Tuesday, February 28, 2006

Senate Inaction on Data Privacy Bill

Inside Bay Area - Daily Review Online - Op-Ed: This Dianne Feinstein commentary appears in the Opinion section of the "Daily Review" of February 28. In it, she describes the problem of identity theft and how it must be battled by requiring companies that hold personal financial information on consumers to notify those whose information is compromised in any data breach.

She lists some of the well known recent cases, and then announces her introduction of legislation which requires companies to notify customers of every data breach which exposes them to potential identity theft. This comes amid a flurry of ID theft news and extensive local level lawmaking. Feinstein is taking this to the Senate for national action.

She then points to the inaction on the bill by noting that:

This bill was incorporated into a larger data privacy bill that I sponsored with Senators Arlen Specter, Patrick Leahy, and Russ Feingold, which was approved by the Senate Judiciary Committee in November. We have written Senate Majority Leader Bill Frist to get a commitment to bring the bill to the floor, but have not gotten a response.

posted by RealitySEO at 4:16 PM 0 comments

Saturday, February 25, 2006

Government, Business & Big Brother on CNBC

Excellent Tim Russert show on CNBC Saturday, 7pm & 10pm ET
Authors James Risen (State of War) and Robert O’Harrow, Jr. (No Place To Hide), on "Government, Business and Big Brother."
Russert, the Meet the Press journalist from MSNBC, interviews the two authors on privacy, surveillance, RFID tracking, identity theft and NSA illegal wiretapping. There is currently no live link to the show or to a transcript.

It's great to see privacy issues making their way into mainstream media and hour long CNBC television shows.

From the Washington Post Bio for O'Harrow,

As a reporter for the Financial and Investigative staffs of the Post, Robert O'Harrow has carved out a data privacy beat and uncovered stories about the use of information that has led to changes in state and federal law. In 2000, O'Harrow was a finalist for a Pulitzer Prize. He was a recipient of the 2003 Carnegie Mellon Cybersecurity Reporting Award.
From a bio of James Risen at Random House comes the following:
James Risen covers national security for The New York Times. He was a member of the team that won the Pulitzer Prize for explanatory reporting in 2002 for coverage of September 11 and terrorism.
Clearly these are not extremists, but rather Pulitzer prize nominated authors employed by two of the largest newspapers in the country. They put forward well-reasoned arguments against surveillance and put forward serious issues on privacy invasion in our society. America needs to pay attention and begin to get this monster under control.

posted by RealitySEO at 7:47 PM 0 comments

Total Information Awareness Lives On

NATIONAL JOURNAL: TIA Lives On (02/23/2006). This story, penned by Shane Harris, discusses how aspects of the Defense Department's Total Information Awareness program, supposedly ended by legislators after public uproar and vehement opposition by privacy advocates, have been continued under other names in different government agencies.

With a "deep throat" type of informant, Harris claims to have uncovered a very active program continuing under code names

... according to documents obtained by National Journal and to intelligence sources familiar with the move. The names of key projects were changed, apparently to conceal their identities, but their funding remained intact, often under the same contracts.

It is no secret that some parts of TIA lived on behind the veil of the classified intelligence budget. However, the projects that moved, their new code names, and the agencies that took them over haven't previously been disclosed. Sources aware of the transfers declined to speak on the record for this story because, they said, the identities of the specific programs are classified.
These programs are funded under secret intelligence programs and while that keeps details from view, it doesn't stop a bit of random speculation.

I'll hesitantly step out on a limb here and suggest that BILLIONS are accessible to fund these programs through obfuscation and claimed losses and diversions of cash that have passed through just one source. That source is Iraq and supposed "missing" money that was passed out, in cash, by the wheelbarrow full to Iraqis.

Nine BILLION dollars is claimed to be "missing" and unaccounted for by those in charge of those funds. Further BILLIONS have gone missing through Halliburton and other infrastructure rebuilding firms absorbing massive funding in Iraq rebuilding.

Redirecting "missing funds" to secret projects is very likely, but even if this little scenario were a complete fantasy, there is funding available to programs the Bush administration strongly supports. There will be a way found to fully fund Total Information Awareness, no matter what it is called to hide its existence.

posted by RealitySEO at 5:19 PM 0 comments

Thursday, February 23, 2006

CardSystems Solutions Settles FTC Charges

CardSystems Solutions Settles FTC Charges with a finger wagging and a tsk, tsk. No fines, no consequences, just biennial audits required. CardSystems was sold to Solidus Networks, Inc., doing business as Pay By Touch Solutions in December, 2005 near the time of the data breach. The FTC says "Your Bad", and the company is done.

posted by RealitySEO at 11:06 PM 0 comments

Canadian Do Not Call List Proposed

CRTC seeks comments on National Do Not Call List and Telemarketing Rules. It appears that our neighbors to the north are going to get their own Do Not Call List. The Canadian Radio-television and Telecommunications Commission (CRTC), which is roughly the equivalent of the US Federal Communications Commission or FCC, has called for public comments in the above linked press release. An idea whose time has come will likely spread around the world due to the aggressive phone calling abuses of business marketing firms.

posted by RealitySEO at 10:54 PM 0 comments

Schwarzenegger Summit on Identity Theft

Governor Arnold Schwarzenegger Opened Second Annual Summit to Fight Identity Theft before representatives of law enforcement, the financial services industry, consumer groups and state and local government.
Nearly 10 million people in the United States are victims of identity theft each year - more than one million of them are Californians. In 2005, this crime cost businesses and financial institutions more than $57 million nationwide.
Note the statistics on the cost to BUSINESSES but no mention of the cost to CONSUMERS in lost dollars, time to fix credit histories and lost time from work, which likely amounts to more in dollar amounts than that cost to financial institutions. ChoicePoint was fined $15 million for its role in the theft of financial data to criminals (and probably made back a good portion of that in fees paid by those crooks to access the data).

Just one of the criminals convicted in the data thefts involved was suspected of a $65 million haul in just his small portion of resulting identity thefts. Business and financial institutions will eat a portion of that loss, but data broker ChoicePoint - the original source of the losses - should see larger losses than the financial institutions. Insurance carriers of affected credit cards and other identity theft targets will probably bear the brunt of the costs.

posted by RealitySEO at 3:28 PM 0 comments

Strict Privacy Liability in Financial Data Breaches

Strict liability for data breaches?
This excellent piece by SecurityFocus' Mark Rasch reviews a court case in which a half million people were exposed to identity theft, credit ruination and financial humiliation due to the theft of a single laptop computer from the home of a financial analyst working as a consultant to a financial institution. (Court case here) The court found that no harm had been done.

As is the case in so many computer theft cases, no proof that any personal or financial information has actually been used is immediately available. Although the information is at risk for abuse only if the burglar is sophisticated enough to realize the value of the data on that computer and finds a way to sell it to sophisticated identity theft rings, there is simply no proof that any harm has been done.

Possibilities for serious crime are numerous, some more likely than others to be true and some, although far-fetched, are entirely realistic. The financial analyst, in one scenario, could be tired of crunching numbers and might prefer a tropical beach hut to his suburban Maryland home.

He might have come in contact with the head of a sophisticated identity theft ring, who offers him large sums of money to leave his laptop containing detailed personal and financial records of 550,000 people unlocked, unencrypted and available on his home office desk when he leaves home at a specified time and date.

He'd just have to file a police report for the burglary, book a flight to Tahiti and take a vacation. He could return to work tanned, relaxed and happy in a couple of months.

This scenario is a remote possibility for dozens of number crunchers and others in the finance industry, but it will NEVER be proven in court. The computers may be burgled by ignorant dimwits in need of a few items to fence to cover their next drug buy. They're happy with their haul in the burglary and are loaded and flying high on their dope before the machine is checked by a bit smarter crook working in the back room of the pawn shop where the laptop ended up.

It may go through the hands of a half dozen bad guys before it ends up, hard drive removed and copied, in the hands of a very savvy computer criminal hacker who then cracks the login information for the financial network (from that data on the stolen laptop) before the financial institution realizes this and has the opportunity to change access codes used by the consultant to access even more financial data on thousands more people.

At issue here is the clear fact that a financial institution that hires consultants working from their homes on laptops must be held strictly liable for all data breaches, thefts and resulting losses. Period.

There is no way the endless stream of losses will ever be dammed and the seriousness of the duty to protect that data will ever be understood unless and until those holding personal financial information are held strictly liable for ALL losses suffered for abuse of data they once held. The Gramm-Leach-Bliley Act requires all regulated by it to ...

establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards - (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Yet when data is breached (or in this case innocently lost to burglary) there are no consequences to the financial institution or the careless consultant who left unencrypted financial data for a half million people sitting on his desk in a highly portable laptop instead of a remote secured data center, encrypted and guarded.

The GLBA growls menacingly, but is a toothless old dog incapable of harming the crooks or the careless corporations handling, moving or transmitting that data - short of making them file loads of paperwork as a slap on the wrist.

Carelessness in handling financial data will never change until there is a bigger threat of loss to the industry treating that information in such a cavalier manner as to allow that data to even exist anywhere but Fort Knox-like, remote & secured data centers. Until the financial industry and all its minions face threat of substantial financial harm, there will be endless and ever-flowing data breaches leaking from hundreds of unsecured sources.

posted by RealitySEO at 8:18 AM 0 comments

Wednesday, February 22, 2006

Digital Surveillance Requires Privacy Laws

Digital Technology Makes Surveillance Easier: Stronger Laws Needed, Center for Democracy & Technology Report Finds. This press release issued today by CDT claims that tougher privacy protections & laws are needed due to the ease with which surveillance is now conducted. The likelihood that surveillance data will be misused by the government increases until we legislate protections against that abuse. The report is titled "Digital Search & Seizure: Updating Privacy Protections to Keep Pace With Technology" (PDF 1.1 MB - 48 page report.)

posted by RealitySEO at 5:55 PM 0 comments

State Department Tests RFID Passports

State Department Issues First E-Passports. Diplomats have been issued the first copies of new RFID-bearing electronic passports on a trial basis. Opponents of RFID passports worry that the embedded radio frequency tags can be "skimmed" from a distance, but the State Department has incorporated radio frequency blocking covers that prevent remote reading and claims the passports are secure. All newly issued passports are to contain the RFID chips by the end of 2006.

Dutch passports containing RFID tags were successfully skimmed in January. US officials claim that their version can't be skimmed and that the feared targeting of US citizens by terrorists using remote readers is not possible.

posted by RealitySEO at 4:01 PM 0 comments

Medical Privacy Requires Protection

From Typhoid Mary To Diabetic Debbie is an opinion piece by Phillip Longman in the Washington Post last Wednesday, beginning by pointing to a strange new law in New York, which became effective on January 15, 2006.
New York City began requiring local clinical laboratories to report to the city health department the results of blood sugar tests performed on citizens. The department plans to use the information to improve surveillance for diabetes, which afflicts an estimated one out of eight New Yorkers and to "target interventions."
Let us all hope this law falls quickly. Public agencies have no business doing ANY type of surveillance of medical records! What on earth are they thinking? Does this not immediately raise alarm bells about what non-infectious types of threats the health department may choose to monitor next? That odd law sounds as though it were authored by those with a financial interest in "Diabetic Interventions" - Wow!

In his commentary he uses flawed logic in supporting the need for free flow of medical information in order to allow protection of the public, whether from the threat of developing diabetes due to eating too much candy, or from inhaling second hand smoke from public smoking holes.

Longman joins the list of those decrying the protections of the Health Insurance Portability & Accountability Act (HIPAA) which has threatened some long term health studies undertaken before HIPAA was enacted in 1996 to help protect medical privacy. Longman cites the need for

the idea that every American should have a lifelong, electronic medical record. The promise is that such records would lead not only to better coordination of care among different providers but to fewer medical errors, more scientific medical practices, and ultimately, greatly reduced costs.
... which he believes should be completely open and accessible to the medical community as a whole.

This belief most often stems from a frustration by profit-making entities like pharmaceutical companies and medical device manufacturers that they can't run wholesale through public medical records looking for potential money-making opportunities and allowing them free data outside of those expensive (because they must fund them) and overly regulated medical studies (with tedious and burdensome laws) which take too long to complete and require scientific proofs by the medical community.

Reporters have been frustrated with HIPAA protections for years now because it meant that the ambulance chasers among them had suddenly been cut off from juicy emergency room gossip. Why? Because due to medical privacy laws, medical staff are no longer allowed to tell them who is injured, ill or diseased and how it came about.

Now those in the pharma and medical device industry can no longer pore over private medical records searching for free data to support their latest patent-pending. What a shame. Twila Brase of "Citizens Council on Health Care" wrote a letter to the editor in the Post responding to Longman's support of "Lifelong Medical Records" accessible for "Surveillance" by public agencies and corporate patent-pending industry. She sums up the core issue nicely ...

In Mr. Longman's view, every person should be "watched" through his or her medical record. Such intrusions would not only reduce the accuracy of data in the medical record -- wreaking havoc on research -- but also would cost more than a pretty penny to undo the resulting damage to the public's and patients' trust.
Hooray for HIPAA. Boo for medical "surveillance" by public agencies.

posted by RealitySEO at 8:38 AM 0 comments

Tuesday, February 21, 2006

Google Agrees - Desktop Search Risk

Google admits Desktop security risk when using the "Search across computers" optional function within the new version 3 beta of Google Desktop Search Software as Gartner research warns corporate America that GDS presents "Unacceptable Security Risks." The program requires a user to be tech savvy to make settings adjustments to prevent compromising important data within corporate networks.

Google agrees and their solution is that corporate IT departments not allow the use of the standard version of Desktop Search, but rather require the Enterprise version to be used to allow in-house corporate security staff to make appropriate settings to protect corporate data.

No doubt we'll see headlines about corporate espionage being carried out by disgruntled employees - or even whistle blowing employees who used Google Desktop Search to prove company wrongdoing in the near future. Google has made possible all manner of corporate spying and sleuthing via their elegant PC hard drive search tool.

No doubt we'll see blunders and slip-ups first as enterprise computers are exposed to the non-enterprise version of Google Desktop Search used by unauthorized employees.

Hacking into the laptop computers of sales force, road warrior and other traveling corporate employees via public wifi networks in airport lounges and coffee shops near convention centers will become an interesting new activity for a new breed of corporate spy.

This news focuses on the corporate aspect of GDS software after the Electronic Frontier Foundation last week called for a boycott of the standard version of Desktop Search due to privacy implications of storing hard drive data on Google servers, required when the "Search Across Computers" function is enabled in the software.

This has all the makings of the new movie "Firewall Meltdown - Google Desktop Search!"

posted by RealitySEO at 11:39 PM 0 comments

Privacy, Identities Corporate Focus

Private identities become a corporate focus according to this SecurityFocus piece by Robert Lemos, which leads with a reference to Scott McNealy's RSA Security Conference keynote speech, in which he took a decidedly different tone in regard to privacy than in his outrageous and now famous "You have zero privacy anyway, Get over it" comment in January of 1999. McNealy was the victim of a lost laptop containing his personal information and has come to see the light of privacy victimization out of his control.

Multiple serious data breaches and blunders are recapped in this piece and a slowly dawning awareness that protecting privacy can be good business is peeking above the horizon. Other corporate leaders at the RSA security conference presented on aspects of privacy and issues related to protecting it. Microsoft announced through Bill Gates that the long awaited new operating system will contain an application called

"InfoCard, the application will be part of Internet Explorer 7 and initially act as a password vault. However, as companies start signing agreements of trust and build federated identity systems, InfoCard could hold credentials that prove only certain attributes, Gates said."
So now corporations who we entrust with our private information are realizing that they could lose our trust, and quite easily. That makes it imperative that they find ways to stop leaks, thefts, hacks and losses of any kind in whatever ways they can possibly work out.

Hardware manufacturers, software designers, network operators, data brokers, web sites, ISPs and every link in the chain that connects them all must find ways to help us protect, armor and lock down all private, personal, financial, medical and even just embarrassing data. It's getting interesting.

posted by RealitySEO at 10:56 PM 0 comments

Monday, February 20, 2006

New Active Cookie Protects Against Pharming

New 'active cookie' helps protect Internet users from cyber crooks according to this news release from Indiana University, where a security startup company has been launched, co-founded by Cybersecurity expert and professor at IU, Markus Jakobsson.

The details of the concept are a bit much for the average internet user to easily understand, but it requires adoption of the "active cookies" concept by banking and financial services companies. The method protects against invisible redirects of web browsers from the site they intend to visit to another "spoof" site which appears to be the one they clicked to or typed into their browser address bar.

The startup is out to protect the 9 percent of those who fall victim to identity theft online through adoption of their concept by all financial services companies on the web. Here's to their success.

posted by RealitySEO at 3:53 PM 0 comments

Skype Calls Secure Against Wiretapping?

Skype could force end to wiretapping calls according to this MSNBC story. Clearly the NSA is just as aware of the inability to wiretap Skype calls as are terrorists and criminals, which is why the FBI attempted last year to force VOIP providers to route all calls through a back door tool allowing decryption. According to this current story,
Kurt Sauer, Skype's chief security officer said there are no "back doors" that could let a government bypass the encryption on a call. At the same time, he said Skype "cooperates fully with all lawful requests from relevant authorities." He would not give particulars on the type of support provided.
So while it is possible that the NSA has their own private access to Skype calls, just as they apparently have their own complete private access to AT&T calls, most callers can rest assured that those calls are not otherwise LEGALLY tapped. Only the lawbreaking NSA, through an illegal order from the Bush Administration, has access to your Skype calls if they want it, since it is unlikely that eBay-owned Skype has the cojones of Google to refuse over-reaching demands for too much information.

posted by RealitySEO at 9:23 AM 0 comments

Friday, February 17, 2006

Passwords Passe at RSA Security Conference

Wired News: Passwords Passe at RSA where it appears that phishing and pharming are being addressed by the banking industry due to high profile cases of data theft, which then lead to identity theft and which got them nervous about losing too much money. But the vast majority of those losses occurred due to weak security, not at banks, but at data brokers and poorly protected retail credit and debit card databases.

Of course the banks and large retailers are rightly tightening security for online transactions and their own internal networks. I called my bank yesterday to retrieve my online login information and went through the usual ID verification questions to get it - and then was shocked as I attempted to login while he held the phone and when I made a typo and that login failed, he said, "No, that's not it" from his place on the other end of the phone. I was startled that he could watch my login attempts live.

Interesting, but security industry attention should be focused on the source of the original losses of data - brokers who sell the information used to steal from the banks to crooks. How interesting that security experts are looking at protecting secondary targets against loss when it would seem the attention should be on the primary source of the information that leads to further losses.

posted by RealitySEO at 9:59 AM 0 comments

Thursday, February 16, 2006

Privacy & Anonymity Online - Nearly Impossible

Privacy and anonymity
This long piece by Kelly Martin of SecurityFocus looks at tools and techniques to remain anonymous online and to protect personal and financial information on your computer from prying eyes, or subpoenas. It all gets rather obscure and complex, with layers of hardware, software, providers and proxy IP address anonymizers (coffee shop wi-fi and laptops, with software protections as first choice), if one is truly insistent on remaining anonymous and secure.

The risk of losing the laptop to a thief in public places is greater than losing the data on the home computer to hackers and static IP address traces, combined with trojanware and key logger software. My belief is that it is nearly impossible to do if you want to stay sane and steer clear of paranoic mania. All the cloaking, covering, rerouting and hiding suggested by security analysts seems absurd and is certainly practiced by only a tiny fraction of web users.

I hope it never becomes necessary to be so careful in order to protect the privacy of average web users. What a nightmare scenario painted by Martin here of a shadowy world of privacy darkness. I realize it is possible to remain mostly anonymous online, but I believe I'd give up the web before I'd put such inordinate energy into protecting myself as rigorously as security experts appear to do.

posted by RealitySEO at 12:00 AM 0 comments

Monday, February 13, 2006

US Company Implants RFID Tags in Workers

US group implants electronic tags in workers according to this Financial Times of London news report. Apparently this Video Surveillance company in Ohio feels the need to "watch the watchers" by embedding RFID chips into two employees that have access to a video storage room where law enforcement store surveillance tapes.

One of the employees was interviewed, and claimed it didn't bother him to be tagged in this way. Interestingly, that employee quipped “It’s not a GPS chip. My wife can’t tell where I am.” How odd that he is more concerned about his wife knowing his whereabouts, than his employer.

The company claims the chipping is voluntary for the employees tagged for access to that room. I'd love to be a fly on the wall during the conversation with the employees volunteering for that chip.

"If you'd like a raise and a promotion, we have a proposal for you, how about being implanted with a company bug?" or perhaps, "If you'd like to stay assigned to this detail, you'll need to have this device injected into your shoulder, but don't worry, your fellow workers are lining up for the chance to take this position, so you don't have to do it, maybe you'd like guard shack duty at the front gate."

posted by RealitySEO at 11:44 AM 0 comments

Lawful Intercept Conferences? Spooks & Spies

I learned a new term today - Lawful Intercept. It apparently is a euphemism for wiretap which applies across the full spectrum of communications, including email, computer networks, Internet Service Providers, phone companies (wired and wireless) and any other known method of communication. And they have a yearly conference for law enforcement and government and of course, those who profit from the industry. The linked headline takes you to the conference overview. I was attracted to this spook and spy conference by a press release from a company called SS8 Networks in which they promote a new partnership with another company called PenLink to offer new "Lawful Intercept" tools.

I'm certainly not surprised that these tools and companies exist, just the size of the industry for spooks and spies. Can anyone attend these conferences, stroll the show floor hearing about how to "Lawfully Intercept" any type of communications and buy the latest software and hardware available for wiretapping of any communications sources? It makes me wonder if "Lawful Intercept" companies pay much attention to whom they sell their tools.

The press release that got my attention discusses the new partnership like this:

"This partnership between SS8 Networks and Pen-Link enables us to build on Xcipio's intercept capabilities for wireless, wireline, cable, packet data, VoIP and broadband data networks with a market-leading call data, content analysis and storage platform, providing a compelling one-stop-shop for lawful intercept solutions and expertise," said Dennis Haar, president and CEO of SS8 Networks. "Coupled with our passive probe portfolio, customers now have the ability to select specific components or a complete solution from SS8. In this way, SS8 will play an even more critical role in how government agencies, local and state security organizations and international intelligence groups work with communication service providers to combat crime."
Appears to be a profitable, and large industry. I think I'll take home one of those cool new monitoring center boxes:
Pen-Link's LINCOLN(R) 2 collection server, a high-end data collection and monitoring platform that stores and tracks activity of specific targeted individuals.
Very interesting stuff. I hope they require law enforcement ID or FBI spook badges to get into this conference or purchase "Lawful Intercept" equipment and software.

posted by RealitySEO at 9:48 AM 0 comments

Saturday, February 11, 2006

ChoicePoint Data Breach - Nigerian Sentenced

Nigerian national sentenced in ChoicePoint ID theft case. This Mercury News story points to one bad guy who is no doubt one of many more involved in the gigantic ChoicePoint data breach. That debacle exposed 145,000 people to potential identity theft. The bad guy in this case is a Nigerian national, named Olatunji Oluwatosin, operating out of Beverly Hills. He has been ordered to pay restitution of $6.5 million and sentenced to 10 years in jail.

I'd rather see ChoicePoint executives pay restitution while Oluwatosin does the jail time. Their weak system of vetting ChoicePoint customers leads to this type of crime. Data brokers selling financial data of innocent people, making them potential crime victims of slick ID thieves operating out of Beverly Hills PO boxes, is a worse offense.

The $15 million fine imposed on ChoicePoint by courts last month seems paltry for their part in this. (How about increasing ChoicePoint fines by like amounts assessed against each bad guy prosecuted in the resulting identity theft cases?)

posted by RealitySEO at 4:16 PM 0 comments

Google Desktop Boycott Urged by EFF

Google Desktop Boycott Urged: this RedHerring.com article covers the recent Electronic Frontier Foundation press release and the resulting stories urging Google Desktop Search users not to upgrade to a newly available enhancement that allows two PCs using the software to "search between computers," letting users view the contents of one machine while at the other. (Work, home and laptop machine files are all accessible from each of the other machines.)

The crux of the argument is that use of this software and storage of those files on Google servers (which makes the service possible) could potentially allow government and private litigants and law enforcement agencies to access those files without obtaining a warrant for the machine in question.

Stated this way, it raises other questions about information that millions of internet service users provide to all online companies. For example, many businesses and individuals use remote backup services, which allow backup of their computer software and files to a remote server for storage as a way to recover from computer glitches or failures. All of those companies are presumably subject to this subpoena process raised by EFF.

The thing that makes Google Desktop Search tantalizing to those who may seek computer records in this way is the broad use of that software compared to the relatively narrow adoption of remote backup services, such as Backup.com or Apple's .Mac service. We all provide bits of personal and financial data to internet service providers, web sites, shopping sites and application service providers.

Once again, this raises the issue of the trust we impart to online services when we provide any personally identifiable information or financial data to them. It becomes databasified and subject to hacking, data breaches and subpoena. The "Digital Dossier" discussed by Daniel J. Solove, in his privacy treatise, "The Digital Person," is widened and ever growing.

posted by RealitySEO at 3:29 PM 0 comments

Friday, February 10, 2006

Google Desktop Search Stores Contents of Your Hard Drive at Their Servers

The following is from the EFF (Electronic Frontier Foundation) newsletter "EFFector" list where they state "Electronic reproduction of this newsletter is encouraged". Happy to do that. This is a version of a press release distributed by EFF commenting on the new Google Desktop Search software version, just released this week.

Article begins--------->

Google Copies Your Hard Drive - Government Smiles in Anticipation

Consumers Should Not Use New Google Desktop

San Francisco - Google announced a new "feature" of its Google Desktop software that greatly increases the risk to consumer privacy. If a consumer chooses to use it, the new "Search Across Computers" feature will store copies of the user's Word documents, PDFs, spreadsheets and other text-based documents on Google's own servers, to enable searching from any one of the user's computers. EFF urges consumers not to use this feature, because it will make their personal data more vulnerable to subpoenas from the government and possibly private litigants, while providing a convenient one-stop-shop for hackers who've obtained a user's Google password.

"Coming on the heels of serious consumer concern about government snooping into Google's search logs, it's shocking that Google expects its users to now trust it with the contents of their personal computers," said EFF Staff Attorney Kevin Bankston. "Unless you configure Google Desktop very carefully, and few people will, Google will have copies of your tax returns, love letters, business records, financial and medical files, and whatever other text-based documents the Desktop software can index. The government could then demand these personal files with only a subpoena rather than the search warrant it would need to seize the same things from your home or business, and in many cases you wouldn't even be notified in time to challenge it. Other litigants--your spouse, your business partners or rivals, whomever--could also try to cut out the middleman (you) and subpoena Google for your files."

The privacy problem arises because the Electronic Communication Privacy Act of 1986, or ECPA, gives only limited privacy protection to emails and other files that are stored with online service providers--much less privacy than the legal protections for the same information when it's on your computer at home. And even that lower level of legal protection could disappear if Google uses your data for marketing purposes. Google says it is not yet scanning the files it copies from your hard drive in order to serve targeted advertising, but it hasn't ruled out the possibility, and Google's current privacy policy appears to allow it.

"This Google product highlights a key privacy problem in the digital age," said Cindy Cohn, EFF's Legal Director. "Many Internet innovations involve storing personal files on a service provider's computer, but under outdated laws, consumers who want to use these new technologies have to surrender their privacy rights. If Google wants consumers to trust it to store copies of personal computer files, emails, search histories and chat logs, and still 'not be evil,' it should stand with EFF and demand that Congress update the privacy laws to better reflect life in the wired world."

Google can and should design its technologies to avoid these problems in the first place. For example, searching across computers can be accomplished without Google having to keep copies of those computers' contents. Alternatively, Google could encrypt the stored data such that only the user has access.

"Google constantly touts its creative brainpower. More privacy-protective technologies are surely not beyond its reach, so long as its engineers make that a design priority," added Bankston.
More on the new version of Google Desktop
More on Google's data collection

posted by RealitySEO at 11:25 AM 0 comments

Wednesday, February 08, 2006

Identity Theft News is Overflowing

The following comes from a daily emailed alert from Google News for headlines generated by the search phrase "Identity Theft" and shows how extensive the problem is becoming. It could be that more awareness equals substantial increases in news on the topic, but the problem is real and it is generated by bad guys gravitating to an easy mark - credit card skimming or data theft from easily accessible databases, sloppy data brokers, and lack of security at points of purchase.

The fearmonger sessions: Identity Theft
CNET News.com - San Francisco,CA,USA
... Mi5 Networks has an appliance that blocks outbound identity theft activity at the edge of a corporate network. It scans for spyware ...

New state hot line to aid identity theft victims
Chicago Tribune - United States
ILLINOIS -- Illinois has formed a new hot line for residents to report identity theft and take steps to repair their credit and prevent future problems, Atty. ...

FTC, BBB continue campaign against identity theft
Phoenix Business Journal - Phoenix,AZ,USA
Halfway through National Consumer Protection Week, federal and state business groups are desperately trying to get the word out that identity theft remains the ...

Identity Theft: A Big Problem in The Natural State
KATV - Little Rock,AR,USA
With identity theft now firmly on the nation's radar, experts say hundreds of thousands of Arkansans are being too careless with their vital information.

ID theft, the sequel
Computerworld Australia - Australia
... will release "Firewall", the latest film to focus on an issue that over the past year has come front and centre in the public's consciousness - identity theft.

ID theft suspect arrested here Police call woman a top 10 ...
Brownsville Herald - TX United States
February 8, 2006 -- A Harlingen woman serving probation for forgery and suspected of several identity theft crimes across the Rio Grande Valley was arrested ...

Identity theft ring indicted
9NEWS.com - Denver,CO,USA
Constance Matthews, 42, Matthew Sweeney, 41, and Sean Montgomery, 29, are facing felony charges under the Colorado Organized Crime Control Act. ...

State offers help to identity theft victims
Belleville News-Democrat - Belleville, IL,USA
News-Democrat A new identity theft hot line to assist consumers struggling with identity theft was announced Tuesday by Attorney General Lisa Madigan. ...

BBB and USPS warns about identity theft
News 14 Carolina - Raleigh,NC,USA
Now, the United States Post Office wants to help put a stop to what's known as identity theft. If you think identity theft won't happen to you, think again. ...

posted by RealitySEO at 8:23 PM 0 comments

Internet Governance and Privacy

Reproduced from the Harvard Law School newsletter, "The Filter," where the following usage restrictions are posted in the footer of that newsletter, edited by Amanda Michel:

* Not a Copyright
This work is hereby released into the public domain. Please share it. To read the public domain dedication, go here

*** Internet Governance and Privacy ***
By Berkman Fellow Wendy Seltzer

Ever since The New York Times broke the story in December that the U.S. government is wiretapping its citizens' communications without warrants, privacy has been in the spotlight. That light has illuminated our expectations of privacy in overseas telephone calls and emails. It has also reflected into still shadowy concerns about the amount of information that we scatter around us in other day-to-day activities of the electronic age. That concern hit its own flash point a few weeks later, when Google refused a wide-ranging government subpoena for records of searches performed through the company's service.

The privacy interests at stake in these two cases differ substantially. Government surveillance of private communications triggers fears about government power to punish political opponents, and of unchecked executive power when the administration bypasses procedural and judicial oversight. Although the FISA courts have granted almost every intercept request made of them, even that was too much of a hurdle to this government's hunger for information.

The Google subpoenas, by contrast, seem unlikely to reveal much private information. Yes, Google tracks much personally identifying information, but the government has said that was not part of its request, as it is not investigating individuals but assessing the effectiveness of content filters (to fight constitutional challenges to the Children's Online Protection Act). Nevertheless, the Google fight (and the news that Microsoft, AOL, and Yahoo! responded to similar subpoenas) has gotten wide play on the Internet. Is this because more people see themselves typing medical queries into Google than emailing friends in Afghanistan?

What both stories have in common is that the privacy risks come from entrusting communications to third parties. In the digital age, we need third-party telephone companies and ISPs to carry our phone calls and emails, and third-party search engines to help us make sense of the web's massed information. We should put corresponding pressure on those intermediaries to keep our information private. But in the face of government subpoenas and warrantless information requests, that will not be enough. We also need the courts to recognize what Google's users have clearly stated: our expectation of privacy does not end when we give information to third parties necessary to its communication — neither should the protections of the Fourth Amendment.

BLOGPOST: Wikipedia.de Controversy, Urs Gasser

BLOGPOST: "The Internet - Freedom or Privilege?" David Isenberg

posted by RealitySEO at 6:39 PM 0 comments

Friday, February 03, 2006

Google Searches Not Private

When Google is not your friend | CNET News.com is a (long) overview of the basics of what search engines know about users and the search terms they have used, either through cookies and IP addresses or accounts with Yahoo, Google, AOL or MSN.

What it all comes down to is that information most users believe is private can be attached to a person via multiple avenues. The search terms used can be tracked and linked to every user (or at least to their computer). Good overview for anyone curious about what information is available at all search engines to be subpoenaed by courts or governments. (Everything you've ever searched for)

This was highlighted recently when a man who killed his wife had searched Google for "neck, snap, break" on his computer and it was introduced into evidence at trial. This evidence was not subpoenaed from Google, but was found on his computer directly.

posted by RealitySEO at 3:08 PM 0 comments

Wednesday, February 01, 2006

AT&T Sued Over NSA Surveillance

Wired News: AT&T Sued Over NSA Eavesdropping. This story looks at the Electronic Frontier Foundation lawsuit against AT&T (PDF), which claims that AT&T allowed illegal NSA access to the phone company's massive database of all calls made by its phone and long distance customers and, apparently, all internet addresses visited through AT&T internet services since 2001, according to a December 26, 2005 LA Times story.

The shocker here is that phone companies store this type of data in massive databases and that they have their own data mining systems to root through that huge haystack of information. What possible need could there be to keep stacking that hay continuously?

The lawsuit seeks up to $22,000 in damages to be paid to every party who has been an AT&T customer since the illegal surveillance was implemented in 2001. That payout is extremely unlikely, however, as it is expected that the National Security Agency (NSA) will invoke the State Secrets privilege to kill the case. The state secrets privilege has been used successfully in every case it has been applied to. That law provides a back door for escape for the NSA and AT&T in this suit.

Expect to see the case dropped soon. But it has been confirmed that the domestic spying and warrantless wiretaps are a reality. This scandal is likely to be swept under the rug, but the lawsuit and the reporting by both the New York and Los Angeles Times will definitely throttle the expansion of domestic spying and illegal surveillance by NSA spooks.

posted by RealitySEO at 9:32 AM 0 comments