Friday, March 31, 2006

Privacy, Surveillance Lawsuit - EFF vs. AT&T


* EFF Motion in AT&T Surveillance Case Draws Government's Eye

DOJ Demands First Look at Documents It Claims Might Be Classified

San Francisco - The Electronic Frontier Foundation (EFF) filed a motion for a preliminary injunction in its class-action lawsuit against AT&T today. However, much of the evidence that was to be included in the motion--as well as the legal arguments based on that evidence--was held back temporarily at the request of the Department of Justice (DOJ). While the government is not a party to the case, DOJ attorneys told EFF that even providing the evidence under seal to the court--a well-established procedure that prohibits public access and permits only the judge and the litigants to see the evidence--might not be sufficient security.

EFF's motion seeks to stop AT&T from violating the law and the privacy of its customers by disclosing to the government the contents of its customers' communications, as part of the National Security Agency's (NSA's) massive and illegal program to wiretap and data-mine Americans' communications. The motion was supported by a number of internal AT&T documents that the government now claims might include classified information.

EFF will seek the Court's permission to publicly release the preliminary injunction motion and supporting documents, and hopes to have redacted versions available after further discussions with the government.

"Openness in court proceedings is fundamental to a free society," said EFF Staff Attorney Kurt Opsahl. "The facts supporting our motion are not classified and are important to the public debate over the propriety of the NSA domestic spying program. The public deserves to know the truth."

The NSA program came to light in December, when the New York Times reported that the President had authorized the agency to intercept telephone and Internet communications inside the United States without the authorization of any court. Over the ensuing weeks, it became clear that the NSA program has been intercepting and analyzing millions of Americans' communications, with the help of the country's largest phone and Internet companies, including AT&T. This surveillance is ongoing, and today's injunction motion seeks to stop the spying while the case is pending.

"AT&T's wholesale diversion of communications into the hands of the NSA violates federal wiretapping laws and the Fourth Amendment," said EFF Staff Attorney Kevin Bankston. "More than just threatening individuals' privacy, AT&T's shameful choice to allow the government to spy on millions of ordinary Americans' communications is a threat to the Constitution itself. We are asking the Court to put a stop to it now."

In the lawsuit, EFF is representing the class of all AT&T residential customers nationwide. Working with EFF in the lawsuit are the law firms Traber & Voorhees, Lerach Coughlin Stoia Geller Rudman & Robbins LLP and the Law Office of Richard R. Wiebe.

For the motion for preliminary injunction: Brief and some evidence NOT AVAILABLE BY DOJ REQUEST

More on EFF's suit

EFF News release

Reproduction of this publication in electronic media is encouraged. Press releases and EFF announcements & articles may be reproduced individually at will.

posted by RealitySEO at 4:30 PM 0 comments

Thursday, March 30, 2006

Cell Phone Privacy Trojan?

Spy program snoops on cell phones according to this CNET story. Apparently only works on phones with the Symbian operating system - but who knows what operating system their phone uses?

The program must be installed and configured by someone, so they would need access to the phone belonging to the person they want to spy on. Apparently the information logged includes numbers called and length of calls. The program is being developed further to monitor email and text messages, according to a section of the web site called FlexiSpy, run by a company based in Bangkok, Thailand called Vervata.

As phones get more complex and include PDAs and software applications, they become more susceptible to trojans, viruses and malware that may come attached to downloadable tools. Ultimately the biggest threat is that of loss of privacy until someone figures out how to hijack the number and make calls through the phone without our knowledge.

The FlexiSpy web site proudly boasts that they are working on an upgrade that will allow a third party to dial in to monitor conversations remotely without the phone owner's knowledge. It is being promoted as a way to protect children and monitor the safety of phone users, but is clearly spyware, just as the name FlexiSpy suggests.

posted by RealitySEO at 9:29 AM 0 comments

Tuesday, March 28, 2006

IRS to Allow Tax Preparers to Sell Returns!

Philadelphia Inquirer | 03/21/2006 | IRS plans to allow preparers to sell data. This is without a doubt the most offensive idea to emerge in the financial privacy arena since CardSystems lost 40 million consumers' information in mid-June of last year.

The IRS is considering a rules change that would allow our most trusted financial advisors to sell entire tax returns of consumers to marketers and data brokers! This would not only be a serious ethical violation and breach of trust by tax preparers, but may entirely undermine taxpayers' trust in the tax systems in the US.

This rules change is apparently proposed at the behest of Congressman Ed Markey of Illinois who raised privacy concerns when it was discovered that some tax preparers were outsourcing tax preparation online to India and other countries without privacy protections. It was supposedly to prevent the loss of financial information to identity thieves. How ironic that the rule change was proposed as a privacy protection, when it allows outright sale of tax returns to marketers and data brokers.

While so-called notification and consent by taxpayers is required to allow this sale of information - can you imagine anyone questioning their accountant about why he is asking them to sign papers following tax return preparation? Most of us put full trust in our tax preparers, accountants and financial advisors when asked to sign documents. (I don't condone this, it's just the way we operate - every person should ALWAYS read EVERY document they sign and UNDERSTAND it before signing.)

If those professionals suffer even a momentary flash of reduced ethical and moral standards during that brief signing - they may choose not to disclose what we are signing and count on us to either ask pointedly what we are signing or that we read large sheafs of prepared documents to find out that we are about to sign away our financial privacy along with signing our tax returns.

By now we should all be painfully aware of the endless stream of data breaches, hacks, and dozens of cases of ineptitude by data brokers and handlers of private personal financial information.

This issue has somehow escaped much public notice since it was first proposed by the IRS on December 7, 2005. Here is the official government notice of the proposed IRS Rule Change allowing the sale of tax return data by tax preparers (38 page PDF file). The Philadelphia Inquirer broke the story and posted the following notice at the end of that piece:

It's too late to comment electronically, but the IRS may still consider written comments:

Mail comments to:

CC:PA:LPD:PR (REG-137243-02)
Room 5203
Internal Revenue Service, Box 7604
Ben Franklin Station, Washington, D.C. 20044.

This is so patently offensive that it is difficult to comprehend. I want to know who convinced the IRS rulemakers to slip this proposal in so quietly. Did Congressman Markey have a hand in the rule language or was that a back room deal between the Bush Administration and ChoicePoint? I find it hard to fathom that it was a lobbyist for beancounters who make their living by doing taxes for median income families. I don't think it is likely to have been Ernst & Young looking for extra little profit centers they might exploit in their corporate client tax filings.

Who would profit most from this? The data brokers and credit reporting agencies - just follow the money. Who wants access to broad swaths of taxpayer information? Those who don't currently have it yet - ChoicePoint, Experian, TransUnion, and dozens of subsidiary data brokers who currently don't have access to income (and spending) data directly.

Imagine the rich new income streams they'd see being able to sell information to marketers about our buying habits, food preferences, hotel choices, internet service providers, travel information, cell phone providers - all right there on our itemized deductions list.

A joint press release has been distributed by three separate consumer organizations calling for removal of language in the proposed rules that would allow for sale of information in taxpayer tax returns to third parties for purposes of selling "Subsidiary Services" to taxpayers. That broad language is the focus of concern.

Since many of us are on the current "Do Not Call" list and out of reach of telemarketing annoyance, you can bet your junkmail volume would increase dramatically after your spending habits are so well documented to marketing firms - right off of your tax forms, which they legally purchased!

If this were the only concern - it would be enough to rattle most Americans' trust in our government. But it isn't the end of the story - we lose control over our financial data and risk identity theft on a grand scale once the information is in the hands of marketers. Just stop what you are doing and go write a letter to the IRS at the address above to demand that they stop this nonsense.

posted by RealitySEO at 9:33 AM 0 comments

Monday, March 27, 2006

NSA Surveillance of Attorney & Doctor Phone Calls

The headline above links to a Wired News story on NSA spying on otherwise inviolable communications between attorney and client or doctor and patient. Congress is probing the warrantless spying by the Bush Administration and has received vague and evasive answers to their questioning.

Michigan Rep. John Conyers, the House Judiciary Committee's top Democrat, complained about the department's evasiveness in answers to questions from the House and Senate Judiciary Committees, submitted to Attorney General Alberto Gonzales. All but two of 45 answers to the House Judiciary Democrats were vague and unresponsive, Conyers said.

The Justice Department gave the following response to direct questions about monitoring privileged communications between lawyers and their clients and doctors and their patients:

"Because collecting foreign intelligence information without a warrant does not violate the Fourth Amendment and because the Terrorist Surveillance Program is lawful, there appears to be no legal barrier against introducing this evidence in a criminal prosecution."

It appears the Bush Administration Justice Department is busily creating case law to cite back to anyone challenging the warrantless spying in the future. There appears to be no end to the domestic spying program, even though the press, the public and politicians are all up in arms over this program. The definitive position on surveillance of otherwise privileged communications?

"Although the program does not specifically target the communications of attorneys or physicians, calls involving such persons would not be categorically excluded from interception."

posted by RealitySEO at 9:51 AM 0 comments

Friday, March 24, 2006

Spitzer Sues Marketer Over E-mail Privacy

N.Y. sues marketer over e-mail fraud according to this MSNBC story. New York attorney general Eliot Spitzer is like a privacy bulldog that just won't let go of his targets. While the "Gratis Internet" company claims innocence due to outsourcing their email distribution to external providers, Spitzer maintains that consumer data was sold and resold to spammers who inundated members who had signed up with the company, which markets by offering free consumer goods, such as iPods, in exchange for personal information.

Some consumers who have been given free electronics products say the spam is worth it due to the goodies they were given, but this should clearly demonstrate the high value placed on consumer information by marketing firms. If a company can justify giving away $300 products, they must make up for it by selling (and reselling, and reselling) the information gathered or they would quickly go out of business.

Spitzer has proven himself a privacy watchdog in previous high profile privacy cases filed in New York.

posted by RealitySEO at 11:21 AM 0 comments

Thursday, March 23, 2006

Fliers' Privacy Safe, Entrepreneur Says

Fliers' privacy safe, entrepreneur says according to this USA Today story on the private sector companies working jointly with TSA on the controversial "Trusted Traveler" program. The scheme is odd in that businesses are handed the keys to unlock quick passage through airport check-in for frequent fliers after the government does mandatory background checks on those applicants.

The company handles iris scans and fingerprints and then issues an encrypted code and identity card to those who pass muster with the government.

This article interviews entrepreneur Steven Brill of "Verified Identity Pass" in a short overview of several companies that have signed their employees up (Hyatt Hotels, signed up VIP and frequent guests). The gist of this story is Brill reassuring everyone that ID card encryption is secure and that those participating can feel secure in the knowledge that their private information is safe and cannot be hacked, stolen or lost.

The odd thing is that this program is not handled entirely by TSA and that they are palming off the portions of the program that are most vulnerable to abuse to private contractors like Brill and other businesses to handle - the technology.

Participants in "Trusted Traveler" are likely to include celebrities, politicians and the wealthy in the beginning. While the yearly fee is less than $100 to participate in the "Trusted Traveler" or "Registered Traveler" program, those using the encrypted cards and subjected to quick fingerprint readers and iris scans can pass through airport security more quickly.

Those not willing to pay the yearly fee, not willing to be scanned, fingerprinted and background checked, will be waiting in long lines for what has become "normal" for airport security checks - removing coats, shoes and belts, opening laptops and emptying our pockets of metal objects to pass through scanners.

No doubt it will look much like the Southern California toll lanes on certain freeways at rush hour, where those paying fees zoom through - while stop and go creeping is the norm for everyone else.

One would assume that those "Trusted Traveler" members will still be scanned for weapons and nail clippers. After all, because someone has paid to avoid lines is no reason to trust their rationality or forgetfulness - is it? Is a "Trusted Traveler" less likely to do stupid, irrational things just because we know their fingerprints and iris scans are stored in a database?

What exactly is it that makes us more secure because a person has paid to be less thoroughly searched? While we can know that ID# 12345 has boarded a United flight to Atlanta - and we are sure of who that person is, do we know their mental state or intentions?

Maybe a brain scan of those "Trusted Travelers" would be more appropriate than an iris scan when it comes to airline security - and possibly a brain scan of those employees working the airport equipment. Here's hoping that the profit-making companies handling security for "Trusted Traveler" don't cover up database breaches, hacking attempts, bribes, disgruntled employee abuses or equipment failure in order to look better and hang on to contracts with the TSA.

posted by RealitySEO at 3:16 PM 0 comments

Wednesday, March 22, 2006

Debit Card Fraud Legal Loopholes

Debit card fraud underscores legal loopholes allowing companies to keep breaches quiet. This Security Focus article is a thorough review of the problem of notification-law-squirming by financial institutions, ATM manufacturers, software designers and all others to blame for breaches of personally identifiable financial information. All links in the chain of financial data handlers should be held fully liable for any loss of the data crossing their networks or being handled by any one of those sources. Until there is financial incentive to stop losses of financial information, there will be no fixes by those to blame for the losses. Many times the leak cannot be identified or traced, so each of the weak points avoids blame for the loss of data. Security should be the highest priority of all financial data networks that put individuals at risk for financial loss. This is the only way to plug the leak in the dike - before the flood.

posted by RealitySEO at 10:41 PM 0 comments

Iowa Identity Theft Passport Police Protection

Iowa proposes ID theft 'passport' to protect Identity Theft victims from police and arrest for crimes they haven't committed.

Crooks who steal your identity and use it on driver licenses are apparently becoming more common. It is wise for bad guys to be able to present false identification during traffic stops or other instances of ID checking. So they are using identity theft as protection from arrest, but in the process racking up suspicious activity on the record of honest citizens who have been victimized.

This Iowa law would provide paperwork for victims to carry proving they are Identity Theft targets who may show suspicious activity on their record due to bad guys using their name to commit crimes.

It seems that after a while the crooks will forge these documents, won't they? No, let's prevent ID theft instead of carrying further ID to protect us from law enforcement. Bad idea.

How about getting credit card companies and banks to stop mailing paper documents with account numbers and other data on them exposing us to mail theft? How about stopping businesses from being able to require our social security number for routine records like video rentals and health club memberships? How about stopping the sale of personally identifiable financial information through data brokers?

posted by RealitySEO at 8:59 AM 0 comments

Monday, March 20, 2006

Patient-Data Chips vs. Privacy

Use of Implanted Patient-Data Chips Stirs Debate on Medicine vs. Privacy according to this Washington Post story from March 15. The report, by Rob Stein, discusses the use of the RFID chips in two Alzheimer's patients, who seem to be the first target of Verichip, a company marketing their RFID technology aggressively to hospitals.

While they have very few takers of implanted chips, which up until recently were used only in animals, they are convincing dozens of hospitals to accept their chip readers free and training doctors to implant them in humans.

Lining up in opposition to implantable RFID chips are the Health Privacy Project, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and privacy advocates. Those in support of RFID tagged humans are security firms, RFID manufacturers, and the Mexican government - which has tagged several Mexican politicians in a move to protect them from kidnapping and ransom demands.

There appear to be no built-in protections in the chips stopping anyone with a reader from scanning the information contained in them, but the manufacturer claims that access to a secure website is required to see data from tagged individuals. All that is required is a password and username and those can be hacked or accessed via pretexting.

Abuses are bound to emerge as more Alzheimer's patients are RFID tagged with Verichip implants. Abuses appear to be necessary to arouse the concern of most Americans.

posted by RealitySEO at 10:44 AM 3 comments

Torn up Credit Card Application from Trash Gets Credit!

The Torn-Up Credit Card Application resurrected from a trash can and taped back together from tiny pieces shows that credit card issuers are not in the least concerned with identity theft. This site discusses a test done by someone who legitimately received the application from Chase Mastercard, but he felt certain tearing it up and then taping it back together to fill it out would set off alarm bells at Chase. Not only did he piece the thing back together, but he changed the address on the application - something that identity thieves would most certainly do.

Well, not only was the card approved, but it was sent to his parents' home, the address he had changed it to. This clearly shows that credit card companies have absolutely nothing to lose to identity theft and take no precautions against it.

The pieces of this application could have been retrieved from a dumpster, taped together and the address changed. Thieves would have been awarded the credit card and the original recipient would have no idea he had been the victim of dumpster diving criminals - even after he had taken the precaution of tearing up the application.

Credit card companies should be held fully accountable for all damage done to victims of identity theft when they award credit cards to anyone willing to dig through garbage cans, use a little tape and claim to be someone else. This case clearly illustrates how cavalier Chase is in issuing cards to crooks and liars - as it probably mirrors a good portion of true identity theft cases.

posted by RealitySEO at 8:06 AM 0 comments

Thursday, March 09, 2006

iBill Customer Database Breach

See Update at Bottom!

Customer records lost to apparent inside job from online billing site iBill, an online payments system doing a reported 85% of its business with online porn sites, billing customers. But because of an odd loophole in data breach reporting laws, the leak, which apparently happened in 2003 or earlier, went unreported because reporting laws require notification to victims only if credit card numbers are exposed in the breach. Apparently all personal information about iBill clients was exposed EXCEPT credit card numbers, including passwords for iBill logins and customer email addresses.

Clearly, a list of 17 million email addresses of mostly porn site customers would be valuable information to other porn service operators and would be an attractive purchase to spammer lists. While email addresses sold to spammers is also a serious data breach in itself, the potential for financial data loss is more important and dangerous to victims than embarrassment and spamming from additional porn sites.

A Google search for "iBill Data Breach" turns up a large number of adult oriented blogs, discussion lists and "terms of service" pages where iBill is named as the payment processor.

This thorough story, by Wired News reporter Quinn Norton, takes a look at the players in the story, iBill history, security firm discovery of the customer information online in hacker forums and web sites registered under phantom names.

While the iBill customer data breach went unreported for at least three years, 17 million iBill customers' names and personal login information no doubt proved fruitful to enterprising hackers armed with that information.

It is well known that people are lazy with passwords and usernames, using the same logins for multiple sites. This knowledge and name access could be as dangerous financially as actual credit card numbers to hackers.

Long story short, this iBill data breach and lack of required reporting to victims of the breach makes apparent the fact that reporting requirements should be extended to cover instances where credit card information is not lost, but passwords and other personally identifiable information is lost.

In this case, hackers probably used the password information to exploit those exposed in the breach without the victim knowing how they were exposed. The Wired story concentrates on the embarrassment of the victims because they are on long lists of porn site customers, but the focus should not be on the type of business that loses customer information.

Reporting needs to be universally required when large scale data breaches such as this happen at companies that handle financial data.


Apparently iBill has been framed, according to another Wired News story, which was the original source for this post. In the follow-up story, iBill president Gary Spaniak, Jr. claims that the database is secure and that he believes spammers are to blame for planting false files on the sites where they were found by security firm Secure Science Corporation and apparently the sole identifying clue was a filename for the data posted on a spamming website, seeking the sale of the information.

It appears spammers have no hesitation to screw each other by selling fake information in the underground economy. This time porn billing company iBill appears to be Sunday school clean in a misunderstanding and a drive-by shooting by "security firms" seeking publicity for their "discovery" of data breaches based on nothing more than a filename from a spamming web site.

There appear to be risks involved for iBill in dealing with an industry known for low morals.

But Wired News should be taken to task for breaking this story before iBill was able to respond, the same way the security firms are taken to task for drawing conclusions based on nothing more than a filename "discovered" while trolling the underworld of the web. It appears someone must be having a good chuckle in this story. It isn't the good guys.

posted by RealitySEO at 9:43 AM 0 comments

Wednesday, March 08, 2006

Bush Privacy Assault Frightening

Bush's Mysterious New Programs measure up as martial law by civil liberties yardsticks. This linked story by Nat Parry covers bizarre new detention centers which appear to be intended to house large numbers of "enemy combatants" or domestic terrorists. Contracts were awarded to Halliburton affiliate Kellogg, Brown & Root, according to a CBS MarketWatch story from January 24 titled "KBR Awarded Homeland Security Contract Worth Up To $385 Million".

Scary stuff that is not discussed openly because it is "Homeland Security" related. The story looks at these odd contracts in depth, along with statements made by Bush supporters, confidants and administration officials which suggest we may see a return to a new type of McCarthyism. Americans can be arrested, detained and held without legal representation for indeterminate periods without reason or recourse. Scary, scary stuff this.

posted by RealitySEO at 6:35 PM 0 comments

Bill Banning Phone Record Sales in House

House panel approves bill banning sale of phone records so this looks like the beginning of the end for the practice of "pretexting" by underhanded online companies that sell phone records for about $100 to anyone with a credit card number. The services were used mostly by private detectives who discovered they could track their quarry by following the phone calls they made.

But once the phone number tracking service became public knowledge following a Chicago Sun Times article, outraged citizens and politicians leapt to stop the practice.

posted by RealitySEO at 6:06 PM 0 comments

Saturday, March 04, 2006

Ohio Site Is Identity Theft Source

Site makes identity theft possible, lawsuit says. According to this Dayton Daily News story, all state records are public records and posting social security numbers from official state documents is required by law, according to Ohio Secretary of State J. Kenneth Blackwell. Thus, the lawsuit filed by Darrel Estep claims that the practice exposes him and thousands of Ohio residents to identity theft by making their sensitive financial records openly available online for the taking by potential identity thieves.

It's incredible that this practice still stumbles along in states that apparently haven't been subject to similar lawsuits and been forced to remove at least the social security numbers from those documents they feel they must post publicly.

This practice stems from old think. "If we made all records available previously from our office file cabinets in obscure state records file rooms where potential identity thieves had to physically live nearby, drive down here, come in, sign in, pay to copy those records and sign out - then it follows that we must now post those same records online, where anybody can visit anonymously and instantly via computer from across the world, search instantly for lists of data it would otherwise have taken hours to find and record, copy sensitive files free, steal social security numbers anonymously and leave instantly without leaving a trace." Does that sound like something crooks would love?

It's stunning that government can be so consumingly obtuse about the consequences of "doing it like we always have" when that puts citizens at serious, almost certain risk of financial crimes.

Ohio Attorney General Jim Petro is opposing Blackwell in the upcoming Ohio GOP nomination for governor. If nothing else, Petro deserves to win that race simply because he is capable of comprehending the danger of posting public records online - while Blackwell blindly stumbles on, claiming that the state is, "not permitted to alter a document filed ... and it becomes public record." Stunningly bureaucratic old think.

posted by RealitySEO at 7:15 AM 0 comments

Wednesday, March 01, 2006

Self-Storage Privacy Rights

Self-Storage Privacy Rights overview. This excellent article is by Atlanta Attorney Scott Zucker, author of Legal Topics in Self-storage: A Sourcebook for Owners and Managers. He is also a partner in the Self-Storage Legal Network, a subscription-based legal service for self-storage owners and managers.

The linked article looks at all aspects of privacy issues for rental storage unit owners, covering consumer requirements to provide social security numbers as an opening issue, but moving to a discussion of the responsibility of storage owners to properly destroy, or have destroyed, all potentially damaging personally identifiable information that might put a renter at risk of identity theft or financial loss.

It's great to see attention being paid to privacy issues in particularly vulnerable industries. Many consumers have at one time or another stored boxes full of financial records, old credit card statements, taxes and financial and banking paperwork in a rental unit. The idea that those records might be targeted for identity theft has probably rarely crossed our minds.

Disposal of property upon delinquency is a particularly thorny issue for Storage Businesses and here's hoping that more attention is paid to an underprotected area. Certainly there are identity thieves who are well aware of dumpster diving as a method of scoring sensitive financial information. But it is clear that rental storage facilities are a particularly rich target for discarded records or delinquency sales that might net social security numbers, bank accounts, credit card statements and all manner of sensitive paper records - not to mention old computers and discs storing more financial booty.

posted by RealitySEO at 3:59 PM 0 comments