12:47:37 PM

News Item 5892 Sun streaks ahead in open source DRM and CAS.

Sun streaks ahead in open source DRM and CAS.

DReaM to come true?

We can see from last week's story on Sun Microsystems' DReaM DRM that it is rapidly homing in on a future open source DRM market, with a completely new vision of how DRM should work, and by our reckoning it is running at least six months ahead of schedule.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:45:06 PM

News Item 5891 German court rules moderators liable for forum comments.

German court rules moderators liable for forum comments.

Lawyers on the edge

A Hamburg court has ruled that moderators of internet forums are liable for content posted on their sites.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:43:26 PM

News Item 5890 Disgruntled employees and Intellectual Property Protection.

Disgruntled employees and Intellectual Property Protection. A well-written paper submitted by Dan Morrill discusses the very real threat of disgruntled employees and the potential impact they may have on an organization. Dan provides some excellent references to drive this home. By Dan Morrill. [Infosec Writers Latest Security Papers]
12:42:04 PM

News Item 5889 Researcher: Major Banking Sites Insecure.

Researcher: Major Banking Sites Insecure. Sites do not use authentication technology to prove they are genuine, researcher says. [PCWorld.com - Latest News Stories]
12:40:21 PM

News Item 5888 Vendors left waiting on ID scheme details.

Vendors left waiting on ID scheme details.

"Market soundings", little consultation

Just three weeks after overcoming opposition to ID cards in the House of Lords, the Home Office has already published a "10-year plan" for implementing the scheme.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:38:42 PM