Saturday, May 26, 2007

Isolated incident? Or has Visa joined the MasterCard breach? Who is required to disclose the breach? The Restaurants, the processor, Visa or the banks?

Debit card security breach at restaurant

A number of banks notify customers

By TIM LANDIS BUSINESS EDITOR Published Friday, May 25, 2007

Kyle Donaldson learned the hard way that his debit card account information had been compromised.

When he tried to pay for $20 worth of gasoline at a convenience store this week, "the card had been canceled on me," said the Springfield resident, who eventually paid with a credit card.

Several local bank executives confirmed Thursday that they have alerted customers, and begun issuing new debit cards in some cases, after someone apparently broke into the customer database of a Springfield chain restaurant.

The chain was not identified, but they said the security breach involved Visa debit cards and apparently affected institutions throughout the community. The FBI has been notified.

"What we've been told is that it was a national, chain-type restaurant, but they don't provide us much more information," said Mike Houston, president and CEO of Town & Country Bank of Springfield.

While bank security networks were not compromised, banks are responsible for notifying customers of the outside data breach.

... "This problem is nationwide, it's not just Springfield," she added.

MORE... IHOP named, but now it looks like many sources (which makes me think about the card processors, like in the MasterCard stories that are leaking out.)

Online security was latest, says restaurant owner

Leak of debit card information may not be limited to one business


Published Saturday, May 26, 2007

Springfield restaurant owner Gene Rupnik was confident his International House of Pancakes had the latest in online security when he opened the business last summer on Dirksen Parkway.

The Springfield restaurant was the source of at least some of the notices sent out by banks in the past week alerting customers that their debit card information had been compromised as the result of a breach at a local chain restaurant.

Law enforcement authorities also are said to be investigating the incident, which may have involved other restaurants or retail outlets, including some outside Springfield.

Rupnik said Friday that the company that handles credit and debit card transactions for his restaurant issued an alert in January that someone had hacked into the network from outside the company - and possibly outside the country.

... Springfield residents Lori and Kevin Fernandez were among those notified by their bank in the past week that her husband's debit card information has been compromised. Lori Fernandez said the letter from Security Bank of Springfield did mention IHOP.

"We would not have known if we had not got that letter," Fernandez said. The couple dined at the restaurant last fall. [Another case of keeping data far too long? Bob]

... Rupnik said he also wasn't sure why it took several months for the alert to reach banks and then customers, though it might be an indication that notices mailed in the past week involved other retailers.

... "I would like to sit here and tell you it couldn't happen again, but we thought it couldn't happen before." [Most honest statement I've seen! Bob]

Not much information, but it is amusing to see that the computer had the breach, not the DoT...

DOT Security Breach Affects 25,000 Employees

Posted: May. 25 5:01 p.m. Updated: May. 25 6:28 p.m.

Raleigh — A computer server holding the names and Social Security numbers of about 25,000 North Carolina Department of Transportation employees, contractors and other state employees had a security breach, officials announced Friday.

The breach affects employees who were issued identification badges from 1997 until 2006. Officials have no evidence that the personal information was accessed, according to the DOT.

Wrap-up includes the little ones I skip and some follow-ups

Data “Dysprotection” Weekend Roundup for Week Ending May 27th (update 3)

Friday May 25th 2007, 5:29 pm

Most interesting... If there is a readily available method to circumvent the “security” it is not “effective security” -- or am I generalizing too much?

Finnish court rules CSS protection used in DVDs “ineffective”

May 25th, 2007 by Mikko

Below is the press release we sent and here’s more detailed analysis of the case and its potential implications.

Helsinki, May 25, 2007. Turre Legal. Free for publication immediately.

Finnish court rules CSS protection used in DVDs “ineffective”

In a unanimous decision released today, the Helsinki District Court ruled that the Content Scrambling System (CSS) used in DVD movies is “ineffective”. The decision is the first in Europe to interpret new copyright law amendments that ban the circumvention of “effective technological measures”. The legislation is based on the EU Copyright Directive from 2001. According to both Finnish copyright law and the underlying directive, only such a protection measure is effective “which achieves the protection objective.” [I love it! Bob]

... According to the court, CSS no longer achieves its protection objective. The court relied on two expert witnesses and said that “…since a Norwegian hacker succeeded in circumventing CSS protection used in DVDs in 1999, end-users have been able to get with ease tens of similar circumventing software from the Internet even free of charge. Some operating systems come with this kind of software pre-installed.” Thus, the court concluded that “CSS protection can no longer be held ‘effective’ as defined in law.” All charges were dismissed.

Defendant Mikko Rauhala is happy about the judgment: “It seems that one can apply bad law with common sense, which was unfortunately absent during the preparation of the law” he comments. Defendant’s counsel Mikko Välimäki thinks the judgment can have major implications: “The conclusions of the court can be applied all over Europe since the word ‘effective’ comes directly from the directive”. He continues: “A protection measure is no longer effective, when there is widely available end-user software implementing a circumvention method. My understanding is that this is not technology-dependent. The decision can therefore be applied to Blu-Ray and HD-DVD as well in the future.”

EU Copyright Directive, article 6(3)

What's the big deal? Isn't that what the RIAA wants Internet radio to do?

Japan Looks To Allow Compulsory Licenses For Putting TV Content Online

from the one-way-to-do-things dept

Sounds like the entertainment industry may need to rush some lawyers over to Japan. Michael Geist points out that the Japanese government is looking to change copyright laws to allow anyone to repost broadcast TV online without permission -- just as long as they pay a compulsory license fee. The idea is to help promote the distribution of TV content. However, with entertainment companies like Viacom and NBC so focused on "control" over their content, this type of proposal can't make certain entertainment companies very happy -- even if they would get paid for their content every time people help promote it for them.

Ah! So that's why...

Delayed Novell Report Contains MS Patent Agreement Documents

May 25, 2007 By Peter Galli

... The entire 10-K filing can be found here.

The text of the 144 page 10-K filing does not get into the specifics of the Microsoft deal but it does include, subject to some redactions, the full three Microsoft agreement documents: the second amended and restated technical collaboration agreement; the first amended and restated business collaboration agreement; and the patent cooperation agreement.

... In the 10-K filing, Novell says that "the overarching purpose of this partnership [with Microsoft] is to increase the utility, desirability and penetration of Linux by enabling its interoperation with Windows to a mixed environment that is easier to maintain.

... We will continue to be competitors of Microsoft, but it is our goal that through this set of agreements, Microsoft will serve as an important indirect source of channel sales for Novell's Linux sales," the company said.

... But Novell also recognized the potential harmful effects to its business if it lost access to third-party open source technology.

England is always at the cutting edge of “Big Brother-ology.” What must the US do to catch up? (We don't have technology this advanced in our prisons!)

Using RFID and Wi-Fi to Track Students

Posted by Zonk on Friday May 25, @03:55PM from the scurry-little-ants-scurry dept. Privacy Politics Technology

An anonymous reader writes "The BBC reports on a proposal to use RFID and wi-fi to track students wherever they go on campus: 'Battery-powered RFID tags are placed on an asset and they communicate with at least three wireless access points inside the network to triangulate a location.' At The Wireless Event in London, 'Marcus Birkl, head of wireless at Siemens, said location tracking of assets or people was one of the biggest incentives for companies, hospitals and education institutions to roll out wi-fi networks.' The article points out that integration of RFID and wi-fi raises the possibility that RFID can be used for remote surveillance."

Berkeley? THE Berkeley? Maybe that stuff they smoke does rot their brains...

BHS to Give Student Data To Military Recruiters

By Riya Bhattacharjee

Berkeley High School administrators informed students this week about a change in board policy that requires all juniors and seniors who do not want their names and addresses released to the U.S. military for recruitment purposes to sign an “opt-out” form.

Well, they started it!

Creationist Periodic Table of the Elements

The Periodic Table made just for schools in Kansas.

[Mirror site: Bob]

Be careful what you ask for... Sure to be a Letterman Top 10

Clinton Asks YouTube Users for Song Help

By NATASHA T. METZLER Associated Press Writer May 26, 3:47 AM EDT

WASHINGTON (AP) -- Hillary Rodham Clinton wants YouTube viewers to pick her campaign theme song - and the response, so far, has been music to her ears.

[Okay, I can't resist... “Oops! I did it again” “Sorry!” “Karma Chameleon” Bob]

Would it be too much to hope they try the Koran next?

Saturday, May 26, 2007

Google Buys Out all Bible Versions, Offers E-Tablet

Friday, May 25, 2007

Did this even make the local news?

May 24, 2007

Personal Data of Nearly 45,000 CU Boulder Students Exposed

BOULDER, Colo. – The University of Colorado (CU) College of Arts and Sciences is the latest college to experience a computer breach. In all, the personal information of 44,998 students was exposed.

According to a statement by CU, on May 12, investigators discovered a worm that had entered the server because its security settings were not properly configured by the Academic Advising Center’s IT staff.

As a result, a hacker was able to obtain the names and Social Security numbers of nearly 45,000 students. According to the Associated Press, however, the perpetrator was not seeking [If I'm prospecting for copper, I won't ignore a vein of gold... Bob] personal information. Instead, the hacker wanted to infiltrate other computers.

... In response to the breach, all Arts and Sciences Advising Center IT operations may be placed under the supervision of the school’s IT services department.

Who do you trust with your data?

PlusNet admits email security breach

Fiona Raisbeck May 24 2007 14:25

Email and internet service provider PlusNet has admitted a security breach in which spammers hacked into the company mail server to steal customer account details and spread junk mail. [see Pew study, below Bob]

PlusNet urged its customers, via a message on its website, to change their email passwords following the security breach earlier this month.

The attackers took control of the firm’s mail server and stole a list of email addresses. The hackers then used these details to send spam.

The ISP confirmed that some users may also have been exposed to a Trojan horse. But, the firm said that no financial information, such as credit and debit card details, had been snatched.

According to PlusNet, a third party was responsible for the attack, which was discovered by the company on 9 May. After the breach an undisclosed number of customers began to receive vast amounts of spam, including offers for discounted pharmaceuticals.

“After a full security audit, PlusNet’s webmail service was taken offline permanently at midday Wednesday, 16 May, as a precaution against a number of minor potential security vulnerabilities that had not been exploited,” [Translation: The security was lousy... Bob] Neil Armstrong, products director at the ISP, said in a statement.

A replacement email service has now been set up for customers to access their accounts.

Unrelated, but similar... battens down the hatches

By Dan Goodin in San Francisco Published Thursday 24th May 2007 18:08 GMT

Web host is requiring customers to change their account passwords because some of them may have been compromised, according to people who say they've received security bulletins. If confirmed, the breach is the latest example of sensitive information being lost en masse as a result of security lapses by a large service provider.

"Brinkster has reason to believe some User Names and Passwords may have been Compromised," the company warned in an email sent recently to its customers. "To ensure website security, we mandate that you change your password for your account. If you do not change your password, Brinkster will automatically change it for you."

Another version of the email informs customers that their account has already been changed, according to this blog entry. Officials at Brinkster, which claims to be a top hosting provider in the US that serves customers in 175 countries, didn't respond to requests for comment.

... Credit card numbers for Brinkster customers haven't been accessed, according to the email. But the email doesn't vouch for the security of shopping-cart programs and databases that may have been hosted on Brinkster servers. The lack of information is prompting anxiety among some customers.

... Brinkster's warning is part of a trend of security scares that seem to result from breaches not by individual users but by the service providers they hire.

... And according to a story on Security Fix, as much as a third of the sites hosted by IPOWER included code designed to install malware on the machines of those who visited them. Security Fix went on to report that IPOWER's virtual servers, which run scores of sites on a single machine, were running woefully insecure versions of Apache and PHP. That means there's a decent chance at least some of the naughty sites were the result of lapses at IPOWER rather than the fault of the host's customers.

Another indicator that the MasterCard breach was BIG! How is this escaping the disclosure laws?

Fraud strikes banks

By Brandon Cone BDN Staff Writer

Local banks have taken measures this week in reaction to their customers being victims of identity theft and debit card fraud.

Ozark Mountain Bank officials reported on Wednesday that their customers, whose accounts have shown signs of being compromised in recent weeks, have been contacted to make them aware that their debit cards were deactivated as of 8 p.m. Monday.

“What these people are doing is they have stolen numbers, they are counterfeiting cards and they are going to places like Best Buy and Circuit City, and they just keep going and going and going,” Ozark Mountain Bank President Craig Richards said Wednesday morning at the Branson/Lakes Area Chamber of Commerce Board of Directors meeting. “Our system was not compromised. It was an independent service provider that processes credit cards.”

Other banks in the area have also had to deal with this problem.

... Ozark Mountain Bank officials were unable to release the number of customers who have been affected, due to an ongoing investigation by federal authorities. [How is keeping the total number secret any help to the feds? Bob] But they did confirm that all affected customers would receive new debit cards in the mail within five to seven business days.

All fraudulent charges would also be refunded to the customers.

“Thankfully, if unauthorized transactions do happen to post to our customers’ accounts, MasterCard’s Zero Liability Policy will protect them against any losses if we are notified in a timely manner,” Richards said.

Related? Tools & Techniques for hackers...

Why Are CC Numbers Still So Easy To Find?

Posted by kdawson on Thursday May 24, @09:11AM from the years'-old-hole dept.

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.

Why do managers choose to claim ignorance? Because it seems to work!

WISD officials investigating reported student hacking of district computers

Wednesday, May 23, 2007 By David Doerr Tribune-Herald staff writer

Waco Independent School District police are investigating whether sensitive student and staff personal information was compromised when two high school seniors recently hacked into the district’s computer network.

Waco ISD spokesman Dale Caffey said district police have executed a search warrant and seized the seniors’ personal computers and electronic storage devices.

He said it was not known whether the district’s 15,400 students’ and 2,000 employees’ personal information was compromised, [Translation: We don't (keep/know how to read) the security logs. Bob] possibly leaving them vulnerable to identity theft. However, student Social Security numbers were on the server that was accessed by the hackers, he said.

... Caffey said he did not know when the incident occurred. He said he was notified of the investigation last week.

Movies for people interested in Privacy

Reasonable Expectation of Privacy Workshop Movies

Thursday, May 24 2007 @ 05:00 PM CDT - Contributed by: PrivacyNews - Other Privacy News

The IDTrail Team produced two short films exploring the "reasonable expectations of privacy". They were used at the Computers, Freedom, and Privacy (CFP) 2007 conference in Montreal, Canada. The short films were produced and directed by Max Binnie, Katie Black and Jeremy Hessing-Lewis with contributions from Daniel Albahary, Ian Kerr, and Jane Bailey.

They are available for download under a Creative Commons Attribution 2.5 license.

Source - blog*on*nymity

A hacker's guide to FBI computers. No hurry, it will be months before they fix this.

Govt. Report Slams FBI's Internal Network Security

Posted by CowboyNeal on Friday May 25, @02:44AM from the uncle-sam's-open-doors dept. Security United States

An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."

The report: “Information Security: FBI Needs to Address Weaknesses in Critical Network”

It's not just the FBI

Have No Fear, Federal Government Issues Data Leak Prevention Guidelines

from the see,-it-looks-like-we're-doing-something dept

Following a spate of data leaks and breaches at federal agencies, the Office of Management and Budget has now issued a set of guidelines for agencies to reduce the chances of data losses, while giving them 120 days to come up with breach-notification policies. The guidelines sound useful, particularly the advice that agencies should reduce the amount of information they collect and store to a minimum. However, it's hardly surprising to see that overall, the document is pretty toothless. What happens if agencies don't meet the 120-day deadline? Nothing, apparently, but maybe they'll be sent another memo. Furthermore, the "Rules and Consequences Policy" doesn't actually spell out any consequences should an agency lose data; rather, it just says agency heads need to come up with a policy outlining behavior standards and the repercussions of breaking them. It's this sort of hands-off attitude that's the real problem here: nobody is ever forced to accept any sort of personal responsibility for these breaches, [AMEN! Bob] so there's little motivation -- beyond acting out of selflessness -- for government employees or businesses to take the situation seriously. Memos directing people to take some action, with no real follow-through, aren't the same thing as actually taking action. Until that happens, expect the data leaks to continue at the federal government, and elsewhere.

For the full memo, click here (.pdf).

Interesting. Can the New Jersey Turnpike Authority copyright their surveillance tapes? Can any government agency?

N.J. Sues YouTube over Deadly Crash Footage

May 24, 2007 By Steve Bryant

The New Jersey Turnpike Authority is suing several video sites, including YouTube, for infringing on the copyright of car crash footage recorded on the turnpike, eWEEK has learned.

The footage in question was recorded by a NJTA video camera. The video depicts a car traveling southbound on the New Jersey Turnpike and crashing into the Great Egg Harbor toll plaza on May 10. The driver, a 52-year-old New Jersey resident, was killed.

The NJTA is also suing NextPoint LLC, the owner of video-sharing site The complaint names UK-based as a defendant as well, though according to LiveLeak the NJTA has voluntarily removed them from the lawsuit after they removed the video.

The NJTA is suing for direct copyright infringement by public performance, public display and reproduction, as well as inducement, contributory and vicarious copyright infringement.

"The video serves no worthwhile purpose and shows a tremendous lack of common human decency towards the family of the victim," the complaint reads. "Nevertheless, defendants have either refused or failed to remove the video from their Web sites."

According to the complaint, the NJTA requested the video's removal from YouTube upon learning of its existence. YouTube complied, but the video had already been copied by other users and remains on the site.

"YouTube did not try to prevent the very same video from being uploaded again by users immediately after it was purportedly removed," the complaint reads.

A YouTube spokesperson said the company removed the video "because it violated our terms of services. Because our removal also complied with our obligations under the Digital Millennium Copyright Act, we see no legal basis for a claim." Last month Google CEO Eric Schmidt said YouTube would soon launch an automated system that would help copyright holders detect and deter abuse.

LiveLeak removed the video after receiving a formal court request, according to co-founder Hayden Hewitt.

Hewitt said the lawsuit is guaranteed to bring more publicity to the video.

"To be honest I think it's kind of a strange situation," he said. "Usually you just file a nice, low level, discreet DMCA takedown... And usually these lawsuits are around entertainment video, where there's a financial stake. I don't understand it."

According to the complaint, the offending video has been viewed 19,833 times on YouTube, 189,037 times on and 6,933 times on as of May 21. Less than 24 hours later, on May 22, the videos had been viewed 24,346 times, 213,295 times and 16,812 times, respectively.

The NJTA also is suing unnamed corporations and individuals who may have helped distribute the stolen video.

It's not too late to suggest your own “law” of unintended technology consequences. File this one with the “Streisand Effect.”

Posted by Jim Harper on May 23, 2007

Announcing: Harper’s Law

Mine is a simple - dumb, even - adaptation of Metcalfe’s Law.

“The security and privacy risks increase proportionally to the square of the number of users of the data.” - first quoted in this eWeek article about the electronic employment verification system included in the current immigration bill.

I actually suspect that Briscoe et al.’s refinement of Metcalfe’s law is more accurate, but that’s just so complicated.

Good on ya, Connecticut! No doubt management will claim ignorance – an excuse which seems to fool the Board of Directors every time.

Connecticut AG Sues Best Buy Over Phony Version Of Company Website

from the bait-and-switched dept

Earlier this year, Best Buy was embarrassed when it was discovered that the store had a special version of its website for in-store use, which didn't display the sales and special offers that its actual site did. The result was a bait-and-switch situation, whereby customers would come into a store thinking they could get a deal that they found on the site, only to be told (and shown) that whatever deal they thought they saw was no longer being offered. While the company initially denied the existence of the site, it eventually admitted its existence to the Connecticut Attorney General, although it didn't offer an explanation. Apparently, the Connecticut AG, Richard Blumenthal, believes the company intentionally sought to mislead customers, and has filed a lawsuit against the company, seeking customer refunds and other penalties against the company. It's hard to judge the merits of the case before more details emerge, but it definitely looks bad for Best Buy, and it's doubtful that the issue is just contained to Connecticut (where it was discovered), so the company could have a PR mess on its hands if other states want in on the action.


Texas Looking To Ban Speed Cameras?

from the making-the-roads-richer,-not-safer dept

There are all sorts of problems with things like speed cameras and red light cameras, starting with technical problems and moving on to the more serious questions about whether or not they make the roads any safer. Since they're usually offered in combination with private companies who receive a large percentage of the fines, it's often pointed out that these cameras are more about making private companies and government coffers money, rather than any real attempt at increasing safety. Still, they've only become more and more popular recently, with a new speed camera catching over a thousand speeders in a single day. However, it looks like Texas may actually be heading in the other direction. Jeff Nolan points us to the news that Texas lawmakers have approved a ban on speed cameras. The law also requires signs warning about red light cameras -- though, it's unclear if that will help, since studies have shown red light cameras often increase accidents, as drivers are more likely to slam on their brakes.

So maybe Enron wasn't so bad?

Who Are The Losers In SEC's SarbOx Rule Change?

from the sorting-it-out dept

Over the years, there have been a lot of complaints about the high cost of Sarbanes-Oxley compliance, although some have argued that these costs have tapered off as companies have gotten used to the requirements. Still, many are relieved about a new SEC decision to ease audit requirements, which should have the effect of reducing compliance costs. [Translation: There will be less to comply with Bob] Not all companies may be enthusiastic, however. Offering tools and services to aid in compliance has itself become a big business, particularly for a number of software firms. Some are now wondering, then, whether easing the regulations will result in a serious hit to profits at these companies. One analyst believes that the rule change could result in a 7% hit to US IT spending, which comes at a time when there's already concern about corporate tech spending. Of course, the fact that there may be some losers from the rule change doesn't mean that the rule change is a bad thing. To the contrary, money spent just to be in compliance with some regulation is pretty much a deadweight loss to the economy. [True. By definition, this is a cost society accepts. Bob] Furthermore, while IT vendors may see a short-term hit on account of the rule change, they should benefit from a less risk-averse climate and customers with more money to spend on productive investments.

Cumbersome, but interesting. Another database to link your “tech attributes” into a single dossier...

May 24, 2007 3:09 PM PDT

Dial by email

Posted by Marguerite Reardon

A company called Jangl launched a service this week that promises to provide free and low cost phone calls over the Internet to any phone and from any phone anywhere in the world.

Sound familiar? Well, it should. In the wake of Skype's success, everyone and his brother is trying to use the Web to provide cheap phone calls. Jajah, Jaxtr, GrandCentral Communications: they all make similar promises.

Jangl's twist is that it claims all that is needed for its service to work is an email address of the person you want to call. And voilà, you'll be making calls for free to any kind of phone your friend is using, regardless of where he is. (Of course, the free part is only for a limited time while the service is in beta. After that Jangl will be charging to connect calls.)

... During that first call, you leave a voicemail message, because at this point there's no way to route your call to an actual phone number. The voicemail is sent to your friend's email inbox. Then he has to listen to the voicemail and click on a link that takes him to the Jangl Web site where he now has to register his own phone number as well as his email address. Then he gets a phone number that is local to him, which he uses to call me back.

If we start ignoring SPAM (or other malware) are we telling congress they can ignore it too? (Of course we are)

May 23, 2007

Pew Research Survey on Spam 2007

Press release: "The volume of spam is growing in Americans' personal and workplace email accounts, but email users are less bothered by it. Spam continues to plague the internet as more Americans than ever say they are getting more spam than in the past. But while American internet users report increasing volumes of spam, they also indicate that they are less bothered by it than before. Users have become more sophisticated about dealing with spam; fully 71% of email users use filters offered by their email provider or employer to block spam... Spam has not become a significant deterrent to the use of email, as some observers speculated it might when unsolicited email first began flooding users' inboxes several years ago. But it continues to degrade the integrity of email. Some 55% of email users say they have lost trust in email because of spam."

  • Here is a link to the complete report.

If you breathe, I can capture your DNA? (Guidelines for CPOs?)

May 24, 2007

World Privacy Forum Files Public Comments and Recommendations on Pharmacogenomics Privacy

"The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area. Read the comments (PDF). For more information, see the genetic section of the WPF Medical Privacy Page."

More readings in Privacy

Thursday, May 24, 2007

Privacy Self-Regulation and the Changing Role of the State

My new working paper is just out. I have looked at the changes in the regulation (or "governance") of data protection, with a special focus on the different forms of new governance mechanisms. Building on Lawrence Lessig's work on "Code and Law" and also on previous research on the governance of privacy done by Colin Bennett and Charles Raab, I distinguish between social codes (contracts, self-regulatory schemes etc.) and technical codes (privacy-enhancing technologies). This is the abstract:

Am I dragging Colorado down?

May 24, 2007

State by State Economic Snapshots: May 2007

"National economic statistics are in the news every day, but it is not always easy to get a clear picture of what’s happening at the state level. Knowing the latest trends in labor market conditions, education and child care costs, health care coverage and expenses, and gas prices is critical to understanding the economic well-being of families in each state. While these statistics are all public, until now they have not all been collected on one page. The Joint Economic Committee (JEC) has compiled an extensive state-by-state economic snapshot, updated monthly, composed of three key indices -- the Middle Class index, the Jobs index, and Economic Security index."

I conceal, because I don't want you to know I carry. (No, you can't look at my gun!)

Concealed handgun license records sealed from public

05/24/2007 By KELLEY SHANNON / Associated Press

The names of people licensed to carry concealed handguns in Texas are no longer available to the public.

Yeah, we thought this was the case. This kind of “openness” destroys trust.

Microsoft Too Busy To Name Linux Patents?

Posted by Zonk on Thursday May 24, @03:56PM from the that's-awful-busy dept.

bob_dinosaur writes "According to The Register, Microsoft's Patent Attorney Jim Markwith told the Open Source Business Conference that the reason they hadn't named the supposedly infringing patents was that it would be 'administratively impossible to keep up' with the list. 'According to Ramji, the executive tasked with the difficult job of straddling Microsoft's growing support for open source in server and tools, and aggressive and unpredictable statements from management on patents, made a jaw dropping attempt to explain away the Forbes article. "The reason we disclosed that, is because there was a request for transparency following the Novell deal last November. This was a response to that transparency," Ramji said. It was at that point the OSBC audience erupted.'" That transparency apparently extends to multiple levels. ZDNet is reporting that Novell will share the details of its agreement with Microsoft sometime in the near future.

Do you like movies older than you are?

Site to screen silver films

By The Hollywood Reporter Story last modified Thu May 24 06:17:33 PDT 2007

Turner Classic Movies plans to launch an online video destination devoted to classic films.

Dubbed the Media Room, the video portal will live on the site when it launches on June 1 with more than 3,000 pieces of video content in the form of short films, movie clips, trailers and interstitials from TCM programming.

The launch will feature the online premiere of the 1937 romantic comedy Living on Love in its entirety. ... The portal will expand the site's existing interactive movie database, which features content related to more than 130,000 titles from the Turner Entertainment catalog as well as licensed content from American Film Institute's catalog of features, the Internet Movie Database and other sources.

Thursday, May 24, 2007

Ignorance is no excuse... Unless you're a manager?

Private medical records of Colorado residents exposed on Internet

Posted at 10:03 PM on May 22, 2007 by Jon Gordon

On Friday's Future Tense, you'll hear this story:

As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers, other times just improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.

Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It’s unclear how many people may have seen the records.

Experts say the case likely runs afoul of federal health information privacy laws, even though there is no evidence that the records were misused.

The unsecured computer, which was accessible through a Web browser, was operated by Beacon Medical Services of Aurora, Colorado, which provides billing, coding and other services to emergency physicians at 17 facilities.

Beacon CEO Dennis Beck says he was shocked to learn about the breach and that the company took immediate steps to correct it.

“We’ve implemented a culture of compliance and data security and it just did not seem consistent with our culture, our practice and our experience,” he said.

The medical records resided on an FTP server. FTP stands for File Transfer Protocol. It’s a means by which users send and receive computer files over the Internet or private networks. In Beacon’s case - and this is typical of the industry - health care providers sent encrypted data to the server for Beacon to access so it could bill patients and insurance companies. The data was unencrypted on Beacon’s end, and the FTP server was not supposed to be accessible to the public. But in this case it was. No username or password was required to view the records.
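A practitioner reading this will want to know who reached an FTP server that accepted logins without credentials, and what they pulled. The Python below is an added example, not code from Future Tense or Beacon: it parses log lines written in the style of vsftpd's default transfer log and reports, per client address, every file fetched in a session that logged in anonymously. The sample lines are constructed (hosts, paths and sizes are invented), and the line layout, the "anon password" marker and the "anonymous"/"ftp" user names are assumptions about that log format; adjust them for another server.

```python
import re
from collections import defaultdict

# Constructed sample in the style of vsftpd's default transfer log. These are
# not Beacon's logs; addresses, paths and byte counts are made up.
SAMPLE_LOG = """\
Fri May 18 09:12:03 2007 [pid 4121] CONNECT: Client "198.51.100.23"
Fri May 18 09:12:04 2007 [pid 4120] [anonymous] OK LOGIN: Client "198.51.100.23", anon password "mozilla@example.com"
Fri May 18 09:12:09 2007 [pid 4122] [anonymous] OK DOWNLOAD: Client "198.51.100.23", "/incoming/er_visits_0517.txt", 48211 bytes, 310.22Kbyte/sec
Fri May 18 09:13:41 2007 [pid 4130] CONNECT: Client "203.0.113.77"
Fri May 18 09:13:42 2007 [pid 4129] [billing] OK LOGIN: Client "203.0.113.77"
Fri May 18 09:13:50 2007 [pid 4131] [billing] OK DOWNLOAD: Client "203.0.113.77", "/incoming/claims_0517.dat", 120333 bytes, 512.00Kbyte/sec
Fri May 18 10:02:15 2007 [pid 4201] [anonymous] OK LOGIN: Client "192.0.2.9", anon password "IEUser@"
Fri May 18 10:02:30 2007 [pid 4203] [anonymous] OK DOWNLOAD: Client "192.0.2.9", "/incoming/patients_boulder.csv", 900120 bytes, 800.10Kbyte/sec
Fri May 18 10:02:44 2007 [pid 4204] [anonymous] FAIL DOWNLOAD: Client "192.0.2.9", "/incoming/nothere.csv", 0.00Kbyte/sec
"""

# Assumed line shape: timestamp, [pid N], optional [user], optional OK/FAIL,
# ACTION: Client "ip", then action-specific detail.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?:(?P<status>OK|FAIL) )?(?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?P<rest>.*)$'
)
PATH_RE = re.compile(r', "(?P<path>[^"]+)"')
BYTES_RE = re.compile(r', (?P<n>\d+) bytes')
# Login names that mean "no real credential was presented" (assumption).
ANON_USERS = {"anonymous", "ftp"}


def parse_line(line):
    """Return a dict for one transfer-log record, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec["rest"]
    # vsftpd writes 'anon password "..."' only for anonymous logins; the user
    # name check covers lines that carry no password marker.
    rec["anonymous"] = ("anon password" in rest) or ((rec["user"] or "").lower() in ANON_USERS)
    pm = PATH_RE.search(rest)
    bm = BYTES_RE.search(rest)
    rec["path"] = pm.group("path") if pm else None
    rec["bytes"] = int(bm.group("n")) if bm else 0
    return rec


def anonymous_downloads(log_text):
    """Map each client IP that logged in anonymously to the files it actually fetched.

    Failed downloads and sessions that presented a real user name are ignored.
    """
    anon_ips = set()
    report = defaultdict(lambda: {"files": [], "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "LOGIN" and rec["status"] == "OK" and rec["anonymous"]:
            anon_ips.add(rec["ip"])
            report[rec["ip"]]  # register the session even if nothing is fetched
        elif rec["action"] == "DOWNLOAD" and rec["status"] == "OK" and rec["ip"] in anon_ips:
            report[rec["ip"]]["files"].append(rec["path"])
            report[rec["ip"]]["bytes"] += rec["bytes"]
    return dict(report)


if __name__ == "__main__":
    for ip, info in anonymous_downloads(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['files'])} file(s), {info['bytes']} bytes -> {info['files']}")
```

Run against a real log directory, the per-address file list is what a notification decision needs: which records left the server, and to whom. A session that logged in anonymously but fetched nothing still appears, because an empty listing is itself evidence that the directory was browsable.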

The data included details of patients’ visits to emergency rooms -- what ailments they complained of, diagnoses and treatments, and medical histories, along with the patients’ names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. Some of the records detailed sensitive cases, from sexually transmitted diseases to severe depression. The site also contained financial information, such as a list of low-income patients who received state aid to help pay their medical bills.

Beacon has employed two firms to help investigate what led to the security hole.

“It appears to us now at this point as if there was some back door that was opened to this server," said Beck. "We don’t know when, but we believe it may have been done when a consultant did some work for us several years ago."

The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000.

Future Tense discovered the Beacon site after a tip from a source who stumbled upon it. We followed up on the tip, staying just long enough to confirm the existence of the records and get an idea what kind of data they contained. We notified several health care providers whose patient data was exposed. Those providers informed Beacon, which promptly shut the server down when it learned of the problem.

Bill Byron is spokesman for Banner Health Corporation, the parent company of McKee Medical Center of Loveland, Colorado, one of the providers whose data was included on the FTP site. Byron said McKee physicians won’t transmit any more records to Beacon until they're satisfied the security problem is fixed.

"We’re trying to understand what our obligations are going to be, in terms of disclosing to patients that this has occurred, so that’s still in process, to determine what we have to do,” he said.

The Colorado medical records incident appears to be a serious violation of federal law governing medical record privacy, according to Janlori Goldman, director of the Health Privacy Project at Georgetown University.

“Large-scale breaches like this are not uncommon," she said. "They may not happen every day but they happen enough that you have to wonder, why aren’t people taking greater care with this information?”

About a year ago, for example, a data security breach exposed medical information and Social Security numbers of some 26 million veterans after data was stolen from the home of an employee of the Department of Veterans Affairs.

Tomorrow on Future Tense, we’ll explore the potential harm of compromised medical records, and at the federal law designed to protect patients. One critic of current law says patients have very little recourse when their most sensitive medical records become public.

Here is a list of physician groups, clinics and hospitals which had data of various kinds on the exposed site:

-McKee Medical Center of Loveland, CO
-Big Thompson Emergency Physicians of Longmont, CO
-Presbyterian St. Luke’s Hospital of Denver
-North Suburban Medical Center of Thornton, CO
-Carepoint Emergency Physicians of the greater Denver area
-Long’s Peak Emergency Physicians
-Longmont United Hospital
-Boulder Community Hospital
-Emergency Medical Specialists PLC
-Memorial Hospital of Colorado Springs
-Proctor Hospital of Peoria, IL

HP is wrapping up their “Pretexting” issues

HP settles with SEC over disclosure

By Greg Sandoval Story last modified Wed May 23 16:23:21 PDT 2007

Hewlett-Packard and U.S. regulators have settled allegations concerning an investigation that HP launched last year to uncover a boardroom leak.

HP "failed to disclose the reasons" that a board member had resigned, according to a statement released by the Securities and Exchange Commission. The board member, Thomas Perkins, gave up his director's position due to his objections over the company's investigation into leaks to the press. Federal law requires public companies to fully disclose the reasons why a director leaves.

"HP acted in what it believed to be a proper manner," said Michael Holston, HP's executive vice president and general counsel. "However, we understand and accept the SEC's views and are pleased to put this investigation behind us."

As part of the settlement with regulators, HP agreed to a cease-and-desist order but neither admitted nor denied any wrongdoing as part of the administrative proceeding, the SEC said.

No need for courts! We have you on video.

'Super wardens' go on patrol

Alan Salter 23/ 5/2007

PRIVATELY-employed `super wardens' are to go on patrol in Greater Manchester wearing head-mounted video cameras.

The 20 parking attendants, who work for NCP Services, will be the first in the country to be issued with the equipment.

Their main role is to issue parking tickets but under legislation brought in last year they will also have powers to give on-the-spot fines for anti-social behaviour.

Salford council has asked the wardens to issue penalties up to £80 for offences which include littering, flyposting and allowing dogs to foul the pavement. [Not everything should be videotaped... Bob] NCP will use the film as evidence to back up their wardens if any fine is challenged and also in the event of any attack or abuse.

In some cases the footage could be handed to police and used in court.

... "Our attendants do a very good job but they are not police officers and they have very specific powers. It makes the job more interesting."

Yes, it's English...

'Philfing' the new scourge of the net

Underhanded websites adding hidden charges on online sales

Ian Williams, 23 May 2007

A recent survey of more than 2,400 web users has found that Britain is becoming a nation of angry online shoppers.

The report, commissioned by, found that 93 per cent of UK users are annoyed by 'sneaky' website charges.

Hidden delivery charges provoke the most anger, with 64 per cent saying they would not buy from sites engaging in the practice.

The growing practice of so-called 'philfing' describes online stores holding back the real cost of 'extras' until the last minute.

... The research reveals that 'free delivery' tariffs that only apply with an extra purchase or spending over a certain amount frustrate consumers immensely, as do hidden surcharges for paying by credit card.

Online shopping comparison sites are now finding it increasingly difficult to maintain a level playing field when listing prices, according to the research.

... Other irritating online shopping listed on include:

* Poor stock information

* The lack of contact telephone numbers and the use of 0870 telephone numbers

* Sites that make no mention of a delivery fee until you get to the shopping basket

* Sites that say delivery is free then charge for 'packaging and handling'

* Sites that do not make any mention of a credit card surcharge then take an extra two per cent at the submit order stage

* Budget airlines that charge extra for checking in luggage

* Train ticket sites that charge extra for ticket insurance

* No indication whether prices include VAT

* Free delivery that turns out to be free only when you buy more than one item

* Credit card handling charges that state £2 then turn out to be £2 per person, per flight

Is this a taste of things to come?

Plastic privacy

This week, Minnesota became the first state to hold merchants more accountable for sensitive customer information, allowing card-issuing financial institutions to recoup losses from retailers that break the rules.

BY NICOLE GARRISON-SPRENGER Pioneer Press, Article Last Updated: 05/22/2007 09:14:17 PM CDT

When thieves hacked into the wireless network at a Marshall's store somewhere in the east metro and downloaded some 46 million credit and debit card numbers in 2005, thousands of Minnesotans were among those affected.

But it wasn't Marshall's parent company, TJX Cos. of Massachusetts, that notified individual customers of the breach. The banks and credit unions that issued the cards were forced to be the bearers of the bad news.

On Monday, Gov. Tim Pawlenty signed a law making Minnesota the first state to hold merchants more accountable for sensitive customer information and enable credit unions and banks to recoup losses from retailers that violate the accountability standards.

Beginning in August, the Plastic Card Security Act - touted by its backers as a consumer-protection measure - prohibits merchants from storing PIN, security code and magnetic stripe data from credit and debit cards for more than 48 hours after the transaction is authorized.

In August of 2008, penalties to merchants kick in. Retailers that violate the 48-hour rule and subsequently suffer a security breach must reimburse financial institutions for the costs of notifying customers and reissuing cards.
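To see what a rule like the Act's 48-hour limit means at the storage layer, here is an added Python example (mine, not from the Pioneer Press or the statute) that scans stored transaction records for magnetic-stripe track data and flags any record still holding it more than 48 hours after authorization. The track 1 and track 2 layouts follow ISO 7813, a Luhn check weeds out digit runs that are not card numbers, and the records, the field names (txn_id, authorized_at, stored) and the card numbers are constructed test data. It does not look for PINs or security codes, which are a few digits with no structure to match; those have to be found through the schema, not a pattern scan.

```python
import re
from datetime import datetime, timedelta

# ISO 7813 track layouts (assumed, not from the article):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r'%B(?P<pan>\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?')
TRACK2_RE = re.compile(r';(?P<pan>\d{13,19})=\d{4}\d{3}\d*\?')

# Retention limit as reported for the Plastic Card Security Act.
RETENTION_LIMIT = timedelta(hours=48)


def luhn_ok(digits):
    """Mod-10 check that every real PAN passes; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(text):
    """Return [(track, PAN), ...] for every stripe image whose PAN passes Luhn."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_ok(m.group("pan")):
                hits.append((track, m.group("pan")))
    return hits


def retention_violations(records, now, limit=RETENTION_LIMIT):
    """Records that still hold stripe data more than `limit` after authorization.

    Each record is a dict with 'txn_id', 'authorized_at' (datetime) and 'stored'
    (the raw text the merchant kept). Returns (txn_id, tracks found, age) tuples.
    """
    out = []
    for rec in records:
        age = now - rec["authorized_at"]
        found = find_track_data(rec["stored"])
        if found and age > limit:
            out.append((rec["txn_id"], sorted({t for t, _ in found}), age))
    return out


# Constructed records; the PANs are the usual public test numbers, not real cards.
NOW = datetime(2007, 8, 3, 12, 0)
SAMPLE_RECORDS = [
    # full track 2 kept from a swipe authorized three days ago: a violation
    {"txn_id": "T1001", "authorized_at": NOW - timedelta(days=3),
     "stored": 'AUTH OK;4111111111111111=09121011000123450000?'},
    # track 1 kept, but only six hours old: still inside the window
    {"txn_id": "T1002", "authorized_at": NOW - timedelta(hours=6),
     "stored": '%B5555555555554444^DOE/JANE^0912101000000000000?'},
    # old, but only a truncated PAN and the auth code were kept: allowed
    {"txn_id": "T1003", "authorized_at": NOW - timedelta(days=30),
     "stored": 'PAN=411111******1111 AUTH=123456'},
    # old and shaped like track 2, but the PAN fails Luhn: noise, not flagged
    {"txn_id": "T1004", "authorized_at": NOW - timedelta(days=10),
     "stored": ';4111111111111112=0912101?'},
]


if __name__ == "__main__":
    for txn_id, tracks, age in retention_violations(SAMPLE_RECORDS, NOW):
        print(f"{txn_id}: {', '.join(tracks)} retained {age.days}d {age.seconds // 3600}h after authorization")
```

The useful part of the design is the last record: the scanner keys on the stripe framing characters and a checksum rather than on any 16-digit run, so a dump full of order numbers and phone numbers does not drown the report in false positives. Point it at database exports, log files and crash dumps, not just the transaction table, since that is where track data tends to survive after the application thinks it has discarded it.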

Several other states are considering legislation to make merchants liable for security breaches, and Rep. Barney Frank, D-Mass., has said he will introduce a bill in Congress to address the issue.

And the French strike again...

French Data Protection Authority Fires Warning Shot to U.S. Multinationals: U.S.-Based Employer Fined for Improper Transfers of Employee Data to the U.S.

May 2007 By: Philip L. Gordon Timothy A. Rybacki

In what may foreshadow a new era of more aggressive enforcement, France's data protection authority - La Commission Nationale de L'informatique et des Libertés (CNIL) - recently fined Tyco Healthcare France (THF), the local subsidiary of a U.S. multinational organization, €30,000 (approximately $41,000) for, among other things, improperly transferring employee information to Tyco's U.S. headquarters. The fine appears to be the first imposed on a U.S.-based company accused of unlawful cross-border transfers of human resources data. The French government's enforcement action coincides with recent public declarations by other European data protection authorities, calling for more aggressive enforcement of the European Union's strict data protection regime.

Planning is everything...

May 23, 2007

International Biodefense Handbook 2007

International Biodefense Handbook 2007, by Sergio Bonin, published by the Center for Security Studies, ETH Zurich, May 1, 2007.

  • "The handbook compares different political, strategic, and structural approaches to biosecurity in seven countries and five international and supra-national organizations. It provides an overview of national and multilateral biodefense efforts by examining important policies in this field and through an inventory of the institutions and actors involved. It is an important step towards a comprehensive overview of existing efforts in biodefense."

Another fun legal battle to watch!

The Battle of Athens, Ohio, Begins; Ohio Law Firm Takes Up Cause of Students Against the RIAA

Wednesday, May 23 2007 @ 01:15 PM CDT - Contributed by: PrivacyNews - Minors & Students

There have been numerous press reports that Ohio University, in Athens, Ohio, has been targeted by the RIAA. Now the battle is joined. The RIAA has filed its usual ex parte John Doe lawsuits. But this time it has encountered an adversary.

Joseph A. Hazelbaker and Jonathan Sowash of Sowash, Carson & Ferrier, an Athens, Ohio, law firm, have taken up the cause of Ohio University students, and have served notice on the University that they expect the University to protect its students' rights, and will hold the University accountable if it does not.

Source - Recording Industry vs The People (blog)

Merry Olde England!

Two million historic court papers to go online

By Nicola Fenwick

PREVIOUSLY inaccessible court records dating back to the Middle Ages will be compiled into an online database after a university was granted nearly $750,000 US.

The records include marriage, slander and defamation cases that came before the church courts and contain a wealth of information valuable to social, economic and legal historians.

The documents constitute one of the most extensive collections of ecclesiastical papers in Europe and take up 540 metres of shelf space.

They include two million case papers containing information on more than 13,000 cases dating from 1300 to 1858.

... Work begins this month and will take more than three years to complete.

One will probably work for you!

6 Great Free Alternatives to Quicken & MS Money

Recently I got some amazing responses from all of you in Ask the Readers: What are your financial tools? and I wanted to share some of the best tools I’ve found from that thread. And the thing I like most about them: unlike Quicken and Microsoft Money, they’re free!

Perhaps we could duplicate the “Disney clips explain Copyright” in other areas? Darth Vader explains Ethics? R2D2 on Identity Theft?

Make-It-Yourself 'Star Wars'

Lucasfilm Will Post Clips From Film Saga on the Web, Inviting Fans to Edit at Will


George Lucas, creator of "Star Wars," has never hesitated to protect his intellectual property, which is why some call him "Lucas the Litigator." But this week, his Lucasfilm plans to make clips of "Star Wars" available to fans on the Internet to mash up -- meaning to remix however they want -- at will.

The clips -- about 250 of them, from all six Star Wars movies -- will land on the Web site tomorrow, part of this week's 30th-anniversary celebrations of the release of his hit movie. Working with an easy-to-use editing program from Eyespot Corp. of San Diego, fans can cut, add to and retool the clips. Then they can post their creations to blogs or social-networking sites like MySpace. More clips will come out from time to time over coming months.