Studies

CASCADES project: Cost-effective Outbreak Detection in Networks (Hello readers of the CMU Blog report)

CASCADES project: Cost-effective Outbreak Detection in Networks (a study by the School of Computer Science, Carnegie Mellon University): "Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere?

Budget=100 blogs: If I can read 100 blogs, which should I read to be most up to date? Unit cost (each blog costs 1 unit), optimizing the information captured -- population affected (we want to be the first to know about something with many people blogging about the story after us). read more »
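The selection question above is a budgeted coverage problem over cascades: each story propagates through the blogosphere as a sequence of posts, and a set of blogs "detects" the story at the earliest time one of them posts it. Under the "population affected" objective, the value of a set of blogs is the number of posts that appear after that detection time, summed over stories, and with unit costs the budget is simply a count of blogs. The block below is an added illustration, not the CASCADES project's own code or data: it builds a few constructed cascades and runs the plain greedy algorithm (repeatedly add the blog with the largest marginal gain) under a unit-cost budget. The blog names, story names and post times are made up for the example.

```python
from math import inf

# Constructed sample cascades (not real blogosphere data): story -> list of
# (blog, time the blog posted about it). Earlier times mean the blog was quicker.
CASCADES = {
    "story1": [("a", 1), ("b", 2), ("c", 3), ("d", 4), ("e", 5)],
    "story2": [("b", 1), ("e", 2), ("f", 3), ("g", 4)],
    "story3": [("c", 1), ("a", 2), ("g", 3)],
    "story4": [("h", 1), ("d", 2)],
}


def detection_time(selected, cascade):
    """Time at which the first selected blog posts the story; inf if none does."""
    times = [t for blog, t in cascade if blog in selected]
    return min(times) if times else inf


def population_captured(selected, cascades):
    """'Population affected' objective with unit costs: the number of posts that
    appear strictly after we have already heard about the story, summed over
    all stories. Monotone and submodular, which is what makes greedy work."""
    total = 0
    for cascade in cascades.values():
        t_detect = detection_time(selected, cascade)
        total += sum(1 for _, t in cascade if t > t_detect)
    return total


def greedy_select(cascades, budget):
    """Greedy selection: at each step add the blog with the largest marginal gain,
    stopping at the budget (number of blogs) or when nothing improves.
    Returns the pick order as (blog, objective value after adding it)."""
    blogs = sorted({b for c in cascades.values() for b, _ in c})
    selected = set()
    current = 0
    history = []
    for _ in range(budget):
        best, best_gain = None, 0
        for b in blogs:
            if b in selected:
                continue
            gain = population_captured(selected | {b}, cascades) - current
            if gain > best_gain:  # strict: ties resolve to the first blog in sorted order
                best, best_gain = b, gain
        if best is None:
            break  # no remaining blog adds coverage; stop below budget
        selected.add(best)
        current += best_gain
        history.append((best, current))
    return history


if __name__ == "__main__":
    for blog, value in greedy_select(CASCADES, budget=3):
        print(f"read {blog!r}: posts seen after detection = {value}")
```

With the sample data the first pick is blog "b" (it is early on two stories), and the run stops before exhausting a large budget once every remaining blog has zero marginal gain. On real data the inner loop is the expensive part; the CELF-style lazy evaluation that the CASCADES work uses keeps a priority queue of stale gains and only re-evaluates the top candidate, which is a drop-in replacement for the loop here.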

Total Election Awareness

Total Election Awareness: Via Freedom to Tinker

Ed recently made a number of predictions about election day ("Election 2008: What Might Go Wrong"). In terms of long lines and voting machine problems, his predictions were pretty spot on.

On election day, I was one of a number of volunteers for the Election Protection Coalition at one of 25 call centers around the nation. Kim Zetter describes the OurVoteLive project, involving 100 non-profit organizations and ten thousand volunteers who answered 86,000 calls with a 750-line call-center operation ("U.S. Elections -- It Takes a Village"):

The Election Protection Coalition, a network of more than 100 legal, voting rights and civil liberties groups was the force behind the 1-866-OUR-VOTE hotline, which provided legal experts to answer nearly 87,000 calls that came in over 750 phon  read more »

IG: Lack of Enforcement Places Health Information at High Risk

IG: Lack of Enforcement Places Health Information at High Risk - Via CDT - PolicyBeta:

Ineffective oversight has led to “numerous, significant vulnerabilities” in the system that safeguards electronic protected health information (EPHI), according to a government report released last week. In addition, the report found that the agency charged with oversight of HIPAA’s Security Rule had not conducted a single compliance review nor levied any civil penalties at the time of publication. The report also warned that poor enforcement has placed confidentiality of EPHI at “high risk.”

No wonder nearly two-thirds of Americans distrust the privacy of electronic medical records.

The Inspector General (IG) for the Department of Health and Human Services (HHS) issued the study on implementation of HIPAA’s Security Rule. The findings were alarming in what they suggested about the integrity of American medical records. The report also reinforced CDT’s repeated calls for stronger enforcement of the HIPAA Privacy and Security Rules.  read more »

ES&S Voting Machines in Michigan Flunk Tests, Don't Tally Votes Consistently

ES&S Voting Machines in Michigan Flunk Tests, Don't Tally Votes Consistently - Via Threat Level:

Optical-scan machines made by Election Systems & Software failed recent pre-election tests in a Michigan county, producing different tallies for the same ballots every time, the top election official in Oakland County revealed in a letter made public Monday.

The problems occurred during logic and accuracy tests in the run-up to this year's general election, Oakland County Clerk Ruth Johnson disclosed in a letter submitted October 24 (.pdf) to the federal Election Assistance Commission (EAC). The machines at issue are ES&S M-100 optical-scan machines, which read and tally election results from paper ballots.

Johnson worried that such problems -- linked tentatively to paper dust build-up in the machines -- could affect the integrity of the general election this week.  read more »

Australian Government Ignoring Problems With Proposed Filters

Australian Government Ignoring Problems With Proposed Filters - Via Slashdot:

halll7 writes with an update to the proposed Australian national firewall we discussed recently. According to the BBC, "The official watchdog, the Australian Communications and Media Authority (ACMA), has been conducting laboratory tests of six filtering products, and the government plans a live trial soon. ... After its recent trials, ACMA reported significant improvements on earlier studies. The network degradation on one product was less than 2%, although two products were in excess of 75%." Now, Ars Technica reports that "an Australian newspaper has uncovered documents showing that the government minister responsible for the program has ignored performance and accuracy problems with the filters, then tried to suppress criticism of the plan by private citizens." The EFA has a great deal to say in opposition of these plans.

(Read Original Article - Via Slashdot.)

EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond

EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond - Via RSA Security Laboratories:

Citation: K. Koscher, A. Juels, T. Kohno, and V. Brajkovic. EPC RFID Tags in Security Applications: Passport Cards, Enhanced Drivers Licenses, and Beyond. 2008. Draft manuscript. In submission.

Abstract: EPC (Electronic Product Code) tags are industry-standard RFID devices poised to supplant optical barcodes in many applications. They are prevalent in case and pallet tracking, and also percolating into individual consumer items and border-crossing documents.

In this paper, we explore the systemic risks and challenges created by increasingly common use of EPC for security applications. As a central case study, we examine the recently issued United States Passport Card and Washington State "enhanced" drivers license (WA EDL), both of which incorporate Gen-2 EPC tags. We explore several issues:  read more »

Piracy Statistics and the Importance of Journalistic Skepticism

Piracy Statistics and the Importance of Journalistic Skepticism - Via Freedom to Tinker:

If you've paid attention to copyright debates in recent years, you've probably seen advocates for more restrictive copyright laws claim that "counterfeiting and piracy" cost the US economy as much as $250 billion. When pressed, those who make these kinds of claims are inevitably vague about exactly where these figures come from. For example, I contacted Thomas Sydnor, the author of the paper I linked above, and he was able to point me to a 2002 press release from the FBI, which claims that "losses to counterfeiting are estimated at $200-250 billion a year in U.S. business losses."

There are a couple of things that are notable about this. In the first place, notice that the press release says counterfeiting, which is an entirely different issue from copyright infringement. Passing stronger copyright legislation in order to stop counterfeiting is a non-sequitur.

But the more serious issue is that the FBI can't actually explain how it arrived at these figures. And indeed, it appears that nobody knows who came up with these figures and how they were computed. Julian Sanchez has done some sleuthing and found that these figures have literally been floating around inside the beltway for decades. Julian contacted the FBI, which wasn't able to point to any specific source. Further investigation led him to a 1993 Forbes article:  read more »

Average privacy policy takes 10 minutes to read, research finds

Average privacy policy takes 10 minutes to read, research finds - Via OUT-LAW.COM:

Website privacy policies take on average 10 minutes to read and sometimes run into thousands of words, researchers have found. While some are short, others would take over half an hour to read, researchers said.

Researchers Aleecia McDonald and Lorrie Faith Cranor of Carnegie Mellon University looked at online privacy policies and how long it would take to read them. While one policy they looked at was just 144 words long, they found one policy on a popular site that ran to 7,669 words, around 15 pages of text.

The average length of privacy policies used by the 75 most popular US websites is 2,500 words, the research found. Using the reading speed of 250 words per minute which is typical for those who have completed secondary education, the average policy would take 10 minutes to read.

The length of privacy policies is often cited as one reason they are so commonly ignored. "Studies show privacy policies are hard to read, read infrequently, and do not support rational decision making," said the researchers, acknowledging the fact that the policies are rarely read.  read more »

Privacy Policies are Great --- for PhDs

Privacy Policies are Great — for PhDs - Via Technology Industry Blog | BNET:

Major Internet companies say that they inform their customers about privacy issues through specially written policies. What they don’t say is that more often than not consumers would need college undergraduate educations or higher to easily wade through the verbiage.

When the House sent letters to 31 major Internet-related companies asking them about their privacy practices, included was a question of whether the businesses tell clients what they are doing. The common answer was, “Certainly, we proudly post our privacy policy.” I wondered about how user friendly those policies might be, so ran many through online readability software. The result: consumers need a whole lot of education to be able to casually read through what they find.  read more »

Survey: IT staff would steal secrets if laid off

Survey: IT staff would steal secrets if laid off - Via ITworld (Computerworld UK):

Most IT staff would steal sensitive company information, including CEO's passwords and customer details, if they were laid off, according to a new survey from Cyber-Ark.

A staggering 88 percent of IT administrators admitted they would take corporate secrets, if they were suddenly made redundant. The target information included CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords.

The research also revealed that, of that 88 percent, a third would take the privileged password list to gain access to valuable documents such as financial reports, accounts, salaries and other privileged information. read more »

ITRC: Breaches Blast '07 Record

ITRC: Breaches Blast ’07 Record - Via PogoWasRIght - Privacy News Headlines:

With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches, more than its total for all of 2007.

As they note, the 449 is an underestimate of the actual number of reported breaches, due in part to ITRC’s system of reporting breaches that affect multiple businesses as one incident.

.... More important than the individual numbers, perhaps, are the details of a breach, something that is often lacking or glossed over in reports. As one example, when third party benefits administrator Administrative Systems, Inc., disclosed that its office had been burgled in December 2007, it did not reveal the total number of clients affected, nor the total number of individuals whose unencrypted data were on the stolen computer. Given that just one of the dozens of clients informed this site that it had to notify 250,000 of its customers, the numbers for that breach might be staggering.  read more »

Still Big Threats Online, But Slowly Improving

Still Big Threats Online, But Slowly Improving - Via CDT - PolicyBeta:

The newest State of the Net report from Consumer Reports has concluded that several major online risks, including spyware infections, are declining in prevalence. Unfortunately, spyware still cost the country 3.6 billion dollars over the last six months, with over half a million households being forced to replace computers because of spyware.

While this is an intimidating figure, it in fact represents a 54% decline in the rate of serious spyware problems, even though a third of respondents didn’t install anti-spyware programs (about the same as last year). Unfortunately, the rate of serious spyware infections is not falling at the same rate as serious spam and virus incidents.

Consumer Reports credits the progress being made against spyware and other online threats to consumer education, improved user tools, and government involvement. Of course, the spyware developers are working to come up with new ways to circumvent consumer precautions. One in 14 households had a serious spyware incident, and spyware developers are taking advantage of new platforms, such as cell phones.

Like last year, we are pleased to see progress being made in the fight against spyware, and hope that legal and technical solutions to spyware continue to be pursued.

(Read Original Article - Via CDT - PolicyBeta.)

Boston Subway Board Member Delivers Scathing Criticism -- "System Is a Mess"

Boston Subway Board Member Delivers Scathing Criticism -- "System Is a Mess" - Via Threat Level:

A member of the Massachusetts Bay Transportation Authority's board seized on a report by three MIT students about flaws in the Boston subway's fare collection system and delivered a scathing indictment of the subway system and its general manager, calling the system "a mess" and saying she had "lost all confidence" in the system's general manager, Daniel A. Grabauskas.

The students, who were set to deliver a presentation last Sunday at the DefCon hacker conference about security vulnerabilities in the MBTA's CharlieTicket and CharlieCard payment cards, were barred from speaking about the vulnerabilities at a hacker conference after the MBTA obtained a temporary restraining order last Saturday, gagging them for ten days.

But on Wednesday at the MBTA's monthly board meeting, board member Janice Loux distributed copies of a report the students wrote about flaws that would allow someone to fraudulently increase the fare on a CharlieTicket or clone the tickets and CharlieCards, and told fellow board members that the report (.pdf) was just another example of why the automated system is a mess, according to the Boston Globe.  read more »

Study: State AGs Fail to Adequately Protect Online Consumers

Study: State AGs Fail to Adequately Protect Online Consumers - Via Center for Democracy and Technology:

State attorneys general received thousands of complaints about online fraud and abuse in 2006 and 2007. Yet, with the exception of several notable standouts, few states brought significant cases in response to those complaints, according to a report released today from the Center for American Progress and the Center for Democracy and Technology. The study finds online fraud and abuse aren't given a high priority by most attorneys general. The report recommends several steps state attorneys general can take to protect online consumers, such as: assess the applicability and adequacy of state laws; develop computer forensic capabilities; train investigators and prosecutors to identify Internet fraud; and devote greater resources to enforcement efforts.

(Read Original Article - Via Center for Democracy and Technology.)

EFF Releases "Switzerland" ISP Testing Tool

EFF Releases "Switzerland" ISP Testing Tool - Via EFF.org Updates:

San Francisco - Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications.

The FCC action, expected later today, is a response to formal complaints regarding efforts by Comcast to interfere with its subscribers' use of BitTorrent to share files over the Internet. These interference efforts were first documented and disclosed in October 2007 by EFF, the Associated Press, and a concerned Internet user, Robb Topolski. EFF subsequently urged the FCC to declare Comcast's efforts inconsistent with the Commission's 2005 "Internet Policy Statement," which sets a benchmark for neutral treatment of Internet traffic.

"The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit."  read more »
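The Comcast interference that prompted the FCC action was found by comparing what one end of a BitTorrent connection sent with what the other end received: forged TCP reset packets showed up at the receiver that the peer had never sent. The block below is an added illustration of that comparison idea and is not Switzerland's own code or wire protocol (which the page does not describe): it takes a packet capture from each end of a connection, digests the fields an honest network should leave untouched, and classifies every packet as intact, modified, dropped or injected, flagging injected packets that carry the RST flag. The packet dicts, field names and the two captures are constructed for the example.

```python
import hashlib

# Constructed captures (not real traffic). Each packet records only the fields
# an honest network must not change; TTL and checksums are deliberately left out
# because routers legitimately rewrite them. "peer" is the remote BitTorrent
# end that reports what it sent; "client" is the subscriber end that reports
# what it received.
PEER_SENT = [
    {"src": "peer", "dst": "client", "flags": "PA", "seq": 1000, "payload": b"piece-0"},
    {"src": "peer", "dst": "client", "flags": "PA", "seq": 1001, "payload": b"piece-1"},
    {"src": "peer", "dst": "client", "flags": "PA", "seq": 1002, "payload": b"piece-2"},
]
CLIENT_RECEIVED = [
    {"src": "peer", "dst": "client", "flags": "PA", "seq": 1000, "payload": b"piece-0"},
    {"src": "peer", "dst": "client", "flags": "PA", "seq": 1001, "payload": b"piece-X"},  # tampered
    # seq 1002 never arrives (dropped); instead a reset the peer never sent appears
    {"src": "peer", "dst": "client", "flags": "R", "seq": 1003, "payload": b""},
]


def packet_key(pkt):
    """Identity of a packet within a flow: endpoints plus TCP sequence number."""
    return (pkt["src"], pkt["dst"], pkt["seq"])


def packet_digest(pkt):
    """SHA-256 over the invariant fields, so the two ends can compare packets
    without shipping full payloads to each other."""
    canonical = b"|".join([
        pkt["src"].encode(), pkt["dst"].encode(), pkt["flags"].encode(),
        str(pkt["seq"]).encode(), pkt["payload"],
    ])
    return hashlib.sha256(canonical).hexdigest()


def compare_captures(sent, received):
    """Classify what happened to each packet between the sender's and the
    receiver's capture. Returns keys for each category plus a count of
    packets that arrived unchanged and a list of injected packets with RST set."""
    sent_by_key = {packet_key(p): p for p in sent}
    recv_by_key = {packet_key(p): p for p in received}
    report = {"intact": 0, "modified": [], "dropped": [], "injected": [], "forged_resets": []}

    for key, p in sent_by_key.items():
        q = recv_by_key.get(key)
        if q is None:
            report["dropped"].append(key)
        elif packet_digest(q) != packet_digest(p):
            report["modified"].append(key)
        else:
            report["intact"] += 1

    for key in sorted(recv_by_key.keys() - sent_by_key.keys()):
        report["injected"].append(key)
        if "R" in recv_by_key[key]["flags"]:
            # A reset the sender never emitted is the signature of an on-path
            # device tearing the connection down on the subscriber's behalf.
            report["forged_resets"].append(key)
    return report


if __name__ == "__main__":
    for category, value in compare_captures(PEER_SENT, CLIENT_RECEIVED).items():
        print(f"{category}: {value}")
```

The classification is only as trustworthy as the two captures: both ends must capture at the same layer and agree on which header fields are invariant, and a stray retransmission will look like a duplicate rather than tampering, so a real tool matches on sequence ranges and tolerates legitimate duplicates before raising an alarm.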

Congress Should Demand Answers from Attorney General

Congress Should Demand Answers from Attorney General - Via American Civil Liberties Union:

FOR IMMEDIATE RELEASE
CONTACT: (202) 675-2312; media@dcaclu.org

WASHINGTON, DC - The American Civil Liberties Union urges the House Judiciary Committee to demand accountability from Attorney General Michael Mukasey during the Department of Justice oversight hearing scheduled for today.

"Mukasey was supposed to come in and clean up the Justice Department, but instead he seems to be intent on burying any evidence of wrongdoing by the Bush administration," said Caroline Fredrickson, director of the ACLU Washington Legislative Office, "In addition to asking Congress to rubberstamp failed administration policies on torture and wiretapping, he's offered at least one new bad policy of his own by paving the way for the FBI to use racial and ethnic profiling as a factor in deciding whether to open up investigations," she said.  read more »