Paul Hardwick: Database

Administrivia: Possible unscheduled upgrade of Privacy Digest

Sun, 18 Mar 2007 01:39:04 GMT

Administrivia: Possible unscheduled upgrade of Privacy Digest.

I might be implementing an unscheduled upgrade of the site due to some problems with the software I am currently using to run the site. I had been working on upgrading the software to implement some new features but may have to implement sooner than originally planned. If you would like to take a peek at the planned software take a visit to http://www.PrivacyDigest.com/index.php Yes the full URL will have to be entered until I have completed the switch over.

There may be some hiccups during the process as the XML/RSS location will change along with access to the sub-topics. I plan to create mod-rewrite rules to take of this but they may not all be ready on day one.

Please let me know what you think.

Governor Announces Florida First in Nation to Access National Crime Database.

Fri, 16 Mar 2007 19:50:03 GMT

Governor Announces Florida First in Nation to Access National Crime Database. "This powerful tool will help protect both the victims of child abuse and neglect and the public servants charged with protecting them." [GT: Security and Privacy]

Visa Chief: Customer Data Theft Neither Random Nor Unavoidable - Software Technology News by InformationWeek

Fri, 16 Mar 2007 19:39:19 GMT

Although the use of the Internet to buy and sell online has introduced a slew of security concerns within the payment services industry, Visa USA president and CEO John Philip Coghlan insists that technology is the solution to combating fraud -- not the cause of it. Coghlan also pointed out during Visa's security summit in Washington, D.C., Thursday that data breaches are neither random nor inevitable if proper security measures are taken.

The TJX data breach "was a stark reminder to all of us that such events can have vast reach and consequences," Coghlan said. Such breaches create mistrust and can undermine efforts make to build a good brand image. But, he made clear, "the majority of compromises come from storage of prohibited data and using vulnerable systems to process data."

TJX, the parent company of retailers T.J. Maxx, Marshalls, HomeGoods, and others, made headlines in February when it revealed an attack on its systems had resulted in the theft of customer information. Just as the headlines were threatening to die down, TJX announced a few weeks later that intrusions into its system actually began as early as July 2005, rather than beginning in May 2006 as the company had originally reported.

While the exact nature of the TJX data breach has not yet been revealed, in general, financial information is stolen in a number of ways, including the physical theft of a wallet, checkbook, or credit card; theft of information from one's home from friends, relatives, or in-home employees; phishing messages that trick people into divulging information to fraudsters; hacks, viruses, and spyware on a PC or ATM machine; and a corrupt business employee with access to your records.

But data theft is not random. Instead, it's perpetrated against businesses with the weakest security and the most valuable information, Coughlin said Thursday, adding, "More than 80% of all dollars lost come from 20% of fraudulent transactions."

Security Watch - Visa - customer data theft neither random nor unavoidable

Fri, 16 Mar 2007 19:36:34 GMT

Very revealing speech last week by John Coughlan, Visa USA's CEO, who insists that the technology is available to prevent cardholder data falling into the wrong hands.

In a speech at Visa's security summit in Washington late last week, Coughlan said that cardholder data breaches are neither random nor inevitable if proper security measures are taken.

The TJX (TJ Maxx) data hack, he said, "was a stark reminder to all of us that such events can have vast reach and consequences."

According to Coughlan, such hacks can create mistrust and undermine efforts to build a positive brand image. But, he said, the majority of system compromises result from the storage of prohibited data and using vulnerable systems to process data.

More Than 100 Security Breaches Reported Under Law to Thwart ID Thieves.

Fri, 16 Mar 2007 19:31:47 GMT

More Than 100 Security Breaches Reported Under Law to Thwart ID Thieves. "Consumers who get notice can act fast to protect their good names." [GT: Security and Privacy]

PATRIOT Act Apologist Site Didn't Get the Memo.

Fri, 16 Mar 2007 18:45:28 GMT

PATRIOT Act Apologist Site Didn't Get the Memo.

Last week, the Department of Justice Inspector General's office released a damning report documenting the FBI abusing its powers under the PATRIOT Act and violating the law to collect Americans' telephone, Internet, financial, credit, and other personal records about Americans without judicial approval.

It appears that not everyone at the DOJ got the memo. The DOJ's Life and Liberty website, a site dedicated to defending the honor of the PATRIOT Act during the re-authorization process last spring, still reads as if nothing has changed. Particularly in the light of the newly revealed truth, many of the quotes now seem (at best) naive.

Under the headline of "Examining the Facts", the DOJ asserts that PATRIOT has "four-year track record with no verified civil liberties abuses." The site quotes an op-ed by former House Judiciary Committee Chairman James Sensenbrenner:

Zero. That's the number of substantiated USA PATRIOT Act civil liberties violations. Extensive congressional oversight found no violations. Six reports by the Justice Department's independent Inspector General, who is required to solicit and investigate any allegations of abuse, found no violations.

Wow, that sure sounds good. Unfortunately, the new report reveals that is is simply not true: the inspector general identifies dozens of instances in which extra-judicial demands for personal information -- known as National Security Letters -- may have violated laws and agency regulations.

In the Archive section, the site includes quotes from an op-ed by Senator Pat Roberts responding to critics like ourselves:

I regret to say it, but the rhetoric of those opposed to permanently authorizing the act has no substance and borders on paranoia. Opponents have criticized the act for years but can cite only hypothetical abuses. Facts are stubborn things. The actual record is quite clear - there have been no substantiated allegations of abuse of Patriot Act authorities, period.

Critics could only point to hypothetical abuses because the fox was guarding the hen house. Senator Roberts also opined that:

Through aggressive congressional oversight, we know the FBI uses Patriot Act authorities within the law.

It's now clearer than ever that the oversight was not aggressive enough, with the report documenting that the FBI decieved Congress about its use of the letters. The report is likely only the tip of the iceberg. Immediate and thorough oversight hearings are necessary to uncover the truth and hold the Administration accountable.

Tell Congress to defend your privacy now.

[EFF: Deep Links]

Chertoff: Security and privacy not at odds.

Thu, 15 Mar 2007 19:12:44 GMT

Chertoff: Security and privacy not at odds. Calling privacy groups "Luddites," DHS head Michael Chertoff defends the Real I.D. Act. He claims that the data-chipped drivers licenses, which will be linked to a numbers of databases around the country, will actually protect privacy Editor:And down is up, black is white, and I have a bridge I'd like to sell you.

[...]

The head of the Department of Homeland Security on Thursday downplayed privacy concerns raised by the government's efforts to create standardized, data-chipped drivers licenses across the country.

The same technology that makes information on identification cards more reliable can also protect privacy, DHS Secretary Michael Chertoff said during a speech to the Northern Virginia Technology Council. "It's my contention that properly used technology ... actually protects privacy," he said. "We should not allow folks to be captivated by the argument that every time we do something with a computer, it invades privacy."

Chertoff was referring to privacy concerns surrounding the Real ID Act, a law passed by Congress in 2005 that would require states to create machine-readable ID cards containing the name of the holder, the data of birth, a digital photograph and other information.

Privacy groups, including the Electronic Privacy Information Center (EPIC), have said that the DHS hasn't come up with rules on how the information on the cards should be protected. DHS has made only "vague" plans for card security and for restricting which state motor vehicle agency employees would have access to the information, EPIC says.

"On security and privacy standards for the card, state motor vehicle facilities, and the personal data and documents collected in state motor vehicle databases, DHS shows little interest," EPIC says on its Web site.

But Chertoff said those raising privacy concerns about the use of IT in the U.S. government's domestic security efforts create a false tension between security and privacy. "This kind of Luddite attitude ... is exactly wrong," he said. "Security and privacy are very much the same type of value. I don't think they're mutually exclusive, they're mutually reinforced."

Chertoff also talked about how DHS is using IT. Technology plays a part in nearly all the agency's efforts, including machines that read fingerprints at border crossings, databases that link law enforcement investigations and scanning technologies for containers coming into the U.S.

[Computerworld Privacy News]

Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed.

Thu, 15 Mar 2007 19:05:57 GMT

Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed.

After years of criticism from EFF and other privacy advocates, Google announced yesterday a new policy on how it handles logs of its users' searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries.

This is a big change from Google's previous policy, which was essentially to keep all of those logs forever in identifiable form, and we're certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google's own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy.

Hopefully, Google's change in policy will spur other online service providers to consider how they can minimize the amount of personal data that they store, and perhaps even prompt competition between service providers to offer the most privacy-protective services. However, we hope that this new announcement is only Google's first step in changing its privacy practices, because additional changes would better protect user privacy and set an even better example for the industry:

Google should shorten the retention period for identifiable logs to six months at the outside, and ideally to only thirty days (which is AOL's retention limit for similar logs). Barring this, it should at least justify why it needs such records for up to two years, beyond offering one-sentence platitudes about how such records are used to improve Google's service.
Google should also shorten the retention of the "anonymized" logs, which Google apparently still intends to keep forever. As Google itself admits, the new policy changes still don't guarantee users' anonymity, and holding onto those records indefinitely still poses a serious private threat.
Therefore, Google should consider more robust anonymization techniques, up to and including scrubbing entire IP addresses rather than just the last quarter or "octet" of such addresses.
Finally, Google should expand its new anonymization policy to include the search records of users with Google Account log-ins, and to records generated by their myriad other services, rather than limiting the policy change to regular search logs.

Beyond making these additional policy changes, there's one more thing that Google should be doing[~]something we think it actually has a duty to do as a good corporate citizen and as a preeminent Internet powerhouse[~]and that is using its considerable political clout to fight for better Internet privacy laws on Capitol Hill. Right now, there are significant questions as to whether or how Internet search logs are protected by existing federal privacy laws, and Google owes it to its customers to publicly advocate for updating those privacy laws for the 21st century.

[EFF: Deep Links]

Google adding search privacy protections | CNET News.com

Thu, 15 Mar 2007 18:21:06 GMT

Google is changing its data retention practices to make it harder to identify the specific computers used in searches.

Google's servers log information every time someone conducts a Web search, keeping data such as the keywords used, the Internet Protocol address or unique number assigned to that person's computer, and information from Web cookies, which are small bits of data exchanged between a server and a Web browser each time the browser accesses the server. Cookies are used to authenticate the user and maintain information such as the user's site preferences.

Currently, Google maintains the search data logs indefinitely. Under the new policy announced on Wednesday, which Google expects to have fully implemented by the end of the year, the company will anonymize the final eight bits of the IP address and the cookie data after somewhere between 18 months and 24 months, unless legally required to retain the data for longer. The information on specific searches will remain indefinitely, but it will be much harder to tie the searches to specific individuals or computers.

"Logs anonymization does not guarantee that the government will not be able to identify a specific computer or user, but it does add another layer of privacy protection to our users' data," the company said.

The policy change will apply to future Web search data as well as archived logs and all copies of the data stored on other servers, Google said. Users will be able to opt out of the practice and request that their search data be maintained indefinitely.

Privacy advocates in general said Google's policy change is a step in the right direction but not nearly enough to really protect Web searchers from overzealous law enforcers. Keeping the search histories could enable investigators and governments to get to all sorts of personal information about people, they argue.

"I don't think the Google proposal is adequate. This period is too long and it's not in fact data destruction, it's more data de-identification, and that should be happening in 18 to 24 hours, not months," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "I'm not persuaded that this isn't still a ticking time bomb for Google's search engine."

Richard M. Smith, an Internet security and privacy consultant at Boston Software Forensics, said Google should never be archiving the IP address and cookies on servers. "Google should not be in the spy business," he said. "By logging IP addresses and search strings they are running the largest intelligence operation in the world."

Anonymizing the last eight bits of the IP address effectively would enable investigators to narrow the IP address down to 256 possible computers or users. That would be similar to obscuring the last digit in someone's street address.

[...]

Kevin Bankston, staff attorney at the Electronic Frontier Foundation, said he would like to see Google scrub the entire IP address within six months, but praised Google for making this "positive first step."

"We hope other online service providers will heed this example and work to minimize the amount of data they keep about their customers," Bankston said.

[...]

The risks associated with Web search data were highlighted last August when AOL inadvertently exposed on the Internet the search history of more than 650,000 of its users. The move prompted widespread criticism from privacy advocates and Congress and the filing of a complaint against AOL with the Federal Trade Commission, as well as the firing of two AOL employees and the resignation of its chief technology officer and a class action lawsuit.

Google To Anonymize Data -- Updated WIRED Blogs: 27B Stroke 6

Thu, 15 Mar 2007 18:15:53 GMT

Googleis reversing a long-standing policy to retain all the data on its users indefinitely, and by the end of the year will begin removing identifying data from its search logs after 18 months to two years, depending on the country the servers are located in.

Currently, Google retains indefinitely detailed server logs on its search engine users, including user's IP addresses - which can identify a user's computer, the query, any result that is clicked on, their browser and operating system, among other details. Even if a user never signs up for a Google account, those searches are all tied together through a cookie placed on the user's computer, which currently expires in 2038.

The new policy will be global, but there will be variances by country, especially in Europe where a data retention rule passed in 2005 requires ISPs and phone companies to keep data from six months to two years. After that time period, Google will "anonymize" the search data from web and image searches by dropping either the second half or last quarter of I.P. addresses, thus turning an address such as 127.0.34.35into127.0or127.0.34. The goal is to make it technically impossible to retroactively tie a query back to a computer, unless the query included identifying information.

User logs from services that require log-ins, such as personalized search, Google Documents and Gmail will not be subject to this policy. Those services are governed by their own privacy policies. More can be found on this at Google's official blog announcement.

Civil libertarians have long criticized the search giant's hoarding for data, saying that the data store created an attractive target for law enforcement and civil suits. Google successfully quashed a Justice Department request for large chunks of user data in 2005.

Google To "Anonymize" Personal Data after 18-24 Months.

Thu, 15 Mar 2007 18:12:41 GMT

Google To "Anonymize" Personal Data after 18-24 Months.

Google made a major announcement today that by the end of the year will begin removing identifying data from its search logs after 18 -24 months:

When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)--but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months.

They've released a log retention FAQ (PDF) with more details, including how they will "anonymize" the log data:

What does it mean to anonymize the logs?
We will change some of the bits in the IP address in the logs as well as change the cookie information. We're still developing the precise technical methods and approach to this, but we believe these changes will be a significant addition to protecting user privacy.

How do these anonymizing measures protect user privacy?
Changing the bits of an IP address makes it less likely that the IP address can be associated with a specific computer or user. Cookie anonymization makes it less likely that a cookie can be used to identify a user.

Do these changes guarantee anonymization?
It is difficult to guarantee complete anonymization, but we believe these changes will make it very unlikely users could be identified.

This is an important and promising step towards greater privacy and protection of personal search history records. But remember, AOL thought they had released anonymized data as well. Just because and IP and cookie has been modified doesn't mean that user privacy is ensured. The preferred solution would be for Google to purge the data altogether after, or just don't collect it in the first place.

Unfortunately I don't have much time for further analysis (baby, dissertation, oh my!), but 27B Stroke 6 is on top of it, and CNet has reaction from CDT, EFF, and others.

michaelzimmer.org]

Google to anonymize user data.

Thu, 15 Mar 2007 18:03:25 GMT

Google to anonymize user data.

It's about time

Google is to discard some of the information it stores about user search requests in an effort to address concerns by privacy watchdogs and defend itself against government demands for data.

[The Register - Music and Media]

Google to Make Search Logs Anonymous.

Thu, 15 Mar 2007 18:01:09 GMT

Google to Make Search Logs Anonymous. Google announced today that it will start making its records about users' searches anonymous after 18 to 24 months. [PC World: Latest Technology News]

FCW.com News - Bill would protect information about students from recruiters

Wed, 14 Mar 2007 19:54:06 GMT

An amendment to the No Child Left Behind (NCLB) Act seeks to keep military recruiters from accessing secondary students' personal data by requiring parents to choose to share that information rather than having to opt out of sharing it.

Rep. Mike Honda (D-Calif.) introduced the legislation March 6. The Student Privacy Protection Act would require local school systems to obtain written consent before releasing information on secondary school students to military recruiters or their agents.

The measure will next be referred to the House Education and Labor Committee sometime during this session, said a spokesperson for Honda. That committee's chairman, Rep. George Miller (D-Calif.), is a co-sponsor of the bill.

Because of a provision in the NCLB, school districts are directed to give information about students to military recruiters unless parents explicitly request that their children's data remains private. Since the enacting of NCLB, secondary schools have been supplying the names, addresses and telephone numbers of students to recruiters sponsored by the military services.

However, schools often failed to make parents aware of the option to keep that information private, Honda said.

Dispute surfaces over certification for personal health records

Wed, 14 Mar 2007 19:51:04 GMT

n a rare instance of public dissent, an American Health Information Community AHIC) workgroup has split over whether to recommend that product certification be available for personal health record software.

AHIC, a high-level advisory committee to the Department of Health and Human Services, sided with the majority on its Consumer Empowerment Workgroup and voted unanimously in favor of the certification recommendation.

A minority -- five members of the 23-person workgroup -- took the position that certification would be premature and the top priority should be privacy and security policies for PHRs. "The risks [of certification now] outweigh any potential benefits," the dissenters said in a letter to AHIC.

The workgroup's task is to foster widespread adoption of PHRs. One of its leaders, Dr. Rose Marie Robertson, told AHIC that the group believes PHRs will be more widely used if consumers do not have to sit at a computer and enter all their health information. Instead, the PHRs could be populated by data from doctors, health plans, drug stores, or elsewhere.

Medical data on Blue Cross members may be lost | CNET News.com

Wed, 14 Mar 2007 19:45:41 GMT

WellPoint, one of the nation's largest health insurers, has begun notifying 75,000 members of its Empire Blue Cross and Blue Shield unit in New York that a CD holding their vital medical and other personal information has disappeared.

The information was on an unencrypted disc that a subcontractor recently sent to Magellan Behavioral Services, a company in Avon, Conn., that specializes in monitoring and coordinating mental health and substance abuse treatments for insurance companies.

Empire began notifying the affected consumers by mail on Saturday that their records--including their names, Social Security numbers, health plan identification numbers and description of medical services back to 2003--had been lost.

[...]

Before shipping the information to Magellan, the coding and passwords that protect the privacy of the information was removed by a Magellan subcontractor, Lisa Ann Greiner, an Empire spokeswoman, said Tuesday.

Janlori Goldman, the director of the Health Privacy Center, a nonprofit organization in Washington, said the error was an "egregious breach of privacy." She said that insurance companies were responsible under a federal privacy law for ensuring that their contractors use adequate security procedures.

Greiner said that the subcontractor, Health Data Management Services, worked for Magellan, not Empire. "If any contract was breached, we are going to take direct action," she said.

Tracking the Password Thieves.

Wed, 14 Mar 2007 15:30:56 GMT

Tracking the Password Thieves.

The Washington Post today ran a story I wrote about an epidemic of data theft being fueled by password-stealing viruses and phishing attacks. In some ways, the story behind the reporting that went into the piece is just as interesting, so I'd like to share a few of those details.

I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.

Using a custom-built application that makes use of the Google Maps API, I was able to chart the approximate locations of the victims. This was possible because at the beginning of each record was the virus's best guess of the longitude and latitude of the infected computer's Internet address. This so-called "geo-IP" process is far from perfect: Sometimes these automated guesses are disturbingly accurate, and other times they are miles wide or completely wrong.

The approximate location of the 3,221 U.S. residents victimized by this virus (Data gathered by washingtonpost.com; image courtesy Secure Science Corp. and Google).

Scammers collect information about the location of their victims because it becomes useful when they want to conduct fraud with a hijacked credit or debit card account. The idea here is to evade a key component of fraud detection in the financial industry -- transaction location tracking. If Joe in Georgia starts suddenly withdrawing money or making purchases in Nigeria or Europe when his last transaction was an hour earlier in Atlanta, Joe's bank is going to flag the transactions as fraudulent and in all likelihood cancel the card.

[Security Fix]

CDT Opposes Bill Expanding Pentagon Domestic Data Mining.

Tue, 13 Mar 2007 20:07:21 GMT

CDT Opposes Bill Expanding Pentagon Domestic Data Mining. CDT and other civil liberties groups are urging Congress to reject legislation that would exempt the Department of Defense from a key provision of the Privacy Act. The little-noticed amendment, already included in the Senate version of the Intelligence Authorization Act, would permit government agencies to disclose information on US citizens to the Defense Department. Such language could pave the way for entire databases of information to be transferred to the Defense Department without a clear purpose -- in turn opening the door to greater data mining by military agencies. [Center for Democracy and Technology]

Secure your enterprise data.

Tue, 13 Mar 2007 19:57:32 GMT

Secure your enterprise data. For DuPont, Gary Min may have seemed a model employee. A research chemist at DuPont's research laboratory in Circleville, Ohio, Min was a naturalized U.S. citizen with a doctorate from the University of Pennsylvania who had worked for DuPont for 10 years, even earning a business degree from Ohio State University with help from his employer. But Min's veneer of respectability began to crack on Dec. 12, 2005, when he told his employer he would be leaving his job. [CSO Online Data Security Briefing]

Making Sense of Census Data With Google Earth.

Tue, 13 Mar 2007 02:20:05 GMT

Making Sense of Census Data With Google Earth. mikemuch writes "Imran Haque has developed a mashup of Google Earth with data from the U.S. Census Bureau, called gCensus. The app uses the XML format known as KML (Keyhole Markup Language), which can create shapes and colors on the maps displayed by GE. Haque had to build custom code libraries (which he's made available as open source) that could generate KML for the project. He also had to extract the relevant data from the highly counter-intuitive Census Bureau files and store them in a database that could handle geographic data. gCensus lets you do stuff like create colorful overlays on maps showing population ages, race, and family size distributions." [Slashdot]

TorontoSun.com - Canada - Privacy swipe? New system would check IDs in stores

Mon, 12 Mar 2007 20:38:21 GMT

Convenience stores that check ID by swiping driver's licences could be violating privacy law, Government Services Minister Gerry Phillips said Wednesday.

The system called "We Expect ID," would see store clerks swipe licences through a lottery terminal to verify a customer's age when purchasing alcohol, cigarettes, adult magazines, lottery tickets or fireworks. The terminal will read age information from the magnetic stripe on the licence and display the person's age on the terminal.

Congress Targets Pretexting.

Mon, 12 Mar 2007 20:22:56 GMT

Congress Targets Pretexting. Legislation would add protections against the practice of posing as another to gain personal data. [PC World: Latest Technology News]

'Real ID' threatens everyone's privacy - Nashville, Tennessee

Sun, 11 Mar 2007 17:28:25 GMT

"We are, after all, for the first time in the history of a liberty-loving nation, creating a national identification card ... with all the ramifications of that. ... Real ID was stuffed into the supplemental appropriations bill for Hurricane Katrina and the troops in Iraq, so of course, we had to vote for the bill, but we had no chance to amend it -- no debate, no hearing, and no consideration of other alternatives, And now we impose on the states an $11 billion unfunded mandate. ... I would say we wouldn't be doing our job if we didn't stop and think about what we've done."

Sen. Lamar Alexander's recent comments about the Real ID Act echo the widespread bipartisan resistance to this new law.

In 2005, Congress passed the Real ID Act, a law that proposed a sea change in how states issue driver's licenses. In essence, the law would federalize all state departments of motor vehicles and turn our driver's licenses into national identity cards. The burdens of compliance are onerous and guarantee longer lines, higher fees and huge bureaucratic and financial nightmares for state government.

However, the real nightmare of Real ID is the law's assault on our privacy rights. The law mandates a central, interlinked database containing a wealth of personal information, including name, address, date of birth, biometric information and an assigned identification number. Over time, the database will inevitably become the repository for more and more of citizens' personal data and will be used for an ever-wider set of purposes, moving us closer to a surveillance society.

Chertoff Defends New Computer Project

Sun, 11 Mar 2007 17:18:50 GMT

A new Homeland Security program aims to analyze existing, legally collected computer data, not gather new personal information on U.S. citizens, Secretary Michael Chertoff said Friday in defending the program from congressional critics.

The project, still in pilot stage, will help investigators understand evidence gathered through subpoenas but won't troll computers for new, private information, Chertoff said in an interview with The Associated Press.

'It's an experiment to see how you can better analyze data that you already have, that you've already legally collected, to see if you can understand it, sort it and make use of it more readily than simply doing it manually,' Chertoff said.

Called ADVISE _ for Analysis, Dissemination, Visualization, Insight and Semantic Enhancement _ the program can be used to find 'relationships or patterns' from information including financial and telephone records, he said.

The dangers of DNA testing

Sun, 11 Mar 2007 17:15:40 GMT

DNA testing is in the news a lot these days, and not solely because of the saga of Anna Nicole Smith, whose burial was delayed amid a legal tussle over the paternity of her 5-month-old daughter, Daniellyn.

The growing success in obtaining convictions by genetic matching (since the O.J. Simpson trial anyway) has made it the preferred identification technology for law enforcement, as well as by other federal agencies. The U.S. military requires every serviceman to give blood for future DNA analysis, presumably for body identification.

States are among the most aggressive users of DNA testing. The New Jersey Supreme Court recently upheld a Garden State law requiring DNA testing of all felons, with the results maintained in a state database and submitted to the FBI.

Other states that have initiated extensive DNA collection policies include Virginia and Arizona -- the latter tests, collects, and stores the results not only from convicted felons but also from most people who are simply arrested for a felony. Florida is now considering collecting DNA from everyone convicted of a felony, as well as from those found guilty of certain misdemeanors.

Municipalities are climbing onto the DNA testing bandwagon, too. A blood bank in Seattle has begun collecting and analyzing DNA from donated blood without obtaining explicit permission, although donors may opt out. The program is funded by the U.S. military. To protect the privacy of donors, the Puget Sound blood bank labels the samples with codes instead of printed names. For the record, that's not a very secure strategy.

Race Traces

A little-noticed provision in the recently passed Violence Against Women Act may soon trigger the largest sweep of DNA information in this country. The Justice Dept. plans to collect DNA from anyone arrested or detained by federal agents. This will, by definition, include all illegal immigrants.

The increasingly widespread use of DNA testing opens a Pandora's Box of privacy issues. Technicians can extrapolate information about a person from the sample of their brother or son. In Houston last year, a man's conviction of rape was partially based on DNA evidence collected from his twin brother.

And the process isn't without its bizarre anomalies. For example, people who have received bone-marrow transplants can in certain cases match the DNA of a donor.

Don't like ID cards? Hand over your passport | the Daily Mail

Sun, 11 Mar 2007 16:56:16 GMT

Anybody who objects to their personal details going on the new "Big Brother" ID cards database will be banned from having a passport.

James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out - but in return they must "forgo the ability" to have a travel document.

With one in every eight people saying they will refuse to sign-up, up to five million adults could effectively be refused permission to leave the country.

Campaigners reacted to Mr Hall's remarks with fury, saying they were yet more evidence of the lurch towards "Big Brother" Britain.

Phil Booth, of the NO2ID group, said: "The idea that ID cards scheme is voluntary, and people can opt-out, is a joke.

"There are all sorts of reasons why people need to travel, not just for holidays. There is work, visiting relatives.

"What are these people supposed to do? It stretches the definition of voluntary beyond breaking point. They will go to any length to get personal information for this huge database. Who knows what will happen to it then?"

No Passport For Britons Refusing Mass Surveillance.

Sun, 11 Mar 2007 16:52:17 GMT

No Passport For Britons Refusing Mass Surveillance. UpnAtom writes "People who refuse to give up their bank records, tax records & details of any benefits they've claimed, and the records of their car movements for the last year, or refuse to submit to an interrogation on whether they are the same person that this mountain of data belongs to -- will be denied passports from March 26th. The Blair government has already admitted that this and other data will be cross-linked so that the Home Office and other officials can spy on the everyday lives of innocent Britons. Britons were already the most spied upon nation in Western Europe -- more so even than Sweden. Data-mining through this unprecedented level of mass-surveillance allows any future British government to leapfrog even countries like China and North Korea." [Slashdot: Your Rights Online]

Big Brother State - An animated short about public surveillance by David Scharf

Sun, 11 Mar 2007 03:06:35 GMT

please also download using Bit Torrent:
(Xvid Version, ca. 50 MB, 768 px x 432 px) ---> CLICK HERE
(Big FLV Version, 55 MB, 768 px x 432 px, use FLV Player to view) ---> CLICK HERE

Check the Internet Archive for other resolutions and formats: CLICK HERE

EFF Calls For Aggressive Congressional Hearings on National Security Letter Misuse.

Sun, 11 Mar 2007 02:52:46 GMT

EFF Calls For Aggressive Congressional Hearings on National Security Letter Misuse.

EFF is calling for Congress to hold aggressive hearings on the FBI's domestic intelligence authority after the release of a Justice Department report [PDF] showing the Bureau abusing its power to collect telephone, Internet, financial, credit, and other personal records about Americans without judicial approval.

Sen. Patrick J. Leahy, D-Vermont, has said the Senate Judiciary Committee will hold hearings into the report's findings. But the widespread abuse detailed in the report requires more than just a cursory examination.

"The Bureau's misuse of its intelligence authority is an ongoing critical problem," said EFF Staff Attorney Marcia Hofmann. "Congress must use its investigative power to find out what's really going on at the FBI -- and then rein in the Bureau's investigative authority to where is was before the USA PATRIOT Act."

In the report, the Justice Department's inspector general identifies four dozen instances in which demands for personal information -- known as National Security Letters -- may have violated laws and agency regulations. The report also found that the Bureau lied to Congress about its use of the letters.

The FBI has had limited authority to issue National Security Letters for many years. However, a controversial provision of the PATRIOT Act greatly expanded the Bureau's ability to use them to gather information about anyone, as long as the agency believes the information could be relevant to a terrorism or espionage investigation.

Today's report follows the inspector general's findings last year that the Bureau had disclosed more than 100 instances of possible intelligence misconduct to the Intelligence Oversight Board in the preceding two years, a number of which were "significant."

In 2005, EFF argued in a friend of the court brief that the FBI's "unfettered authority" to issue National Security Letters "is ripe for abuse." The danger of such abuse has now been documented.

"This is not simply about errors in 'oversight,'" said EFF Senior Staff Attorney Lee Tien. "This is about disregard for the law. For example, FBI terrorism investigators ignored their own lawyers' advice to stop using so-called 'exigent' letters for about two years."

For more information, read the full report from the Justice Department, as well as this brief description of National Security Letters .

[EFF: Deep Links]

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Sun, 11 Mar 2007 02:43:18 GMT

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Greetings. The release of a new report detailing massive FBI abuses of the PATRIOT Act (particularly in regard to National Security Letters), now confirms concerns that I and others have been long expressing about the potential abuse of retained Internet and other data, e.g.:

Sounding the Alarm on Government-Mandated Data Retention

An Open Letter to Google: Concepts for a Google Privacy Initiative

Broad abuses of retained data are now demonstrated to be real, not theoretical, as described in this Washington Post story.

We don't yet really know the full extent of these violations, but what has already been revealed is bad enough as a starting point.

I hope that these events will not only trigger considerable soul-searching by those firms who voluntarily retain user activity data, but also cause a renewed recognition of how broad mandated data retention can facilitate, and inevitably will facilitate, such abuses in the future.

--Lauren--

[Lauren Weinstein's Blog]

Justice: FBI misused Patriot Act powers - Yahoo! News

Fri, 09 Mar 2007 20:34:53 GMT

The FBI improperly and, in some cases, illegally used the USA Patriot Act to secretly obtain personal information about people in the United States, a Justice Department audit concluded Friday.

And for three years the FBI underreported to Congress how often it forced businesses to turn over the customer data, the audit found.

Attorney General Alberto Gonzales, who oversees the FBI, described the problems cited in the report as unacceptable and left open the possibility of criminal charges. He ordered further investigation.

"Once we get that information, we'll be in a better position to assess what kinds of steps should be taken," Gonzales told reporters following a speech to privacy officials.

[...]

The FBI also used so-called "exigent letters," signed by officials at FBI headquarters who were not authorized to sign national security letters, to obtain information. In at least 700 cases, these exigent letters were sent to three telephone companies to get toll billing records and subscriber information.

"In many cases, there was no pending investigation associated with the request at the time the exigent letters were sent," the audit concluded.

In a letter to Fine, Gonzales asked the inspector general to issue a follow-up audit in July on whether the FBI had followed recommendations to fix the problems.

"To say that I am concerned about what has been revealed in this report would be an enormous understatement," Gonzales told the privacy officials. "Failure to adequately protect information privacy simply is a failure to do our jobs."

Senators outraged over the conclusions signaled they would provide tougher oversight of the FBI -- and perhaps limit its power.

"The report indicates abuse of the authority" Congress gave the FBI, said Senate Judiciary Committee Chairman Patrick Leahy (news, bio, voting record), D-Vt. "You cannot have people act as free agents on something where they're going to be delving into your privacy."

The committee's top Republican, Pennsylvania Sen. Arlen Specter (news, bio, voting record), said the FBI appears to have "badly misused national security letters." The senator said, "This is, regrettably, part of an ongoing process where the federal authorities are not really sensitive to privacy and go far beyond what we have authorized."

Sen. Russ Feingold (news, bio, voting record), D-Wis., another member on the panel that oversees the FBI, said the report "proves that 'trust us' doesn't cut it."

The American Civil Liberties Union said the audit proves Congress must amend the Patriot Act to require judicial approval anytime the FBI wants access to sensitive personal information. "The Attorney General and the FBI are part of the problem and they cannot be trusted to be part of the solution," said Anthony D. Romero, the ACLU's executive director.

Pine Bluff - Scaled-back version of drug database passes Senate

Fri, 09 Mar 2007 16:33:58 GMT

LITTLE ROCK - Scaling back the scope of a statewide database to monitor some prescription drug purchases gained Senate approval of the measure Thursday. The bill's sponsor said the amendments were intended to address concerns about patient privacy.

[...]

By a 20-7 vote, the Senate approved a bill by Sen. Denny Altes, R-Fort Smith, that would allow the state Board of Pharmacy to establish standards for setting up the database on drug purchases. The database would track schedule II and schedule III narcotics, such as morphine or OxyContin.

"I think we've amended this about six times now," Altes said before the vote. "I think these changes should address all the concerns that were raised."

Altes originally called for a database to track virtually all prescription drug purchases in the state. The measure passed by the Senate allows the Board of Pharmacy to set the criteria for the information to be tracked by the database.

Sen. Jim Argue, D-Little Rock, said he still believed the database could be subject to abuse and could harm the privacy of some patients.

"There is no evidence that a database like this works, but there is evidence that databases like this could be violated," Argue said.

DNS Attack Factsheet Released.

Fri, 09 Mar 2007 16:30:25 GMT

DNS Attack Factsheet Released. Hoped to be first in a series. [GT: Security and Privacy]

Homeland Security Tests Snoop Computer System.

Fri, 09 Mar 2007 16:23:56 GMT

Homeland Security Tests Snoop Computer System. Parallax Blue writes "The Washington Times reports that Homeland Security has developed and is testing a new computer system called ADVISE (Analysis, Dissemination, Visualization, Insight and Semantic Enhancement) that collects and analyzes personal information on US citizens. Relevant data 'can include credit-card purchases, telephone or Internet details, medical records, travel and banking information.' The program apparently uses the same process as the Pentagon's Total Information Awareness project, which was aborted in 2003 due to privacy concerns."

[Slashdot: Your Rights Online]

Shred Your Data to Stay Ahead of the Pack.

Fri, 09 Mar 2007 16:09:28 GMT

Shred Your Data to Stay Ahead of the Pack. IBM's chief scientist has developed a data sharing system that hides what that data contains--by shredding it. [PC World: Latest Technology News]

Now on the menu at Ruby Tuesday: Better security.

Fri, 09 Mar 2007 03:30:36 GMT

Now on the menu at Ruby Tuesday: Better security. Spurred by the growing list of data breaches that have plagued other companies in recent years, restaurant chain Ruby Tuesday is moving to strengthen its credit card security efforts. [Computerworld Privacy News]

Image Gallery: Seven ways to keep your search history private.

Fri, 09 Mar 2007 03:22:29 GMT

Image Gallery: Seven ways to keep your search history private. Worried that Google and other search sites know too much about you -- and that the federal government can subpoena that data? Fear not -- we've got seven steps you can follow to keep your search history to yourself. [Computerworld Privacy News]

Managing Access to Critical Data for Protection and Privacy.

Fri, 09 Mar 2007 03:18:13 GMT

Managing Access to Critical Data for Protection and Privacy. (Source: Symantec) One common mistake that organizations make is by using Identity management solutions in isolation. Doing so risks access inflation, workarounds and coverage gaps. This white paper shows how comprehensive access management deploys identity management within a framework that includes disciplines for data protection, integration with hiring and promotion, and especially monitoring. [Computerworld Privacy News]

Credit firms hope to sell 'positive records' - 08 Mar 2007 - Personal Finance News - New Zealand Herald

Thu, 08 Mar 2007 23:34:43 GMT

Credit companies hope a possible change to privacy laws will make it easier for people with a good credit history to borrow money or get a mortgage.

A change to the Privacy Act, which is being reviewed by the Law Commission, could open the door for credit companies to sell both the positive and negative details of people's credit history.

Veda Advantage - formerly Baycorp - holds credit files for 2.4 million credit-active individuals and 800,000 companies in New Zealand, but cannot sell details about positive credit history.

The Credit Reporting Privacy Code does not allow positive reports, because such people should not be forced to reveal private financial dealings. Veda says a comprehensive credit service would benefit responsible consumers, who at present often have to borrow at the same rate as those with a poor credit history.

Telecoms.com - Telecoms industry "worst for consumer privacy"

Thu, 08 Mar 2007 23:27:48 GMT

The telecoms industry has been accused of collecting excessive amounts of personal data from its customers, with telecom firms faring worse for privacy than companies in other industries.

The accusations come in the "First Quarter 2007 Online Customer Respect Study of the Telecommunications Industry", from international research...

Editor: Just this teaser unless you register at their site.

Homeland Security revives supersnoop - The Washington Times

Thu, 08 Mar 2007 23:21:29 GMT

Homeland Security officials are testing a supersnoop computer system that sifts through personal information on U.S. citizens to detect possible terrorist attacks, prompting concerns from lawmakers who have called for investigations.

The system uses the same data-mining process that was developed by the Pentagon's Total Information Awareness (TIA) project that was banned by Congress in 2003 because of vast privacy violations.

A Government Accountability Office (GAO) investigation of the project called ADVISE -- Analysis, Dissemination, Visualization, Insight and Semantic Enhancement -- was requested by Rep. David R. Obey, Wisconsin Democrat and chairman of the House Appropriations Committee.

The investigation focuses on whether the program violates privacy laws, and the findings will be released after completion of the Iraq war supplemental spending bill, possibly as early as this week, a panel aide said.

The ADVISE and TIA data-mining projects rely on personal data to track individual behavior and consumer transactions to develop computer algorithms that create a pattern that some behavioral scientists say can predict terrorist behavior.

Data can include credit-card purchases, telephone or Internet details, medical records, travel and banking information.

Privacy concerns prompted lawmakers on both sides of the aisle to introduce legislation in January to require that government agencies disclose data-mining practices in regular reports to Congress.

"A serious discussion on the implications of data-mining programs is long overdue," Sen. Russ Feingold, Wisconsin Democrat and a sponsor of the bill, said yesterday. Sen. John E. Sununu, New Hampshire Republican, is also a bill sponsor.

Gates calls for new privacy law | InfoWorld | By Grant Gross

Thu, 08 Mar 2007 23:09:19 GMT

Microsoft Chairman Bill Gates asked the U.S. Congress to pass a comprehensive privacy law this year, allowing consumers to control how their personal information is used.

Gates repeated past Microsoft calls for a wide-ranging privacy law during a speech at advocacy group the Center for Democracy and Technology's (CDT) annual gala dinner Wednesday. A comprehensive privacy bill should allow consumers to control their personal data, should provide transparency about what their data is used for, and should notify them when their data has been compromised, Gates said.

Gates said he believes the U.S. can achieve a balance between privacy and protecting the country against terrorists and other criminals. But the balance will not be an easy one to create, Gates said.

While many U.S. residents would say they want as much privacy "as possible," law enforcement needs to be able to track criminals, Gates said. "These privacy issues are not as easy as you might think," he told the crowd.

FCW.com News - Census Bureau accidentally exposes personal data

Thu, 08 Mar 2007 23:04:50 GMT

The Census Bureau accidentally posted personal information on 302 households on a public server several times since October 2006, officials said.

The personal information, including names, addresses, phone numbers, birthdates, family income ranges and other demographic data, was contained in a file that was placed on a public server for the purposes of testing new software applications. The file included about 250 fake accounts in addition to the real information. The bureau found out about the mistake when it found the file on the server in mid-February.

heise Security - All Microsoft updates phone home

Thu, 08 Mar 2007 22:54:34 GMT

Possibly as a reaction to heise Security's report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not.

In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date. By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information.

With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself. The WGA package thus, among other things, sends back an event code. To calm the fears of users, alexkoc presents a graphic explaining the various fields of such a data packet.

When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users.

WGA Reports Back To MS Even If You Choose Not To Install - Aviran's Place

Wed, 07 Mar 2007 17:06:01 GMT

Heise online reports on a very interesting action Microsoft is taking during the installation of WGA.

When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send your info and the fact that you choose not to install WGA back to their servers.

In addition to that it seems that the setup program send some information stored in your registry to http://genuine.microsoft.com/. While it does not specifically identify the user, it looks like it does send some identification of your computer and Windows version (see picture) to Microsoft servers.

Microsoft WGA Phones Home Even When Told No.

Wed, 07 Mar 2007 17:00:00 GMT

Microsoft WGA Phones Home Even When Told No. Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers." [Slashdot]

Patient control of EHR data on network gets mixed reaction

Wed, 07 Mar 2007 15:56:32 GMT

The Health and Human Services Department has received mixed reviews for its decision to insist that the next iteration of the Nationwide Health Information Network (NHIN) allow patients to control who sees their electronic health records on the network.

Dr. Robert Kolodner, interim national coordinator of health information technology, said March 1 that trial networks funded by his office should give "people the capability to decide how they view, store and control access to their own information. A person could say how that information flows to specific entities or completely block the flow of information."

"If they do what they say, it's a tremendous thing for privacy," said Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation. "It's exactly what we've been talking about for a long time."

Peel said she talked with Kolodner and learned that he wants to give patients the ability to control what happens to their health information, "down to the data field level." "I think his intentions are fantastic," she said.

Asked whether such a network would be technically feasible, Peel said the existing technology would support that degree of granularity in controlling the flow of EHR data.

But Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, said he doubts the HHS move will make a difference. "I don't really have a lot of confidence that it would really have any effect whatsoever," said Rothstein, a member of the official National Committee on Vital and Health Statistics.

The reason Rothstein was less than enthusiastic about the HHS move: Privacy problems are primarily policy and legal issues in his view, not technology-based. Rothstein recently testified before a Senate subcommittee, criticizing HHS for failing to tackle privacy and other policy issues associated with development of the NHIN. Kolodner's announcement doesn't address many of the policy questions, he said.

Kolodner's office "has indicated no prior interest in this concept," Rothstein said, suggesting that there is no way to know how committed HHS is to its plans. Others have pointed out it is one of the first HHS health IT initiatives that deviates from plans outlined by Kolodner's predecessor, Dr. David Brailer.

Action Alert: Repeal the REAL ID Act!

Wed, 07 Mar 2007 01:24:48 GMT

Action Alert: Repeal the REAL ID Act!

The federal government has taken another step towards forcing you to carry a national ID in order to get on airplanes, open a bank account, enter federal buildings, and much more. But with state legislatures and Congressional representatives increasingly turning against the REAL ID Act, you can help stop this costly, privacy-invasive mandate -- voice your opposition now.

On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information.

REAL ID won't just cost you your privacy. The states and individual taxpayers bear the estimated 23 billion dollar burden of implementing the law, and that figure is probably low given that the necessary verification systems don't exist yet.

And what will you get in return? Not improved national security, because IDs do little to stop those who haven't already been identified as threats, and wrongdoers will still be able to create fake documents.

REAL ID is fundamentally flawed, and DHS' proposed regulations do nothing to change that. Thankfully, the tide is turning against REAL ID in a big way -- state legislatures around the country are passing or considering legislation rejecting its implementation, and Congress is considering repealing it.

The DHS regulations mean that states must have an implementation plan ready by October 2007. Make sure your Congressional representatives support the repeal of REAL ID before it's too late.

For more information, check out San Jose Mercury News' recent editorial opposing REAL ID as well as the ACLU's Realnightmare.org.

[EFF: Deep Links]

Good shoppers may find their info sold ( New Zealand and Australia )

Tue, 06 Mar 2007 16:15:46 GMT

Credit information companies will have the power to sell detailed records about responsible borrowers, not just those in serious debt, as part of a current review of privacy laws in New Zealand and Australia.

Veda Advantage chief executive Andrew Want says a sweeping review of privacy laws could see the company introduce a service by 2009 providing information about consumers who are a good credit risk.

Currently, it is illegal to sell such information.

But work by the Privacy Commission in Australia to streamline privacy rules between federal and state governments, and to bring them in line with the current developments with technology, could change that.

Tonight(Tuesday) on Nightline - The NSA at AT&T

Tue, 06 Mar 2007 15:55:07 GMT

Tonight(Tuesday) on Nightline is an episode on the NSA having a monitoring station in the AT&T wire room. They have the guy who originally broke the story being interviewed tonight.

Texas counties illegally posting Social Security numbers online, AG says.

Mon, 05 Mar 2007 20:38:14 GMT

Texas counties illegally posting Social Security numbers online, AG says. Texas Attorney General Greg Abbot has ruled that the posting of sensitive data online by county and district clerks is illegal. But the clerks are fighting back by pushing for a state law that would allow them to continue to do so. [Computerworld Privacy News]

WIRED Blogs: Danger Room - The Pentagon Wants TiVo (to Watch You)

Mon, 05 Mar 2007 02:34:51 GMT

Reuters yesterday reported on a recently issued study on future technologies written by the Pentagon's Defense Science Board. More than anything, it seems these outside advisers want a surveillance system that would put Big Brother to shame, and they're looking at the commercial sector to provide it:

Lawmakers get less combative on data-breach bills - USATODAY.com

Mon, 05 Mar 2007 01:44:27 GMT

SAN FRANCISCO -- It's Round 2 in Congress' bid to craft federal law that would require businesses to notify U.S. consumers about computer data-security breaches.

Legislation introduced in February soon could become law, given the cooperative tone of federal lawmakers, says Ari Schwartz, a privacy advocate and deputy director of the Center for Democracy & Technology. That would be a reversal from the previous few years, when members of the House and Senate could not agree on a national data-breach law, and dozens of states passed their own laws.

But the feds waited too long to act, and their actions now are unnecessary, say state legislators and privacy advocates. "With so many conflicting agendas from the financial industry, data brokers and security companies, there is the danger any bill could be watered down," says Evan Hendricks, editor of Privacy Times newsletter.

The fear is that a federal law would pre-empt stronger state laws. "A national standard that provides less protection than currently afforded is really a step backward, not a step forward," says state Sen. Joe Simitian, D-Calif., author of the first law in the USA that required companies to publicly disclose data breaches.

More than 100 million records containing personal information have been subject to some sort of security breach since February 2005, starting with data broker ChoicePoint, according to the non-profit Privacy Rights Clearinghouse.

There are at least four bills in Congress this year to address data-breach notification that would pre-empt 35 state laws on the books.

Concurring Opinions: The Rise of Customer Blacklists

Sun, 04 Mar 2007 03:55:39 GMT

Blacklists appear to be the rage these days. With the ease of storing and sharing personal information -- coupled with lax privacy law restrictions on such activities -- companies can increasingly create blacklists of bad customers. In this article from the Ottawa Citizen, hotels in Australia and Canada (and soon the United States) are signing up for a service that compiles a blacklist against "bad" hotel guests:

Telco customers at risk for online privacy breach.

Sun, 04 Mar 2007 03:51:07 GMT

Telco customers at risk for online privacy breach. A study released by the Customer Respect Group indicates that telecommunications companies are slipping when it comes to customer privacy, especially in comparison to retail and high-tech industries. A majority of companies surveyed were dound to ask for excessive, inappropriate personal data. [Computerworld Privacy News]

Breach of Personal Information at Calif. Dept. of Health Service Handled Quickly.

Sun, 04 Mar 2007 03:40:00 GMT

Breach of Personal Information at Calif. Dept. of Health Service Handled Quickly. "We are taking steps to notify you of this, consistent with our policy, and with the sensitivity around all HIV related issues." [GT: Security and Privacy]

FCW.com News - OMB: Agencies make headway with IT security

Sun, 04 Mar 2007 03:38:06 GMT

The state of the government's cybersecurity position has improved over the past year, but significant holes remain, especially in the areas of categorizing the risk level of systems and training, according to the Office of Management and Budget.

OMB found that more than 700 systems, including 397 managed by agencies, had not been categorized as high, medium or low risk. Also, the administration said more agency employees have received information technology security training -- up 10 percent since last year -- but more needs to be done.

In its fourth annual Federal Information Security Management Act report sent to Congress March 1, OMB said it will rely on the Security Line of Business effort to better train employees by using a standard program. OMB named three shared-service centers for security training in February: the Office of Personnel Management, the State Department and the U.S. Agency for International Development, and the Defense Department.

DoJ Mulls Tracking Picture Uploads.

Sun, 04 Mar 2007 02:57:23 GMT

DoJ Mulls Tracking Picture Uploads. Dominus Suus passed us a link to a C|Net article about a disturbing threat to privacy from the Justice Department. According to the article, a private meeting was held Wednesday between Justice officials and telecom industry representatives. With individuals from companies such as AOL and Comcast looking on, the officials continued overtures to increase data retention by ISPs on American citizens. This week, they were specifically looking to have records kept of photo uploads. In this way, and 'in case police determine the content is illegal and choose to investigate,' an easy trail from A to Z will be available. The article provides a good deal of background on the Bush Administration's history with data retention, with ties to events even older than the Bush presidency. --- "The Justice Department's request for information about compliance costs echoes a decade-ago debate over wiretapping digital telephones, which led to the 1994 Communications Assistance for Law Enforcement Act. To reduce opposition by telephone companies, Congress set aside $500 million for reimbursement and the legislation easily cleared both chambers by voice votes. Once Internet providers come up with specific figures, privacy advocates worry, Congress will offer to write a generous check to cover all compliance costs and the process will repeat itself." [Slashdot: Your Rights Online]

Homeland Security Offers Details on Real ID.

Sun, 04 Mar 2007 02:48:45 GMT

Homeland Security Offers Details on Real ID. pr0nqu33n writes "C|Net is running an article on the DHS's requirements for the Real ID system. Thursday members of the Bush administration finally unveiled details of the anticipated national identification program. Millions of Americans will have until 2013 to register for the system, which will (some would argue) constitute a national ID. RFID trackers for the cards are under consideration, as is a cohesive nation-wide design for the card. States must submit a proposal for how they'll adopt the system by early October of this year. If they don't, come May of next year their residents will see their licenses unable to gain them access to federal buildings and airplanes. The full regulations for the system are available online in PDF format. Likewise, the DHS has a Questions and Answers style FAQ available to explain the program to the curious." [Slashdot: Your Rights Online]

TIA becomes ADVISE | Free Government Information (FGI)

Fri, 02 Mar 2007 01:13:23 GMT

Congress killed the Total Information Awareness (TIA) program in 2003 and several new programs have been reported to take its place. (See Total Information Awareness just changed its name FGI, 2006-02-26.) A forthcoming GAO report looks at the use of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) system.

DHS Proposal for State Driver License Enhancements Posted for Public Comment.

Fri, 02 Mar 2007 01:04:53 GMT

DHS Proposal for State Driver License Enhancements Posted for Public Comment. DHS will grant states an extension of the compliance deadline until December 31, 2009. [GT: Security and Privacy]

National ID Card Rules Unveiled.

Thu, 01 Mar 2007 23:48:35 GMT

National ID Card Rules Unveiled. The DHS chief reveals how he'll turn state driver's licenses into internal passports. By Ryan Singel. [Wired News: Security Blanket]

DOD, Microsoft sign deal to data mine health records

Thu, 01 Mar 2007 23:46:58 GMT

The Defense Department has signed an agreement with Microsoft under which the software vendor will help develop tools and methods for analyzing the department's 9.1 million electronic patient records to find better ways to manage the health of DOD beneficiaries.

Under the cooperative research and development agreement, Microsoft will work with the Army's Telemedicine and Advanced Technology Research Center to extract, store and analyze data stored in DOD's Armed Forces Health Longitudinal Technology Application (AHLTA) electronic health record system.

The AHLTA clinical data repository (CDR) is "an untapped goldmine of health information, and the ability to draw upon and efficiently use this data will allow us to unleash the true power of AHLTA," said Dr. William Winkenwerder Jr., assistant secretary of Defense for health affairs. "This project has the potential to vastly improve our ability to provide both force health protection and population health improvement activities for every soldier, sailor, airman and Marine."

Microsoft and the Army center aim to develop a clinical data warehouse (CDW) that provides predefined queries of interest to clinicians and analysts. The warehouse also will support data mining, which uses clustering and pattern recognition techniques to discover previously unknown correlations in the data. Intel and HP are providing support on security, sizing, and scalability testing of the CDW architecture, Microsoft said.

Dr. Deborah Peel, chairwoman of the Patient Privacy Rights Foundation, views the patient information not as a goldmine ripe for exploitation but as a collection of personal and sensitive health information that needs to be zealously guarded and only accessed with express consent by the patient.

U.S. Bill Proposes E-Health Records Incentives.

Thu, 01 Mar 2007 23:19:07 GMT

U.S. Bill Proposes E-Health Records Incentives. Doctors would get $3 for every patient signed up to use an electronic health record under terms of a new House bill introduced today. [PC World: Latest Technology News]

DHS Issues REAL ID Regulations; CDT Urges Repeal of Law.

Thu, 01 Mar 2007 23:17:49 GMT

DHS Issues REAL ID Regulations; CDT Urges Repeal of Law. The Department of Homeland Security has issued proposed regulations implementing the REAL ID Act, which would require states to adopt tighter standards and create a networked system for driver's license issuance. Given the Act's fundamental flaws, CDT has joined other civil liberties groups in supporting legislation introduced in recent days in the House and Senate to repeal the hastily-enacted 2005 law and return to the driver's license reform process begun by the previous Congress. CDT is especially concerned that the Act would result in the creation of a linked network of government databases of personal information, without standards or limits on access and use. [Center for Democracy and Technology]

New Profiling Program Raises Privacy Concerns - washingtonpost.com

Wed, 28 Feb 2007 22:36:54 GMT

The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations. Similar to a Pentagon program killed by Congress in 2003 over concerns about civil liberties, the new program could take effect as soon as next year.

But researchers testing the system are likely to already have violated privacy laws by reviewing real information, instead of fake data, according to a source familiar with a congressional investigation into the $42.5 million program.

Bearing the unwieldy name Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), the program is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information, including audio and visual, and extract suspicious people, places and other elements based on their links and behavioral patterns.

The privacy violation, described in a Government Accountability Office report that is due out soon, was one of three by separate government data mining programs, according to the GAO. "Undoubtedly there are likely to be more," GAO Comptroller David M. Walker said in a recent congressional hearing.

The violations involved the government's use of citizens' private information without proper notification to the public and using the data for a purpose different than originally envisioned, said the source, who declined to be identified because the report is not yet public.

The issue lies at the heart of the debate over whether pattern-based data mining -- or searching for bad guys without a known suspect -- can succeed without invading people's privacy and violating their civil liberties.

German Antiterror Law Links Large Databases.

Wed, 28 Feb 2007 22:22:23 GMT

German Antiterror Law Links Large Databases. Law takes effect creating comprehensive pool of personal data in antiterrorist effort. [PC World: Latest Technology News]

Symantec: U.S. Data Breach Legislation Needed.

Wed, 28 Feb 2007 21:59:02 GMT

Symantec: U.S. Data Breach Legislation Needed. Officials from cybersecurity company tells the U.S. Congress that a data breach notification bill with reasonable security practice requirements would protect Americans. [PC World: Latest Technology News]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Tue, 27 Feb 2007 23:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 21:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

AHIC privacy co-chairman resigns in protest

Mon, 26 Feb 2007 23:10:39 GMT

Paul Feldman resigned on Feb. 21 as co-chairman of the American Health Information Community's Confidentiality, Privacy and Security (CPS) Workgroup, citing in a letter to Interim National Coordinator for Health Information Technology Robert Kolodner the panel's lack of "substantial progress toward the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network."

Intelligent Enterprise Magazine: How a Smarter Database Can Protect Your Data

Mon, 26 Feb 2007 22:48:06 GMT

Firewalls, intrusion detection systems, authorization and authentication all have their place in securing the enterprise, but these technologies rarely plug a hole that has leaked millions of records with sensitive information since the well-publicized ChoicePoint breach about two years ago, according to the Privacy Rights Clearing House. Data inside a database that is protected by all of the above is still easy plunder for a legitimate user or a hacker successfully masquerading as one.

"The database isn't smart enough to care that you execute the same type of SQL query over one thousand times in a matter of seconds and walk away with a list of social security numbers," explains Noel Yuhanna, analyst with Forrester Re-search. "And the network doesn't care either; it just looks at packets, which may or may not contain the personal information of all your customers." What is lacking, according to Yuhanna, is an end-to-end security solution. Such a solution would be impressive as it would have to address security concerns from the network stack layer all the way up to the application layer. Nothing like that exists, currently, and IT managers would be ill advised to wait for it to materialize.

DHS Biometric Program in Trouble.

Mon, 26 Feb 2007 22:31:00 GMT

DHS Biometric Program in Trouble. Spiraling costs and a missing long-term strategy bedevil the US-VISIT program, which screens incoming travelers to the United States for terrorist links. Luke O'Brien reports from Washington. [Wired News: Security Blanket]