Thursday, April 27, 2006


News Item 5952 Donald Rumsfeld Charged in Recruitment Database Lawsuit

The New York Civil Liberties Union has filed a lawsuit in federal court in Manhattan that alleges the U.S. Department of Defense violated the law by improperly collecting data on potential military recruits, according to wire service reports.

The lawsuit filed on behalf of six teenagers charges that the Pentagon collected data on individuals as young as 16, and kept records on race, ethnicity, gender and social security numbers illegally. Such data included students' grades.

[...]

Students were reportedly approached by recruiters, after they asked that their personal information be deleted from the government database.


11:21:46 AM


News Item 5951 Calif. Senate Approves Pretexting Bill.

Calif. Senate Approves Pretexting Bill. "Californians have a right to privacy and pretexting not only violates that right, it makes every single one of these victims a prime candidate for identity theft." [GT: Privacy]
11:18:55 AM

News Item 5950 Universities need a privacy refresher course | Perspectives | CNET News.com

Unbelievable but true: While most higher educational institutions engage in e-commerce, most also engage in practices that present potential privacy risks--and less than 30 percent bother posting privacy notices on their home pages.

When it comes to privacy, universities and colleges need to go back to school.

Bentley College and Watchfire, a company specializing in online risk management, just surveyed 236 institutions on their online privacy policies. The list was culled from universities and national liberal arts colleges appearing in the 2004 U.S. News and World Report ranking of America's best colleges.

This survey is timely, as most educational institutions use the Internet to process electronic admissions applications. They also engage in other types of e-commerce transactions, such as the online sale of athletic tickets, alumni donations over the Internet, and the sale of textbooks, clothing and other items online. With a growing number of universities and colleges suffering data breaches, the need for privacy attention clearly is heightened.


11:17:02 AM

News Item 5949 Bill seeks to inform drivers of black box in vehicles

Many new cars are equipped with an event data recorder, or EDR, a small box containing a microchip that records automobile-related data covering the last five seconds before an auto accident. It can help investigators learn how an accident occurred.

But some are concerned about the use of the boxes in lawsuits and say that they constitute an unwarranted intrusion on privacy rights.

Most car buyers don't even know their car has an EDR, because neither the dealer nor the owner's manual mentions it, said state Sen. J. Barry Stout, D-Washington, who along with other senators is trying to protect Pennsylvania car owners from what they see as the latest version of Big Brother.

He is a co-sponsor of a bill that would require car dealers to tell buyers about the existence of a black box and give the car owner greater control over release of the data on the recorder in case of an accident.

"The public doesn't want someone to spy on them or to snoop on them," said Mr. Stout. "Drivers should have a right to privacy. It's a consumer-protection issue."

Without such a law, Mr. Stout said, the EDR information could be used against a driver if he is sued by the other driver in a car crash.


11:13:20 AM

News Item 5948 Consumers Worldwide Overwhelmingly Support Biometrics for Identity Verification, Says Unisys Study; More Than Two-Thirds Also Favor Biometrics as Preferred Method to Combat Fraud and ID Theft

Nearly 70 percent of consumers worldwide support using biometrics technologies such as fingerprints or voice recognition administered by a trusted organization (e.g., a bank, healthcare provider or government organization) as a way to verify an individual's identity, according to new global research from Unisys Corporation (NYSE:UIS).

In the first worldwide survey of its kind to study consumer security preferences, the Unisys research also found that 66 percent of consumers worldwide also favored biometrics as the ideal method to combat fraud and identity theft as compared to other methods such as smart cards and tokens. This finding shows a slight increase from separate research that Unisys conducted in September 2005, which found 61 percent of consumers worldwide favored biometrics as the preferred method to fight fraud and identity theft.

"This research is revealing since many headlines today seem to question biometric adoption because of legitimate privacy concerns," said Mark Cohn, vice president, homeland security solutions, Unisys Corporation. "System developers and owners must address those concerns so that these technologies can move toward the mainstream on a large scale w
11:10:06 AM

News Item 5947 Why VOIP Needs Crypto.

Why VOIP Needs Crypto. Internet phone calls can be wiretapped in ways that would have made Richard Nixon giggle with glee. It's time for strong encryption to become the rule, rather than the exception. Commentary by Bruce Schneier. [Wired News: Security Blanket]
11:05:16 AM

News Item 5946 Your Thoughts Are Your Password.

Your Thoughts Are Your Password. Scientists hope that mind-reading computers will one day replace typed passwords, making fingerprint readers and retina scans obsolete. Skeptics say don't count on it. By Lakshmi Sandhana.  [Wired News: Security Blanket]
11:01:54 AM

News Item 5945 Privacy needs to be baked into systems, experts say

WILLIAMSBURG, Va. - To be as effective as possible, agency privacy officers should not act as a Dr. No. Rather, they should be an important part of the team that helps focus a system, two privacy officials said.

Kenneth Mortensen, senior adviser to the Homeland Security Department's privacy officer, speaking at the IRMCO conference, said the department is trying to institutionalize privacy by making privacy impact statements part of how the agency does business.

The goal for privacy is to bake it into the system, said Barbara Symonds, director of the Internal Revenue Service's Office of Privacy and Information Protection. Privacy issues are harder to address when organizations treat them as an afterthought. When they consider privacy throughout a system's development, they rarely encounter additional costs or slower growth, she said.


11:00:15 AM

News Item 5944 Desktop-search risks deserve close management scrutiny.

Desktop-search risks deserve close management scrutiny. As more end users download and experiment with desktop search tools, IT managers must establish policies, standardize tools and protect their networks from data exposure, compliance breaches and poor performance, experts say. [Computerworld Privacy News]
10:55:46 AM

News Item 5943 Wells Fargo, AOL to join Symantec antiphishing effort.

Wells Fargo, AOL to join Symantec antiphishing effort. Symantec Corp. is planning to revamp the Phish Report Network, an online project aimed at cutting down on "phishing" identity theft attacks, and will add a number of new partners for the project. [Computerworld Privacy News]
10:52:52 AM

News Item 5942 New phishing scam model leverages VoIP.

New phishing scam model leverages VoIP. Presented with a nearly irresistible combination of low cost and lower end-user awareness, phishers are making use of a new tech angle for infotheft: voice-over-IP phone numbers. [Computerworld Privacy News]
10:50:48 AM

News Item 5941 Disclosure meant less pain in data theft.

Disclosure meant less pain in data theft. After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive. [Network World on Privacy]
10:48:44 AM

News Item 5940 Potential Security Vulnerabilities of a Wireless Network in a Military Healthcare Facility.

Potential Security Vulnerabilities of a Wireless Network in a Military Healthcare Facility. This paper, submitted by Jason Meyer, will look into the regulations governing data security on a military network as well as a military healthcare network. By Jason Meyer. [Infosec Writers Latest Security Papers]
10:44:17 AM

News Item 5939 BBC mulls database of kids.

BBC mulls database of kids.

Blue Peter's got your number

Still plotting ways to root out Blue Peter benefits cheats, puritanical BBC producers are chewing over plans for an intelligence database that petty officials can use to keep an eye on pesky kids.

Producers of Blue Peter, the hit children's TV magazine show, have been considering options to prevent imposters from buying the privileges conferred to Blue Peter badge winners (such as free entry to tourist attractions), since discovering the badges were being sold on eBay.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:39:06 AM

News Item 5938 LIRR loses records of virtually everyone who has ever worked for the agency-- Newsday.com

Box containing employee data is lost going into storage; railroad downplays risk of identity theft

The Long Island Rail Road said Wednesday that it has lost personal information -- names, addresses, Social Security numbers and salary figures -- of virtually everyone who has ever worked for the agency.

Editor: This is today's cover story at the paper.

10:32:36 AM

News Item 5937 Groundwork for cybersecurity R&D agenda begins

The Bush administration has drafted a federal plan to improve cybersecurity research and development.

Yesterday, the National Science and Technology Council, a Cabinet-level body that coordinates governmentwide science and technology policies, issued a preprint release of the "Federal Plan for Cyber Security and Information Assurance Research and Development."

In addressing gaps in the country's current cybersecurity activities, the 121-page report recommends setting R&D priorities and strengthening coordination between agencies and the private sector. The plan also calls for implementing emerging technologies, road maps and metrics. It does not address specific funding levels or budgets.

Industry officials and lawmakers had been urging the administration to improve federal cybersecurity and information assurance R&D. Officials are billing this plan as the first step toward developing a federal agenda. Members of more than 20 government organizations prepared the document as part of the Interagency Working Group on Cyber Security and Information Assurance.

The report responds to several recent cybersecurity documents, including a memorandum on fiscal 2007 administration R&D budget priorities, a 2005 report by the now-defunct President's Information Technology Advisory Committee (PITAC) and the 2002 Cyber Security Research and Development Act.


10:27:28 AM

News Item 5936 Bugs Put Widely Used DNS Software at Risk.

Bugs Put Widely Used DNS Software at Risk. Researchers point to vulnerabilities in software that runs the Net's domain name servers.

[PCWorld.com - Latest News Stories]


10:22:35 AM

News Item 5935 Aussies to get pseudo-ID Card.

Aussies to get pseudo-ID Card.

Monkey see, monkey do

It looks like an ID Card. It smells like an ID Card. Heck, it even spooks you like an ID Card. But, as Australia's carbon copy Commonwealth Prime Minister says, "it ain't no ID card"

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:20:37 AM

News Item 5934 Getting off the UK DNA database: ACPO explains how.

Getting off the UK DNA database: ACPO explains how.

Or not...

The UK is something of a DNA record kleptocracy, with a national DNA database now well in excess of three million records, and with new sampling opportunities available to the police on remarkably easy terms. These days it's ever so easy to get onto the UK database, but how do you get off?

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:18:33 AM

News Item 5933 The Season of Bad Laws, Part 2: Criminal Copyright Infringement, Drug War Style.

The Season of Bad Laws, Part 2: Criminal Copyright Infringement, Drug War Style.

The Department of Justice is pushing for legislation that would expand the scope of, and stiffen the penalties for, criminal copyright infringement. The legislation has not yet been introduced, but the relevant subcommittee of the House Judiciary Committee has quietly circulated a draft bill based on the DoJ wish list. (A similar bill was circulated in November 2005, along with a "section-by-section" analysis apparently prepared by DoJ to explain their requests. The new bill goes farther than the previous version.)

The DoJ proposal is an outrage.

Keep in mind that criminal copyright infringement is no longer limited to situations involving commercial piracy. Thanks to laws like the No Electronic Theft (NET) Act and the Family Entertainment and Copyright Act (FECA), the feds can now bring criminal charges against people for simply uploading a single "pre-release" song (as two Ryan Adams fans discovered last month when they were brought up on federal charges for uploading tracks from pre-release promotional CDs).

Most of the changes sought by DoJ fall into two broad categories: (1) making it easier to convict people of criminal copyright infringement by eliminating the inconvenient necessity of proving that actual infringement took place; and (2) increasing the financial and penal penalties when someone is convicted.

This guarantees one result: more innocent people will be convicted. After all, if you're wrongly accused, but you know the feds don't have to prove their case and you're facing serious jail time, you're more likely to accept a plea bargain.

In fact, DoJ will have an easier time convicting you of criminal charges than civil litigants will have suing you for money. This is exactly backwards. Before they throw people in jail for copyright infringement (especially where the infringement does not involve a commercial motive), the feds should have to prove their case, just like copyright owners in civil cases. They should have to prove, among other things, that infringement took place, that it took place within the applicable statute of limitations, and that the work was properly registered.

Is it too much to ask that DoJ actually do its homework and prove its case before it imprisons people and seizes their assets for uploading a Ryan Adams song?

The draft bill includes the following changes to copyright's criminal provisions:

  • Makes attempted copyright infringement a criminal offense. This is unprecedented in American copyright law.

  • Makes conspiracy to commit copyright infringement a criminal offense. Aiding and abetting is already prohibited under existing law, as is contributory infringement, so this appears designed to enable prosecutions where no actual infringement ever took place.

  • Empowers law enforcement with the same criminal and civil forfeiture powers used in drug prosecutions.

  • Authorizes FBI wiretapping (including of email, internet activity, etc.) in criminal copyright infringement cases.

  • Stiffens penalties in the "anti-bootlegging" statute that prohibits recording of live concerts, despite the fact that the law has been declared unconstitutional by a New York federal court (the government has appealed).

  • For criminal prosecutions, eliminates the requirement that a work be registered before a case can be commenced.

  • Dramatically increases the maximum prison sentences applicable to most criminal copyright provisions, including the anti-camcording laws enacted just last year.

In addition to the criminal provisions, the DoJ proposal also makes the following general changes, which would be available in both civil (think RIAA, MPAA) and criminal cases:

  • Expands existing ex parte seizure remedies available to copyright owners to include seizure of "records documenting the manufacture, sale, or receipt of [infringing] items." You can expect the MPAA and RIAA to argue that this includes server logs, email, customer lists, and similar records.

  • Prohibits exports of goods that are infringing or would have been infringing if the U.S. Copyright Act had applied. Current law already prohibits imports, as well as domestic reproductions, distributions, and performances. So targeting "exports" really addresses exports of works that would not otherwise be infringing under U.S. law. Another example of expanding a copyright owner's rights without any justification.

  • Defines "traffic" under the DMCA to mean "to transport, transfer, or otherwise dispose of, to another, or to make, import, export, obtain control of, or possess, with intent to so transport, transfer, or otherwise dispose of." By explicitly adding "possession" to the definition of "traffic," this expands the DMCA (when experience tells us the DMCA needs to be narrowed).

[EFF: Deep Links]
10:16:37 AM

News Item 5932 The Season of Bad Laws, Part 3: Banning MP3 Streaming.

The Season of Bad Laws, Part 3: Banning MP3 Streaming.

The Washington Post reports that Senators Feinstein (D-Cal.) and Graham (R-S.C.) have introduced S. 2644, dubbed the PERFORM Act, that is aimed at punishing satellite radio for offering its subscribers devices capable of recording off the air.

Buried in the bill, however, is a provision that would effectively require music webcasters to use DRM-laden streaming formats, rather than the MP3 streaming format used by Live365, Shoutcast, and many smaller webcasters (like Santa Monica's KCRW and Seattle's KEXP). The streaming radio stations included in iTunes also rely on MP3 streams (since Apple isn't about to license the Real or Microsoft streaming codecs).

Today, webcasters that want to transmit major label music are entitled to do so under a statutory license (administered by SoundExchange) set out in section 114(d) of the Copyright Act. So long as they follow the rules and pay a royalty, webcasters can play whatever music they like, using whatever streaming format they like.

[EFF: Deep Links]
10:09:30 AM

News Item 5931 Top Canadian Artists Oppose DRM, Suing Fans.

Top Canadian Artists Oppose DRM, Suing Fans.

Remember when all of those Canadian record labels recently walked out on CRIA, the Canadian equivalent of the RIAA? Well, a bunch of them just launched a new coalition for Canadian musicians called the "Canadian Music Creators Coalition," and their founding principles are pretty rad:

1. Suing Our Fans is Destructive and Hypocritical
2. Digital Locks are Risky and Counterproductive
3. Cultural Policy Should Support Actual Canadian Artists

This remarkably reasonable and consumer-friendly stance is backed by some big artists, too. For example: Barenaked Ladies, Avril Lavigne, Sarah McLachlan, Chantal Kreviazuk, Sum 41, Stars, Raine Maida (Our Lady Peace), Dave Bidini (Rheostatics), Billy Talent, John K. Samson (Weakerthans), Broken Social Scene, Sloan, Andrew Cash and Bob Wiseman (Co-founder Blue Rodeo).

[EFF: Deep Links]
10:06:01 AM

News Item 5930 The Critical First Steps in a Successful Incident Response Program.

The Critical First Steps in a Successful Incident Response Program. This paper, contributed by Stephanie Hight, discusses the first steps in an Incident Response Program. Topics such as policy, teams, communication and others are covered. By Stephanie Hight. [Infosec Writers Latest Security Papers]
9:59:38 AM