Biometric Passport Crack: Privacy, Security Threat

Face and fingerprints swiped in Dutch biometric passport crack according to a Dutch News program. A security specialist apparently cracked the Dutch passport, decrypted and read all personal data from that biometric passport. The danger in this can be clearly seen in that necessary information can be remotely read, decrypted copied and installed on fake passports to defeat security sytsems at any airport or border crossing. Those fakes would become a severe security threat worldwide - not to mention a threat to the passport holder whose information was stolen for nefarious uses. Passport security requires dramatic improvements in encryption and protections against remote reading with RFID scanners before it is used by any nation.

Save To Del.icio.us    Digg This!

Big Business in Legal Electronic Discovery

E-Discovery Is Big Business according to this Wired News article, which discusses major legal sleuthing firms whose job it is to pore over electronic communications and stored computer documents for use in legal battles such as the Enron accounting scandal and other corporate litigation.

These "e-discovery services" not only mine vast data stores from corporate computer networks and crunch it for evidence of wrongdoing, but they then store that data and retain it for their clients in vast storage computers. This information trove contains employee emails, word documents and any company generated information retrieved from electronic devices involved in compliance issues or litigation.

The data is then made available online over secure networks to legal teams to review, mark up, edit into legal documents and mine for new data. Security in this arena must surely be a minefield as legal opponents and corporate cybersleuths - even hackers and internal moles - would probably like access to undermine competitors or seek insider trading information on active cases.

Data has become more valuable than could have previously been imagined. New businesses are being founded to re-mine that data for myriad purposes and store it securely. Privacy issues will emerge from within this morass of data as external emails from employees or personal documents retrieved from computers during lunchtime activity by secretaries are sucked into this data pit.

Save To Del.icio.us    Digg This!

Convenience (Laziness) vs. Privacy

BBC NEWS - Will convenience beat privacy? This BBC story cuts to the true source of privacy issues - whereupon we prefer not having to re-fill out forms to the degree that the Gator application by Claria Corporation became nearly a $100 million a year company by selling advertisements through pop-up ads with their adware in 2003 (along with several competitors).

This story outlines how our laziness when it comes to filling out forms means that we are willing to sell our information to companies doing business with middleware firms to store that data for us. The latest development in this line is called AttentionTrust, which is being touted as a way to share your informtion with online companies through a supposedly trusted third party site.

Trust is the big thing we have to swallow here. No matter who we turn over information to, we must assign huge doses of trust that they will treat our data with care, protect it from both internal and external bad guys and never sell it or provide it to any source without our explicit permission.

Unfortunately estimates of the number of people who actually read web site privacy policies range from as much as half of all site visitors (extremely doubtful) to about 3% (probably still optimistic). We don't want to be bothered to take the time, even though the data we willingly provide is often sensitive info like credit card numbers, phone numbers, email addresses and street addresses.

We must be aware that all information given to any web site is then considered their property to do with as they wish. Many times that means selling to affiliated web sites or business partners, vendors and advertisers. We are much too lax with our sensitive information. This is the reason that so many are duped by spoofed emails appearing to come from their financial institutions or from PayPal.

People will give away far too much information in order to have the CHANCE of winning a prize and retailers and marketers are painfully aware of this. The reason for giveaways and promotions is simply to gather this valuable information and either USE it to sell things to participants or to sell it to marketing firms and the like. People need to learn to keep hold of their information without giving in to the temptation toward laziness for filling out forms (Claria's Gator) or giving it away to gain the CHANCE for a prize on every web site or giveaway in the mall.

Save To Del.icio.us    Digg This!

Goods Sold Database Privacy Concern

Database on goods sold angers privacy watchdog. Canadian privacy advocates are making a splash recently. The latest noise is coming from a little known law which affects second hand stores and pawn shops in Oshowa, Ontario where Ann Cavoukian, Ontario's information and privacy commissioner is out to squash city bylaws requiring pawn shops and second hand stores to record the height and description of used goods sellers to police. A data brokerage called Business Watch International is gathering data on used goods sellers and making that database available to police without knowledge or consent of persons selling used goods at those outlets.

One more commercial database established to profit from selling data that opens the door to mistaken criminal identity of those cleaning out their garage on a weekend. This also creates a burden on business to keep extensive records on the goods they purchase and spend daily time reporting to police.

Save To Del.icio.us    Digg This!

Privacy: Spying on Yourself Online

With myware, soon you may be spying on yourself online according to this CNN/ Business 2.0/ article outlining a new startup which is proposing an application called "Myware" in a play on the better known "Spyware". The concept is being promoted as a way to gather and protect ones own personally identifiable information online through a service called "Root Vaults" and an affiliated organization called "Attention Trust" which measures the amount of time spent and frequency of visits to particular web sites through an extension to the FireFox browser.

The concept is being promoted as a way to gain access and control the information gathered (by users of the browser extension) during surfing online.

But the water is muddied here by combining the Attention Trust, which may have laudable goals, with Root Vault, which is purely a data brokerage. A visit to the Root Vault site clarifies that it is purely a commercial enterprise seeking control of user information in order to become the broker of that information to advertisers, web site owners and email lists. There are currently four buttons on the site with only one for consumers and three for potential purchasers of member information.

Currently, support is coming from entrepreneurs and investors, and based on the angle and tone of the CNN story, it appears that they may also be early investors in Root Vault by referencing AttentionTrust.

The first place to visit upon visiting the Root Vault is the "Privacy Policy" to see that users are agreeing to provide ALL of their surfing information to the Root Vault web site and company and that major "clients" of the site are financial institutions, made very clear in this excerpt from that privacy policy:

Our product and service providers, which primarily are banks, mortgage lenders and brokers, have entered into agreements with us, and they are required to comply with the Root Markets Code of Conduct, which incorporates, among other things, the federal and state privacy regulations. Those product and service providers may contact you by telephone or e-mail or postal mail directly after they receive your information even if you have opted into the National Do Not Call List administered by the Federal Trade Commission, any state equivalent Do Not Call List, or the Do Not Call List of an internal company.

The apparent attraction to consumers interested in AttentionTrust is the ability to access, edit and control their own information, when in fact, they are providing extensive surfing and online behavior information about themselves to buyers of that information through the Root Vault service and giving up privacy they had previously, including "Do Not Call" list protections. Root Vault suggests that users will have complete control through AttentionTrust, but that control is limited to information that has not been released or sold already.

This Root Vault service appears upon even casual review, to be a wolf in sheeps clothing and a fairy tale about privacy protection which is lent by affiliation with AttentionTrust. Users will be spying on themselves with AttentionTrust browser plug-ins and providing all data gathered to make money for a third party broker (Root Vault) of information working for financial institutions and loan brokers seeking leads. It is inevitable that data aggregation achieved through the AttentionTrust MyWare browser extension, when coupled with any data brokerage services, will do more to erode and reduce online privacy of users than to protect it.

Attention Trust is threatening any potential good they might do for privacy protection by very early affiliation with data brokers and aggregators like Root Vault. This murky pond combines good (control and access of personally identifiable information) with bad (data brokers and email spammers seeking that information) and confuses privacy protection with data sales. If AtttentionTrust hopes to gain traction at this early stage of development of such a platform, it will have to studiously avoid any implied connection to or support of data brokerages.

Save To Del.icio.us    Digg This!

Phone Pecord Privacy Politics

Politicians call for better phone record privacy This excellent story touches on all the most stunning highlights of the apparent ease with which several web sites obtained phone records to sell. It appears that a firestorm of legislation was whipped up by the news about dozens of web sites which sell telephone records to all comers with $110 to spend and a phone number to trace. Rightly so.

The best news in the C|Net news story linked above are the suggestions being made by the Electronic Privacy Information Center (EPIC). Quoted from the C|Net story:

... limiting retention of records that are no longer needed for billing purposes, encrypting data stored by phone service providers, allowing customers to set passwords on their accounts, issuing notifications if any security breach occurs, and supplying "audit trails" that record whenever a customer's record is accessed.

Three cheers for EPIC! Congratulations to the politicians who finally see the concerns of their constituents about privacy, data security and public disclosure are very real and require attention and serious legislation.

Save To Del.icio.us    Digg This!

ChoicePoint $15 million Fine Privacy Leak

ChoicePoint to pay $15 million over data leak according to this lnked ZDnet story. 10 Million to the FTC and $5 Million to compensate any consumers who suffered due to the loss of their social security numbers and other critical personally identifiable information that compromised their financial information or caused identity theft.

Seems a bit backwards - shouldn't consumers get more than the FTC? What does FTC do with that money? Does it go to further safeguard consumers private financial information held by data brokers? My bet is that it is funneled to government programs with budget shortfalls or even handed back to ChoicePoint once the furor has died down.

First reactions are positive toward FTC for "Sticking it to" ChoicePoint.

Save To Del.icio.us    Digg This!

Iris Scan Grade School

Iris Scanning For New Jersey Grade School. This story casually covers the requirement of all teachers and parents submitting to iris scans in order to have access to their children at school. While it does serve the purpose of protecting the children from strangers by verifying ID of parents and teachers, the larger issue is once again, how is that information protected? Who has access to the database of scans and related home address, name and other identifying data. How is that access controlled and protected. And finally, when does the data become accessible by law enforcement & government with warrant (warrantless for Feds now apparently) searches?

Save To Del.icio.us    Digg This!

Wal-Mart, Costco Fingerprint Payments

Wal-Mart, Costco weigh biometric payment system CNN story pointed out by PrivacyWar blog in response to my previous post praising Costco for refusing to turn over customer address information to British Columbia provincial government seeking sales taxes from Alberta customers of Costco.

Once again demonstrating that if information exists, that data will be mined for revenue enhancement, theft or law enforcement. Wal-Mart and Costco's goal is revenue enhancement gained by reduced costs of payment processing and speedier checkouts.

The threat of theft via dishonest employees, hackers or others with data access becomes a looming monster over valuable fingerprint records of customers combined with other personally identifiable data, making protection of that data another critical cost center that may be ignored by the giant retailers. There is little profit in proactively protecting customer data - it becomes an afterthought when data leaks or thefts or warrants lead to unwanted negative publicity.

Finally, once government and law enforcement know of the existence of the fingerprint databases at Costco and Wal-Mart, they will subpoena and seek by warrant, any data they can convince a judge they need.

The value of the information held by retailers is already huge. I was surprised recently when returning a product to Staples that they required my driver license and address information to complete the return. When asked why, I was told it was to flag frequent returned items tied to specific individuals who abuse that priviledge. Here is a San Francisco Chronicle story detailing the customer returns database practice and the company mentioned in that story, called "Return Exchange, Inc." based in Southern California.

More new companies are being launched daily to gather and share different types of information with retailers. Who is to say which of those companies Wal-Mart and Costco will share those customer fingerprints with - fingerprints linked to financial information required to process biometric payments? Who has access internally and externally to that financial and fingerprint data held by those retailers and how is that precious data protected?

Save To Del.icio.us    Digg This!

Social Security Number (SSN) Privacy

What to do when they ask for your Social Security Number is the most complete and effective document I've seen about protecting your financial privacy by refusing to give your social security number to anyone who doesn't have a strict legal need for it. Taxes, banking, loan applications, and employer payroll records are among those legitimate reasons for requesting SSN's.

This outlines SSN history, legalities and how to avoid giving the number to those who have no true need for it. Businesses and especially low level individuals (clerks, registration desk staff) representing non-governmental or non-employment sources should be refused when they request your social security number.

I had been warned about this before taking a trip to Jamaica and had actually started to give my SSN to a tourist attraction registration desk clerk when I stopped myself and refused it. I saw a fake charge on my debit card when I returned home and got it removed and then had the card voided and replaced by my bank. I imagine that giving the SSN would have subjected me to far worse financial perils if I'd given it to that clerk when asked. How many unsuspecting tourists fall for that ruse?

I once refused to give my SSN to a YMCA to use their swimming pool. The clerk dutifully got the manager for me after insisting, "It's our policy". The manager agreed and apologized, asking me to leave if I wouldn't provide the SSN for their records! Do they protect those user SSN numbers from internal abuse or theft by employees? I doubt it and left the pool rather than providing that valuable number to an organization that had no legitimate need for it.

Don't volunteer your SSN to those who have no real need for that information. Legitimate needs would be for loan documents, tax information, employment purposes or banking uses.

Save To Del.icio.us    Digg This!

Costco protects customer privacy

Discount membership outlet, Costco has taken a stance against Big Brother with their refusal to hand over member names from a single store in Grande Prairie, Alberta, Canada to the British Columbia government. BC taxing authorities are attempting to track BC residents who cross into Alberta to purchase goods from a regional shopping area to avoid a seven percent BC provinical sales tax.

This issue is a standard battle anywhere between border towns with no tax beside towns or counties / provinces with higher sales taxes. Sales will always be higher in the lower taxation zones.

But this long running battle between Alberta and British Columbia underscores a privacy issue in dramatic form. Wherever data exists, government will attempt to demand access to that data for law enforcement and revenue enhancement. The BC government saw customer data at Costco as a rich source of income. Just look for BC residence addresses in the database and collect provincial sales tax from their purchases in Alberta.

Costco rightly refused to hand over member information and the BC government backed down - but the scuffle highlights an issue of privacy which will not easily go away. Anywhere information exists, some entity will want access to that information. This was highlighted last week when the US Justice Department demanded a million random web sites from Google's database, along with a week worth of search queries.

Google refused and claimed the demand was "overreaching" and "burdensome" as well as threatening the privacy of their users. I've stated elsewhere that no private user information was demanded or delivered by the other three search engines when they complied with similar DOJ demands. I believe the privacy issue is a moot point in that story.

But I believe strongly that where information exists, someone is going to want access to it - be it Government, law enforcement, hackers, criminals or nosy neighbors. Because businesses are demanding more information from customers, and storing more information from transactions, including credit card information and other personally identifiable data on each individual transaction - customers rightly demand that those businesses will protect that information.

Google has been publicly supported by the national press in the US on it's decision to fight the feds on those demands for random search queries and web site lists from the Google database. Costco is now taking the correct stand in protecting British Columbia residents from unreasonable access to customer data by government.

Businesses should continue to take this stance worldwide and continue to protect user data from unreasonable access to private financial data by any entity, including bad guy hackers seeking credit card and other sensitive info, governments seeking transactional data or tracking financial activity, or nosy neighbors seeking juicy gossip. Those businesses holding substantial sensitive information on customers owe it to those customers to prevent access to that information by any source.

Save To Del.icio.us    Digg This!

Pretexting Privacy? Cell Phone Records Sold to Lying Brokers

The headline above leads to a Wired News story about pretexting by phone records brokers working a shadowy underground service selling phone records. A previous post here noted a story in the Chicago Sun-Times where cell phone records are for sale via multiple web sites.

How to get that information to sell it? Lie. Call up phone company employees pretending to be another phone company employee in a "Special Needs Office" pretending to be representing voice handicapped customers and simply ask for their cell phone records. Bingo, nobody wants to deny "Special Needs" customers their right to their records - so just give them up, without checking any further!

This is an internal cell phone provider problem that they have tried to pass off by suing those who have done the pretexting in civil courts, since it is not yet illegal to do this devious deed. This is how the now infamous LocateCell.com has been getting phone records and selling them for $110 per monthly phone bill - by lying to phone reps who don't know better because they have not been briefed by their employer about the scam.

Phone companies bear responsibility for lax internal privacy policies and failure to warn call center employees of this problem. Instead they simply go to court to stop the bad guys from calling? Just tell employees NOT to give those records to anyone but the customer! Bizarre.

Save To Del.icio.us    Digg This!

National driver license law Privacy nightmare'

National uniform driver's license law is privacy 'nightmare': "An anti-terrorism law creating a national standard for all driver's licenses by 2008 isn't upsetting just civil libertarians and immigration rights activists. State motor vehicle officials nationwide who will have to carry out the Real ID Act say its authors grossly underestimated its logistical, technological and financial demands. In a comprehensive survey obtained by The Associated Press and in follow-up interviews, officials cast doubt on the states' ability to comply with the law on time and fretted that it will be a budget buster. 'It is just flat out impossible and unrealistic to meet the prescriptive provisions of this law by 2008,' Betty Serian, a deputy secretary of the Pennsylvania Department of Transportation, said in an interview"

Now these are NOT privacy advocates complaining here - they are conservative middle America DOT managers and DMV officials nationwide stating flatly that the requirements are "Impossible" and "budget buster" and require updates and changes to state databases and computer systems that may bankrupt many state IT departments in the process. This is all creating a defacto national ID card in the form of a driver license - not a REAL national ID, but a back door attempt at the same. It was discussed extensively after 9/11 and dismissed by all as privacy invasive and impossible to implement more quickly than about a 10 year time frame. Now it is being mandated within three years and states are crying foul. Technology is embraced in this scenario as a savior of policy while simply requiring states to pay for systems upgrades which they cannot afford. It won't work. It can't work.

Save To Del.icio.us    Digg This!

British Road Surveillance Tracks Cars

Christian Science Monitor story on newly approved UK scheme to record and store all road trips of English motorists for two years in giant surveillance database. Not only recording every trip made by every car, but checking for current registration, warrants, insurance, licensing and any other aspect the government wants to attach and aggregate. Already there is a road tax surcharge for the busiest streets of London that is enforced by a more limited set of surveillance cameras.

This comes from the most heavily surveilled country in the world, which will also be establishing a national ID card by 2008. Truly Big Brother.

Save To Del.icio.us    Digg This!

Cell Phone Privacy Sold for $110

Chicago Sun Times Crime Reporter Frank Main bombshell privacy story (linked above) tells of a web site called LocateCell (one of dozens of similar services) where the cell phone records of any phone can be purchased for $110 for a list, plus $50 more for length of calls.

The Chicago Police Department is warning it's undercover officers not to make personal calls on their undercover phones. The FBI ran a test of the service, paid $160 to see the cell phone calls of one of their own FBI agents and had the results in three hours.

Obviously this service is not illegal or it would be shut down quickly. New laws must be passed to outlaw the sale of phone records. Senator Charles Schumer (D-N.Y.), has called for legislation to outlaw phone record theft and use. Illinois Gov. Blagojevich announced he will seek legislation this spring making it illegal for brokers to sell telephone account records and other personal information.

The legislation proposed by the Illinois governor also would ban phone companies from releasing information to anyone except the account holder, law enforcement agencies or someone with a court order. Phone companies would have to maintain tight security and notify customers of breaches.

The only requirements to use the service are a credit card and a phone number you want to see the call list for. Spouses checking up on wandering mates can easily check up on the calls made from their cell phones. Private investigators routinely use the services. The dangers to abused spouses is clear. Criminals stalking anyone with a cell phone could pose a real threat with phone number information easily available on their targets.

But how are the web services that sell the phone records obtaining that data? Verizon Wireless has filed lawsuits in Tennessee and Florida against companies that sold Verizon customers' phone records.

In December, Cingular Wireless LLC sued Data Find Solutions and 1st Source Information Specialists in federal court in Atlanta, claiming they obtained and sold customers' confidential information through improper hacking and unauthorized access to online account information in Cingular's computer network.

Is it possible that only hacking is to blame or are the phone companies simply to lax with who they release information to? Maybe they profit from selling those numbers themselves? Maybe not, but how is that dozens of online businesses are able to sell that information if it is not readily available? The Electronic Privacy Information Center has filed a petition with the FCC seeking an end to the sale of telephone records.

Something must be done soon to stop theft and sale of phone records. Thank you to the Chicago Sun Times Frank Main for unearthing this privacy nightmare.

Save To Del.icio.us    Digg This!

Privacy hackers RFID zapper

German privacy hackers develop RFID zapper Since the RFID industry tends to want to ignore privacy implications of RFID tags, privacy advocates have taken to vigilante justice in a newly developed Zapper that fries the workings of any tags included in products. RFID industry ignores privacy concerns - privacy advocates will have their way.

Some who have installed VeriChips or similar in their pets are fretting that animal thieves will now zap the tags injected in their prize-winning dogs. Even worse, many worry that shoplifters will soon be equipped with RFID zappers to prevent setting off retail store alarms.

Well, it seems that if the RFID industry had paid serious attention to privacy advocates in the first place, this wouldn't be happening at all. Make it possible (some might say mandatory) to disable tags on all purchased goods before they leave the store. Clearly - if it is possible for consumers to permanently turn off RFID tags at will, then there will be no need to take that brute force step, eh?

RFID industry wake up call here.

Save To Del.icio.us    Digg This!