Paul Hardwick: ID

Administrivia: Possible unscheduled upgrade of Privacy Digest

Sun, 18 Mar 2007 01:39:04 GMT

Administrivia: Possible unscheduled upgrade of Privacy Digest.

I might be implementing an unscheduled upgrade of the site due to some problems with the software I am currently using to run the site. I had been working on upgrading the software to implement some new features but may have to implement sooner than originally planned. If you would like to take a peek at the planned software take a visit to http://www.PrivacyDigest.com/index.php Yes the full URL will have to be entered until I have completed the switch over.

There may be some hiccups during the process as the XML/RSS location will change along with access to the sub-topics. I plan to create mod-rewrite rules to take of this but they may not all be ready on day one.

Please let me know what you think.

Your Clickstream Data: 40 cents; Losing Your Privacy: Priceless.

Sun, 18 Mar 2007 01:15:54 GMT

Your Clickstream Data: 40 cents; Losing Your Privacy: Priceless.

Adam Fields points to this disturbing revelation that ISPs are apparently selling their customer[base ']s clickstream data. The guilty ISPs apparently took the same [base "]anonymization[per thou] seminar as AOL, merely replacing user names with User 1, User 2, etc.

And what kind of price are they charging for such a violation of user[base ']s privacy? About 40 cents a month per user. Unbelievable.

[michaelzimmer.org]

GoDaddy, Get a Backbone and Protect Your Users' Rights.

Sun, 18 Mar 2007 00:50:31 GMT

GoDaddy, Get a Backbone and Protect Your Users' Rights.

A few weeks back, we wrote about how domain name registrar GoDaddy took offline Seclists.org based merely on an informal request and without providing any meaningful notice to the site's operator. Unfortunately, this isn't the only instance in which GoDaddy has carelessly ignored its users' rights.

In February, EFF was contacted by an anonymous owner of a parody and criticism website forum that allegedly exposes the financial corruption and domestic scandal of a local politician in Birmingham, Alabama. As part of a civil case in family court, an attorney representing the politician's girlfriend issued a subpoena to GoDaddy seeking the identity of the website owner, who was not a party to the lawsuit.

With the website owner's right to anonymous speech on the line, what did GoDaddy do? It caved without any apparent hesitation, providing its customer with a mere three days to find a lawyer and decide whether to file a challenge. GoDaddy also refused to provide a copy of the subpoena, which included essential information to determine whether and how to respond.

GoDaddy promises in its privacy policy to turn over customers' information only if required by law, but its lawyers didn't give this subpoena even a shred of scrutiny. Had they done so, they could have seen it was clearly invalid -- GoDaddy is located in Arizona and Alabama state law doesn't permit a subpoena to be issued on someone out of state. That was the ultimate conclusion of the state judge who eventually quashed the subpoena, no thanks to GoDaddy.

Even putting aside this aspect of GoDaddy's casual disregard for its customer's interests, the company's behavior is shameful. The First Amendment limits the ability of litigants to pierce a speaker's anonymity, particularly when that person isn't even being sued. GoDaddy owes its customers meaningful notice, time, and information so that they can fight back and protect their rights.

With the help of lawyer Lewis Page, the anonymous website operator did manage to move to quash before it was too late. But GoDaddy's sloppy practices still put an unfair burden on this user and continue to threaten all of its customers' rights.

For what online service providers ought to do to protect their users, check out our best practice guide.

[EFF: Deep Links]

Governor Announces Florida First in Nation to Access National Crime Database.

Fri, 16 Mar 2007 19:50:03 GMT

Governor Announces Florida First in Nation to Access National Crime Database. "This powerful tool will help protect both the victims of child abuse and neglect and the public servants charged with protecting them." [GT: Security and Privacy]

Injunction Against Companies Allegedly Engaged in ID Theft.

Fri, 16 Mar 2007 19:48:47 GMT

Injunction Against Companies Allegedly Engaged in ID Theft. "Combating identity theft is one of my top priorities in the consumer protection arena." [GT: Security and Privacy]

Visa Chief: Customer Data Theft Neither Random Nor Unavoidable - Software Technology News by InformationWeek

Fri, 16 Mar 2007 19:39:19 GMT

Although the use of the Internet to buy and sell online has introduced a slew of security concerns within the payment services industry, Visa USA president and CEO John Philip Coghlan insists that technology is the solution to combating fraud -- not the cause of it. Coghlan also pointed out during Visa's security summit in Washington, D.C., Thursday that data breaches are neither random nor inevitable if proper security measures are taken.

The TJX data breach "was a stark reminder to all of us that such events can have vast reach and consequences," Coghlan said. Such breaches create mistrust and can undermine efforts make to build a good brand image. But, he made clear, "the majority of compromises come from storage of prohibited data and using vulnerable systems to process data."

TJX, the parent company of retailers T.J. Maxx, Marshalls, HomeGoods, and others, made headlines in February when it revealed an attack on its systems had resulted in the theft of customer information. Just as the headlines were threatening to die down, TJX announced a few weeks later that intrusions into its system actually began as early as July 2005, rather than beginning in May 2006 as the company had originally reported.

While the exact nature of the TJX data breach has not yet been revealed, in general, financial information is stolen in a number of ways, including the physical theft of a wallet, checkbook, or credit card; theft of information from one's home from friends, relatives, or in-home employees; phishing messages that trick people into divulging information to fraudsters; hacks, viruses, and spyware on a PC or ATM machine; and a corrupt business employee with access to your records.

But data theft is not random. Instead, it's perpetrated against businesses with the weakest security and the most valuable information, Coughlin said Thursday, adding, "More than 80% of all dollars lost come from 20% of fraudulent transactions."

Security Watch - Visa - customer data theft neither random nor unavoidable

Fri, 16 Mar 2007 19:36:34 GMT

Very revealing speech last week by John Coughlan, Visa USA's CEO, who insists that the technology is available to prevent cardholder data falling into the wrong hands.

In a speech at Visa's security summit in Washington late last week, Coughlan said that cardholder data breaches are neither random nor inevitable if proper security measures are taken.

The TJX (TJ Maxx) data hack, he said, "was a stark reminder to all of us that such events can have vast reach and consequences."

According to Coughlan, such hacks can create mistrust and undermine efforts to build a positive brand image. But, he said, the majority of system compromises result from the storage of prohibited data and using vulnerable systems to process data.

PATRIOT Act Apologist Site Didn't Get the Memo.

Fri, 16 Mar 2007 18:45:28 GMT

PATRIOT Act Apologist Site Didn't Get the Memo.

Last week, the Department of Justice Inspector General's office released a damning report documenting the FBI abusing its powers under the PATRIOT Act and violating the law to collect Americans' telephone, Internet, financial, credit, and other personal records about Americans without judicial approval.

It appears that not everyone at the DOJ got the memo. The DOJ's Life and Liberty website, a site dedicated to defending the honor of the PATRIOT Act during the re-authorization process last spring, still reads as if nothing has changed. Particularly in the light of the newly revealed truth, many of the quotes now seem (at best) naive.

Under the headline of "Examining the Facts", the DOJ asserts that PATRIOT has "four-year track record with no verified civil liberties abuses." The site quotes an op-ed by former House Judiciary Committee Chairman James Sensenbrenner:

Zero. That's the number of substantiated USA PATRIOT Act civil liberties violations. Extensive congressional oversight found no violations. Six reports by the Justice Department's independent Inspector General, who is required to solicit and investigate any allegations of abuse, found no violations.

Wow, that sure sounds good. Unfortunately, the new report reveals that is is simply not true: the inspector general identifies dozens of instances in which extra-judicial demands for personal information -- known as National Security Letters -- may have violated laws and agency regulations.

In the Archive section, the site includes quotes from an op-ed by Senator Pat Roberts responding to critics like ourselves:

I regret to say it, but the rhetoric of those opposed to permanently authorizing the act has no substance and borders on paranoia. Opponents have criticized the act for years but can cite only hypothetical abuses. Facts are stubborn things. The actual record is quite clear - there have been no substantiated allegations of abuse of Patriot Act authorities, period.

Critics could only point to hypothetical abuses because the fox was guarding the hen house. Senator Roberts also opined that:

Through aggressive congressional oversight, we know the FBI uses Patriot Act authorities within the law.

It's now clearer than ever that the oversight was not aggressive enough, with the report documenting that the FBI decieved Congress about its use of the letters. The report is likely only the tip of the iceberg. Immediate and thorough oversight hearings are necessary to uncover the truth and hold the Administration accountable.

Tell Congress to defend your privacy now.

[EFF: Deep Links]

Chertoff: Security and privacy not at odds.

Thu, 15 Mar 2007 19:12:44 GMT

Chertoff: Security and privacy not at odds. Calling privacy groups "Luddites," DHS head Michael Chertoff defends the Real I.D. Act. He claims that the data-chipped drivers licenses, which will be linked to a numbers of databases around the country, will actually protect privacy Editor:And down is up, black is white, and I have a bridge I'd like to sell you.

[...]

The head of the Department of Homeland Security on Thursday downplayed privacy concerns raised by the government's efforts to create standardized, data-chipped drivers licenses across the country.

The same technology that makes information on identification cards more reliable can also protect privacy, DHS Secretary Michael Chertoff said during a speech to the Northern Virginia Technology Council. "It's my contention that properly used technology ... actually protects privacy," he said. "We should not allow folks to be captivated by the argument that every time we do something with a computer, it invades privacy."

Chertoff was referring to privacy concerns surrounding the Real ID Act, a law passed by Congress in 2005 that would require states to create machine-readable ID cards containing the name of the holder, the data of birth, a digital photograph and other information.

Privacy groups, including the Electronic Privacy Information Center (EPIC), have said that the DHS hasn't come up with rules on how the information on the cards should be protected. DHS has made only "vague" plans for card security and for restricting which state motor vehicle agency employees would have access to the information, EPIC says.

"On security and privacy standards for the card, state motor vehicle facilities, and the personal data and documents collected in state motor vehicle databases, DHS shows little interest," EPIC says on its Web site.

But Chertoff said those raising privacy concerns about the use of IT in the U.S. government's domestic security efforts create a false tension between security and privacy. "This kind of Luddite attitude ... is exactly wrong," he said. "Security and privacy are very much the same type of value. I don't think they're mutually exclusive, they're mutually reinforced."

Chertoff also talked about how DHS is using IT. Technology plays a part in nearly all the agency's efforts, including machines that read fingerprints at border crossings, databases that link law enforcement investigations and scanning technologies for containers coming into the U.S.

[Computerworld Privacy News]

Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed.

Thu, 15 Mar 2007 19:05:57 GMT

Google's New Plan to "Anonymize" Search Logs: A Good First Step, But More Is Needed.

After years of criticism from EFF and other privacy advocates, Google announced yesterday a new policy on how it handles logs of its users' searches: after 18-24 months, it will delete key information in its server logs that could be used to link particular users to records of their search queries.

This is a big change from Google's previous policy, which was essentially to keep all of those logs forever in identifiable form, and we're certainly glad to see that Google is starting to limit its retention of such sensitive data. Your Google search history can paint an intimate portrait of your most private interests and concerns. Particularly in light of the disastrous AOL search terms disclosure, recent scandals involving government surveillance, and Google's own recent court fight with the government over a subpoena for search records, it seems that Google has finally realized that limiting the retention of such records is essential to protecting your privacy.

Hopefully, Google's change in policy will spur other online service providers to consider how they can minimize the amount of personal data that they store, and perhaps even prompt competition between service providers to offer the most privacy-protective services. However, we hope that this new announcement is only Google's first step in changing its privacy practices, because additional changes would better protect user privacy and set an even better example for the industry:

Google should shorten the retention period for identifiable logs to six months at the outside, and ideally to only thirty days (which is AOL's retention limit for similar logs). Barring this, it should at least justify why it needs such records for up to two years, beyond offering one-sentence platitudes about how such records are used to improve Google's service.
Google should also shorten the retention of the "anonymized" logs, which Google apparently still intends to keep forever. As Google itself admits, the new policy changes still don't guarantee users' anonymity, and holding onto those records indefinitely still poses a serious private threat.
Therefore, Google should consider more robust anonymization techniques, up to and including scrubbing entire IP addresses rather than just the last quarter or "octet" of such addresses.
Finally, Google should expand its new anonymization policy to include the search records of users with Google Account log-ins, and to records generated by their myriad other services, rather than limiting the policy change to regular search logs.

Beyond making these additional policy changes, there's one more thing that Google should be doing[~]something we think it actually has a duty to do as a good corporate citizen and as a preeminent Internet powerhouse[~]and that is using its considerable political clout to fight for better Internet privacy laws on Capitol Hill. Right now, there are significant questions as to whether or how Internet search logs are protected by existing federal privacy laws, and Google owes it to its customers to publicly advocate for updating those privacy laws for the 21st century.

[EFF: Deep Links]

Google To Anonymize Data -- Updated WIRED Blogs: 27B Stroke 6

Thu, 15 Mar 2007 18:15:53 GMT

Googleis reversing a long-standing policy to retain all the data on its users indefinitely, and by the end of the year will begin removing identifying data from its search logs after 18 months to two years, depending on the country the servers are located in.

Currently, Google retains indefinitely detailed server logs on its search engine users, including user's IP addresses - which can identify a user's computer, the query, any result that is clicked on, their browser and operating system, among other details. Even if a user never signs up for a Google account, those searches are all tied together through a cookie placed on the user's computer, which currently expires in 2038.

The new policy will be global, but there will be variances by country, especially in Europe where a data retention rule passed in 2005 requires ISPs and phone companies to keep data from six months to two years. After that time period, Google will "anonymize" the search data from web and image searches by dropping either the second half or last quarter of I.P. addresses, thus turning an address such as 127.0.34.35into127.0or127.0.34. The goal is to make it technically impossible to retroactively tie a query back to a computer, unless the query included identifying information.

User logs from services that require log-ins, such as personalized search, Google Documents and Gmail will not be subject to this policy. Those services are governed by their own privacy policies. More can be found on this at Google's official blog announcement.

Civil libertarians have long criticized the search giant's hoarding for data, saying that the data store created an attractive target for law enforcement and civil suits. Google successfully quashed a Justice Department request for large chunks of user data in 2005.

Google to anonymize user data.

Thu, 15 Mar 2007 18:03:25 GMT

Google to anonymize user data.

It's about time

Google is to discard some of the information it stores about user search requests in an effort to address concerns by privacy watchdogs and defend itself against government demands for data.

[The Register - Music and Media]

ID Fraud Manufacturing Ring Uncovered in Arizona.

Wed, 14 Mar 2007 20:00:48 GMT

ID Fraud Manufacturing Ring Uncovered in Arizona. Three month investigation of Arizona Homeland Security Fraudulent Identification Task Force (AFIT) uncovers one of the largest manufacturers of fraudulent identification in Southern Arizona. [GT: Security and Privacy]

Latest ID-Theft Worry? Copiers.

Wed, 14 Mar 2007 19:55:53 GMT

Latest ID-Theft Worry? Copiers. Digital photocopiers use hard drives to store data. If not properly secured, they can be vulnerable to data thieves. By the Associated Press. [Wired News: Security Blanket]

FCW.com News - Bill would protect information about students from recruiters

Wed, 14 Mar 2007 19:54:06 GMT

An amendment to the No Child Left Behind (NCLB) Act seeks to keep military recruiters from accessing secondary students' personal data by requiring parents to choose to share that information rather than having to opt out of sharing it.

Rep. Mike Honda (D-Calif.) introduced the legislation March 6. The Student Privacy Protection Act would require local school systems to obtain written consent before releasing information on secondary school students to military recruiters or their agents.

The measure will next be referred to the House Education and Labor Committee sometime during this session, said a spokesperson for Honda. That committee's chairman, Rep. George Miller (D-Calif.), is a co-sponsor of the bill.

Because of a provision in the NCLB, school districts are directed to give information about students to military recruiters unless parents explicitly request that their children's data remains private. Since the enacting of NCLB, secondary schools have been supplying the names, addresses and telephone numbers of students to recruiters sponsored by the military services.

However, schools often failed to make parents aware of the option to keep that information private, Honda said.

Dispute surfaces over certification for personal health records

Wed, 14 Mar 2007 19:51:04 GMT

n a rare instance of public dissent, an American Health Information Community AHIC) workgroup has split over whether to recommend that product certification be available for personal health record software.

AHIC, a high-level advisory committee to the Department of Health and Human Services, sided with the majority on its Consumer Empowerment Workgroup and voted unanimously in favor of the certification recommendation.

A minority -- five members of the 23-person workgroup -- took the position that certification would be premature and the top priority should be privacy and security policies for PHRs. "The risks [of certification now] outweigh any potential benefits," the dissenters said in a letter to AHIC.

The workgroup's task is to foster widespread adoption of PHRs. One of its leaders, Dr. Rose Marie Robertson, told AHIC that the group believes PHRs will be more widely used if consumers do not have to sit at a computer and enter all their health information. Instead, the PHRs could be populated by data from doctors, health plans, drug stores, or elsewhere.

Medical data on Blue Cross members may be lost | CNET News.com

Wed, 14 Mar 2007 19:45:41 GMT

WellPoint, one of the nation's largest health insurers, has begun notifying 75,000 members of its Empire Blue Cross and Blue Shield unit in New York that a CD holding their vital medical and other personal information has disappeared.

The information was on an unencrypted disc that a subcontractor recently sent to Magellan Behavioral Services, a company in Avon, Conn., that specializes in monitoring and coordinating mental health and substance abuse treatments for insurance companies.

Empire began notifying the affected consumers by mail on Saturday that their records--including their names, Social Security numbers, health plan identification numbers and description of medical services back to 2003--had been lost.

[...]

Before shipping the information to Magellan, the coding and passwords that protect the privacy of the information was removed by a Magellan subcontractor, Lisa Ann Greiner, an Empire spokeswoman, said Tuesday.

Janlori Goldman, the director of the Health Privacy Center, a nonprofit organization in Washington, said the error was an "egregious breach of privacy." She said that insurance companies were responsible under a federal privacy law for ensuring that their contractors use adequate security procedures.

Greiner said that the subcontractor, Health Data Management Services, worked for Magellan, not Empire. "If any contract was breached, we are going to take direct action," she said.

Photocopiers: The newest ID theft threat.

Wed, 14 Mar 2007 19:40:11 GMT

Photocopiers: The newest ID theft threat. Photocopiers made in recent years often have hard drives that store what's been duplicated -- making them a potential target for identity thieves. [Computerworld Privacy News]

Do You Need to Surf Anonymously?

Tue, 13 Mar 2007 20:48:57 GMT

Do You Need to Surf Anonymously? An anonymous reader writes "Computerworld has up an article entitled 'How to Surf Anonymously without a Trace'. It purports to offer tips on how to avoid detection by anyone attempting to monitor your internet access. 'If you don't like the limitations imposed on you by [proxy] sites like the Cloak or would simply prefer to configure anonymous surfing yourself, you can easily set up your browser to use an anonymous proxy server to sit between you and the sites you visit. To use an anonymous proxy server with your browser, first find an anonymous proxy server. Hundreds of free, public proxy servers are available, but many frequently go offline or are very slow. Many sites compile lists of these proxy servers, including Public Proxy Servers and the Atom InterSoft proxy server list.'"

[Slashdot: Your Rights Online]

Three Indicted for Alleged Online Brokerage Scam.

Tue, 13 Mar 2007 20:11:34 GMT

Three Indicted for Alleged Online Brokerage Scam. A federal grand jury indicted three people on charges of conspiracy, fraud, and aggravated identity theft related to a "high-tech" scheme to hijack online brokerage accounts. [PC World: Latest Technology News]

courant.com | Our I.D., Their Trash - Sensitive Records Turn Up In Ohio

Mon, 12 Mar 2007 20:41:49 GMT

Papers with sensitive information about Connecticut residents - Social Security numbers, medical records, names, phone numbers, addresses and bank records began blowing from an Ohio landfill onto nearby homeowner Harry Evans' yard months ago.

At first he just picked up the litter - dozens of papers in all - and threw it away. But about a week ago, Evans says, he talked with his wife about the personal nature of some of the windblown papers and decided he'd had enough. He called the local media. Soon, newspaper and TV reporters descended on his home in Negley.

TorontoSun.com - Canada - Privacy swipe? New system would check IDs in stores

Mon, 12 Mar 2007 20:38:21 GMT

Convenience stores that check ID by swiping driver's licences could be violating privacy law, Government Services Minister Gerry Phillips said Wednesday.

The system called "We Expect ID," would see store clerks swipe licences through a lottery terminal to verify a customer's age when purchasing alcohol, cigarettes, adult magazines, lottery tickets or fireworks. The terminal will read age information from the magnetic stripe on the licence and display the person's age on the terminal.

Congress Targets Pretexting.

Mon, 12 Mar 2007 20:22:56 GMT

Congress Targets Pretexting. Legislation would add protections against the practice of posing as another to gain personal data. [PC World: Latest Technology News]

Conn. lawmakers want MySpace, others to verify user ages.

Sun, 11 Mar 2007 17:32:38 GMT

Conn. lawmakers want MySpace, others to verify user ages. Connecticut lawmakers are pushing a bill that would require age verification rules for social networking sites and would allow parents more control over their children's pages. [Computerworld Privacy News]

'Real ID' threatens everyone's privacy - Nashville, Tennessee

Sun, 11 Mar 2007 17:28:25 GMT

"We are, after all, for the first time in the history of a liberty-loving nation, creating a national identification card ... with all the ramifications of that. ... Real ID was stuffed into the supplemental appropriations bill for Hurricane Katrina and the troops in Iraq, so of course, we had to vote for the bill, but we had no chance to amend it -- no debate, no hearing, and no consideration of other alternatives, And now we impose on the states an $11 billion unfunded mandate. ... I would say we wouldn't be doing our job if we didn't stop and think about what we've done."

Sen. Lamar Alexander's recent comments about the Real ID Act echo the widespread bipartisan resistance to this new law.

In 2005, Congress passed the Real ID Act, a law that proposed a sea change in how states issue driver's licenses. In essence, the law would federalize all state departments of motor vehicles and turn our driver's licenses into national identity cards. The burdens of compliance are onerous and guarantee longer lines, higher fees and huge bureaucratic and financial nightmares for state government.

However, the real nightmare of Real ID is the law's assault on our privacy rights. The law mandates a central, interlinked database containing a wealth of personal information, including name, address, date of birth, biometric information and an assigned identification number. Over time, the database will inevitably become the repository for more and more of citizens' personal data and will be used for an ever-wider set of purposes, moving us closer to a surveillance society.

The dangers of DNA testing

Sun, 11 Mar 2007 17:15:40 GMT

DNA testing is in the news a lot these days, and not solely because of the saga of Anna Nicole Smith, whose burial was delayed amid a legal tussle over the paternity of her 5-month-old daughter, Daniellyn.

The growing success in obtaining convictions by genetic matching (since the O.J. Simpson trial anyway) has made it the preferred identification technology for law enforcement, as well as by other federal agencies. The U.S. military requires every serviceman to give blood for future DNA analysis, presumably for body identification.

States are among the most aggressive users of DNA testing. The New Jersey Supreme Court recently upheld a Garden State law requiring DNA testing of all felons, with the results maintained in a state database and submitted to the FBI.

Other states that have initiated extensive DNA collection policies include Virginia and Arizona -- the latter tests, collects, and stores the results not only from convicted felons but also from most people who are simply arrested for a felony. Florida is now considering collecting DNA from everyone convicted of a felony, as well as from those found guilty of certain misdemeanors.

Municipalities are climbing onto the DNA testing bandwagon, too. A blood bank in Seattle has begun collecting and analyzing DNA from donated blood without obtaining explicit permission, although donors may opt out. The program is funded by the U.S. military. To protect the privacy of donors, the Puget Sound blood bank labels the samples with codes instead of printed names. For the record, that's not a very secure strategy.

Race Traces

A little-noticed provision in the recently passed Violence Against Women Act may soon trigger the largest sweep of DNA information in this country. The Justice Dept. plans to collect DNA from anyone arrested or detained by federal agents. This will, by definition, include all illegal immigrants.

The increasingly widespread use of DNA testing opens a Pandora's Box of privacy issues. Technicians can extrapolate information about a person from the sample of their brother or son. In Houston last year, a man's conviction of rape was partially based on DNA evidence collected from his twin brother.

And the process isn't without its bizarre anomalies. For example, people who have received bone-marrow transplants can in certain cases match the DNA of a donor.

courant.com | Internet Safety Is Goal Of Bill

Sun, 11 Mar 2007 17:08:47 GMT

Popular Internet social-networking sites like MySpace and Facebook would have to verify users' ages and get parental permission before minors could post profiles under a proposed law pending in the General Assembly.

Connecticut would become a national leader in protecting minors on the Internet if it adopts the tighter age restrictions, state Attorney General Richard Blumenthal said.

The bill cleared its first major hurdle Thursday when it won unanimous approval from the legislature's general law committee.

The intent of the bill is clear. Unclear is what form parental permission would take and what would prevent youths from faking permission.

Connecticut Wants to Restrict Social Networking.

Sun, 11 Mar 2007 17:06:21 GMT

Connecticut Wants to Restrict Social Networking. csefft writes "According to the Hartford Courant, Connecticut became the latest state to want to restrict the use of MySpace and other social networking sites. The proposed bill would require that all such sites verify the identity and age of users, as well as get parent's permission for those under 18. Sites that failed to comply would be subject to a $5,000 per day fine. Attorney General Richard Blumenthal said of the proposition, 'If we can put a man on the moon, we can verify age on the Internet,' but quickly followed with the acknowledgment that there is no foolproof method." [Slashdot: Your Rights Online]

Don't like ID cards? Hand over your passport | the Daily Mail

Sun, 11 Mar 2007 16:56:16 GMT

Anybody who objects to their personal details going on the new "Big Brother" ID cards database will be banned from having a passport.

James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out - but in return they must "forgo the ability" to have a travel document.

With one in every eight people saying they will refuse to sign-up, up to five million adults could effectively be refused permission to leave the country.

Campaigners reacted to Mr Hall's remarks with fury, saying they were yet more evidence of the lurch towards "Big Brother" Britain.

Phil Booth, of the NO2ID group, said: "The idea that ID cards scheme is voluntary, and people can opt-out, is a joke.

"There are all sorts of reasons why people need to travel, not just for holidays. There is work, visiting relatives.

"What are these people supposed to do? It stretches the definition of voluntary beyond breaking point. They will go to any length to get personal information for this huge database. Who knows what will happen to it then?"

No Passport For Britons Refusing Mass Surveillance.

Sun, 11 Mar 2007 16:52:17 GMT

No Passport For Britons Refusing Mass Surveillance. UpnAtom writes "People who refuse to give up their bank records, tax records & details of any benefits they've claimed, and the records of their car movements for the last year, or refuse to submit to an interrogation on whether they are the same person that this mountain of data belongs to -- will be denied passports from March 26th. The Blair government has already admitted that this and other data will be cross-linked so that the Home Office and other officials can spy on the everyday lives of innocent Britons. Britons were already the most spied upon nation in Western Europe -- more so even than Sweden. Data-mining through this unprecedented level of mass-surveillance allows any future British government to leapfrog even countries like China and North Korea." [Slashdot: Your Rights Online]

Big Brother State - An animated short about public surveillance by David Scharf

Sun, 11 Mar 2007 03:06:35 GMT

please also download using Bit Torrent:
(Xvid Version, ca. 50 MB, 768 px x 432 px) ---> CLICK HERE
(Big FLV Version, 55 MB, 768 px x 432 px, use FLV Player to view) ---> CLICK HERE

Check the Internet Archive for other resolutions and formats: CLICK HERE

Open-source ID project awaits Microsoft's blessing | CNET News.com

Fri, 09 Mar 2007 20:42:06 GMT

An open-source rival to a Microsoft identity tool has been in limbo for months, awaiting the software giant's go-ahead on certain patent-related issues.

Developers working on the Higgins project want to create a tool equivalent to Microsoft's Windows CardSpace, but fear the software giant's legal wrath if they don't receive permission on certain features. Although parts of the project continue to move forward, proponents say it may not reach its full potential without Microsoft's help.

"There are some pieces that we would not be able to release that we would like to," Mary Ruddy, a Higgins project leader, said Thursday. "We want to make sure that the intellectual property for all of our open-source projects is really clean, so that people can feel confident about using our code."

In September, Microsoft pledged not to assert its patents pertaining to nearly three dozen Web services specifications. That did help the Higgins project, but developers say that wasn't enough to help them deliver all the features they hope to. They have asked Microsoft to provide guarantees that it won't sue on other parts of its intellectual property.

Open-Source ID Project Awaits Microsoft's Blessing.

Fri, 09 Mar 2007 20:39:39 GMT

Open-Source ID Project Awaits Microsoft's Blessing. An anonymous reader writes to mention that an open-source alternative to Microsoft's CardSpace tool has been on hold for months while they await patent blessing from the Redmond software giant. "While CardSpace is available on Windows, one goal of the Higgins project is to cover other operating systems. Higgins wants to offer an open-source alternative that works on Windows and on alternatives such as Linux and Mac OS X. The application would work similarly to CardSpace." [Slashdot]

State Eyes Age Checks for MySpace.

Fri, 09 Mar 2007 03:36:59 GMT

State Eyes Age Checks for MySpace. Connecticut legislators want to force social-networking sites to verify users' ages and lock down parents' permission before minors can post personal profiles. By the Associated Press. [Wired News: Security Blanket]

Image Gallery: Seven ways to keep your search history private.

Fri, 09 Mar 2007 03:22:29 GMT

Image Gallery: Seven ways to keep your search history private. Worried that Google and other search sites know too much about you -- and that the federal government can subpoena that data? Fear not -- we've got seven steps you can follow to keep your search history to yourself. [Computerworld Privacy News]

heise Security - All Microsoft updates phone home

Thu, 08 Mar 2007 22:54:34 GMT

Possibly as a reaction to heise Security's report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not.

In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date. By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information.

With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself. The WGA package thus, among other things, sends back an event code. To calm the fears of users, alexkoc presents a graphic explaining the various fields of such a data packet.

When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users.

WGA Reports Back To MS Even If You Choose Not To Install - Aviran's Place

Wed, 07 Mar 2007 17:06:01 GMT

Heise online reports on a very interesting action Microsoft is taking during the installation of WGA.

When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send your info and the fact that you choose not to install WGA back to their servers.

In addition to that it seems that the setup program send some information stored in your registry to http://genuine.microsoft.com/. While it does not specifically identify the user, it looks like it does send some identification of your computer and Windows version (see picture) to Microsoft servers.

Microsoft WGA Phones Home Even When Told No.

Wed, 07 Mar 2007 17:00:00 GMT

Microsoft WGA Phones Home Even When Told No. Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers." [Slashdot]

Patient control of EHR data on network gets mixed reaction

Wed, 07 Mar 2007 15:56:32 GMT

The Health and Human Services Department has received mixed reviews for its decision to insist that the next iteration of the Nationwide Health Information Network (NHIN) allow patients to control who sees their electronic health records on the network.

Dr. Robert Kolodner, interim national coordinator of health information technology, said March 1 that trial networks funded by his office should give "people the capability to decide how they view, store and control access to their own information. A person could say how that information flows to specific entities or completely block the flow of information."

"If they do what they say, it's a tremendous thing for privacy," said Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation. "It's exactly what we've been talking about for a long time."

Peel said she talked with Kolodner and learned that he wants to give patients the ability to control what happens to their health information, "down to the data field level." "I think his intentions are fantastic," she said.

Asked whether such a network would be technically feasible, Peel said the existing technology would support that degree of granularity in controlling the flow of EHR data.

But Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, said he doubts the HHS move will make a difference. "I don't really have a lot of confidence that it would really have any effect whatsoever," said Rothstein, a member of the official National Committee on Vital and Health Statistics.

The reason Rothstein was less than enthusiastic about the HHS move: Privacy problems are primarily policy and legal issues in his view, not technology-based. Rothstein recently testified before a Senate subcommittee, criticizing HHS for failing to tackle privacy and other policy issues associated with development of the NHIN. Kolodner's announcement doesn't address many of the policy questions, he said.

Kolodner's office "has indicated no prior interest in this concept," Rothstein said, suggesting that there is no way to know how committed HHS is to its plans. Others have pointed out it is one of the first HHS health IT initiatives that deviates from plans outlined by Kolodner's predecessor, Dr. David Brailer.

Mass. motor vehicle registry warns of spoof site.

Wed, 07 Mar 2007 15:44:41 GMT

Mass. motor vehicle registry warns of spoof site. The Massachusetts Registry of Motor Vehicles is warning customers about an online scam intended to trick them out of their credit card information and their money. [Computerworld Privacy News]

Texas House exempts courthouse clerks from privacy laws.

Wed, 07 Mar 2007 15:43:07 GMT

Texas House exempts courthouse clerks from privacy laws. The Texas House of Representatives has approved a bill that would allow local courthouse clerks to disclose "in the ordinary course of business" Social Security numbers contained in public records maintained by their offices. Computerworld Privacy News]

Crack! Security expert hacks RFID in UK passport.

Wed, 07 Mar 2007 15:41:33 GMT

Crack! Security expert hacks RFID in UK passport. The British government says that forgery of their new biometric passports is inconceivable, but a security expert has demonstrated a successful crack of the embedded RFID chip and its info. And he did it without taking the document out of its mailing envelope. [Computerworld Privacy News]

Cybercrime Treaty ó Hidden Costs For All.

Wed, 07 Mar 2007 01:48:08 GMT

Cybercrime Treaty [~] Hidden Costs For All. linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you." [Slashdot: Your Rights Online]

Action Alert: Repeal the REAL ID Act!

Wed, 07 Mar 2007 01:24:48 GMT

Action Alert: Repeal the REAL ID Act!

The federal government has taken another step towards forcing you to carry a national ID in order to get on airplanes, open a bank account, enter federal buildings, and much more. But with state legislatures and Congressional representatives increasingly turning against the REAL ID Act, you can help stop this costly, privacy-invasive mandate -- voice your opposition now.

On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information.

REAL ID won't just cost you your privacy. The states and individual taxpayers bear the estimated 23 billion dollar burden of implementing the law, and that figure is probably low given that the necessary verification systems don't exist yet.

And what will you get in return? Not improved national security, because IDs do little to stop those who haven't already been identified as threats, and wrongdoers will still be able to create fake documents.

REAL ID is fundamentally flawed, and DHS' proposed regulations do nothing to change that. Thankfully, the tide is turning against REAL ID in a big way -- state legislatures around the country are passing or considering legislation rejecting its implementation, and Congress is considering repealing it.

The DHS regulations mean that states must have an implementation plan ready by October 2007. Make sure your Congressional representatives support the repeal of REAL ID before it's too late.

For more information, check out San Jose Mercury News' recent editorial opposing REAL ID as well as the ACLU's Realnightmare.org.

[EFF: Deep Links]

Good shoppers may find their info sold ( New Zealand and Australia )

Tue, 06 Mar 2007 16:15:46 GMT

Credit information companies will have the power to sell detailed records about responsible borrowers, not just those in serious debt, as part of a current review of privacy laws in New Zealand and Australia.

Veda Advantage chief executive Andrew Want says a sweeping review of privacy laws could see the company introduce a service by 2009 providing information about consumers who are a good credit risk.

Currently, it is illegal to sell such information.

But work by the Privacy Commission in Australia to streamline privacy rules between federal and state governments, and to bring them in line with the current developments with technology, could change that.

Texas counties illegally posting Social Security numbers online, AG says.

Mon, 05 Mar 2007 20:38:14 GMT

Texas counties illegally posting Social Security numbers online, AG says. Texas Attorney General Greg Abbot has ruled that the posting of sensitive data online by county and district clerks is illegal. But the clerks are fighting back by pushing for a state law that would allow them to continue to do so. [Computerworld Privacy News]

IT Conversations: Open Telephony and Open Identity - Bill Weinberg, Brad Templeton, Johannes Ernst

Mon, 05 Mar 2007 01:08:51 GMT

Many developers, especially small start-ups, are being out-competed by the big name players in financial terms. Regulations, including the Communications Assistance for Law Enforcement Act, or CALEA, are major challenges for start-ups, because they lack armies of lawyers. In a humorous and sarcastic presentation, Brad Templeton of EFF considers the implications of government-mandated wiretapping.

While consumers are concerned about their privacy, they also struggle to keep their digital identities organized. Johannes Ernst of NetMesh explains projects that have sprung up to provide unified identification and authentication for all of our digital communication. LID, OpenID, and i-names are providing consumers with interoperable digital identities in a world where new methods of communication and collaboration are invented daily.

Concurring Opinions: The Rise of Customer Blacklists

Sun, 04 Mar 2007 03:55:39 GMT

Blacklists appear to be the rage these days. With the ease of storing and sharing personal information -- coupled with lax privacy law restrictions on such activities -- companies can increasingly create blacklists of bad customers. In this article from the Ottawa Citizen, hotels in Australia and Canada (and soon the United States) are signing up for a service that compiles a blacklist against "bad" hotel guests:

Telco customers at risk for online privacy breach.

Sun, 04 Mar 2007 03:51:07 GMT

Telco customers at risk for online privacy breach. A study released by the Customer Respect Group indicates that telecommunications companies are slipping when it comes to customer privacy, especially in comparison to retail and high-tech industries. A majority of companies surveyed were dound to ask for excessive, inappropriate personal data. [Computerworld Privacy News]

Homeland Security offers details on Real ID | CNET News.com

Sun, 04 Mar 2007 02:52:36 GMT

Hundreds of millions of Americans will have until 2013 to be outfitted with new digital ID cards, the Bush administration said on Thursday in a long-awaited announcement that reveals details of how the new identification plan will work.

The announcement by the U.S. Department of Homeland Security offers a five-year extension to the deadline for states to issue the ID cards, and proposes creating the equivalent of a national database that would include details on all 240 million licensed drivers.

According to the draft regulations (PDF), which were required by Congress in the 2005 Real ID Act and are unlikely to assuage privacy and cost concerns raised by state legislatures:

âo¢ The Real ID cards must include all drivers' home addresses and other personal information printed on the front and in a two-dimensional barcode on the back. The barcode will not be encrypted because of "operational complexity," which means that businesses like bars and banks that require ID would be capable of scanning and recording customers' home addresses.

âo¢ A radio frequency identification (RFID) tag is under consideration. Homeland Security is asking for input on how the licenses could incorporate "RFID-enabled vicinity chip technology, in addition to" the two-dimensional barcode requirement.

Homeland Security Offers Details on Real ID.

Sun, 04 Mar 2007 02:48:45 GMT

Homeland Security Offers Details on Real ID. pr0nqu33n writes "C|Net is running an article on the DHS's requirements for the Real ID system. Thursday members of the Bush administration finally unveiled details of the anticipated national identification program. Millions of Americans will have until 2013 to register for the system, which will (some would argue) constitute a national ID. RFID trackers for the cards are under consideration, as is a cohesive nation-wide design for the card. States must submit a proposal for how they'll adopt the system by early October of this year. If they don't, come May of next year their residents will see their licenses unable to gain them access to federal buildings and airplanes. The full regulations for the system are available online in PDF format. Likewise, the DHS has a Questions and Answers style FAQ available to explain the program to the curious." [Slashdot: Your Rights Online]

TIA becomes ADVISE | Free Government Information (FGI)

Fri, 02 Mar 2007 01:13:23 GMT

Congress killed the Total Information Awareness (TIA) program in 2003 and several new programs have been reported to take its place. (See Total Information Awareness just changed its name FGI, 2006-02-26.) A forthcoming GAO report looks at the use of the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE) system.

NGA Praises Congressional Movement to Correct Real ID.

Fri, 02 Mar 2007 01:07:42 GMT

NGA Praises Congressional Movement to Correct Real ID. "The substantial costs and looming implementation deadline make Real ID unworkable and unreasonable." [GT: Security and Privacy]

DHS Proposal for State Driver License Enhancements Posted for Public Comment.

Fri, 02 Mar 2007 01:04:53 GMT

DHS Proposal for State Driver License Enhancements Posted for Public Comment. DHS will grant states an extension of the compliance deadline until December 31, 2009. [GT: Security and Privacy]

Real ID Act Deadline Pushed Back to 2009.

Fri, 02 Mar 2007 00:53:08 GMT

Real ID Act Deadline Pushed Back to 2009. "We will work closely with states to implement these standards and protect American's privacy against identity theft and the use of fraudulent documents." [GT: Security and Privacy]

National ID Card Rules Unveiled.

Thu, 01 Mar 2007 23:48:35 GMT

National ID Card Rules Unveiled. The DHS chief reveals how he'll turn state driver's licenses into internal passports. By Ryan Singel. [Wired News: Security Blanket]

DOD, Microsoft sign deal to data mine health records

Thu, 01 Mar 2007 23:46:58 GMT

The Defense Department has signed an agreement with Microsoft under which the software vendor will help develop tools and methods for analyzing the department's 9.1 million electronic patient records to find better ways to manage the health of DOD beneficiaries.

Under the cooperative research and development agreement, Microsoft will work with the Army's Telemedicine and Advanced Technology Research Center to extract, store and analyze data stored in DOD's Armed Forces Health Longitudinal Technology Application (AHLTA) electronic health record system.

The AHLTA clinical data repository (CDR) is "an untapped goldmine of health information, and the ability to draw upon and efficiently use this data will allow us to unleash the true power of AHLTA," said Dr. William Winkenwerder Jr., assistant secretary of Defense for health affairs. "This project has the potential to vastly improve our ability to provide both force health protection and population health improvement activities for every soldier, sailor, airman and Marine."

Microsoft and the Army center aim to develop a clinical data warehouse (CDW) that provides predefined queries of interest to clinicians and analysts. The warehouse also will support data mining, which uses clustering and pattern recognition techniques to discover previously unknown correlations in the data. Intel and HP are providing support on security, sizing, and scalability testing of the CDW architecture, Microsoft said.

Dr. Deborah Peel, chairwoman of the Patient Privacy Rights Foundation, views the patient information not as a goldmine ripe for exploitation but as a collection of personal and sensitive health information that needs to be zealously guarded and only accessed with express consent by the patient.

U.S. Bill Proposes E-Health Records Incentives.

Thu, 01 Mar 2007 23:19:07 GMT

U.S. Bill Proposes E-Health Records Incentives. Doctors would get $3 for every patient signed up to use an electronic health record under terms of a new House bill introduced today. [PC World: Latest Technology News]

DHS Issues REAL ID Regulations; CDT Urges Repeal of Law.

Thu, 01 Mar 2007 23:17:49 GMT

DHS Issues REAL ID Regulations; CDT Urges Repeal of Law. The Department of Homeland Security has issued proposed regulations implementing the REAL ID Act, which would require states to adopt tighter standards and create a networked system for driver's license issuance. Given the Act's fundamental flaws, CDT has joined other civil liberties groups in supporting legislation introduced in recent days in the House and Senate to repeal the hastily-enacted 2005 law and return to the driver's license reform process begun by the previous Congress. CDT is especially concerned that the Act would result in the creation of a linked network of government databases of personal information, without standards or limits on access and use. [Center for Democracy and Technology]

New Profiling Program Raises Privacy Concerns - washingtonpost.com

Wed, 28 Feb 2007 22:36:54 GMT

The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations. Similar to a Pentagon program killed by Congress in 2003 over concerns about civil liberties, the new program could take effect as soon as next year.

But researchers testing the system are likely to already have violated privacy laws by reviewing real information, instead of fake data, according to a source familiar with a congressional investigation into the $42.5 million program.

Bearing the unwieldy name Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), the program is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information, including audio and visual, and extract suspicious people, places and other elements based on their links and behavioral patterns.

The privacy violation, described in a Government Accountability Office report that is due out soon, was one of three by separate government data mining programs, according to the GAO. "Undoubtedly there are likely to be more," GAO Comptroller David M. Walker said in a recent congressional hearing.

The violations involved the government's use of citizens' private information without proper notification to the public and using the data for a purpose different than originally envisioned, said the source, who declined to be identified because the report is not yet public.

The issue lies at the heart of the debate over whether pattern-based data mining -- or searching for bad guys without a known suspect -- can succeed without invading people's privacy and violating their civil liberties.

German Antiterror Law Links Large Databases.

Wed, 28 Feb 2007 22:22:23 GMT

German Antiterror Law Links Large Databases. Law takes effect creating comprehensive pool of personal data in antiterrorist effort. [PC World: Latest Technology News]

NY1: Nightclub Safety On Council Agenda

Wed, 28 Feb 2007 22:06:21 GMT

Clubs will also now be required to have security cameras at their entrances and exits. Outside monitors could also be installed at clubs in frequent trouble with the law.

The New York Civil Liberties Union have said some of the proposals violate privacy, but the bill's sponsors have said they are just trying to keep club patrons safe.

Symantec: U.S. Data Breach Legislation Needed.

Wed, 28 Feb 2007 21:59:02 GMT

Symantec: U.S. Data Breach Legislation Needed. Officials from cybersecurity company tells the U.S. Congress that a data breach notification bill with reasonable security practice requirements would protect Americans. [PC World: Latest Technology News]

EFF - miniLinks for 2007-02-28.

Wed, 28 Feb 2007 21:50:21 GMT

miniLinks for 2007-02-28.

Supreme Court Debates Patentability of Software
Justices look skeptically at the details of software's protection.

Toward an Ethical Patent System
European citizens unite against over-broad patents....

Bad Patents Are Bad for Business
... as does the European business community to go with it.

Canada Turns Away Americans for Past Misdemeanors
Thanks to DHS data mining, Canada turned away a visitor who shop-lifted during a fraternity prank 20 years ago and others with minor criminal records.

Has the Media Center Moved to Silicon Valley?
On the day of the Oscars, Tom Forenski thinks that films have lost their magic, and Net technology has seized it.

Whit Diffie Warns Of Overbroad Privacy Laws
"I am, on balance, more pleased with the fact that I can learn lots of information about people in minutes by using the Web than I am concerned about the fact that people can learn lots of information about me that way. And I would not like to see laws that restrict people's ability to go investigate things. "

Protect Your Users' Data With a Privacy Wall
How one company works to protect its users' financial information.

SF Chronicle: Reverse Real ID
"Congress must take a hard look at whether it makes sense to proceed with an expansive law that would be more appropriately called the National ID Act."

North Korea and the Internet
North Korea's strange, inward-looking national intranet.

Did WIPO's Director-General Lie About his age?
Confidential report suggests that he was 28 when he first took the job, not 37, and has repeatedly given the wrong age on official documents for 24 years.

The "Crime" of Blogging in Egypt
Abdelkareem Nabil Soliman is sentenced to four years for free speech.

Recording Industry Targets Colleges
Administrators get caught in the crossfire: "[The complaint] is asking us to pursue an investigation and as the service provider we don't see that as our role", says Purdue spokesman.

[EFF: Deep Links]

Battle brewing over RFID chip-hacking demo | InfoWorld | 2007-02-26 | By Paul F. Roberts

Wed, 28 Feb 2007 02:04:59 GMT

Secure card maker HID Corp. is objecting to a demonstration of a hacking tool at this week's Black Hat Federal security conference in Washington, D.C. that could make it easy to clone a wide range of so-called "proximity" door access cards.

HID has sent a letter to IOActive, a security consulting firm, accusing Chris Paget, IOActive's director of research and development, of possible patent infringement over a planned presentation, "RFID for beginners," on Wednesday, a move that could lead to legal action should the talk go forward, according to Jeff Moss, founder and director of Black Hat.

[ See also our Video: "Hack in action" ]

Lawsuits, patent claims silence Black Hat talk | InfoWorld | 2007-02-27 | By Paul F. Roberts

Wed, 28 Feb 2007 01:59:50 GMT

A planned talk on RFID security by a security researcher has been pulled from this week's Black Hat Federal security conference after secure card maker HID claimed the talk violated the company's patent rights and threatened to take legal action against Chris Paget, the researcher, and IOActive, Paget's employer, if the talk went forward.

The company decided to cancel the talk after all-night negotiations with HID collapsed, said Josh Pennell, CEO of IOActive. In response, Black Hat organizers were forced to tear materials out of printed show proceedings and will instead present a discussion by a representative of the ACLU on the criticality of RFID security, said Jeff Moss, founder and director of Black Hat.

A spokeswoman for HID did not immediately respond to a request for comment.

The incident recalled a 2005 dispute over a presentation at Black Hat in Las Vegas involving Cisco Systems and Michael Lynn, a security researcher who worked for Internet Security Systems at the time.

New Controversy over Black Hat Presentation.

Wed, 28 Feb 2007 01:55:39 GMT

New Controversy over Black Hat Presentation. uniquebydegrees writes "InfoWorld is reporting about a new controversy swirling around a planned presentation at Black Hat Federal in Washington D.C. this week. Security researcher Chris Paget of IOActive will demo an RFID hacking tool that can crack HID brand door access cards. HID Corp., which makes the cards, is miffed and is accusing IOActive of patent infringement over the presentation, recalling the legal wrangling over Michael Lynn's presentation of a Cisco IOS hole at Black Hat in 2005. Black Hat's Jeff Moss says they're standing by their speaker. A news conference is scheduled for tomorrow AM." Update: 02/27 20:10 GMT by Z :InfoWorldMike wrote with a link to story saying that the presentation has been pulled from the slate for Black Hat, as a result of this pressure. [Slashdot]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Tue, 27 Feb 2007 23:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 21:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

AHIC privacy co-chairman resigns in protest

Mon, 26 Feb 2007 23:10:39 GMT

Paul Feldman resigned on Feb. 21 as co-chairman of the American Health Information Community's Confidentiality, Privacy and Security (CPS) Workgroup, citing in a letter to Interim National Coordinator for Health Information Technology Robert Kolodner the panel's lack of "substantial progress toward the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network."

TSA to Supply Information on Possible Web Security Oversight.

Mon, 26 Feb 2007 22:43:05 GMT

TSA to Supply Information on Possible Web Security Oversight. House Committee on Oversight and Government Reform requests documentation by March 9th. [GT: Security and Privacy]

DHS Biometric Program in Trouble.

Mon, 26 Feb 2007 22:31:00 GMT

DHS Biometric Program in Trouble. Spiraling costs and a missing long-term strategy bedevil the US-VISIT program, which screens incoming travelers to the United States for terrorist links. Luke O'Brien reports from Washington. [Wired News: Security Blanket]

Fool Me Once, Shame On You But Fool Me Twice....

Mon, 26 Feb 2007 21:27:39 GMT

Fool Me Once, Shame On You But Fool Me Twice....

In aiming to settle a class action suit, a group of companies is throwing a proverbial pie in the face of affected consumers.

A Security Fix reader forwarded an e-mail about a benefit he allegedly was eligible to collect as a result of a class-action settlement over services offered by a subsidiary of Experian, one of the three major credit reporting bureaus.

I immediately sensed a phishing scam after reviewing the e-mail and the third-party site touted in the message, which asks the visitor to enter a Social Security number and birth date. But it turns out that the site is legitimate, although extremely insensitive to consumers.

The class-action case referenced in the e-mail is the latest in a series of lawsuits against Consumerinfo.com. The firm promised free credit reports but allegedly failed to clarify that it would charge a customer's credit card $79.95 for a "credit monitoring service."

In yet another insult for affected consumers, the Web site providing more information about the settlement encourages affected individuals to further expose their personal data online.

Consumerinfo.com agreed last week to pay $300,000 to settle charges brought by the Federal Trade Commission that it violated the terms of a previous settlement with the agency over the misleading "free credit reports." It was originally fined $950,000.

The impersonal e-mail was sent to consumers from browningnotice@gardencitygroup.com. It begins: "NOTICE FROM FEDERAL COURT. PLEASE READ. Records show that you entered into an agreement over the Internet with Consumerinfo.com or an Experian entity to purchase any Credit Check or Credit Check Monitoring (which were formerly known as CreditCheck Monitoring Service), Credit Manager (including Yahoo! Credit Manager), Triple Alert, or Triple Advantage credit-monitoring product, or you paid for a credit score sold on a Web site that also sold one of these credit-monitoring products, between June 17, 1998 and December 27, 2006. If so, you may be eligible to receive a benefit under the proposed settlement."

So, exactly what is this perk? It's 60 days of free credit monitoring service from Experian. If you don't cancel this "benefit," Experian will bill you $9.95 per month after the initial 60 days.

The e-mail details the terms of the settlement:

"If you choose credit monitoring, and you don't cancel your credit-monitoring membership after using your code to obtain the credit monitoring benefit but prior to the expiration of the 60 day, settlement benefit period, you will be billed at the then-applicable rate, which is currently $9.95, for each month that you continue your membership."

If you were an individual burned by this bogus "free credit report" offer who wasn't already insulted enough, go to browningsettlement.com, the site erected by Melville, N.Y.-based Garden City Group, a company that administers class action settlements.

The Web site includes a link to "update your contact information," where it asks a visitors to enter a Social Security number and birth date. Phishing scams almost always try to dupe people into entering personal data at fake bank and e-commerce sites by blasting out e-mails telling people they need to "update" their information. I spoke with the contact who registered the site, Frank Dmuchowski, but he referred me without comment to Garden City's public relations staff. That person in turn referred me to a woman at Experian, with whom I'm currently playing phone tag.

How else does this whole operation resemble a phishing scam? The e-mail does not address the recipient by name. It contains some very elaborate explanations and legalese that is somewhat akin to a Nigerian scheme. There is also the element of urgency. Recipients are told that if they do not respond within a given period of time, they will give up their rights to sue the company in as part of a class in any other lawsuit. Maybe that's one reason why we have seen phishing scams disguised as settlement offers succeed so well: settlement companies are conditioning consumers to respond to them, and the federal courts are encouraging this practice.

But wait, there's more. While a federal court has deemed it acceptable for companies like the Garden City Group to communicate with people this way via e-mail, anyone who wants to object or exclude themselves from the settlement terms must do so by snail mail by May 15. Anyone who wants to accept the dubious settlement benefit, however, is free to do so by e-mail.

Please do not let this May 15 deadline slip away. Write to the Browning Settlement Administrator to tell the court why you think the settlement stinks:

Objections-Browning Settlement Administrator
P.O. Box 91141
Seattle, WA 98111-9241

In addition, you can request to speak in court about the fairness of the settlement at a hearing on July 31.

Under federal law, all U.S. citizens are eligible for a free copy of their credit report from each of the three major credit reporting bureaus: Experian, Equifax and Trans Union. Consumers should take advantage of this benefit, but only by visiting http://www.annualcreditreport.com or calling a toll-free number: 1-877-322-8228. You will get the most mileage out of your free reports if you scatter them across the entire calendar year by contacting a different credit bureau every four months.

Update, 3:50 p.m.: I heard from Experian spokesperson Heather Greer, who said that all communications were reviewed and approved by the court in accordance with the settlement." With regard to this settlement, we felt that this was the best way to inform consumers as soon as possible as to the products they were entitled to as part of the class," Green said. She added that the settlement site also includes a toll-free number (1-800-399-4322) that consumers also can use to either opt-out or accept the terms of the settlement.

[Security Fix]

Think Your Social Security Number Is Secure? Think Again - New York Times

Sun, 25 Feb 2007 03:35:33 GMT

It should come as little surprise that Social Security numbers are posted on the Internet. But, says Betty Ostergren, a former insurance claims supervisor in suburban Richmond, Va., who has spent years trolling for them, "people are always astounded" to learn that theirs is one of them.

Mrs. Ostergren, 57, has made a name for herself as a gadfly as she took on a lonely and sometimes frustrating mission to draw attention to the situation. With addresses, dates of birth and maiden names often associated with Social Security numbers, she said, they are a gift to data thieves.

But in the last few weeks, Mrs. Ostergren's Web site, The Virginia Watchdog -- with the help of lobbying from an unexpected ally, America's farm bureaus -- is having an effect.

One by one, states and counties have started removing images of documents that contain Social Security numbers, or they are blocking out the numbers. Four states, including New York, have removed links to images of public documents containing Social Security numbers.

Fraudsters Declare War on Anti-Scam Services.

Sun, 25 Feb 2007 03:15:24 GMT

Fraudsters Declare War on Anti-Scam Services.

Spammers have been attacking and threatening several of the groups and individuals who have been performing some of the most important work in hobbling online scams, spam and computer viruses.

The SANS Internet Storm Center on Thursday found a piece of malicious code (called "sans.exe") designed to update a group of several thousand infected computers that SANS has been monitoring. The code includes text strings that suggest an attack on the center if two of its crime fighters don't stop interfering with his money-making spam operations. The message, in part, read:

"You better f*** off SANS.org especially that [SANS chief technology officer] Johannes Ullrich (phone and e-mail address deleted) and Kevin Hong (phone and e-mail address deleted). I really don't have anything against you, just piss off alright?" [sic]

"I guess we always felt like this [was] going to happen at some point," Ullrich said in an online chat with Security Fix this morning. "Adding taunts like this to their code isn't what you would expect from a professional criminal trying to stay low profile. [It] points to a more juvenile 'hooligan' mentality," than hardened cyber crook.

Last month, a number of anti-spam Web sites came under a sustained "distributed denial of service" (DDoS) attack, an electronic assault during which the attackers use thousands of compromised personal computers to overwhelm a target with so much bogus traffic that the PCs can't accommodate legitimate visitors.

The attacks were made possible by tens of thousands - perhaps millions - of computers infected by the recent e-mail virus known as the "Storm worm. The virus links all infected computers into a peer-to-peer data network using the same technology as the eDonkey file-sharing network. The attackers later instructed the networked machines to attack sites such as spam trackers Spamhaus and the personal Web site of Joe Stewart, the SecureWorks researcher who conducted some of the most detailed analysis of the Storm worm.

The Web sites for CastleCops -- an all-volunteer, online scam fighting community -- also have been under a consistent denial-of-service attack for the past couple of weeks. Its main site and user forum are not working again this morning. Security Fix has spotlighted the laudable work this volunteer group does in bringing down phishing Web sites and analyzing new malicious software.

CastleCops co-founder Robin Laudanski said the intermittent site shutdowns have been inconvenient, but added that they have bolstered support for the group from within the security community.

"I take [the attacks] as a compliment because if we weren't putting a dent in the bad guys' pocketbooks, we wouldn't be getting attacked," Laudanski said. "It means we're being a pain, and that we're doing something right."

[Security Fix]