Tuesday, January 9, 2007


News Item 8015 Computer theft may have exposed patient data across five states.

A computer stolen from the office of Cincinnati-based Electronic Registry Systems has exposed sensitive health care data belonging to tens of thousands of patients in five health care firms. [Computerworld Privacy News]
10:13:12 PM

News Item 8014 Medical identity theft can kill you

Financial identity theft might wound your wallet, but medical identity theft can kill you.

Medical identity theft occurs when criminals obtain information such as a health insurance identification or Social Security number and use it to get health care or to obtain reimbursement from insurers and others for false claims. That means your medical history and health care records can include someone else's information. This can be life threatening: for example, causing a transfusion of the wrong blood type.

"People can die from this crime," says Pam Dixon, executive director of the World Privacy Forum, a privacy rights group. "It is a potentially huge issue. It's an incredibly intransigent problem and victims are finding that they have to sue health care providers to have their records corrected."

As paper-based, medical-record-keeping systems evolve toward electronically based interconnected systems, the potential for catastrophic errors is on the rise.

Hospitals and insurance companies face enormous expenses when it comes to medical identity theft, as they are forced to write-off charges incurred by the thieves. But its victims find that the financial aspects of this type of identity theft are the easiest to deal with -- it's the potential medical consequences that are much tougher to correct.

Because health privacy and access laws lag behind credit access and reporting laws, victims frequently have little recourse to correct errors in their reports, and even when corrected, errors are apt to pop up again years later. Often victims are unaware for years that their medical identities have been stolen, according to the World Privacy Forum.

Health care providers, concerned about possible liabilities, are reluctant to correct errors in medical records and in some cases inform victims that the identity of the thief is protected under federal privacy laws so the victim can't even view the part of their records that is wrong.


10:10:45 PM

News Item 8013 Aetna to offer patients access to online data.

Aetna next month plans to begin rolling out the Aetna Care Engine Powered Personal Health Record to its members, giving them online access to their health records. [Computerworld Privacy News]
10:05:37 PM

News Item 8012 U.S. may check Web use

The federal government wants your Internet provider to keep track of every Web site you visit.

For more than a year, the Justice Department has been in discussions with Internet companies and privacy rights advocates, trying to come up with a plan that would make it easier for investigators to check records of Web traffic.

The idea is to help law enforcement officials track down child pornographers. But some see it as another step toward total surveillance of citizens -- joining warrantless wiretapping, secret scrutiny of library records and unfettered access to e-mail as another power that could be abused.

"I don't think it's realistic to think that we would create this enormous honeypot of information and then say to the FBI, 'You can only use it for this narrow purpose,' " said Leslie Harris, executive director of the Center for Democracy & Technology, a Washington, D.C.-based group that promotes free speech and privacy in communication.

"We have an environment in which we're collecting more and more information on the personal lives of Americans, and our laws are completely inadequate to protect us."


10:03:50 PM

News Item 8011 Sentinel & Enterprise - Bush violating personal privacy rights again

The White House denies it, but personal privacy has taken another big hit at the hands of the Bush administration.

The president has decreed that his agents do not need a search warrant to open and read first class mail. Traditionally -- and by law -- the government has had to go before a judge to justify a request to open a private letter.

But in one of the president's notorious signing statements -- and he has issued more than 750 of them, more than all other presidents combined, according to the ABA -- the president said he could order warrantless searches of the mail in "exigent" circumstances.

"Exigent" is a spongy word, meaning urgent. And who gets to decide when circumstances are urgent? The Decider himself.

In signing statements that the president appends to bills Congress has passed, Bush reserved the right to interpret the legislation as he sees fit or even ignore it altogether. He has earlier asserted the right to eavesdrop electronically without warrants.


9:59:26 PM

News Item 8010 Viewpoint: Existing IT Tools Can Keep Cost of Real ID Compliance Down.

There's no such thing as a foolproof ID system, and this act contains chasmic loopholes through which even the dumbest terrorist could slip. [GT: Security and Privacy]
9:56:33 PM

News Item 8009 Virginia Governor Signs Consumer Privacy, Security Orders.

"We must make sure [security standards] are appropriate and that they are rigorously enforced to protect against accidental access and deliberate hacking as well." [GT: Security and Privacy]
9:52:44 PM

News Item 8008 Smith Reintroduces the Global Online Freedom Act.

"By blocking access to information and providing secret police with the technology to monitor dissidents, American IT companies are knowingly and willingly enabling the oppression of millions of people." [GT: Security and Privacy]
9:51:11 PM

News Item 8007 EMI reviewing CD content protection technology Reuters.com

LONDON (Reuters) - EMI Group Plc said on Monday it was reviewing its use of the controversial content protection technology used on CDs, known as digital rights management (DRM), but has not scrapped it altogether.

Music companies launched DRM in a bid to curb piracy but the software means that the discs are incompatible with the iPod, the market-leading digital music player made by Apple Computer Inc.

Critics also argue that the system has not worked as consumers could be driven to illegal sites to download music to the popular iPod instead.

A spokeswoman for EMI said it had not manufactured any new disks with DRM, which restricts consumers from making copies of songs and films they have purchased legally, for the last few months.


9:47:34 PM

News Item 8006 EMI Considers Abandoning DRM on CDs.

jOmill writes "EMI Netherlands has announced that it is considering no longer using DRM on CDs, because it isn't worth the cost. According to Reuters the company is still reviewing the decision. From the article: 'Critics have argued that the system has not worked as consumers could be driven to illegal sites to download music to the popular iPod instead. A spokeswoman for EMI said it had not manufactured any new disks with DRM, which restricts consumers from making copies of songs and films they have purchased legally, for the last few months.'" [Slashdot: Your Rights Online]
9:44:57 PM

News Item 8005 Microsoft Plugs Ten Security Holes.

Microsoft Corp. today issued free software updates to plug at least 10 security holes in its Windows operating system and other software. Windows users can download the patches directly from Microsoft Update or by using the Windows Automatic Updates feature.

Probably the most important patch in the January batch is a fix for a Windows flaw that Microsoft said is being actively exploited by bad guys, who can use it to break into vulnerable computers just by tricking a Windows user into merely visiting a malicious Web site or opening a specially crafted e-mail. The bug, resident in Microsoft's implementation of a computer graphics rendering language known as "VML," exists in fully patched Windows XP computers and is similar in nature to a flaw that forced the company to issue an emergency update last fall outside of its normal second-Tuesday-of-the-month patch cycle. In fact, according to data compiled by Security Fix, Microsoft devised a patch for last September's VML flaw just eight days after it became clear bad guys were exploiting it.

In addition to the VML patch, Microsoft today pushed out three updates to fix problems in its Office suite.

Last week, Microsoft said it planned to issue at least eight patches to fix an unspecified number of security flaws, but over the weekend the company revised that number to four without explanation. Unaddressed by this month's batch patch are two flaws in Microsoft Word that bad guys are actively exploiting, and a third Word flaw for which instructions showing criminals how to exploit have been published online.

While Microsoft's next version of its operating system -- Windows Vista -- technically doesn't hit retail stores until Jan. 30, security researchers have already uncovered a set of fairly serious security holes that could expose customers to attacks. Last week, instructions for taking advantage of a Vista flaw to potentially seize control over computers running the new software were published online. Microsoft said it also was investigating rumors that this exploit was previously offered for sale in the hacker underground.

Microsoft has spent a great deal of time and effort making security a front-and-center concern in the development of Vista, even going so far as to consult with hacker teams at the National Security Agency to harden the operating system. In a note that accompanied today's patch release, Microsoft said it "developed Windows Vista with the highest attention to security; however, it is important to note that no software is 100% secure. Windows Vista is not a silver bullet- security issues will continue even with more secure operating systems, because the threat bar will continue to be raised and hackers will become more aggressive and that is why Microsoft is taking a defense in depth approach to helping protect users from malware."

One final note: Today's patches fix at least nine vulnerabilities in different versions of Office, but they are most serious for users of Office 2000. While users of newer versions of Office can also get Office updates from the Microsoft Update site, Office 2000 users will need to fire up Internet Explorer and pay a visit to the Office Update site and let the site scan their system for any missing patches.

[Security Fix]
9:41:47 PM

News Item 8004 PrivSec News Briefing (1/9/07).

RFID Strategy -- RFID Privacy And Security Issues: A look at the evolving state of tag security.
By Paul Faber
(Industryweek.com, 1/9/07)

Technology Companies Are Exposed to Security Breach Litigation.
Some Cyber Policies, By Themselves, Can Leave Gaps in Protection
(PRNewswire, 1/8/07)

Airport scanners allow some to skip security lines -- for a price.
By Stephen Majors
(The Associated Press, Published in the Seattle Post Intelligencer, 1/8/07)

Is privacy important?
Posted by Ed Burnette
(zdnet.com, 1/8/07)

Identity bandits.
By Bob Keefe
(Cape Cod Times online, 1/9/07)

Risks unknown for 'registered traveler' participants
By Jeff Jonas
(San Jose Mercury News, 1/7/07)

Adapt, Change Or Die: The Sept. 11 Proposals Are Just a Start.
By Tim Roemer
(Washington Post, 1/9/07)

[Privacy and Security Law Blog]
9:27:42 PM

News Item 8003 Supreme Court Won't Hear Secret Law Case.

The Supreme Court has denied a request to review Gilmore v. Gonzales, a case challenging a government order that requires travelers to show ID before boarding planes at American airports. The Transportation Security Administration has refused to let the public see the order, claiming that it's "sensitive security information."

EFF filed a "friend of the court" brief in November urging the Supreme Court to take the case. The brief argued that Congress never meant for agencies to have unchecked power to regulate the public with secretive rules, and was joined by the American Association of Law Libraries, American Library Association, Association of Research Libraries, Center for Democracy and Technology, National Security Archive, Project on Government Secrecy of the Federation of American Scientists, and Special Libraries Association.

[EFF: Deep Links]
8:52:33 PM

News Item 8002 CES 2007: DRM, Device "Integration," HD Cable on the PC.

Michael Gartenberg sums up one theme of CES nicely:

"A few years ago, it was all about convergence, the merging of all functionality into a single device. This year, it's all about how to integrate the diversity of devices that consumers are using into a whole that allows for the information and content they want to flow seamlessly from device to device.

"DRM restricts the flow of content seamlessly. Likewise, home networks are still a huge issue (but lots of stuff being shown at CES that can help potentially overcome some of this stuff)."

On the one hand, we've seen devices like Sling's new Sling Catcher, which will help you send video from your PC to your TV. Netgear and Bittorrent are also teaming up to help you download video and move it around your digital home.

On the other hand, there are also some clear DRM fault lines. For instance, quite a few companies at CES are showing off devices that will let you receive digital cable on PCs running Microsoft Vista. These CableCARD-compatible devices allow you to do away with your cable company's proprietary set-top box and receive and record HD straight to your computer.

That's great news, but there's a catch. As explored in our article about TiVo Series 3 for HD, all CableCARD-compatible devices are forced to add DRM shackles. So with these Vista devices, you'll be limited in how you stream around the home, and you won't be able to copy recordings to other devices. In other words, you've already invested a good chunk of change in your cable subscription, but it seems you'll have to pay again for the same content if you want it on another device.

When you ask product representatives when new CableCARD-compatible devices will be approved to help with portability around the home and beyond, they say "soon." (The same answer you get when you ask when you'll be allowed to rip that HD-DVD you bought to your iPod with the DRM vapor-ware known as "AACS Managed Copy.") At a convention that hypes up devices that aren't even close to the market (let alone ready for mass adoption), "soon" translates to "a very long time."

[EFF: Deep Links]
8:50:27 PM

News Item 8001 CES 2007: The (Hopefully) Eternal Analog Hole.

If you want to liberate your media from its DRM chains without circumventing them, you are increasingly dependent on the analog hole (all your digital outputs are belong to Hollywood, right?).

We've already talked up the Neuros MPEG4 Recorder on this blog, and at CES we found a similar device called the iRecord. You can record any analog video or audio output direct to your iPod or PSP using this gadget. While Hollywood says it's illegal for you to rip your DVD to your iPod, you can copy the DVD this way. (And how else are you going to get your shows from your TiVo Series 3 to your iPod? Hollywood and the cable companies killed TiVoToGo on the Series 3, you'll recall.)

Here's another cool CES product that depends on the analog hole: the Slingbox Pro (now with component analog inputs, so you can digitize and sling your HD video content to yourself over the internet).

And one more: the SanDisk V-Mate Video Memory Card Recorder SDVM1, a video memory card recorder similar to the Neuros MPEG4 Recorder we reviewed.

All these devices are about placeshifting (aka spaceshifting), and all of them depend on the analog hole. Hollywood doesn't want you to have this capability (at least until you pay extra for it). So we expect Hollywood will be back at work in DC this year trying to get laws passed to plug the analog hole. Stay tuned.

[EFF: Deep Links]
8:48:48 PM

News Item 8000 Germany checks 22M credit cards for child porn payments.

German credit-card companies are working with police in that country to scan the records of over 22 million customers, looking for anyone who might have used their plastic to purchase child pornography. So far, 322 customers have drawn suspicion. [Computerworld Data Mining News]
8:45:07 PM

News Item 7999 Hack Will Help Kill HD DVD Copy Protection.

New video decryption software is "the first step in the meltdown of AACS," Princeton researchers say. [PC World: Latest Technology News]
8:43:35 PM

News Item 7998 Government drops iris scan plan.

Fingerprints only

Iris scans will not form part of the UK Government's planned identity card system the National Identity Register (NIR). The only biometric information to be held on ID cards will now be fingerprints, in contrast to previously stated plans.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
8:41:38 PM

News Item 7997 US admits privacy breach on airline data.

Information grab

The US Government has admitted that it broke privacy laws in its domestic airline passenger data scheme. The Homeland Security Department has admitted that it gathered more information than it had said it would.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
8:40:22 PM

News Item 7996 Scary Blogspam Automation Tools.

As the de facto administrator of the Security Fix blog, I've spent many an hour deleting spammy links left in the comments section -- comments that usually lead back to the same kinds of Web sites you most commonly see advertised in junk e-mail.

Like regular spam, a great deal of "blogspam" is sent with the help of automated tools, such as personal computers that cyber crooks have commandeered with Internet worms that allow the bad guys to control them remotely.

It is rare, however, that we get a glimpse of just how sophisticated this type of automation has become. Consider this longish video (requires Macromedia Flash player) posted at the boldly named "Botmaster.net" Web site. (Botmasters, or "bot herders" as they are sometimes called, are the criminals who control the large, distributed networks of compromised personal computers used to send spam.) The video touts the wonders of a blogspam tool called "xRumer," which sells for $450 (the price includes online tech support).

The authors of this software package claim their product can evade a variety of technologies designed to defeat blogspam, such as requiring users to register an account before posting comments, or passing online "Turing tests" through the use of captchas. The software also boasts the ability to post blogspam comments anonymously using a feature that automatically sends the postings through computers that for one reason or another are configured to act as relays for Web traffic, much the way the long-running spammer tool "Send-Safe" has done for years. Anyway, the feature list is pretty extensive and (if accurate) pretty astounding.

[Security Fix]
8:38:28 PM

News Item 7995 EFF Defends Right to Link from Internet Wiki.

Legal Battle Over Controversial Prescription Drug Zyprexa

San Francisco - The Electronic Frontier Foundation (EFF) today defended the First Amendment rights of a citizen-journalist to link from a public "wiki" to electronic copies of damaging internal Eli Lilly documents relating to the controversial prescription drug Zyprexa.

At today's hearing, federal district Judge Jack B. Weinstein refused to change his order blocking publication of material that would "facilitate dissemination" of the Lilly documents. A further hearing on the issue is set for Tuesday, January 16.

EFF's client, an anonymous citizen-journalist, posted the links on the wiki located at http://zyprexa.pbwiki.com. Eli Lilly complained, and Judge Weinstein issued his order on January 4. EFF went to court today to challenge this order as an unconstitutional prior restraint on free speech in violation of the First Amendment and to ensure that the right of nonparties in the litigation to link to publicly important information remains protected.

"Preventing a citizen-journalist from posting links to important health information on a public wiki violates the First Amendment," said EFF Senior Staff Attorney Fred von Lohmann. "Eli Lilly's efforts to censor these documents off the Internet are particularly outrageous in light of the information reported by The New York Times, which suggests that doctors and patients who use Zyprexa need to know the information contained in those documents."

According to The New York Times reports, the Eli Lilly documents show that the company intentionally downplayed the drug's side effects, including weight gain, high blood sugar, and diabetes, and marketed the drug for "off-label" uses not approved by the Food and Drug Administration (FDA). The documents were leaked from the ongoing Zyprexa products liability lawsuit, where Weinstein is the presiding judge.

Copies of the leaked Eli Lilly documents have appeared on a variety of websites and other Internet sources. The links to the documents that were posted on the wiki at http://zyprexa.pbwiki.com were part of extensive, in-depth analysis from a number of citizen journalists. A wiki is a website that allows many users to collaborate on its content, creating a kind of simple database for collecting information -- in this case, about the controversy surrounding Zyprexa.

Zyprexa is Eli Lilly's best selling drug, used to treat schizophrenia and bipolar disorder. Last week, Eli Lilly agreed to pay up to $500 million to settle claims relating to Zyprexa. This latest settlement brings the total paid by Eli Lilly to resolve lawsuits involving Zyprexa to more than $1.2 billion.

For the full motion filed in the Zyprexa products liability litigation:
http://www.eff.org/legal/cases/zyprexa/zyprexa_motion.pdf

For the court's order of January 4:
http://eff.org/legal/cases/zyprexa/jan4_order.pdf

Contact:

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org

[EFF: Breaking News]
8:35:59 PM

News Item 7994 Florida Voters Challenge Judge's Shutdown of Election Investigation.

Ruling Impedes Search for Answers in Sarasota County Congressional Race

Tallahassee, Fla. - A bipartisan group of Florida voters today challenged a court ruling that is preventing a thorough, independent investigation into alleged voting machine failures in the state's 13th congressional district race.

The appeal asks for a reversal of last week's ruling that allowed electronic voting machine vendor Election Systems & Software (ES&S) to keep its software, hardware, and related documentation hidden from the voters -- even though experts from both sides agree that something went seriously awry during November's election.

"The court wrongly decided that the voters' legitimate demand to determine who won their election was less important than the remote possibility that an independent investigation by nationally-recognized experts would harm the trade secrets of the vendor," said Electronic Frontier Foundation (EFF) Staff Attorney Matt Zimmerman. "The court could easily have addressed the vendor's concerns the same way trade secret concerns are usually handled in litigation -- by simply issuing a protective order that set limited use of the information to the litigation. The judge had the power to protect the interests of all parties. Unfortunately, in this case, he decided not to use it."

According to the electronic voting machines used during the November general election, more than 18,000 people in Sarasota County -- approximately 15% of the voter turnout -- did not cast a vote for any congressional candidate for the hotly contested seat. Instead of performing a robust analysis of the county's voting machines and software, the Florida Elections Canvassing Commission certified Vern Buchanan as the winner by 363 votes.

The voter plaintiffs' appeal comes days after a key member of the House of Representatives weighed in on the disputed Florida congressional election, saying that not only the litigants but the House of Representatives itself would benefit from more open discovery. On Thursday, the incoming Chairwoman of the House Administration Committee -- which has the responsibility for evaluating any House election contest -- submitted a letter to the Florida First District Court of Appeal noting that the House's evaluation would be assisted by the creation of a complete record, including all relevant and critical evidence.

EFF, VoterAction, People for the American Way Foundation, and the ACLU Foundation of Florida represent 11 Sarasota voters seeking an investigation into likely voting machine malfunctions and a revote if lost votes cannot be recovered. The suit is nonpartisan and not affiliated with either candidate from the race.

For the full request for appeal:
http://www.eff.org/Activism/E-voting/florida/plaintiffs_joinder.pdf

Contact:

Matt Zimmerman
Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

[EFF: Breaking News]
8:34:21 PM