It's Friday again, time to disclose the latest screw-ups leading to identity theft.
E-mail includes data on students
VCU by mistake sends personal information, grades of 561 students
BY GARY ROBERTSON TIMES-DISPATCH STAFF WRITER Dec 9, 2006
For the second time this year, the personal information and Social Security numbers of hundreds of Virginia Commonwealth University students have been compromised.
According to the university's technology services Web site, personal information on 561 VCU students in the College of Humanities and Sciences was inadvertently included [I know of no email system that randomly attaches files. The user MUST specify the file. Bob] in two attachments in an e-mail.
The information included names, Social Security numbers, local and permanent addresses and grade-point averages.
... Kapelewski said she thought a university as large as VCU -- 30,000 students -- would have security measures to prevent such disclosures. [A reflection of her education. Isn't that a shame? Bob]
... Chuck Epes, Virginia communication director for the Chesapeake Bay Foundation, also had his personal information compromised in the glitch. [Is there more here than the school admits? Bob]
... Epes said he doesn't know how his personal information was obtained. He is not a current student and hasn't taken full-time classes at VCU for years.
... In September, VCU said the names, Social Security numbers and e-mail addresses of about 2,100 current and former students had been online for eight months, because of human error.
... Also, a former VCU student pleaded guilty two months ago in federal court to illegally acquiring the log-in names and passwords for the e-mail and online accounts of many students and university staff members.
Perhaps we could issue “Goofy Awards” to security managers who are surprised by this type of error?
Saturday, December 9, 2006
Goof posts SS numbers on Net
Vermont health care providers’ info accidentally goes public
By David Gram THE ASSOCIATED PRESS
MONTPELIER, Vt.— At least several hundred, likely more, Social Security numbers of health care providers were posted to the Internet in a state contractor’s mistake that officials were scrambling to fix yesterday.
... Commissioner Thomas Murray of the state Department of Information and Innovation said his staff had been working since first learning of the problem on Monday to make sure the information is no longer on the Internet.
... McIntire said the information was posted on the Web site on which the state calls for bids on contracts from May 12 and was taken down June 19. But she said a doctor, whom she would not identify, told the state that her Social Security number was on the Internet as of this week.
... Robert Snapp, an associate professor of computer science at the University of Vermont, said it’s impossible to be completely sure that something once posted to the Internet isn’t still available in cyberspace despite efforts to remove it.
Is there anything to stop people from suing...
Can Your Firm Be Sued for a Data Breach?
By Gregory T. Parks and Megan E. Adams E-Commerce Times 12/08/06 4:00 AM PT
In July 2003, California Senate Bill 1386 went into effect, becoming the first state law providing for mandatory notification in the event of a breach. Some 30 states have enacted similar legislation. Although these laws do not provide for a private cause of action, they could still contribute to increased litigation because more consumers will know about data breaches.
Continuing technological advances allow companies to store increasing amounts of personal data about their customers. Maintaining this information can help both companies and consumers, allowing for more tailored customer service without requiring customers to provide the same information repeatedly.
... The federal Privacy Act allows individuals to sue the government for failure to adequately protect personal data, but there is no counterpart applicable to the private sector.
Companies can be held liable in a broader context -- as opposed to an individual lawsuit -- in two ways: via the Federal Trade Commission and through consumer class actions brought by private parties or state attorneys general.
... Initially, the FTC only enforced company "privacy policies," reasoning that a company's failure to follow its own published policy was a "deceptive act" punishable by the agency.
... Since 2004, the FTC has expanded its enforcement activities. The agency now claims that a company's failure to take reasonable measures to protect customers' personal information is itself an unfair practice in violation of the FTC Act.
... Consumers often wish to enforce their rights through private litigation, where they can potentially receive financial awards generally not available through FTC settlements. In the past several years, consumers have flooded the courts with lawsuits -- primarily class actions -- often following FTC action. Many of these cases are still pending. If one of these cases results in a verdict, it would be a first.
Although some cases have settled with payments to plaintiffs, litigation in this area is currently problematic for plaintiffs for two reasons:
* As there are no laws providing private rights of action to consumers specifically for a data security breach, consumers must generally rely on state consumer protection, false advertising, implied contract, and fraud laws to bring suit against private companies. These tools are vague, at best, and rarely provide a framework that is adequate for dealing with data security breaches.
* Data security breaches often do not cause any identifiable or quantifiable harm to the individuals whose information was compromised. In certain cases, courts have therefore labeled the damages claimed by plaintiffs as "speculative" or "nonexistent" and have dismissed lawsuits because of this defect. However, certain political and legislative developments indicate that the climate could soon change.
Compliance could be harder than the Senator assumes. Who will look at each image (and video?) and determine illegality?
Senator: Illegal images must be reported
By Declan McCullagh Story last modified Fri Dec 08 19:04:24 PST 2006
Millions of commercial Web sites and personal blogs would be required to report illegal images or videos posted by their users or pay fines of up to $300,000, if a new proposal in the U.S. Senate came into law.
The legislation, drafted by Sen. John McCain and obtained by CNET News.com, would also require Web sites that offer user profiles to delete pages posted by sex offenders.
In a speech on the Senate floor this week, the Arizona Republican and former presidential candidate warned that "technology has contributed to the greater distribution and availability, and, some believe, desire for child pornography."
After a report of illegal activity is filed, the Web site must retain any "information relating to the facts or circumstances" of the incident for at least six months. [Retain, not forward to an appropriate law enforcement agency? Who would be appropriate, by the way? Bob] Webmasters would be immune from civil and criminal liability if they followed the specified procedures exactly.
McCain's proposal, called the "Stop the Online Exploitation of Our Children Act", requires that reports be submitted to the National Center for Missing and Exploited Children, which in turn will forward to the relevant police agency. (The organization received $32.6 million in tax dollars in 2005, according to its financial disclosure documents.)
Internet service providers already must follow those reporting requirements. But McCain's proposal is liable to be controversial because it levies the same regulatory scheme--and even stiffer penalties--on even individual bloggers who offer discussion areas on their Web sites.
"This constitutionally dubious proposal is being made apparently mostly based on fear or political considerations rather than on the facts," said Kevin Bankston, an attorney with the Electronic Frontier Foundation in San Francisco.
According to the proposed legislation, these types of individuals or businesses would be required to file reports: any Web site with a message board; any chat room; any social-networking site; any e-mail service; any instant-messaging service; any Internet content hosting service; any domain name registration service; any Internet search service; any electronic communication service; and any image or video-sharing service.
Kate Dean of the U.S. Internet Service Provider Association said her members appreciated McCain's efforts to rewrite the current procedures for reporting illegal images, which currently are less than clear.
McCain's proposal comes as concern about protecting children online has reached nearly a fever pitch in Washington. Attorney General Alberto Gonzales gave two speeches this week on the topic, including one on Friday in which he said "we must do all that we can to protect our children from these cowardly villains who hide in the shadows of the Internet."
But the reporting rules could prove problematic for individuals and smaller Web sites because the definitions of child pornography have become relatively broad.
The U.S. Justice Department, for instance, indicted an Alabama man named Jeff Pierson on child pornography charges because he took modeling photographs of clothed minors with their parents' consent. The images were overly "provocative," a prosecutor claimed.
Deleting sex offenders' posts
The other section of McCain's legislation targets convicted sex offenders. It would create a federal registry of "any e-mail address, instant-message address, or other similar Internet identifier" they use, and punish sex offenders with up to 10 years in prison if they don't supply it.
Then, any social-networking site must take "effective measures" to remove any Web page that's "associated" with a sex offender.
Because "social-networking site" isn't defined, it could encompass far more than just MySpace.com, Friendster and similar sites. The list could include Slashdot, which permits public profiles; Amazon.com, which permits author profiles and personal lists; blogs like RedState.com that show public profiles. In addition, media companies like News.com publisher CNET Networks permit users to create profiles of favorite games, gadgets and music.
"I think there is an irrational hysteria surrounding these social-networking sites and the threat to youngsters on these sites, so I don't see these measures being justified," said EFF's Bankston.
A McCain aide, who did not want to be identified by name, said on Friday that the measure was targeted at any Web site that "you'd have to join up or become a member of to use." No payment would be necessary to qualify, the aide added.
In this political climate, members of Congress may not worry much about precise definitions. Another bill also vaguely targeting social-networking sites was approved by the U.S. House of Representatives in a 410-15 vote.
And in July, for instance, Congress overwhelmingly approved a bill that made it a federal felony for Webmasters to use innocent words like "Barbie" or "Furby" to trick minors into visiting their sites and viewing sexually explicit material.
Next year, Gonzales and the FBI are expected to resume their push for mandatory data retention, which will force Internet service providers to keep records on what their customers are doing online. An aide to Rep. Diana DeGette, a Colorado Democrat, said Friday that she's planning to introduce such legislation when the new Congress convenes.
Cathy Milhoan, an FBI spokeswoman, said on Friday that the FBI "continues to support data retention. We see it as crucial in advancing our cyber investigations to include online sexual exploitation of children."
In addition, Sen. Chuck Schumer, a New York Democrat, and McCain said this week that they'll introduce similar legislation dealing with sex offenders and social-networking sites in January.
I am always impressed by effective legal strategies...
Secret To Suing Dell: Focus On A Kiosk, Not Headquarters
from the legal-strategies dept
It's no secret that Dell has had some... problems with their customer service operations over the years, some of which have been well publicized. I recently heard from someone that Dell now constantly scours blogs for any complaints to try to respond to them quickly. However, they still run into some problems at times. When one man had the company lose his laptop, and he wasn't satisfied with their replacement offer (and long drawn out conversations), he sued the company in small claims court (sent in by reader Chester Kee). However, rather than send the lawsuit to Dell headquarters, or even a Dell office, he sent it to the local Dell sales kiosk at the mall near his home. Not surprisingly, no one from Dell showed up in court (they probably had no idea the case even existed), and the man won $3,000 -- and even got an order saying court workers could seize merchandise from the kiosk. Once Dell found out about this, they quickly settled the case (as they should have), but it still seems a bit odd that it was okay for the case to be served to a random sales kiosk -- and that the court allowed the reimbursement to come from that kiosk as well.
They just don't get it. Why would I want to download a separate reader for each newspaper (news source) I read each day? (For that matter, why would I want to read anything “offline?”)
Download of the Day: New York Times Reader (Windows)
Windows only: The New York Times Reader lets you download full editions of the NYT to your desktop where you can browse the contents offline in a very familiar newsprint format.
I'm always happy to tell my students about potential scholarship funds...
Criminals 'target tech students'
The boom in cyber crime is forcing criminals to go to great lengths to recruit skilled hackers, says a report.
Some criminal gangs are paying students while they study to ensure they have a pool of tech-savvy workers to call on, says the report from McAfee. [Perhaps a wee exaggeration? Bob]
McAfee said children as young as 14 years old were being targeted by some criminal gangs.
... "Traditional criminals have the ability to move funds and use all of the background they have," he said, "but they don't have the technical expertise."
How Much Privacy?
Lisa Lerer, 12.08.06, 6:00 AM ET
ComScore Networks is the Big Brother of the Internet. [They must love this kind of start to the story... Bob] The widely-used online research company takes virtual photos of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. Then comScore aggregates the information into market analysis for its over 500 clients, including such large companies as Ford Motor, Microsoft and The New York Times Co.
ComScore says that its participants are willing exhibitionists, happily selling their online privacy for gift certificates and free screensavers. But two computer scientists are raising new questions about comScore, claiming that company tracking software is being installed without consent on an unknown number of computers.
"[The] software is sneaking onto users' computers without the user agreeing to receive it," says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall. (Edelman and Howes spend their days patrolling the Internet for new threats.)
What a country! We can argue any side of an issue. (By the way, you can join my militia for only $29.95)
Scope of 2nd Amendment Questioned
By MATT APUZZO The Associated Press Thursday, December 7, 2006; 8:49 PM
WASHINGTON -- In a case that could shape firearms laws nationwide, attorneys for the District of Columbia argued Thursday that the Second Amendment right to bear arms applies only to militias, not individuals.
...and here's the flip side. Perhaps they will declare neutrality, like Switzerland? Remember, lots of kids in PA bring their guns to school (leaving them in their cars) during hunting season.
Town mulls recommending guns for all
By Jon Hurdle Thu Dec 7, 11:10 AM ET
A tiny town in western Pennsylvania could ask all of its residents to own guns, if a proposal under consideration on Wednesday wins approval from local officials.
... In written comments, Statkowski said homeowners have a right and a responsibility to defend against intruders rather than calling police and waiting for help to arrive.
... The measure was unlikely to pass because state law prevents municipalities from making their own gun laws, Ramsey said. He said about 40 percent of Pennsylvania households own guns.
Aaron Fry, owner of the Cherry Tree Cafe, said he did not understand why the measure was necessary because guns are common. "Every house has a couple of guns," he said.