Tuesday, December 19, 2006


News Item 7887 State AGs Reach Settlement on Sony BMG Rootkit Debacle.

State AGs Reach Settlement on Sony BMG Rootkit Debacle.

More than a year after its flawed copy-protection software infected CD purchasers' computers, Sony BMG has reached a settlement with several state attorneys general (AGs) over the rootkit debacle. We've reviewed the Texas settlement agreement, which appears to be similar to agreements reached in other states, and it looks like the AGs used their investigatory and enforcement powers to obtain important additional relief for consumers.

Among other things, the settlement requires Sony BMG to compensate consumers whose computers were damaged by the XCP or Media Max software and to continue providing the settlement benefits obtained in the private litigation for an additional six months (through June 30, 2007).

Equally important are Sony BMG's future obligations. If Sony uses DRM on its CDs in the future, it will have to provide detailed pre- and post-sale disclosures to customers, provide an easy uninstaller, and notify consumers if it finds security flaws in the software.

Well done, AGs!

The Texas agreement is available here. Background regarding the Sony BMG litigation is available here.

[EFF: Deep Links]
10:08:00 PM

News Item 7886 Lawsuit Demands Answers About Government's Secret 'Risk Assessment' Scores.

Lawsuit Demands Answers About Government's Secret 'Risk Assessment' Scores.

Millions of U.S. Travelers Affected by Giant Data-Mining Program

Washington, D.C. - The FLAG Project at the Electronic Frontier Foundation (EFF) filed suit against the Department of Homeland Security (DHS) in federal court today, demanding immediate answers about an invasive and unprecedented data-mining system deployed on American travelers.

The Automated Targeting System (ATS) creates and assigns "risk assessments" to tens of millions of citizens as they enter and leave the country. In November, DHS announced that the program would launch on December 4, but Homeland Security Secretary Michael Chertoff later admitted that the program had already been in operation for several years.

"The news of this secret program sparked a nationwide uproar. DHS needs to provide answers, and provide them quickly, to the millions of law-abiding citizens who are worried about this 'risk assessment' score that will follow them throughout their lives," said EFF Senior Counsel David Sobel.

Under ATS, individuals have no way to access information about their "risk assessment" scores or to correct any false information about them. But while you cannot see your score, it will be made readily available to untold numbers of federal, state, local, and foreign agencies. The government will retain the data for 40 years.

While the publicly available information about ATS is disturbing enough, there are many critical details the government did not disclose. For example, DHS has not announced what the consequences might be of a "risk assessment" score that indicates an individual might be a threat. EFF's suit demands an urgent and expedited response to the Freedom of Information Act (FOIA) request filed earlier this month, including all Privacy Impact Assessments for the ATS, all records that describe redress for individuals who believe the system includes inaccurate information, and all records that discuss potential consequences for travelers as a result of the system.

"ATS is precisely the sort of system that Congress sought to prohibit with the Privacy Act of 1974," said Sobel. "DHS needs to abide by the law and give Americans the information they deserve about this dangerous program."

Congressional leaders have indicated that they are likely to convene hearings on ATS when the new Congress convenes in January. Today's lawsuit cites that pending oversight as an additional reason why DHS must release details about the system on an expedited basis.

For the FOIA complaint filed against the Department of Homeland Security:
http://www.eff.org/Privacy/ats/ats_complaint.pdf

For more on the ATS program and other travel screening issues:
http://www.eff.org/privacy/travel/

Contacts:

David Sobel
Senior Counsel
Electronic Frontier Foundation
sobel@eff.org

Marcia Hofmann
Staff Attorney
Electronic Frontier Foundation
marcia@eff.org

[EFF: Breaking News]
10:05:42 PM

News Item 7885 Facial-recognition software makes finding Web photos easier.

Facial-recognition software makes finding Web photos easier. Polar Rose AB plans to offer free software to make photos searchable on computers and the Internet by analyzing the contents of pictures with facial-recognition technology to locate specific faces. [Computerworld Data Mining News]
10:01:31 PM

News Item 7884 EFF sues DHS over travel data-mining system.

EFF sues DHS over travel data-mining system. The Electronic Frontier Foundation, a privacy rights group, has filed a lawsuit seeking answers about a U.S. Department of Homeland Security "risk-assessment" system for travelers. [Computerworld Data Mining News]
9:56:09 PM

News Item 7883 Fight to Unseal Critical Evidence in AT&T Surveillance Case.

Fight to Unseal Critical Evidence in AT&T Surveillance Case.

Thursday Hearing on Public Release of Documents

San Francisco - On Thursday, December 21, at 2 p.m., a federal judge in San Francisco will consider requests from media groups to unseal critical evidence in the Electronic Frontier Foundation's (EFF's) class-action lawsuit against AT&T.

EFF's suit accuses the telecom giant of collaborating with the National Security Agency (NSA) in illegal spying on millions of ordinary Americans. The sealed evidence includes a declaration by Mark Klein, a retired AT&T telecommunications technician, as well as several internal AT&T documents and portions of a declaration from EFF's expert witness. Some of the evidence was previously released in redacted form, while other evidence is still completely unavailable to the media and the public.

U.S. District Court Judge Vaughn Walker will also consider whether two state court lawsuits against AT&T and Verizon over NSA access to phone records, which were recently transferred to his courtroom, should be transferred back to state court.

WHAT:
Hepting v. AT&T and other NSA telecommunications records lawsuits

WHEN:
2 p.m.
Thursday, December 21

WHERE:
450 Golden Gate Ave., Courtroom 6
San Francisco, CA 94102

For more on EFF's case against AT&T:
http://www.eff.org/legal/cases/att/

Contact:

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

[EFF: Breaking News]
9:53:33 PM

News Item 7882 Entrenchment of Non-Privacy Norms Online.

Entrenchment of Non-Privacy Norms Online.

Gaia Bernstein, an Associate Professor at Seton Hall University School of Law (and guest blogger over at Law & Technology Theory) has a thoughtful post about how particular diffusion characteristics made the Internet vulnerable to the establishment of what she calls "non-privacy norms." She writes:

I believe two diffusion characteristics made the Internet vulnerable to this paradox and may make other technologies that share these qualities susceptible to the same paradox. First, the Internet is characterized by a critical mass point quality. This characteristic is prevalent among interactive technologies. A critical mass of people needs to adopt them before they are of value. For example, the telephone was far less useful before there were many people to call. Once the critical mass point is reached the rate of diffusion accelerates. At that point a technology is less likely to be affected by a privacy threat. It is less likely to be abandoned because of the threat. When the critical mass point is reached and diffusion accelerates, social norms become quickly entrenched.

The Internet reached its critical mass point in 1990 with 4 million users worldwide. The privacy threats appeared around the mid-1990s at a time of rapid diffusion, and non-privacy norms became quickly entrenched.

The second relevant diffusion characteristic is decentralization. The entrenchment of non-privacy norms is also enhanced where a technology is decentralized. Where a technology is decentrally diffused all users can re-invent it. In the case of the Internet, many users could act to develop privacy threatening tools, such as cookies. This exacerbated the entrenchment of non-privacy norms.

I suggest that where a technology is characterized by a critical mass point and decentralized diffusion the window of opportunity for intervention is much narrower. Privacy protection, whether through technological design or legal rules, is likely to be effective earlier before social norms are entrenched.

This is important work, and Gaia has two papers that develop these ideas further: The Paradoxes of Technological Diffusion: Genetic Discrimination and Internet Privacy and When New Technologies are Still New: Windows of Opportunity for Privacy Protection.

[michaelzimmer.org]
9:51:05 PM

News Item 7881 DoH sticks to 'opt out' for patient e-records.

DoH sticks to 'opt out' for patient e-records.

Patients have a 'realistic' period to opt out

The Department of Health (DoH) has stuck by the "implied consent" model for the central collection of electronic patient records in England, but will provide support for those who want to opt out.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
9:48:51 PM

News Item 7880 Coming in January: "Month of Apple Bugs".

Coming in January: "Month of Apple Bugs".

A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

The "Month of Apple Bugs" project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias "LMH." This is the same researcher who in November ran the "Month of Kernel Bugs" project. LMH's partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years.

The current craze for featuring a new bug each day for a specific time period began this summer with researcher HD Moore's "Month of Browser Bugs," which highlighted unpatched security holes in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari browser, and even Opera. With most of the browser bugs, Moore alerted the affected software vendors prior to publishing his findings.

To the chagrin of some security experts, however, LMH declined to give affected vendors advance notice before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple Bugs, LMH said in an interview conducted over instant message.

LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.

"Right now, many OS X users still think their system is bulletproof, and some people are interested in making it look that way," LMH said.

It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.

[Security Fix]
9:47:13 PM

News Item 7879 Worm Spreading via Skype Chat?

Worm Spreading via Skype Chat?  Password-stealing Trojan horse may--or may not--be targeting popular VoIP feature. [PC World: Latest Technology News]
9:45:23 PM