Saturday, March 17, 2007

Same story, different day.

http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/03/16/sns031707laptop.html

Laptop with city school employees' information stolen

By Andrew McGinn Staff Writer Friday, March 16, 2007

Nearly 2,000 current and former employees of Springfield City Schools are being notified their personal information was on a stolen laptop belonging to the state auditor's office.

... The payroll information had been requested by the state as part of an audit, she said.

The district mailed letters to the employees on Thursday.

... The laptop was stolen Feb. 22 from an auditor employee's vehicle parked at home in a garage, according to the letter.

Leaving equipment unattended in a vehicle is against office policy, said Susan Raber, director of public affairs for the state auditor. The employee, who lives in Hilliard, was given a verbal reprimand.

... The office doesn't need social security numbers to do audits and will stop asking clients for them, Raber said. [Now you tell me! Bob]



Costs of a data breach

http://www.jsonline.com/story/index.aspx?id=578307

Your bill: $536,000

Taxpayers' cost doubles for state to atone for allowing Social Security numbers on tax forms

By PATRICK MARLEY pmarley@journalsentinel.com Posted: March 15, 2007

Madison - Taxpayers will have to pitch in more than $500,000 to provide credit monitoring for people whose Social Security numbers were accidentally printed on tax booklets - twice the amount officials initially estimated. [No surprise here. Bob]

So far, 25,857 people have signed up for credit monitoring under a program offered by the state, which will cost taxpayers $536,425. [$25.00 per victim (see below) Bob] That number could climb to more than $677,000 because people can sign up for the program until March 31.

... In January, the Department of Revenue estimated taxpayers would have to pony up $232,000 at most because they expected no more than 8% of affected people to sign up [What if it hits 90%? Bob] for credit monitoring. So far, more than 15% have done so.

... The state cut a deal with the printer, Ripon Community Printers, in January that requires the firm to pay $110,000 toward the credit monitoring. The balance - $536,425 so far - will fall to taxpayers.

The printer estimated it would spend $200,000 total because it also reprinted and resent the tax booklets and sent letters offering the credit monitoring.

... Sen. Ted Kanavas (R-Brookfield) said the department should have anticipated a higher response rate and forced the printer to pay a percentage of the total rather than a firm amount.

"That's just bad management on the part of the agency," he said. [QED Bob]



Absolutely no comment.

http://sev.prnewswire.com/publishing-information-services/20070315/AQTH06315032007-1.html

Google Tops the 11th Annual BusinessWeek 50 Ranking of Best Performing U.S. Companies

... 38 TJX



We knew this, right?

http://www.govtech.net/magazine/story.php?id=104461

More Than 100 Security Breaches Reported Under Law to Thwart ID Thieves

By News Release Mar 16, 2007

More than 100 security breaches have been reported to North Carolina Attorney General Roy Cooper's Consumer Protection Division under new laws that require businesses and government to let consumers know when their personal information may have been lost or stolen, Cooper said.

... Under North Carolina laws, state and local government as well as businesses must notify consumers if a security breach may have compromised their personal information. A total of 103 breaches that involved information about more than 500,000 North Carolina consumers have been reported since the laws took effect in 2005 and 2006.

Of those breaches, half involved the theft of laptops, computers or other equipment containing personal information. Nearly 20 percent of breaches were caused by unauthorized release or display of information, and nearly 18 percent were the result of hackers. Almost half of all breaches reported came from the financial services and insurance industry, while nearly ten percent were reported by state and local government agencies. Businesses have been required to report security breaches since December 1, 2005, and state and local governments have been required to report breaches since October 1, 2006.



Worth watching

http://www.f-secure.com/weblog/#00001143

Big Thinkers

Friday, March 16, 2007 Posted by Sean @ 13:07 GMT

BT – formerly known as British Telecom – conducts forums known as BT's Big Thinkers series.

F-Secure's Chairman of the Board, Risto Siilasmaa, was a panelist during a recent discussion along with Michael Barrett, the Chief Information Security Officer of PayPal. It was hosted by well-known security expert Bruce Schneier, and was moderated by Esther Dyson.

"Security: not just a technical problem" was the topic of discussion. It's a people issue as well.

The discussion is about an hour in length. It takes a minute or two for the video to load from BT's site, probably due to the demand at the moment. Be patient, it's worth the wait.



How do I scan thee? Let me count the ways...

http://www.infosecwriters.com/texts.php?op=display&id=546

Biometrics, What and How

by Moustafa Kamal on 16/03/07

Humans have used body characteristics such as face, voice, gait, etc. from the day that mankind existed to recognize each other. Some characteristics don’t change over time and some do. And since each one has unique characteristics that no other shares, we humans have thought of using that in our daily life. The main aim of using it after 9/11 is for security reasons. So what characteristics do we use? Are they accurate? Can we depend on them in our daily life routine?

I have tried to cover all of the characteristics that are used in biometrics, how they are used, and what the disadvantages of using them are. So I hope that you find this document useful…



There must be a market...

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9013408&taxonomyId=17&intsrc=kc_top

CEBIT : IBM researchers take on video surveillance privacy

James Niccolai

March 16, 2007 (IDG News Service) Researchers at IBM Corp. are trying to address privacy concerns about video surveillance systems, part of a broader effort by IBM to build a new business in the fast-growing surveillance market.

Concerns about security in cities, airports and other public places are causing a proliferation of video surveillance systems, but the increase has heightened concerns about privacy among regulators and the general public.

IBM hopes to alleviate the concerns with technology that can pick out faces in a video frame and automatically blur them, so that people's images -- and therefore their movements -- are not recorded, said Joachim Stark, director of digital video surveillance with IBM's global services group.

An obvious hurdle is identifying the potential suspects from innocent bystanders. Investigators often review closed-circuit video footage after a crime is committed, and blurring faces would defeat much of the point of doing surveillance.

One solution is to find ways to identify suspects automatically [Oh look, he came out of a mosque... Bob] so that only their faces are left unblurred. Video analytics software can already trigger an alert when a person leaves an object of a certain size on a station platform, for example, and walks off. After spotting such a behavior, a surveillance system could "rewind" the action in Tivo-like fashion and unblur a suspect's face from the moment the person enters the frame, Stark said.

Another option is to blur all the faces when the video is recorded, but allow investigators with the right access permissions to unmask them at a later date.

... The video surveillance market is growing at around 15 percent annually, Stark said. IBM hopes to distinguish itself with its database and middleware technologies, which can help store and analyze the vast quantities of video data.

Surveillance technologies have already come a long way. IBM's analytics software records metadata, or information about the data in a video, such as colors and the size of objects in a frame. If a witness reports seeing someone in a red sweater acting suspiciously, investigators can search for "red" in the surveillance software and pull up the relevant images.

Such systems can generate vast amounts of data, however, and IBM is looking at compression technologies to reduce the volume.



Attention virtual lawyers!

http://techdirt.com/articles/20070315/010624.shtml

Can A Web Crawler Enter Into A Contract?

from the seems-unlikely dept

The Technology & Marketing Law blog is discussing an interesting case where a woman put up some text on her website claiming that by visiting the website you were agreeing to the "contract" represented in the terms -- which included the fact that if you copied or distributed any content on the site, you agreed to pay large sums of money back to the woman. What happened next is probably pretty predictable. The Internet Archive archived a version of her page... and she tried to get money out of them. The Internet Archive went to court to have it declared that they did nothing wrong, and the woman countersued. Of course, she didn't just sue for breach of contract, but copyright infringement, conversion, civil theft and racketeering (just to be safe). Racketeering certainly seems pretty extreme -- but then again so does claiming that by putting some simple text on your website anyone who visits the website (including automated web crawlers) enters into a binding contract. While the discussion focuses on whether or not a spider can enter into a clickwrap contract like that, an equally interesting question might be whether or not anyone can force people to give up their fair use rights. Right now, it seems that the courts are divided on that question -- though the argument that you cannot be forced to give up fair use rights makes a lot more sense based on the entire stated purpose of fair use rights. Still, the situation sounds quite similar to a discussion we had last year of a newspaper that tried to state on its website that fair use did not apply to its content. As for the question of whether or not something like the Internet Archive is fair use, at least one court has said that Google's cache is fair use, and that's quite similar to the Internet Archive. Either way, the case is still ongoing and should be interesting to follow.
Hopefully the court will recognize that anyone who actually visits this woman's website actually violates that agreement by "making a copy" on their local hard drive -- which should help explain why the demand against copying is effectively meaningless.


Ditto

http://techdirt.com/articles/20070315/193857.shtml

Can A Telco Block Phone Calls To A Number They Don't Like?

from the they're-trying dept

If you're involved with startups these days, you've probably used FreeConference.com. It's become the de facto conference call system for many startups. Basically, it lets you create conference calls for just the cost of the long distance call to the number provided (usually in Iowa or Minnesota). Since many phone plans these days include unlimited long distance, there isn't even much of a cost for most users. I used to think that the business model behind FreeConference.com was to upsell people to more feature-complete conference calls (as well as ones that didn't provide a little jingle for FreeConference.com at the beginning -- for people who didn't want big name customers or partners knowing they were using a free service). However, many have suggested that the real business model was the same as those services that offered free international calls: arbitrage over termination fees. Since regulators put in place ridiculously high termination fees (the fees other telcos pay local telcos for connecting a call to that telco's end user) there was an arbitrage opportunity. These services could set up deals with the local telcos, drive many more calls to those local exchanges. The local telcos then get a ton of cash from the termination fees, and give some of it back to the service that drove all that traffic. In the case of the free international calls, AT&T decided to sue the company for fraud.

However, it looks like the various telcos have taken a different strategy when it comes to FreeConference.com: they're simply blocking callers from calling that number. Think about that for a second, because it's quite troubling. The telco is deciding that they don't want you to be able to call certain numbers -- and then just blocking them, leaving no recourse. Apparently some people can still get through, but others are having trouble. It certainly has some similarities to the whole network neutrality debate. The FCC tends not to take kindly to telcos blocking anyone's ability to call anyone else -- though, in the past, it's usually smaller telcos doing the blocking, rather than Kevin Martin's buddies at the big telcos. Either way, it seems pretty sleazy to suddenly block the ability to call certain numbers. The problem isn't with these services, but the bad regulations that allowed the small telcos to charge crazy termination fees in the first place. If the big telcos have a problem with it, they should take it up with whoever put those laws in place.



Wouldn't it be better to protect the victims rather than cripple the whistle blowers?

http://www.eweek.com/article2/0,1759,2104844,00.asp?kc=EWRSS03119TX1K0000594

Italy Bans Mobile Phones in Classrooms

March 16, 2007 By Reuters

ROME—Italy has banned schoolchildren from using mobile phones in class in an attempt to stop ringtones disrupting lessons and prevent pupils messing about with video cameras.

The rules force schools to discipline children who persist in using their phones, with punishments ranging from the confiscation of phones to excluding pupils from final exams.

The ban follows a series of incidents that have shocked Italians. In November, a video showing a disabled pupil being bullied by classmates, filmed on a mobile phone, caused outcry after it was posted on the Internet. In another, pupils filmed each other sexually harassing a female teacher. [“We would prefer not to know” Bob]



Just to clarify...

http://www.technewsworld.com/rsstory/56329.html

Google's Big Privacy Move - Close but No Cigar

By Katherine Noyes TechNewsWorld 03/16/07 7:40 AM PT

Google's announcement Wednesday that it will adopt new privacy measures designed to make it harder to connect searches with the individuals who request them has been met with mixed reaction. Privacy advocates have generally applauded the move, but they say Google's plan to erase key pieces of data between 18 and 24 months after a search is done is still not the right solution.

... the company now has announced that it will no longer save such identifying information at all beyond a certain point. Instead, it will erase key pieces of data [What they actually said was that they would “anonymize our server logs.” I take this to mean they will replace data that can easily identify you (your e-mail address, for example) with a random code that will make your identity non-obvious. I also suspect they will keep a table connecting your email address with the new random code – after all, they will want to ensure that as each month's search data is “anonymized,” it can still be connected to the same individual's file. Or am I wrong? Bob] between 18 and 24 months after a search is done.

[Here's another take on this story: http://searchengineland.com/070314-180307.php ]
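An added example, not from the TechNewsWorld piece and not Google's actual code, showing the difference the bracketed comment above turns on. `Pseudonymizer` replaces the client IP and cookie id with a keyed code and keeps the mapping, so the log owner can still link every month of one user's searches and, holding the key or the table, turn a code back into the identifier; `anonymize_irreversibly` truncates the IP and drops the cookie id, so neither linking nor reversal is possible. The log lines, the field layout and the key are constructed for the example.

```python
"""Keyed pseudonyms versus irreversible anonymization of a search log.

Added example; the log lines, the field layout and the key are constructed.
"""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample lines: client IP, timestamp, request, cookie id.
SAMPLE_LOG = [
    '203.0.113.42 [14/Mar/2007:10:01:12 +0000] "GET /search?q=privacy" cid=a1b2c3',
    '203.0.113.42 [14/Mar/2007:10:05:40 +0000] "GET /search?q=wiretap" cid=a1b2c3',
    '198.51.100.7 [15/Mar/2007:09:12:03 +0000] "GET /search?q=cebit" cid=zz9y8x',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" cid=(?P<cid>\S+)$')


def parse_line(line):
    """Split one log line into its fields; raise on anything unexpected."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def truncate_ip(ip_text):
    """Zero the host bits (keep /24 for IPv4, /48 for IPv6). Cannot be undone."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


class Pseudonymizer:
    """Swap each identifier for an HMAC-derived code and remember the mapping.

    The same input always yields the same code, so one user's records stay
    linkable across months, and whoever holds the key (or the table) can
    turn a code back into the original identifier. This is pseudonymization,
    not anonymization.
    """

    def __init__(self, key):
        self.key = key          # secret held by the log owner (assumed)
        self.table = {}         # code -> original identifier

    def code_for(self, ident):
        code = hmac.new(self.key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        self.table[code] = ident
        return code

    def reidentify(self, code):
        return self.table[code]

    def process(self, line):
        f = parse_line(line)
        return f'{self.code_for(f["ip"])} [{f["ts"]}] "{f["req"]}" cid={self.code_for(f["cid"])}'


def anonymize_irreversibly(line):
    """Truncate the IP and drop the cookie id. No key, no table, nothing to reverse."""
    f = parse_line(line)
    return f'{truncate_ip(f["ip"])} [{f["ts"]}] "{f["req"]}"'


if __name__ == "__main__":
    p = Pseudonymizer(key=b"example-key")
    for line in SAMPLE_LOG:
        print("pseudonymized:", p.process(line))
        print("anonymized   :", anonymize_irreversibly(line))
```

The check worth making of any "anonymized" log is whether two records from the same person still carry the same token. If they do, a key or a table exists somewhere that links them, and the privacy of the log depends on who can reach it, not on the word "anonymized".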



Good idea?

http://www.pogowasright.org/article.php?story=20070316171456832

Data-Mine Time in The Senate (commentary)

Friday, March 16 2007 @ 05:14 PM CDT - Contributed by: PrivacyNews - Fed. Govt.

Buried deep within the massive Homeland Security bill recently passed by the Senate is a provision that should give privacy advocates some much needed cheer. But it probably won't. Section 504 of the bill requires the federal government to report annually on its development and use of data-mining technologies. However, the provision does not prohibit the government from data mining. It only has to tell Congress what it's doing.

Source - InternetNews.com



So will the court smack SCO for wasting its time? (Transcripts included)

http://yro.slashdot.org/article.pl?sid=07/03/16/1255230&from=rss

The Score is IBM - 700,000 / SCO - 326

Posted by Zonk on Friday March 16, @09:57AM from the that's-some-impressive-evidence dept.

The Peanut Gallery writes "After years of litigation to discover what, exactly, SCO was suing about, IBM has finally discovered that SCO's 'mountain of code' is only 326 scattered lines. Worse, most of what is allegedly infringing are comments and simple header files (like errno.h). These probably aren't copyrightable for being unoriginal and dictated by externalities and aren't owned by SCO in any event. Above and beyond that, IBM has at least five separate licenses for these elements, including the GPL, even if SCO actually owned those lines of code. In contrast IBM is able to point out 700,000 lines of code, which they have properly registered copyrights for, which SCO is infringing upon if the Court rules that it repudiated the GPL."



Inevitable?

http://hosted.ap.org/dynamic/stories/C/COURT_RECORDINGS?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Courts to Release Trial Tapes Online

By MATT APUZZO Associated Press Writer Mar 17, 2:58 AM EDT

WASHINGTON (AP) -- A computer and an Internet connection may soon be all that are needed for anyone to hear closing arguments in a corruption trial or listen to the testimony of a mob turncoat.

The federal judiciary approved a pilot program this week to make free audio recordings of court proceedings available online. Although a court's participation in the program is voluntary, U.S. District Judge Thomas F. Hogan, the executive committee chairman of the policy-making Judicial Conference, said he expects the system ultimately will be widely used.

... At present, recording devices and cameras are prohibited in all federal courtrooms. However, in some high-profile cases the Supreme Court releases audio recordings of oral arguments. Some federal trial courts, such as the one in Philadelphia, sell daily audio recordings of hearings.

... "As technology becomes more pervasive and access to recorded material becomes more a part of daily life, the courts are moving with the times," Siegel said.

... He said judges will have discretion over when to turn the recorder off, such as during an FBI informant's testimony or when a rape victim takes the stand. Ronald Collins, a scholar at the First Amendment Center, said lawyers will haggle [and the sun will rise in the east... Bob] over when that's appropriate.



Can I be private?

http://www.pogowasright.org/article.php?story=20070316135757776

Computer Protocols Changed to Insure Private Network

Friday, March 16 2007 @ 01:57 PM CDT - Contributed by: PrivacyNews - Minors & Students

Wesleyan will adjust its computer network access protocols in order to remain exempt from an order by the Federal Communications Commission that requires facilities-based Internet service providers to engineer their networks to assist law enforcement agencies in executing wiretap orders. The changes, intended to ensure that the university's network is viewed as "private" and thus exempt, include requiring log-ins for access to the campus wireless network, kiosks and library computers.

Source - The Wesleyan Connection

[From the article:

Analyses by EDUCAUSE and the American Council on Education support the use of two criteria in determining whether a college or university can hold itself exempt: it may not own the hardware that connects its network to the Internet, and it must authenticate all users who access the Internet from its network. The hardware Wesleyan uses is owned by the Connecticut Education Network.

Friday, March 16, 2007

In Japan, this is a major indictment of the printing company. They might go out of business in shame... Seriously! Perhaps someone in this country might do the same for TJX? Naaaah.

http://www.asahi.com/english/Herald-asahi/TKY200703160105.html

EDITORIAL/Theft of personal data

--The Asahi Shimbun, March 15(IHT/Asahi: March 16,2007) 03/16/2007

In a shocking case of data theft, personal information on more than 8.6 million consumers was stolen from a printing company that handles direct mail for dozens of corporate clients. According to Dai Nippon Printing Co., the data affects customers of 43 of its clients, including credit sales companies, insurers, retailers and consumer loan firms.

The data was apparently pilfered by a former employee of a subcontractor that processed the information for the printing company. The suspect, Hirofumi Yokoyama, 45, smuggled out the information on a magneto-optical disk, according to prosecutors.

They said he sold the data of some 150,000 customers of a major consumer credit firm to a fraud ring targeting online shoppers. Part of the data was used for credit card fraud totaling several millions of yen. Yokoyama was arrested after he left the company. He was later indicted on theft charges.

Under the new law for the protection of personal information that went into force in 2005, companies dealing with such data are required to enhance their information security management.

Dai Nippon Printing clearly bears a heavy responsibility for this data leak. It says similar leaks started several years ago.

Dai Nippon says it hadn't expected data theft to be committed by insiders. [Historically the most common way... Bob] Still, the company could have prevented the crime if it had taken cautionary steps like prohibiting workers from taking recording media out of computer rooms and frequently checking records of access to databases.

The company clearly is out of touch in its awareness of the huge responsibility it shoulders in protecting such vast amounts of personal data provided by its clients.

The companies that entrusted the data with Dai Nippon also share blame. The privacy protection law stipulates that when companies provide personal data to other firms for processing they must properly supervise the information security management of those entities.

This is a data breach of an unprecedented scale that led to actual financial fraud. In order to identify the problems with Dai Nippon's information security system, the Ministry of Economy, Trade and Industry and other organizations need to start their own investigations into the case and warn the public about the risks of disclosing their personal information. If necessary, they should consider issuing special recommendations to companies that have experienced similar data leaks.

If such cases of data theft continue, political momentum could grow again for a proposal to introduce a new crime category to punish information leaks, an idea that the ruling camp had considered for a while.

The current law imposes private information protection requirements on companies and organizations but doesn't provide any punishment for individuals who have stolen or sold such information.

In the Dai Nippon case, Yokoyama has been indicted only on the charge of stealing a magneto-optical disc worth 250 yen, not of stealing the data.

We believe, however, it would not be wise to create new punishment for theft of all kinds of personal information. This kind of provision could be abused to deter acts that should be defended, such as whistle-blowing on corporate violations by insiders.

But it is worth considering how to establish category-specific regulations on the kinds of sensitive personal information that could be abused, causing serious consequences. This would include credit card numbers, data concerning personal savings and debts at financial institutions as well as data on patient charts at hospitals.

One reasonable proposal would be to establish specific rules for each of these areas--financial services, consumer credit and medical services--to hold individuals and companies that have stolen or traded personal information accountable.

The government's Quality-of-Life Council is now reviewing ways in which the information protection law has been enforced. The panel should consider a wide range of steps to prevent damaging data breaches.
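An added example, not from the Asahi editorial and not Dai Nippon's system, of the "frequently checking records of access to databases" control the editorial mentions: a detection pass over database audit records that flags a user whose daily row pulls are far above that user's own history, and any single large pull outside working hours. The audit records, their field layout and the thresholds are constructed assumptions.

```python
"""Flag bulk record pulls in database audit logs against each user's own baseline.

Added example; the audit records, their layout and the thresholds are constructed.
"""
import statistics
from collections import defaultdict

# Constructed sample: ISO timestamp, user, action, table, rows returned.
AUDIT_LOG = """\
2007-02-01T09:12:00 yokoyama SELECT customers 180
2007-02-01T14:30:00 yokoyama SELECT customers 210
2007-02-02T10:05:00 yokoyama SELECT customers 195
2007-02-05T11:20:00 yokoyama SELECT customers 160
2007-02-06T09:40:00 yokoyama SELECT customers 220
2007-02-07T22:47:00 yokoyama SELECT customers 150000
2007-02-01T09:00:00 sato SELECT customers 4000
2007-02-02T09:00:00 sato SELECT customers 4100
2007-02-05T09:00:00 sato SELECT customers 3900
2007-02-06T09:00:00 sato SELECT customers 4050
2007-02-07T09:00:00 sato SELECT customers 3950
"""


def parse_audit(text):
    """Turn the whitespace-separated records into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, table, rows = line.split()
        records.append({
            "ts": ts, "day": ts[:10], "hour": int(ts[11:13]),
            "user": user, "action": action, "table": table, "rows": int(rows),
        })
    return records


def daily_totals(records):
    """user -> day -> total rows returned that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["user"]][r["day"]] += r["rows"]
    return totals


def find_bulk_pulls(records, ratio=10.0, min_rows=1000, after_hours=(20, 7)):
    """Return (user, day, rows, baseline, reason) tuples.

    'volume': a day's total is at least `min_rows` and more than `ratio` times
    the median of that user's other days (a user with no other days is compared
    against a baseline of 1, so any large first-day pull is reported).
    'after-hours': a single query returning `min_rows` or more between
    after_hours[0] and after_hours[1] o'clock.
    """
    findings = []
    for user, per_day in daily_totals(records).items():
        for day, total in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if total >= min_rows and total > ratio * max(baseline, 1):
                findings.append((user, day, total, baseline, "volume"))
    start, end = after_hours
    for r in records:
        if r["rows"] >= min_rows and (r["hour"] >= start or r["hour"] < end):
            findings.append((r["user"], r["day"], r["rows"], None, "after-hours"))
    return findings


if __name__ == "__main__":
    for finding in find_bulk_pulls(parse_audit(AUDIT_LOG)):
        print(finding)
```

In the constructed sample, sato pulls about 4,000 rows every morning and is never flagged, because the baseline is per user; a single flat threshold low enough to catch yokoyama's 150,000-row evening pull would page on sato daily. Both rules are weak on their own (a patient insider can take a few hundred rows a night for months), which is why the editorial pairs log review with controls on removable media leaving the computer room.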


This is all we get on TJX's indiscretions...

Perhaps what we need is someone to speculate on all the ways TJX could have screwed up?

http://www.channelinsider.com/article/TJX+Probes+Slowly+Crawl+Along/203180_1.aspx

TJX Probes Slowly Crawl Along

By Evan Schuman 3/15/2007 9:39:00 AM

The data breach case of $16 billion retailer TJX is crawling along, with this week delivering to us a handful of pseudo-developments. Those are things that sound like information, but examined closely tell us little new.

The Federal Trade Commission, for example, confirmed that it has been investigating TJX, but wouldn't say what it has found nor when it started. This would only be news to someone who thought the FTC would not have investigated, and that pretty much rules out anyone who understands Washington's CYA mentality.

Yes, the FTC will make some inquiries, take many months to mull it over and then quietly issue a fine that is near the top of their penalties, which is also coincidentally just shy of what TJX would consider a rounding error. Oh, and the FTC investigation's details won't be published, probably under national security headings because it could help al-Qaeda attack the U.S. credit card business. (Snicker now, but just wait and see how close the FTC comes to that wording in six months.)

Ahhhhh, but this country has checks and balances, no? The new majority in the U.S. House of Representatives has pledged to act and act quickly. We're now told by House staffers that the Energy and Commerce Committee is going to leap into action with hearings in "mid-to-late May" about a proposed data security bill.

Great! So that's when congressional testimony will reveal the specifics of what happened with TJX, so the rest of the industry can protect itself, right? Well, actually, no. The FTC probe is giving Congress political cover to not investigate TJX, but the hearings will have lots of witnesses to say that data security really needs a lot of work. And money. Don't forget the money.

Maybe, say the congressional aides, the committee will truly investigate TJX when the FTC probe is over.

Wait. All hope is not lost. What about all of those class-action lawsuits? Surely those depositions will start shedding light? Don't bet on it. It's going to take quite a few months before any of those depositions will be taken and, even then, lawyers will want to keep those details quiet until they can negotiate juicy settlements with TJX.

Why? There's only one thing TJX fears more than letting this case get to a jury: letting the full details get to its customers and investors. A last-minute settlement—with a hush clause—is quite likely. To not lose their leverage, lawyers will likely sit on those details as though they're the crown jewels.

What of our state governments? They're certainly above political or monetary considerations, right? The multi-state attorney general probe is proceeding, but details coming out are few. We did learn this week some of the not-yet-released states that are participating and that it does appear to be about 34 states involved.

Beyond Massachusetts (which is in charge of the probe) and Rhode Island (which had launched its own probe before giving up and joining the group), states participating include: Alabama; Arkansas; Arizona; California; Colorado; Connecticut; Delaware; Florida; Washington, D.C. (OK, so it's not really a state. Sue me); Hawaii (Probe 'em, Danno); Illinois; Maine; Maryland; Michigan; Mississippi; Missouri; Montana; Nebraska; Nevada; New Hampshire; New Jersey; New Mexico; North Carolina; North Dakota; Ohio; Oklahoma; Oregon; Pennsylvania (which many years ago proved its insightfulness by grabbing the only "attornegeneral.gov" domain. Everyone else has to add state initials to their domain); South Dakota; Tennessee; Texas; and Vermont.

The Massachusetts case is apparently being run with the help of an all-volunteer executive committee, including representatives from the AG offices from Pennsylvania, Vermont, New Jersey, Arizona, Oregon, Ohio, Florida, Illinois, and California.

Those states participating on the executive committee, one source said, often get a shot at additional money for their states. That's part of the problem. The states have an incentive to negotiate financial arrangements to get money back to state residents, but little incentive to publicly detail the security procedure lapses that caused the breach to happen and, much more importantly, the disclosure of which might prevent similar ones from happening.



Was that the question? I thought it was “How does Real ID protect the country?”

http://www.infoworld.com/article/07/03/15/HNdhshead_1.html

DHS head: Security and privacy not at odds

Michael Chertoff downplays concerns about government's efforts to create data-chipped drivers licenses

By Grant Gross, IDG News Service March 15, 2007

The head of the U.S. Department of Homeland Security on Thursday downplayed privacy concerns raised by the government's efforts to create standardized, data-chipped drivers licenses across the country.

The same technology that makes information on identification cards more reliable can also protect privacy, DHS Secretary Michael Chertoff said during a speech to the Northern Virginia Technology Council. "It's my contention that properly used technology ... actually protects privacy," he said. "We should not allow folks to be captivated by the argument that every time we do something with a computer, it invades privacy." [Nor should we assume that all consequences are obvious and readily understood by the IT guys... Bob]



The start of something useful?

http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1173949429016

Sharing Business Information in a High-Risk World

William A. Tanenbaum New York Law Journal March 16, 2007

This is the inaugural column on privacy and data protection. The column is designed to assist general counsel in addressing the privacy and data issues that arise in a "stand-alone" context, such as liability for the wrongful disclosure of consumer personal information, and as part of large corporate initiatives, such as outsourcing, business services partnerships, structuring relationships with information technology vendors and securing intellectual property protection for databases (copyright) and business methods (patent).

The topics addressed in this column will be based on three fundamental premises. First, today's methods of doing business require a company to open its computer systems and data to third parties. More openness means more security risks. The result is that in-house counsel must work with chief information officers and other business executives to balance the benefits of openness with the increased risks to computer and data security.

Second, privacy is part of a larger category, and I will call that category "information management." This category includes trade secrets, corporate data protection, data exchange, data mining, IT security, protection against competitive intelligence, and information life-cycle management.

Third, data protection should be driven down to the data level. Focusing only on firewall protection is like building a fortress and then failing to take into account all the doors and windows that were inserted in the walls to enable data to flow to and from the castle domain. The data has to move in and out of the fortress, and it needs to be protected as it does, as required by the nature of a specific piece of information and the uses to which it will be put. Broadly speaking, protection in this context means that restrictions need to be in place so that exchange of data does not violate applicable privacy laws and so that confidential and proprietary business data does not lose its proprietary status and enter the public domain.

These three premises, which will be discussed in greater detail below, illustrate the convergence of privacy, security, cybercrime and intellectual property.



Interesting business model. How could it be a crime?

http://techdirt.com/articles/20070314/115923.shtml

Is It Illegal To Help Someone Watch TV Over Their Computer?

from the questions,-questions dept

This one is actually from a few weeks ago, but we were just informed of it by Ed.

Apparently, there's a company that's trying to help people watch satellite TV over their computer and has come up with an interesting plan. They'll use Slingboxes and DirecTV accounts to help people watch DirecTV via any internet connection. From the article, it sounds like neither DirecTV nor Slingbox is happy about this, and there's talk about terms of service violations and such. However, it's not entirely clear why this is a problem. Everyone who should be getting paid still is getting paid. Each customer has to buy their own DirecTV account -- it's just that it's installed at this company's offices, rather than at their own home. Since you need to have a separate Slingbox for each account, the company is still buying the Slingboxes. So, both DirecTV and Sling Media get their cut. The company then charges a $99/month service fee, which is pretty steep considering that the person also has to pay for a DirecTV account on top of that. Really this is only useful for people who have internet connections, want the programming that's available on DirecTV, but for some reason cannot get DirecTV -- which might not be a huge market. However, it's hard to see why that should be considered a problem for any of the companies involved. This service is simply reselling their offerings, bringing them to markets that otherwise wouldn't get served.



It's good to know that when Microsoft says they have a process worked out – like security – it is infallible!

Vista Can Run Without Activation for a Year

Posted by CowboyNeal on Friday March 16, @07:22AM from the procrastinists-in-luck dept. Windows Microsoft

An anonymous reader gave us a heads up on this article for people who like putting things off. It begins: "Windows Vista can be run for at least a year without being activated, a serious end-run around one of Microsoft's key anti-piracy measures, Windows expert Brian Livingston said today. Livingston, who publishes the Windows Secrets newsletter, said that a single change to Vista's registry lets users put off the operating system's product activation requirement an additional eight times beyond the three disclosed last month. With more research, said Livingston, it may even be possible to find a way to postpone activation indefinitely."



I'll be curious to see what deal they made...

http://yro.slashdot.org/article.pl?sid=07/03/15/2124216&from=rss

RIAA Has to Disclose Attorneys Fees In Foster Case

Posted by Zonk on Thursday March 15, @05:56PM from the it-feels-good-to-come-clean dept. Music The Almighty Buck The Courts

NewYorkCountryLawyer writes "The RIAA has been ordered to turn over its attorneys' billing records by March 26, 2007, in Capitol v. Foster in Oklahoma. The 4-page decision and order, issued in connection with the determination of the reasonableness of Ms. Foster's attorneys fees, requires the RIAA to produce the attorneys' time sheets, billing statements, billing records, and costs and expense records. The Court reviewed authorities holding that an opponent's attorneys fees are a relevant factor in determining the reasonableness of attorneys fees, quoting a United States Supreme Court case which held that 'a party cannot litigate tenaciously and then be heard to complain about the time necessarily spent by his opponent in response' (footnote 11 to City of Riverside v. Rivera)."



A case of “We could, so we did?” (Imagine taking this image to the site that converts it to print in page size increments... You could wallpaper your whole house!)

http://digg.com/general_sciences/Photo_Life_Size_Blue_Whale

Photo: Life Size Blue Whale

The Whale and Dolphin Conservation Society has posted a life size picture of a Blue Whale! It's so big that a map of the photograph is included to make it easier for you to know what you are seeing.

http://www.wdcs.co.uk/media/flash/whalebanner/content_pub_en.html OR

http://www.wdcs.co.uk.nyud.net:8090/media/flash/whalebanner/content_pub_en.html

Thursday, March 15, 2007

Sometimes lost just means lost...

http://news.com.com/CD+with+medical+data+of+75%2C000+is+found/2100-1029_3-6167435.html?tag=cd.top

CD with medical data of 75,000 is found

By Milt Freudenheim Story last modified Thu Mar 15 05:04:14 PDT 2007

A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday.

Erin Sommers, a spokeswoman for Magellan Behavioral Services, a managed care company that monitors payments for mental health and substance abuse cases of insurers, said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January.

... The recipients were assembling a new audio system when they found the Magellan disc among the packages, she said.

... Both companies said that they are no longer sending patients' information without coding protection. Failure to provide adequate security protection for individuals' medical records is prohibited by privacy laws.



Much ado has become nothing...

http://news.com.com/Calif.+court+drops+charges+against+Dunn/2100-1014_3-6167187.html

Calif. court drops charges against Dunn

By Leslie Katz Story last modified Thu Mar 15 06:17:47 PDT 2007

A California judge on Wednesday dismissed the charges against former Hewlett-Packard Chairman Patricia Dunn in the HP spying scandal.

The three other remaining defendants--former HP attorney Kevin Hunsaker; private detective Ronald DeLia; and Matthew DePante of data-brokering company Action Research Group--pleaded no contest to a count of fraudulent wire communications at Santa Clara County Superior Court in San Jose, Calif., the state attorney general's office said in a statement. The trio will be required to complete 96 hours of community service by September 12; the court said it will dismiss the case against them if that condition is satisfied.

Dunn, for her part, did not enter a plea.

"We have maintained from the beginning that Pattie Dunn was innocent and thus vigorously fought the charges against her," said Dunn's attorney, James Brosnahan, of the firm Morrison & Foerster. "Today, the judge dismissed the case. Ms. Dunn did not plead to anything. This is the right result."

... Originally, California charged five people with four felonies, including conspiracy and identity theft. In January, the state dismissed its case against the fifth HP defendant, Bryan Wagner, a Colorado man believed to have been an employee of Action Research, when he pleaded guilty to federal charges relating to his role in HP's internal investigation of boardroom leaks. Under California law, the state cannot prosecute a defendant for conduct that the defendant has already been tried for in another jurisdiction.



Must reading.

http://www.heise.de/english/newsticker/news/86719

UNESCO states position on ethical issues in the information society

UNESCO has published a brochure entitled "Ethical Implications of Emerging Technologies" (PDF file) dealing with the consequences of the use of RFID chips, biometric identification systems, and location-based services (LBSs). Written by lawyers from the US, the brochure was published as part of the "NGO Geneva Net Dialogue" in which non-governmental organizations stated their case after the UN World Summit on Information Freedom and the Internet Governance Forum.

... The authors call for the establishment of an advisory board within UNESCO to advise politicians in matters concerning information ethics.

... Finally, a generally applicable code of ethics should be worked out for information technologies, taking the Universal Declaration of Human Rights as a guideline.



  1. Take down specified material while considering

  2. Write huge, nasty article describing the weak brains making the request

  3. Watch many times more users access the material when you put it back...

http://techdirt.com/articles/20070312/174754.shtml

Court Says That Taking Down Content After Nastygram Isn't An Agreement To Never Discuss Again

from the good-ruling dept

Over on Dave Farber's Interesting People mailing list, there's news that an Appeals Court has found that simply taking content offline after a lawyer nastygrams you is not an agreement to stop discussing the subject. In the case at hand, an unhappy patient of Lasik eye surgery created an anti-Lasik website where he trashed his doctor. The doctor got upset, and his lawyers nastygrammed the website owner -- who, like many people when first nastygrammed, pulled the site offline. A trial court said that, in taking down the content, the website owner was effectively giving up his right to discuss the doctors again -- which seems quite stifling of free speech. Luckily, the Appeals Court agreed and found that taking down content is not the same as waiving your First Amendment rights. Note that this is entirely separate from the question of whether or not the content itself was defamatory -- but just whether the action of taking down the content is some sort of agreement to give up the right to discuss the topic.



In the US, garbage is in the public domain... Right?

http://calsun.canoe.ca/News/Alberta/2007/03/14/3748396-sun.html

Defence says cops trashed privacy

By KEVIN MARTIN, SUN MEDIA

Garbage picking cops crossed the line when they reached into a suspected drug producer's trash receptacle and pulled out critical evidence, a lawyer argued yesterday.



Better?

http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html

Taking steps to further improve our privacy practices

3/14/2007 03:00:00 PM

Posted by Peter Fleischer, Privacy Counsel-Europe, and Nicole Wong, Deputy General Counsel

When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)—but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months.

... This also means providing clear, easy to understand privacy policies that help you make informed decisions about using our services.

... Of course, you can always choose to have us retain this data for more personalized services like Search History. But that's up to you.

... If you want to know more, read the log retention FAQ (PDF).
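A concrete illustration of the retention rule described above, as an added example that is not Google's code: the post says only that query, IP address and cookie details are logged and that the logs become "much more anonymous" after 18-24 months, so the log line format, the IP truncation and the cookie-ID removal below are assumptions about what such a policy could look like in practice.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample log in a hypothetical space-separated format:
#   <ISO-8601 timestamp> <client IP> <cookie id> <query>
SAMPLE_LOG = """\
2005-06-01T12:00:00+00:00 203.0.113.42 cid=a1b2c3 q=privacy+policy
2005-07-15T08:30:00+00:00 2001:db8:1:2:3:4:5:6 cid=d4e5f6 q=blue+whale
2007-03-01T09:00:00+00:00 198.51.100.7 cid=778899 q=log+retention
"""

RETENTION_MONTHS = 18        # lower bound of the 18-24 month window quoted on the page
ANON_COOKIE = "cid=-"        # placeholder that replaces the per-user cookie id


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    ip: str
    cookie: str
    query: str

    def to_line(self) -> str:
        return f"{self.ts.isoformat()} {self.ip} {self.cookie} {self.query}"


def parse_line(line: str) -> LogEntry:
    ts, ip, cookie, query = line.split(" ", 3)
    return LogEntry(datetime.fromisoformat(ts), ip, cookie, query)


def truncate_ip(ip: str) -> str:
    """Keep only the network part: /24 for IPv4, /48 for IPv6 (assumed prefix sizes)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def is_expired(entry: LogEntry, now: datetime, months: int = RETENTION_MONTHS) -> bool:
    """True once the entry is older than the retention window (a month taken as 30 days)."""
    return entry.ts <= now - timedelta(days=30 * months)


def anonymize(entry: LogEntry) -> LogEntry:
    """Strip the two direct user identifiers; the query text itself is kept.
    A query can still identify someone (the AOL release showed that), so this
    reduces identifiability rather than eliminating it."""
    return replace(entry, ip=truncate_ip(entry.ip), cookie=ANON_COOKIE)


def apply_retention(lines, now: datetime, months: int = RETENTION_MONTHS):
    """Return the log with every expired entry anonymised and recent entries untouched."""
    out = []
    for raw in lines:
        entry = parse_line(raw)
        if is_expired(entry, now, months):
            entry = anonymize(entry)
        out.append(entry.to_line())
    return out


def process_sample(now_iso: str):
    """Run the policy over the constructed sample as of the given moment."""
    return apply_retention(SAMPLE_LOG.splitlines(), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for line in process_sample("2007-03-17T00:00:00+00:00"):
        print(line)
```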



Get over it?

http://techdirt.com/articles/20070313/213014.shtml

Is Your ISP Selling Your Clickstream Data? Do You Have Any Privacy At All?

from the privacy-nightmare dept

Alexa-competitor Compete Inc.'s CEO David Cancel told conference attendees Tuesday that there's a pretty good business for ISPs to sell your (just slightly) anonymized clickstream data. This explains how Compete Snapshot gets its data -- though, early reviews suggest the data isn't very good. This isn't aggregate data. The ISPs are literally selling the fact that "user 1" went to this particular list of sites in this order. He doesn't say who's buying the data (besides making it clear that he's a customer), but you can bet some of the hedge funds are making good use of it in determining what's hot as well. Still, as is noted in the article, this is "much worse" than last summer when AOL released search stream data. In that case, at least, AOL meant well in releasing the data for research purposes. In this case, it's selling your surfing habits for pure profit -- though, the "risks" are smaller since it's not nearly as easy for anyone to get their hands on the data. Of course, it probably isn't particularly hard to take that data and figure out who many of the "anonymous" users are, if someone wanted to do so. It would be interesting to see if users could make a case for this violating their privacy -- though, it would be quite difficult for any particular individual to find out if their ISP is doing this since, once again, the data is private. It's just one more reminder that your privacy may not be as private as you believe -- and also a reminder that figuring out how to surf the web over an encrypted system isn't a bad idea if you want to keep your surfing habits private.



Aren't we? (See next article)

http://techdirt.com/articles/20070312/002120.shtml

China Using Great Firewall To Spy On Business Deals?

from the sneaky,-sneaky dept

Over the years, there have been plenty of articles on the Great Firewall of China, so yet another one by itself wouldn't be that interesting. However, this lengthy piece in the Australian has one tidbit that hasn't been discussed much elsewhere, which is that China may not just be using its router-based censorship for blocking access to certain content, but also for corporate espionage purposes. Not much in the way of details is given, but the article opens with a story of a US businessman negotiating a deal in Beijing with a large state-owned Chinese company -- and he's surprised to note that each morning the other side starts the discussions with whatever key points he had emailed back to the home office the night before. He believed that the Chinese government (or by proxy via an ISP) was intercepting the messages and handing them over to the firm he was negotiating with. There aren't any details (or even names) with which to verify the story (so it should be taken with a fairly large grain of salt), but it is a reminder that a censorship system need not only serve to block out content, but also to monitor what's being done as well.


http://www.expatica.com/actual/article.asp?subchannel_id=19&story_id=37609

Bos investigates bank info to US

14 March 2007

AMSTERDAM – Finance Minister Wouter Bos is surprised at reports that the US intelligence services have access to data on Dutch bank account holders. "This is news to us and a reason for concern for myself and my colleagues," the minister said.

Bos announced that an investigation would be launched. He and Justice Minister Ernst Hirsch Ballin want to know how far the tentacles of the US services reach into the Dutch financial world. Bos promised to report to Parliament before the end of April, the Volkskrant reports.

... The US is interested in all conceivable streams of financing in its war against terrorism. It was already clear in 2002 that Belgian company Swift, which arranges bank-to-bank transactions worldwide, was giving information to the Americans.

The Dutch government took no action at the time. Bos said "little could be done by Dutch or European law then because it involved a private company."

Now the case is different however because the Americans reportedly directly requested information from the Dutch banks. Bos first wants to know whether the US services approached the public prosecution department initially with a request for legal assistance in the matter.

... Financial spokesperson for the Labour faction Ferd Crone was not satisfied with Bos's comment that banking regulator De Nederlandsche Bank does not concern itself with the privacy of bank clients.



Will this become a major issue? “You slowed my access, I missed a trading deadline, you cost me millions!” worse: “You gave preferential treatment to my competitor!”

http://techdirt.com/articles/20070314/100137.shtml

Comcast Enforces Invisible Broadband Caps

from the guess-we-missed-that-*-after-unlimited dept

Unlimited: not limited or restricted in terms of number, quantity or extent. Seems pretty straightforward, right? Apparently not to broadband providers, who seem to interpret it a bit differently. Because they've marketed their services as unlimited, then done a poor job of designing their networks, they get upset when people actually take advantage of those supposedly unlimited connections, and complain that they're screwing everything up for all their other users. Comcast is the latest to start giving people the boot for using too much bandwidth, even though they don't have a published limit. When pressed by a reporter, a company spokesman wouldn't give any specifics, just that it's "roughly the equivalent of 13 million e-mail messages or 256,000 photos a month", which is hardly helpful. While these companies are certainly well within their rights to put caps on the services they sell (even though it's an annoying practice for many consumers), they need to disclose them clearly to users, and not market their services as if they're unlimited. They also then need to give users ways to track how much bandwidth they've used -- for instance, Cox emails subscribers that go over its disclosed bandwidth caps, and in lieu of pointing them to tools where they can track their monthly usage, it just pushes them to get a more expensive "business" account. While caps may be an annoying way to cover up poor networks or to create tiered levels of service, they're not the real issue here. The real issue is the way broadband providers hide the caps and other restrictions on their services deep in the fine print -- if at all -- where they're far out of sight of their marketing materials.



...or you could donate a million dollars and see if you get invited to sit courtside at a basketball game.

http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20070315/NEWS01/703150473

High court hears UofL donor suit

Decision won't come for several months

By Jason Riley jriley@courier-journal.com The Courier-Journal

FRANKFORT, Ky. -- The public has a right to know who is donating money to the University of Louisville Foundation and what they may receive in return, [Right? Bob] an attorney for The Courier-Journal told the Kentucky Supreme Court yesterday.

... But Mike Risley, an attorney for the foundation, told the court that a donor's right to privacy outweighs the public's interest. And Risley said making the names public could have a chilling effect on donations.

... Sixty-two of more than 47,000 donors requested anonymity, according to attorneys for both sides.



Anonymity aside, were the facts correct?

http://www.nysun.com/article/50507

Secret Blogger Seeks Protection

BY Staff Reporter of the Sun March 15, 2007

An Orthodox Jewish blogger is asking a judge to protect her anonymity from a Long Island elected official who has gone to court to identify the blogger.

The elected official, Pamela Greenbaum, a member of the school board for Lawrence, L.I., asked a state judge last month to force Google to identify the writer behind a popular Web log for the orthodox community in the Five Towns area.

The blog, orthomom.blogspot.com, featured a posting in January critical of Ms. Greenbaum's position regarding the use by yeshiva students of public school facilities. In guest comments to the postings, Ms. Greenbaum has been called a "bigot."

... "It doesn't seem to me that a school board member ought to be suing to find out the identity of her critics," the lawyer, Paul Levy of the Public Citizen Litigation Group, said. "Harry Truman said, 'If you can't take the heat, get out of the kitchen.' Whatever happened to that?"

Ms. Greenbaum has suggested that she intends to file a defamation lawsuit against either the blogger or commentators on the blog.



Interesting, perhaps even useful?

http://www.opencongress.org/

OpenCongress

OpenCongress brings together official government data with news and blog coverage to give you the real story behind each bill.



After you issue an apology, is it more difficult to start other lawsuits?

http://yro.slashdot.org/article.pl?sid=07/03/14/2220210&from=rss

EFF Forces DMCA Abuser to Apologize

Posted by samzenpus on Wednesday March 14, @08:35PM from the depths-of-my-mothers-basement-I-stab-at-thee dept. Censorship

destinyland writes "The EFF just announced victory over a serial abuser of DMCA copyright notices. To set an example, their settlement required Michael Crook to record a video apology to the entire internet for interfering with free speech. He's also required to withdraw every bogus DMCA notice, and refrain from future bogus notices, never contest the original image again, and take a remedial class on copyright law. He'd attempted to use flaws in the DMCA to censor an embarrassing picture of himself that he just didn't want appearing online — but instead the whole thing backfired."



Who knew physicists had a sense of humor?

http://science.slashdot.org/article.pl?sid=07/03/14/172226&from=rss

Stephen Hawking Says Universe Created from Nothing

Posted by ScuttleMonkey on Wednesday March 14, @02:25PM from the preparing-hell-for-people-who-ask-questions dept. Science News

mr_3ntropy writes "Speaking to a sold out crowd at the Berkeley Physics Oppenheimer Lecture, Hawking said yesterday that he now believes the universe spontaneously popped into existence from nothing. He said more work is needed to prove this but we have time because 'Eternity is a very long time, especially towards the end.' There is also a Webcast available (Realplayer or Real Alternative required)."