Judges Approves $9.5 Million Facebook ‘Beacon’ Accord: Via Threat Level.

A federal judge on Wednesday approved a $9.5 million settlement to a class action lawsuit challenging Facebook’s program that monitored and published what users of the social networking site were buying or renting from Blockbuster, Overstock and other locations.

The case concerned allegations Facebook’s now defunct “Beacon” program breached federal wiretap and video-rental privacy laws. Terms of the settlement, in which Facebook denied any wrongdoing, require the site to finance what the deal calls a “Digital Trust Fund” that would issue more than $6 million in grants to organizations to study online privacy.

The social networking site will have a seat on the fund’s three-member board — a fact that was a big bone of contention (.pdf) in the privacy community, but one U.S. District Judge Richard Seeborg in San Jose, California, said Wednesday was immaterial.

“There has been no pervasive showing that the foundation will be a mere publicity tool for Facebook,” (.pdf) Seeborg wrote.

Seeborg gave preliminary approval to the deal last year, but finalized it Wednesday after reviewing objections. [ Read more ... ]

Court: State Can Dump Non-Sex Offenders Into Registry: Via Threat Level.

Georgia’s Supreme Court is upholding the government’s right to put non-sex offenders on the state’s sex offender registry, highlighting a little-noticed but growing practice nationwide.

Atlanta criminal defense attorney Ann Marie Fitz estimated that perhaps thousands of convicts convicted of non-sexual crimes have been placed in sex-offender databases. Fitz represents a convict who was charged with false imprisonment when he was 18 for briefly detaining a 17-year-old girl during a soured drug deal. He unsuccessfully challenged his mandatory, lifelong sex-offender listing to the Georgia Supreme Court, which ruled against him Monday.

Under the Adam Walsh Child Protection and Safety Act of 2007, the states are required to have statutes demanding sex-offender registration for those convicted of kidnapping or falsely imprisoning minors. The Georgia court ruled that the plain meaning of “sex offender” was overridden by the state’s law.

“Rainer’s belief that the term ’sexual offender’ may only apply to offenders who commit sexual offenses against minors does not change the fact that the definition provided in the statute, and not the definition that Rainer wishes to impose upon the statute, controls,” the court’s majority said. [ Read more ... ]

How Privacy Vanishes Online: Via NYT > Privacy.

Using innocuous bits of data from Web sites like Facebook and Twitter, researchers gleaned people’s names, ages and even Social Security numbers.

Yet people often dole out all kinds of personal information on the Internet that allows such identifying data to be deduced. Services like Facebook, Twitter and Flickr are oceans of personal minutiae — birthday greetings sent and received, school and work gossip, photos of family vacations, and movies watched.

Computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number.

“Technology has rendered the conventional definition of personally identifiable information obsolete,” said Maneesha Mithal, associate director of the Federal Trade Commission’s privacy division. “You can find out who an individual is without it.” [ Read more ... ]

Undercover Feds on Social Networking Sites Raise Questions: Via Threat Level.

The next time someone ties to “friend” you on Facebook, it may turn out to be an undercover fed looking to examine your private messages and photos, or surveil your friends and family, according to an internal Justice Department document obtained by the Electronic Frontier Foundation.

The 33-page document shows that law enforcement agents from local police to the FBI and Secret Service have been logging on to MySpace and other sites undercover to communicate with suspects, read private postings and view photos and videos that are restricted to a user’s friends, according to the Associated Press.

The document also describes techniques for verifying alibis — such as checking messages posted by a suspect on Twitter disclosing his whereabouts at the time a crime was committed — and uncovering information that might point to illegal activity, such as photos depicting a suspect with expensive jewelry, a new car or even a weapon.

The document says that evidence from social networking sites can: [ Read more ... ]

EFF Posts Documents Detailing Law Enforcement Collection of Data From Social Media Sites: Via EFF.org Updates.

EFF has posted documents shedding light on how law enforcement agencies use social networking sites to gather information in investigations. The records, obtained from the Internal Revenue Service and Department of Justice Criminal Division, are the first in a series of documents that will be released through a Freedom of Information Act (FOIA) case that EFF filed with the help of the UC Berkeley Samuelson Clinic.

One of the most interesting files is a 2009 training course that describes how IRS employees may use various Internet tools -- including social networking sites and Google Street View -- to investigate taxpayers. [ Read more ... ]

Smackdown: Consumer Privacy vs. Advertiser Revenue: Via CDT - Center for Democracy & Technology..

I attended Smackdown: Consumer Privacy vs. Advertiser Revenue and was expecting to hear good discussion about how advertising and targeting firms are battling with privacy groups to meet the needs of the consumer. I was a little disappointed in how little representation from the privacy end there was in the room. The panel opened with moderator Alan Chapell from BlueKai asking whom in the room represented the business side of consumer data and who was from the advocacy end. I was one of three people representing the advocacy end.

The talk began with defining what data they were talking about as panelists tiptoed around exactly what data is being taken by marketers and commented that nothing used is personally identifiable and is used to tailor a better online experience; however, the panel didn’t really discuss one of the most important questions of user data being used for marketing - how long this data is kept and stored?

Discussion from the panelists turned to how advertisers can adapt their industry practices and data practices in the changing legislative environment. The FTC’s public roundtables, in which CDT participated, were discussed as was legislation in Congress being proposed by Rep. Boucher. [ Read more ... ]

Investigators: Businesses buying your credit card number: Via NorthWest Cable News.

$10 here. $15 there. 

By putting little charges on your credit card  some companies are making tens of millions of dollars a year. These are businesses that you never gave your credit card number to.

Some consumer groups call it fraud, but it may be perfectly legal.

Christie Frison-Thornton, of Rainier, spotted a $19.95 charge just a few weeks ago.   A company called "Privacy Matters" billed her credit card.

"I thought what the heck is this? Cause I really did not have a clue," said Frison-Thornton. [ Read more ... ]

To Stop Crime, Share Your Genes: Via NYTimes.com ( Op-Ed Contributor ).

PERHAPS the only thing more surprising than President Obama’s decision to give an interview for “America’s Most Wanted” last weekend was his apparent agreement with the program’s host, John Walsh, that there should be a national DNA database with profiles of every person arrested, whether convicted or not.Emphasis added: Many Americans feel that this proposal flies in the face of our “innocent until proven guilty” ethos, and given that African-Americans are far more likely to be arrested than whites, critics refer to such genetic collection as creating “Jim Crow’s database.”

In truth, however, this is an issue where both sides are partly right. The president was correct in saying that we need a more robust DNA database, available to law enforcement in every state, to “continue to tighten the grip around folks who have perpetrated these crimes.” But critics have a point that genetic police work, like the sampling of arrestees, is fraught with bias. A better solution: to keep every American’s DNA profile on file. [ Read more ... ]

NetFlix Cancels Recommendation Contest After Privacy Lawsuit: Via Threat Level.

Netflix is canceling its second $1 million Netflix Prize to settle a legal challenge that it breached customer privacy as part of the first contest’s race for a better movie-recommendation engine.

Friday’s announcement came five months after Netflix had announced a successor to its algorithm-improvement contest. The company at the time said it intended to expand the amount of information it gave to researchers in hopes that its recommendation system — a key part of Netflix’s customer retention strategy — would get even better. That was then followed with a warning by prominent data privacy lawyers that the new dataset was easily de-anonymized.

Those fears were highlighted in December, when an in-the-closet lesbian mother sued Netflix for privacy invasion, alleging the movie-rental company made it possible for her to be outed when it disclosed insufficiently anonymous information about nearly half-a-million customers as part of its $1 million contest. [ Read more ... ]

Best Practices for Government Datasets: Wrap-Up: Via Freedom to Tinker.

[This is the fifth and final post in a series on best practices for government datasets by Harlan Yu and me. (previous posts: 1, 2, 3, 4)]

For our final post in this series, we'll discuss several issues not touched on by earlier posts, including data signing and the use of certain non-text file formats. The relatively brief discussions of these topics should not be interpreted as an indicator of their importance. The topics simply did not fit cleanly into earlier posts.

One significant omission from earlier posts is the issue of data signing with digital signatures. Before discussing this issue, let's briefly discuss what a digital signature is. Suppose that you want to email me an IOU for $100. Later, I may want to prove that the IOU came from you—it's of little value if you can claim that I made it up. Conversely, you may want the ability to prove whether the document has been altered. Otherwise, I could claim that you owe me $100,000. [ Read more ... ]

TJX Hacking Conspirator Gets 4 Years: Via Threat Level.

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. [ Read more ... ]

The Beginning of the End of Data Retention: Via EFF.org Updates.

Last week, the German Constitutional Court issued a much-anticipated decision, striking down its data retention law as violating human rights. It was an important victory for Europe’s Freedom Not Fear movement, which was formed to oppose the EU Data Retention Directive. But it was also a reminder of the political work which remains to be done to defeat it.

When the European Union first passed the Data Retention Directive in 2006, despite a hard-fought campaign by European activists, it seemed like the beginning of the end for Internet privacy. The directive sought to require telecommunications service providers operating in Europe to retain a detailed history of each of their customers' activity for up to 2 years for possible use by law enforcement; including phone calls made and emails sent and received.

The response from European citizens was swift and outraged. Under the banner of Freedom Not Fear, mass protests were held in cities all across Europe and beyond. [ Read more ... ]

Feds: TSA Worker Tried to Sabotage Terror Database: Via Threat Level.

A former Transportation Security Administration contractor is being charged in Colorado for allegedly injecting malicious code into a government network used for screening airport security workers and others.

The malicious code, a logic bomb installed last October, was designed to cause damage and disrupt data on servers on an undisclosed date but was caught by other workers before it delivered its payload.

Douglas James Duchak, 46, had worked as a data analyst at the TSA’s Colorado Springs Operations Center, or CSOC, since 2004. The CSOC is used to vet people who have “access to sensitive information and secure areas of the nation’s transportation network,” according to the indictment. A source involved in the case said this involved screening of both passengers and workers at airports and other transportation facilities.

He pleaded not guilty in a Denver federal court on Wednesday and was released on a $25,000 unsecured bond. The indictment did not say whether the malware was crafted to erase or alter data, or simply disable servers.

The CSOC network stores updated information from the government’s terrorist watchlist as well as criminal histories from the U.S. Marshal’s Service Warrant Information Network. [ Read more ... ]

Hi-tech governments growing keener on snooping, says report | Pinsent Masons LLP: Via Pinsent Masons LLP at Out-Law.com .

Western industrial countries are becoming more willing to spy on their citizens, according to an analysis of snooping that says that the UK is sixth in a world ranking for electronic state surveillance.

Privacy technology company CryptoHippie has produced its second annual report on surveillance trends and says in it that countries that previously showed restraint in their monitoring of individuals have lost some of that self-control.

"When we produced our first Electronic Police State report, the top ten nations were of two types: those that had the will to spy on every citizen, but lacked ability [and] those who had the ability, but were restrained in will," it said in its 2010 report. "This is changing: the able have become willing and their traditional restraints have failed." [ Read more ... ]

Classmates.com’s Facebook Mimicking Prompts Privacy Suit: Via Threat Level.

The long-lost pal locating site, Classmates.com, has been hit with a class action privacy lawsuit alleging the company violated the law when it decided to make user profiles public in order to compete with Facebook.

The suit alleges that Classmates.com duped its paying customers in late January when it sent them an e-mail saying that members would have to opt-out of new Facebook and iPhone apps to keep their data private. That’s a massive change to the site’s privacy policy and violates federal and Washington State privacy and fairness laws, according to the suit (.pdf) filed in a Washington State federal district court March 5.

Classmates.com has long kept user information non-public, and only paying members can read e-mails sent to them by others, see ‘old friends’ on a map, and see who has been looking at their profile. While the site has some 3 million paying users, it’s been eclipsed by sites like Facebook and MySpace, which have more members, more public profiles and don’t charge.

In order to keep up, Classmates.com decided to make “public Classmates content available to people using a variety of sites and devices, including Facebook and the iPhone,” according to a January 30 e-mail sent to users. [ Read more ... ]

Government No-Fly List Includes the Dead: Via Threat Level.

You may be dying, figuratively, to get off the government’s no-fly list, but death won’t guarantee removal.

The government’s no-fly list includes the names of dead suspects, according to government officials who spoke with the Associated Press, to help catch people who may try to assume the suspect’s identity.

The no-fly list has been shrouded in mystery since it was first developed after the 9/11 attacks. How people get on the list or get off it has been a closely guarded secret, with only bits of information made public during congressional hearings.

The AP has pieced together the broad steps it takes for someone to get on the list, and some of the changes the list has undergone since it was first created nine years ago. [ Read more ... ]

New "Smart Meters" for Energy Use Put Privacy at Risk: Via EFF.org Updates.

The ebb and flow of gas and electricity into your home contains surprisingly detailed information about your daily life. Energy usage data, measured moment by moment, allows the reconstruction of a household's activities: when people wake up, when they come home, when they go on vacation, and maybe even when they take a hot bath.

California's PG&E is currently in the process of installing "smart meters" that will collect this moment by moment data—750 to 3000 data points per month per household—for every energy customer in the state. These meters are aimed at helping consumers monitor and control their energy usage, but right now, the program lacks critical privacy protections.

That's why EFF and other privacy groups filed comments with the California Public Utilities Commission Tuesday, asking for the adoption of strong rules to protect the privacy and security of customers' energy-usage information. Without strong protections, this information can and will be repurposed by interested parties. It's not hard to imagine a divorce lawyer subpoenaing this information, an insurance company interpreting the data in a way that allows it to penalize customers, or criminals intercepting the information to plan a burglary. Marketing companies will also desperately want to access this data to get new intimate new insights into your family's day-to-day routine–not to mention the government, which wants to mine the data for law enforcement and other purposes. [ Read more ... ]

The N.Y.P.D. Is Watching Certain People: Via NYTimes.com .

From 2004 through 2009, in a policy that has gotten completely out of control, New York City police officers stopped people on the street and checked them out nearly three million times, frisking and otherwise humiliating many of them.

Upward of 90 percent of the people stopped are completely innocent of any wrongdoing. And yet the New York Police Department is compounding this intolerable indignity by compiling an enormous and permanent computerized database of these encounters between innocent New Yorkers and the police.

Not only are most of the people innocent, but a vast majority are either black or Hispanic. There is no defense for this policy. It’s a gruesome, racist practice that should offend all New Yorkers, and it should cease. [ Read more ... ]

Supreme Court Takes ‘Informational Privacy’ Case: Via Threat Level.

The U.S. Supreme Court is agreeing to decide how much personal information the federal bureaucracy may acquire on its workers.

The justices, without comment, decided Monday to review a lower-court decision surrounding the concept of so-called “informational privacy.” The 9th U.S. Circuit Court of Appeals in San Francisco struck down intrusive background checks last year on nearly three dozen National Aeronautics and Space Administration contractors as being too invasive — calling them an unconstitutional, “broad inquisition.”

The checks sought information from any source surrounding their sex lives, finances and even drug use. The contractors being investigated were not privy to classified information. [ Read more ... ]

Major ISPs Help Fund BitTorrent User Tracking Research: Via Slashdot YRO.

An anonymous reader writes "I was scanning conference proceedings to come up with ideas for a reading group I run at my workplace, and I noticed an interesting paper from the new IEEE WIFS forensics conference. Researchers from the University of Colorado have published a technique for tracking BitTorrent users (PDF) by joining and actively probing torrent swarms using low-cost cloud computing services. They claim their methods allowed them to monitor the entire Pirate Bay torrent set for as little as $13/mo using EC2. But that's not even the interesting part. Their work appears to have been 'funded in part through gifts from PolyCipher' — a broadband ISP consortium. That's right; three major national ISPs funded this round of BitTorrent tracking research, not the MPAA/RIAA. Could this be evidence of ISP support for ACTA and a global three-strikes law?"

Read Original Article:(Via Slashdot.)

Worker ID Card at Center of Immigration Plan: Via Wall Street Journal.

Lawmakers working to craft a new comprehensive immigration bill have settled on a way to prevent employers from hiring illegal immigrants: a national biometric identification card all American workers would eventually be required to obtain.

Under the potentially controversial plan still taking shape in the Senate, all legal U.S. workers, including citizens and immigrants, would be issued an ID card with embedded information, such as fingerprints, to tie the card to the worker.

The ID card plan is one of several steps advocates of an immigration overhaul are taking to address concerns that have defeated similar bills in the past.

The uphill effort to pass a bill is being led by Sens. Chuck Schumer (D., N.Y.) and Lindsey Graham (R., S.C.), who plan to meet with President Barack Obama as soon as this week to update him on their work. An administration official said the White House had no position on the biometric card. [ Read more ... ]

"Your Papers, Please!" - Get Your Fingerprints Ready! Cross-Party Senate Alliance Pushing National ID Card: Via Lauren Weinstein's Blog.

Greetings. According to the Wall Street Journal, U.S. Senate immigration reform advocates Chuck Schumer and Lindsey Graham are proposing a mandatory biometric (e.g. fingerprint-based) National ID Card system, and are attempting to brush away privacy concerns as trivial and irrelevant.

Touted as "merely" a "right-to-work" card aimed at addressing illegal immigration concerns, there's simply no fast-talking around the fact that this plan will set in motion a massive national ID infrastructure that will ultimately penetrate every aspect of our lives. Anyone who suggests otherwise is -- sorry to say -- either a liar or a fool. [ Read more ... ]

The Cell Phone Network: Law Enforcement's Surveillance Dream: Via Blog of Rights: Official Blog of the American Civil Liberties Union.

Yesterday, WNYC's On the Media (OTM) profiled our cell phone tracking case. In this case, the ACLU, Center for Democracy and Technology and the Electronic Frontier Foundation (EFF) asked the court to require that the government at least show probable cause before it can ask a wireless provider to fork over information about your whereabouts using GPS or cell tower tracking via your cell phone. We won in the district court (PDF); the government appealed that decision to the 3rd Circuit. [ Read more ... ]

Correcting Errors and Making Changes: Via Freedom to Tinker.

[This is the fourth post in a series on best practices for government datasets by Harlan Yu and me. (previous posts: 1, 2, 3)]

Even cautiously edited datasets sometimes contain errors, and even meticulously produced schemas require refinement as circumstances change. While errors or changes create inconvenience for developers, most developers appreciate and prepare for their inevitability. Agencies should strive to do the same. A well-developed strategy for fixes and changes can ease their burden on both developers and agencies.

When agencies release data, developers ideally will interact with it in creative new ways. Given datasets containing megabytes to gigabytes of data, novel uses will reveal previously unnoticed errors. Knowledge of these errors benefits the agency as well as other developers using the data, so agencies should take steps to encourage error reporting. Labels in a dataset allow developers to specify errors efficiently and unambiguously. An easy-to-find channel for reporting errors, such as a prominently provided email address or web form, is also critical. Tracking down the contact information of the person responsible for a dataset can be difficult, and a well-known channel reduces this barrier to feedback. [ Read more ... ]