Saturday, October 13, 2007

Are we now looking to Germany as the home of Privacy?

The German Supreme Court is skeptical about covert online searches

Friday, October 12 2007 @ 01:04 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

After the _hearing_ pertaining to the Constitutional Protection Act from the state of North Rhine/Westphalia (NRW), experts do not believe that the controversial regulation, which would allow IT systems to be searched online, stands much of a chance. In a number of critical questions, the Court's First Chamber indicated to the government of NRW that its Act was not clearly formulated, thus violating the requirement that regulations be clear. The Court's president Hans-Jürgen Papier also announced that a ruling would be handed down on the general constitutionality of covert online searches "far beyond" the current NRW case. He said that "basic issues of liberty and security" have to be weighed off against each other in light of the changing nature of recent terrorist threats.

Source - Heise

What... They thought they were immune?

Law Firm Suspects Federal Tampering Of Computer Files

Saturday, October 13 2007 @ 06:07 AM EDT Contributed by: PrivacyNews News Section: Surveillance

The law firm of Gensburg, Atwell and Broderick, has discovered its computer files may have been compromised and it cannot assure client confidentiality.

A forensics expert has determined a "back door infection" which pumps out information by remote control has penetrated the system, David Sleigh, attorney for Robert Gensburg, said Thursday.

... Gensburg, who represents clients at Guantanamo Bay, Cuba, and in Afghanistan, also believes his home and office phones are being tapped.

... Richard Saudek, attorney for the American Civil Liberties Union in Vermont, said he has received calls from other people in the state who say they are having the same problem. These are people who make regular calls to the Mideast for legitimate reasons, Saudek said.

Source - The Caledonian-Record


“Yeah, we know what the law says, but we're the government – laws don't apply to us.”

World Privacy Forum files comments on CMS plan to allow release of patients' protected health information from Medicare database

Saturday, October 13 2007 @ 06:06 AM EDT Contributed by: PrivacyNews News Section: Medical Privacy

The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.

Source - Comments [pdf]

One way to deal with a systems failure. Think the New York subway system would do this?

Systems glitch hits hundreds of Tokyo stations

Hundreds of thousands of commuters in Tokyo got a free ride when their contactless smart cards used to access the railways failed to work

By Martyn Williams, IDG News Service October 12, 2007

Hundreds of thousands of commuters in Tokyo got a free ride to work Friday morning after a systems glitch caused more than 7,000 ticket gates at 662 railway stations to fail.

The gates, which allow passengers with contactless smart cards to access the railway, failed to work when power was switched on at the start of Friday services and rail operators decided to allow passengers access at no charge. A large number of passengers use the contactless cards, and forcing them to buy paper tickets would have meant long queues and congestion at railway stations during the morning rush hour.

The problem occurred at stations operated by East Japan Railway, Tokyo Metro, and several private railway operators.

While the cause of the failure is not yet known, the fault appears to lie with the manufacturer of the ticket gates, Nippon Signal Co. Gates made by other companies operated without problem on Friday.

Local news reports said initial investigations point to a problem in communication between the gates and a host computer. Nippon Signal was unavailable for immediate comment.

Tokyo has one of the most extensive railways networks of any city in the world. More than 60 railway companies operate several hundred railway lines that crisscross the capital and carry millions of people per day. The contactless smart card system interoperates between different companies and allows passengers the ability to travel on almost all trains, subways and buses in the city with a common card.

More than 27 million contactless travel cards have been issued in the Tokyo area to date.

Interesting use of voice recognition. (A killer-app for the new gPhones?)

GOOG-411 graduates from Labs

10/12/2007 01:19:00 PM Posted by Jonathan Matus, Product Marketing Manager

... Many of you explored Google Labs and discovered a local business info service that's totally free. It's called GOOG-411 and it helps callers find and connect with local businesses just by dialing 1-800-GOOG-411. It's a voice-based local search service, which means it uses speech-recognition algorithms to recognize what a caller is saying and then finds the local business information he or she is looking for.

... And now we're happy to report that our local business info service has officially graduated from Labs. To mark the occasion, we're celebrating with a brand new website that includes this fun video:

Friday, October 12, 2007

The Privacy Foundation

In conjunction with International Technology Law Association, ITECHLAW.ORG

TJ Maxx: Plugging the Customer Privacy Leaks

FRIDAY, October 19, 2007 Sturm College of Law at the University of Denver, Room 180

Reservations required (due to seating and food) by October 16, 2007

Diane Bales, Law Coordinator 303.871.6580; Email:

They are not playing dumb – they are playing TO the dumb...

TJX: Unsurpassed Genius at Playing Dumb (opinion)

Thursday, October 11 2007 @ 12:50 PM EDT Contributed by: PrivacyNews News Section: Breaches

Opinion: TJX has repeatedly infuriated people with seemingly ill-advised statements, yet it still wins.

Source - eWeek

Shamed and Able: How Firms Respond to Information Disclosure

Published: October 11, 2007 Paper Released: October 2007 Authors: Aaron K. Chatterji and Michael W. Toffel

Executive Summary:

As national governments lose the ability to regulate business activities, interest groups and concerned citizens are turning to private governance to monitor global supply chains, ensure product safety, and provide incentives for improved corporate environmental performance. Proponents hope that private governance incentives will encourage firms to act responsibly, but critics worry that these developments will merely forestall necessary government regulation. Social ratings provide one way to benchmark and compare firms' social performance. But are such ratings schemes effective? This paper investigates the effects of third-party environmental ratings, and finds that firms are particularly likely to respond to such ratings by improving their environmental performance when two circumstances arise simultaneously: (1) when the ratings threaten their legitimacy, and (2) when they face relatively low cost improvement opportunities. Key concepts include:

* Ratings provided by nongovernment organizations will be more influential on firm behavior if they do 2 things: highlight poor social issue management and performance while at the same time help firms identify low-cost improvement opportunities.

* The role of third-party monitoring will be increasingly important as private governance replaces government regulations around the world.

Also related?

Europeans value personal data as highly as cash

9:51AM, Friday 12th October 2007

People view their personal information to be as valuable as their own cash, according to a new survey.

The report shows that 87% of UK residents would switch to another bank if they thought that their personal information would be safer - only marginally lower than the 89% who said they would be willing to switch if their money was more secure.

The survey, conducted on behalf of Unisys, shows just how important data protection should be for companies, not only from a security point of view, but also for marketing and customer relations.

"Unisys believes that trust will only become more important - both to consumers and, therefore, to companies and governments," says the report.

Identity theft and data security is now a very mainstream concern - more than half of all Europeans surveyed were either "very concerned" or "extremely concerned" about unauthorised access to their personal information.

The survey goes on to ask whether people would support trusted companies if they began to use biometric security, with an overwhelming majority of 69% saying that they would. This would suggest that if a reputable bank offered a high-security banking scheme, that demand would be high.

Gee, do you think all of Nacchio's problems were due to his high ethics?

Documents: Qwest was targeted

Thursday, October 11 2007 @ 04:34 PM EDT Contributed by: PrivacyNews News Section: Surveillance

The National Security Agency and other government agencies retaliated against Qwest because the Denver telco refused to go along with a phone spying program, documents released Wednesday suggest.

... The partially redacted documents were filed under seal before, during and after Nacchio's trial. They were released Wednesday.

Nacchio planned to demonstrate at trial that he had a meeting on Feb. 27, 2001, at NSA headquarters at Fort Meade, Md., to discuss a $100 million project. According to the documents, another topic also was discussed at that meeting, one with which Nacchio refused to comply.

The topic itself is redacted each time it appears in the hundreds of pages of documents, but there is mention of Nacchio believing the request was both inappropriate and illegal, and repeatedly refusing to go along with it.

The NSA contract was awarded in July 2001 to companies other than Qwest.

Source - Rocky Mountain News

(Props, The Privacy Law Site (blog))

Can you do less than the government recommends?

October 11, 2007

Guidelines on Securing Public Web Servers, Version 2

National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."

Encryption made (cheap and) easy!

Lockbox Computing: 25 Free Tools To Encrypt Literally Everything

"It’s not breaking news that hackers can easily figure out how to gain access to unsecured information on your system–emails, chat sessions, phone calls, and files are all vulnerable. What many people don’t know is that there are a number of free tools available that make it easy to fight back. Protect your valuable information with these..."

Got a video camera?

Announcing the Cookie Crumbles Contest!

Posted by Erica George Tue, 09 Oct 2007 19:54:00 GMT

StopBadware and our parent organization, the Berkman Center for Internet & Society at Harvard Law School, are hosting an online video contest to help explain web cookies to average internet users.

Thursday, October 11, 2007

“Pittance” grows to “pittance and a half!” Wow, I'm underwhelmed...

(update) TJX Revises Consumer Settlement, Agrees to Pay Cash

Wednesday, October 10 2007 @ 10:55 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hours before a federal judge demanded that TJX address key concerns about its proposed settlement, the merchant behind the biggest retail data breach ever agreed to some key changes, including offering a cash alternative to its voucher offer.

The biggest objection to the initial proposed settlement had been that consumer victims were only offered $30 vouchers for making purchases at stores owned by The TJX Companies. Under a new proposed settlement that was filed late Oct. 9, attorneys for both sides are now proposing giving consumers a choice: either the $30 voucher or a $15 check.

Source - eWeek

Stay current...

Pointer: Privacy and Data Security Law Update 2007

Wednesday, October 10 2007 @ 09:04 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

Proskauer Rose's September 27th webinar, "Privacy and Data Security Law Update 2007" is available for viewing online (requires java).

The overheads are available as a .pdf file.

More bad news for Microsoft Vista? Certainly the VA is having IT problems again...

VistA outage disrupts Calif. VA hospitals

By Mary Mosquera Published on October 5, 2007

The Veterans Affairs Department suffered an outage of its electronic health record system for nine hours Aug. 31 at 17 medical facilities in northern California, VA health care officials said.

Medical professionals at the hospitals, including San Francisco’s VA medical center, were prevented from logging on to VA’s VistA health record, the Veterans Health Information System and Technology Architecture, and its component, the Computerized Patient Record System.

The disruption happened during business hours at VA’s regional data processing center in Sacramento, said Ben Davoren, director of clinical informatics at VA’s San Francisco Medical Center. He talked about the incident during testimony last week before the House Veterans Affairs Committee.

He called it “the most significant technological threat to patient safety VA has ever had.” The Sacramento data center did not roll over the systems to the Denver regional processing center as planned. And backup systems for the regional strategy were unavailable or overwhelmed in four of the medical centers, he said.

Is your budget keeping up?

Businesses Spend 20% of IT Budgets on Security

Posted by samzenpus on Wednesday October 10, @09:21PM from the protect-ya-neck dept. Security Businesses IT

Stony Stevenson writes "Security accounted for 20 percent of technology spending last year and it's expected to rise, according to a report released Tuesday. The Computing Technology Industry Association (CompTIA) surveyed 1,070 organisations and found that on average, they spent one-fifth of their technology budgets on security-related spending in 2006. That's up from the 15 percent of IT budgets spent on security in 2005, and the 12 percent spent in 2004."

Completing the RIAA die-off?

Next Up To Ditch Record Label: Madonna

from the quite-a-week dept

It's been quite a bad month for the record labels, huh? Kicked off by Radiohead's ditching record labels in order to embrace the new business models that the record labels insisted were dangerous to the industry. In retrospect, it looks like they were just dangerous to the record labels (gee, who could have predicted that?). The latest huge name to ditch a record label appears to be Madonna, who is apparently signing a huge deal with a concert and merchandise promoter instead for over $100 million. She'll still be putting out albums through the promoter rather than the label. There's no indication if she's going to use this to free up some music, but the point should be pretty clear. The money is in concerts and merchandise -- the stuff that the music makes valuable -- not in the music itself. While EMI's new owners have made some noises that maybe they understand what's going on, there's a good chance that it's way too late for the old labels. They had their chance to embrace fans, new technology and the music itself -- and they spent 8 years suing the fans and the technology instead. It's reached the point that college kids are now organizing to protest the RIAA. It's becoming increasingly clear that the labels weren't helping musicians very much either -- and now it appears to be payback time. This isn't the "fault" of piracy. This is the fault of shortsighted recording industry executives who had every chance to understand the economics at play and instead chose to attack everyone (and there were lots) who pointed out to them where the market was going.

What a fun state!

California state site can't shake porn problems

The Transportation Authority of Marin's site has been taken offline again after links to pornographic pages, which had bedeviled the site last week, reappeared

By Robert McMillan, IDG News Service October 10, 2007

The Web site blamed for last week's Internet problems within the State of California has been taken offline after links to pornographic material reappeared on the site.

... The site was taken down after security experts reported that it was hosting pornographic material over the past weekend.

... "The site is down until it is restructured with additional security, can be sponsored by a more reliable ISP, and perhaps secured from this occurring."

There's always something for my Disaster Recovery students...

October 10, 2007

International Day for Disaster Reduction: October 10, 2007

UN International Strategy for Disaster Reduction, "Nearly three years ago, Governments adopted the Hyogo Framework -- a plan of action to reduce our collective vulnerability to natural hazards. Today, as we commemorate World Disaster Reduction Day, recent calamities around the world -- including floods, storms, and droughts -- continue to remind us of the devastating effects of natural hazards, as well as the potentially harmful effects of a warming planet. The need to engage fully in disaster risk reduction has never been more pressing. Disaster risk reduction is about stronger building codes, sound land use planning, better early warning systems, environmental management and evacuation plans and, above all, education. It is about making communities and individuals aware of their risk to natural hazards and how they can reduce their vulnerability."

Guidelines are good

Posts Badware Guide for Casual Internet Users

October 09, 2007

Last week, released a report titled "Trends in Badware 2007: What internet users need to know." The document is a plain-English explanation of modern security threats on the web, covering iframe injections, phishing on social networks, and scareware, amongst other topics. In an environment that often offers only arcane cues to malice or wrongdoing, the 12-page document is a straightforward way to improve security awareness in the casual Internet user.

Training the next generation of Ubiquitous Surveillers...

- Help Catch Criminals, Watch Videos

PostACrime lets you indulge in your superhero fantasies, allowing you to catch the bad guys and fight for justice, and all that jazz. So it’s not exactly the Justice League, but it does combine two very popular, modern day activities, watching reality videos on the web and potentially earning some cash money while you’re at it. Simply browse the CCTV and security video uploads on the site, and see if you know any of the perps.

Wednesday, October 10, 2007

This has to be embarrassing. Note that the response isn't exactly what you would expect from a school like Carnegie Mellon...

[Carnegie Mellon] Professor’s laptops stolen; contained unsecured student information

Tuesday, October 09 2007 @ 09:36 AM EDT Contributed by: PrivacyNews News Section: Breaches

The first weekend in September was notable for most students as it was the end of the first week of classes. For a small percentage of the student body population, it was the weekend that their social security numbers left campus, stored in the unencrypted files of two stolen laptop computers.

According to University Police reports filed on Sept. 2, the laptops were stolen from the office of a computer science professor in Wean Hall. The door is believed to have been locked and there were no signs of forced entry, according to case officer Lieutenant John Race of the Carnegie Mellon University Police.

... One student, who preferred to remain anonymous for this article, was concerned that students were not notified of the theft until almost a month after it occurred. He asked Carnegie Mellon to pay for a credit monitoring service, which would examine past credit history to determine if fraud had already occurred. The university refused, he said.

Source - The Tartan Online

Of course, it could be worse...

Personal info for thousands of Tenn. students accidentally put online

Tuesday, October 09 2007 @ 11:57 AM EDT Contributed by: PrivacyNews News Section: Breaches

A man working on his dissertation this past summer accidentally posted personal information for about 17,000 K-12 students in Tennessee, along with the names of several hundred teachers.

The Web site,, has been taken down since this happened on August 28.

One file of information contained: the grade levels, elementary school names, Social Security Numbers, students' full names, genders and test scores for around 2,247 elementary school students.

Another file contained: the names, Social Security numbers and composite scores for approximately 3,000 K-12 students.

A third file contained: the grade levels, elementary schools, teacher's names, students' birth dates, students' full names, students' genders and test scores for around 11,789 students.

Source - WATE

Wow! What a massive penalty! The poor guy probably gets only 6 weeks of vacation a year... Fortunately he probably will get two weeks of comp time because he assisted in covering up... er... determining the extent of the data spill.

(update, Ohio) State supervisor docked 1 week of vacation over data theft

Wednesday, October 10 2007 @ 07:03 AM EDT Contributed by: PrivacyNews News Section: Breaches

A supervisor for the state’s massive new online financial system will lose a week of vacation over the theft of a computer backup device carrying the Social Security numbers of thousands of Ohioans and other sensitive data, officials said.

Jerry Miller, 49, a team leader for Ohio’s new payroll and accounting system, didn’t follow an order [and NO ONE NOTICED? Bob] given nearly three months before the theft to move the sensitive data from a common computer drive to a secure directory.

Source -

The Tooth Fairy is on our Board of Directors. Pigs can fly! We are in control.

Pfizer Employee Data Released by Outside Company

Tuesday, October 09 2007 @ 01:34 PM EDT Contributed by: PrivacyNews News Section: Breaches

Pfizer Inc. employees, already wracked by three data breaches this year, have been hit by yet another security problem, this time with no direct connection to the company. [Except for the contract? Bob]

The spouses and domestic partners of about 1,800 Pfizer employees learned late last month about a data breach at Wheels Inc., which provides cars to the company, mostly for use by its sales force. The breach, caused by a “temporary encryption error” [We forgot to encrypt? Bob] at the Wheels Web site, released names, addresses, birth dates and driver’s license numbers, according to the Pharmalot Web site, a source of drug-industry news.

Source -

Electronic ambulance chasing? Break in and leave your business card? Certainly a great way to advertise your Hacking course...

Australia's top enterprises hit by laymen hackers in less than 24 hours

Wednesday, October 10 2007 @ 07:02 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

A penetration test of 200 of Australia's largest enterprises has found severe network security flaws in 79 percent of those surveyed.

The tests, undertaken by University of Technology Sydney (UTS), saw 25 non-IT students [Article says they were “predominately law practitioners” Bob] breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet.

Faculty of Law lecturer and LogicaCMG chief security officer Ajoy Ghosh, who commissioned the test, said students were able to breach 24 enterprises, or 12 percent, in less than an hour; in fact, most systems were foiled in the first few minutes.

Source - Computerworld (AU)

Imagine how many people would have accessed the medical data if it had been a real celebrity. Perhaps we could count the accesses and establish a “Celebrity Index?”

Hospital Staffers Suspended Over Clooney

Wednesday, October 10 2007 @ 07:05 AM EDT Contributed by: PrivacyNews News Section: Breaches

Several hospital staffers have been suspended for allegedly peeking at George Clooney's confidential medical information after he was hurt in a motorcycle accident last month.

Clooney, 46, suffered a broken rib and scrapes in the Sept. 21 crash, while his passenger, Sarah Larson, 28, broke her foot. Both were treated at Palisades Medical Center in North Bergen.

WCBS-TV in New York reported Tuesday night that as many as 40 staffers, including doctors, were suspended without pay, accused of accessing Clooney's medical records and possibly providing information to the media, a violation of federal law. [HIPAA? Bob]

Source - Associated Press

YES! YES! YES! Someone gets it!

Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information

Tuesday, October 09 2007 @ 06:01 PM EDT Contributed by: PrivacyNews News Section: State/Local Govt.

Even though a company has not experienced an unauthorized access or acquisition of its customer information (and thus has not been subject to Nevada’s breach notification law), in 2008 merely transmitting customer information in an unencrypted format may violate a separate Nevada data security law.

Nevada has enacted a data security law that mandates encryption for the transmission of personal information (see Nev. Rev. Stat. § 597.970 (2005)). Specifically, the Nevada encryption statute generally prohibits a business in Nevada from transferring “any personal information of a customer through an electronic transmission,” except via facsimile, “unless the business uses encryption to ensure the security of electronic transmission.”[1] The Nevada encryption law goes into effect on October 1, 2008.

Source - Morrison|Foerster (Props, HIPAA Blog)

[From the article:

Companies that do business on a nationwide basis, which are already required to have an information security policy that complies with the laws of several states, should employ standards that do not leave them inadvertently out of compliance with this new Nevada law.

Governments would never read your email...

Jordan jails royal critic over e-mails

Tue Oct 9, 2007 11:22am ET

AMMAN (Reuters) - A critic of Jordan's royal family was sentenced to two years in jail on Tuesday for sending e-mails abroad that the court ruled to be carrying "false news" and harmful to the dignity of the state.

Gee, I can't imagine why anyone would be concerned to get a message from Der Führer...

Ca: Many Jews unsettled over Harper holiday greetings

Wednesday, October 10 2007 @ 07:00 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

When Michelle Kofman found a Rosh Hashanah greeting card from Prime Minister Stephen Harper in her mailbox last month, she was left with one puzzling question: How does he know I'm Jewish?

Ms. Kofman was one of several Jewish people who have expressed discomfort with the colourful greeting card sent out by the Prime Minister's Office to celebrate the religious new year holiday.

... A Conservative official, speaking on condition of anonymity, said the mailing lists the Prime Minister's Office uses are drawn from community directories, free publications available to the general public or word of mouth from friends and relatives, but not government records. Congratulatory messages for religious or cultural holidays are routinely sent out, the official said.

But Ms. Kofman said she is not a member of any Jewish organizations and, to her knowledge, isn't listed in any directories catering to the Jewish community.

Source -

As I've said before, they're not trying to prevent crime. Their objectives are 1) Look like you're doing something 2) Use technology, because it looks impressive and you can leak video clips to the news media 3) Take advantage of DHS grants (free money) to install hardware that requires a tax increase to support. 4) Put the (untrained) police “in charge” so you have a fall guy when you need one...

Study shows video surveillance on the Berlin underground has not improved safety

Wednesday, October 10 2007 @ 06:58 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

In April 2006, a pilot project was launched in Berlin, in which train operators on three lines of the Berlin underground aimed to test the extent to which 24-hour video surveillance could reduce criminality. The pilot project included the U2, U6 and U8 lines. The Social Democratic Party, which strongly supported the project in the state parliament, anticipated a "general preventive effect."

... BVG, the company responsible for public transport in Berlin, stated that the pilot project had proved its worth in the detection of assaults and criminal damage and decided to extend the project to all 170 underground stations in Berlin by the end of the year.

Civil rights group The Humanist Union has now forced the BVG, which had previously declined to do so, to release the report (PDF file). According to the report, video surveillance and recording on the three underground lines did not reduce the incidence of criminality, but in fact led to a small increase.

Source - Heise

[From the article:

Of a total of many thousands of criminal incidents, video material was available in only 78 cases. In only a third of these was the recording of sufficient quality to allow suspects to be identified.

Yeah, but is it useful?

PrivacyPlace fisks HealthVault

Posted by Dana Blankenhorn @ 12:51 pm October 9th, 2007

The term fisking, a detailed rebuttal of someone else’s statements and assertions, is fairly common to blogging but uncommon in health care.

Today The Privacy Place gave a good fisking to Microsoft’s HealthVault.

The group’s problems are these:

  1. HealthVault is not covered by HIPAA, only its own privacy statement.

  2. The privacy statement lets HealthVault move your data offshore, where there is no privacy protection.

  3. HealthVault will not promise to keep your health data separate from other data Microsoft may have on you.

  4. HealthVault access controls are easy to legally breach. If you give someone else permission to access your records, they can have them all, even change them.

It should be noted that these are not technical problems, but legal and ethical problems. Whether HealthVault delivers on its promises is not the issue. The issue is whether anyone should trust Microsoft with their health information based on current privacy statements.

The answer The Privacy Place delivers is a resounding no.

This is not just some blogger talking. The Privacy Place has a dozen major authors, and this piece was written by director Annie Anton. It is sponsored by the National Science Foundation and a unit of North Carolina State University.

It’s pretty amazing that Microsoft either did not contact these people, or did not run their policies by them, before launching. [I don't find it amazing... Bob] Microsoft did considerable homework in advance of this launch, and the company knows its privacy policies are suspect. Microsoft also has many lawyers.

It’s the kind of fiasco that could set the movement toward electronic health records back years. That kiss on the top of the HealthVault home page could prove the kiss of death.

For my Business Continuity class... (Isn't this “obvious?” The Army was doing this years ago.)

Google Patents Shipping-Container Data Centers

Posted by Zonk on Tuesday October 09, @12:43PM from the pick-it-up-and-move-it-out dept. Patents Google IT

theodp writes "Two years ago, Robert X. Cringely wrote that Google was experimenting with portable data centers built in standard shipping containers. The idea, Cringely explained, wasn't new and wasn't even Google's, backing up his claim with a link to an Internet-Archive-in-a-Shipping-Container presentation (PDF, dated 11-8-2003) that was reportedly pitched to Larry Page. Google filed for a patent on essentially the same concept on 12-30-2003. And on Tuesday, the USPTO issued the search giant a patent for Modular Data Centers housed in shipping containers, which Google curiously notes facilitate 'rapid and easy relocation to another site depending on changing economic factors'. That's a statement that may make those tax-abating NC officials a tad uneasy."

For my Security Management class

Amazing XP Tools to Arm your PC from Hackers

Posted on October 9th, 2007 by techjohn

Hackers have newer methods to hack into your systems. They are smart enough to detect security loopholes in your PC and enter through open ports, unencrypted Wi-Fi connections, malicious websites or internet servers. It is better to check your PC periodically for invasions and protect your system to prevent pilfering and damage of data.

Read the following tools that will rescue your PC when it is in danger.

What's out there?

October 09, 2007

First Internet Census Since 1982

62 Days + Almost 3 Billion Pings + New Visualization Scheme = the First Internet Census Since 1982: "Researchers at the University of Southern California Information Sciences Institute, one of the birthplaces of the Internet decades ago, have just completed and plotted a comprehensive census of all of the more 2.8 billion allocated addresses on the Internet -- the first complete effort of its kind in more than two decades, they say."

  • "Starting in 2003, researchers at ISI ANT Lab (the ANT Lab is a research group spanning USC/ISI, the USC and Colorado State University Computer Science Departments, the USC Electrical Engineering department, and USC's Information Technology Services) have been collecting data about the Internet address space. As part of this work [they] have been probing all addresses in the allocated Internet address space. This web page summarizes this research, the datasets, and related papers."

How do we protect it? (Note computer infrastructure is a short sidebar...)

October 09, 2007

White House: National Strategy for Homeland Security

Fact Sheet: National Strategy for Homeland Security - A Comprehensive Guide For Securing the Homeland: "Today, the President issued an updated National Strategy for Homeland Security, which will serve to guide, organize, and unify our Nation's homeland security efforts. This Strategy is a national strategy – not a Federal strategy – and articulates our approach to secure the Homeland over the next several years. It builds on the first National Strategy for Homeland Security, issued in July 2002, and complements both the National Security Strategy issued in March 2006 and the National Strategy for Combating Terrorism issued in September 2006. It reflects our increased understanding of the threats confronting the United States, incorporates lessons learned from exercises and real-world catastrophes, and articulates how we should ensure our long-term success by strengthening the homeland security foundation we have built. This includes calling on Congress to make the Foreign Intelligence Surveillance Act (FISA) reforms in the Protect America Act of 2007 permanent."

Is this anywhere in the catalog of most law schools?

An Open Source of Legal Business

Jessie Seyfer The Recorder October 9, 2007

Last year, business software maker Terracotta Inc. abandoned traditional sales models and dived into the complicated legal waters of open source.

Selling software this way attracted "an explosion" of customers [Why we want to do it... Bob]-- and brought a whole array of new legal questions, [We'll worry about that when we're rich... Bob] said Terracotta General Counsel Tim McIntyre. For instance, now that anyone can tinker with the company's software and suggest changes, Terracotta must make sure the changes don't infringe on anyone else's copyrighted software code, McIntyre said.

For this and other questions, Terracotta turned to attorneys in the open source practice at Cooley Godward Kronish.

Cooley is just one firm that has seen its open source practice increase significantly over the last couple of years, buoyed by a growing acceptance and popularity of open source software.

For my Web Site class... (but you can use them too – some VERY useful tools here)

Webmaster Intel Basics: 25 Tools to Compile an In-Depth Dossier on a Competitors’ Site

By Jessica Hupp

Your rankings don’t just depend on how good your site is. They depend on the quality of your competitors’ sites as well. As a result, keeping an eye on your competition should be a regular part of every webmaster’s tactical plan. Use these 25 tools to get the lowdown on their sites.

Free is good! (Also a great design for a phishing site...)

Do you love getting free stuff? I mean who doesn’t. is a site that has information on where on the web you can find free stuff, from offers to samples to limited time giveaways, lists it. Once you go to the homepage you have a list of the recently posted free offers. There are contests, free shoe giveaways, free popcorn and shampoo samples, basically anything you can imagine. Click on the free product of your choosing and you will see what user posted it and when, the url of the site that is offering the free sample, comments, related links, and who voted. You can decide to discuss the free sample, or send it to a friend or if it is a fake offer you can bury it. You can search for free samples by category or tag or use the search engine. You must register to submit a free offer or sample. You can take a look at the top users and see their karma, which is a score that is created by how active and useful they are on the site. Take a look at and see what cool free stuff you can find.

Visual Exploration of Medical Vocabularies

9th October 2007

If you’re interested in researching medical conditions, this might be a good place for you to spend a little time. The Visual Medical Dictionary takes your search for a medical term, gives you a definition and provides you with even more terms.

An example is in order. Start at the medical dictionary at and enter a drug, disease, or therapy name. I tried shingles. I got two potential results — one for a disease and one for a drug (a vaccine). When I held my mouse over each word, I got a definition and some additional information. But even cooler is what I got on the right side of the screen.

Makes your screen doggone clean!

Tuesday, October 09, 2007

If you are a high-profile target, you must expect (and plan for) attacks. And still, they manage to break in!

Hacker breaks into eBay server, locks out users

According to eBay, the perpetrator was unable to access sensitive information, affected users have been notified, and servers have been restored

By Juan Carlos Perez, IDG News Service October 08, 2007

A malicious hacker broke into an eBay server on Friday and temporarily suspended the accounts of a "very small" number of members, the company said.

Pay me now or pay me later...

Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner

Tuesday, October 09 2007 @ 07:17 AM EDT Contributed by: PrivacyNews News Section: Breaches

Enterprise IT security needs to shift from a reactive approach to security needs to a mix of strategic planning and rapid tactical execution, according to Gartner analysts speaking at the Gartner Symposium/ITxpo in Orlando, FL. Financially motivated targeted attacks are becoming more prevalent and more costly, and new vulnerabilities continue to be reported. However, 90 percent of these attacks can be avoided without requiring any increase in security spending, according to Gartner.

Source - Tekrati

This letter puts you on “double secret probation” (Hey, it works for the FBI!)

Don't Post This Cease-and-Desist Letter, Or Else

from the let's-test-that-theory dept

Greg Beck writes "In an apparent attempt to avoid the Streisand Effect, lawyers sending threat letters sometimes claim that the recipient would violate the firm's copyright by posting it online. This post is about Public Citizen's response to one dumb threat letter and its decision to post the letter online despite the copyright claim." It's funny how popular it has become for lawyers to claim it's illegal to post or even show anyone their cease-and-desist letters. Remember: just because a lawyer says so, it doesn't mean it's true. You can see Public Citizen's response to the letter (pdf), which lays out a variety of reasons why the cease and desist is ridiculous (it's yet another attempt to force criticism offline) and ends with a fantastic response to the claim that the original C&D is covered by copyright and cannot be posted online without additional charges: "By this letter, we are inviting you to test the validity of your theory that the writer of a cease and desist letter can avoid public scrutiny by threatening to file a copyright law suit if his letter is disclosed publicly on the internet." Somehow, I doubt the opposing lawyer will test out this theory.

Boys will be boys! Then daddy's gotta cover up!

Editorial: Wrong view of privacy threatens access to court records

Tuesday, October 09 2007 @ 07:20 AM EDT Contributed by: PrivacyNews News Section: State/Local Govt.

Privacy is the right of an individual not to have the government or an individual snooping into your medical history or web surfing habits. It’s not the right of an individual to have a 20-year-old disorderly conduct conviction buried in a courthouse vault.

Republican Attorney General J.B. Van Hollen knows the difference. State Rep. Marlin Schneider (D-Wisconsin Rapids) doesn’t.

Source - The Tomah Journal

Vonage Settles With Sprint... Prelude To A Sale?

from the maybe-possibly dept

Just a couple weeks after losing yet another patent lawsuit, Vonage has decided to settle its patent lawsuit with Sprint, agreeing to pay $80 million, covering both past and future licensing costs. The company is still fighting over Verizon's questionable patents. Again, it seems pretty silly that the company that actually figured out how to bring phone-based VoIP to the market in a way that people wanted now has to pay the incumbents who were unable (or unwilling) to do so. Of course, there's also been lots of talk that these patent lawsuits were really an attempt by the telcos to crush Vonage to the point where it was an easy buyout target. Thus, settling with Sprint could open up the possibility of a Sprint purchase... but it probably would have just made more sense to do the buyout first before "settling," as the news of the settlement has sent Vonage's stock soaring. Based on that, don't be too surprised if Vonage reaches a bit deeper into its dwindling cash reserves to pay off Verizon as well -- the resulting stock bump could effectively pay for the licensing fees. All in all, though, it does highlight how silly the patent system has become. The uncertainty over the suits hurts a company's stock and pushes companies to settle, even if they shouldn't. That's exactly what happened with RIM and NTP, and it looks like what happened here.

Need a hobby? Become a music mogul!

A Few More Music Business Model Suggestions

from the keep-'em-coming dept

Every time we talk about the economics of the entertainment industry, someone accuses us of not suggesting any alternative business models. However, we actually have suggested other business models all the time, while showing how other musicians have succeeded in embracing new models to make money while giving fans reasons to pay. Of course, part of the confusion is that many musicians are using slightly different business models to make this work -- which is exactly how it should be. No one is saying that all musicians are going to find that any particular business model works, but there are a number of different business models that all involve using the music to make other (scarce) things more valuable and worth paying for. Reader alex points us to a column from Pitchfork Media that has a bunch of other business model suggestions, mostly focused on giving people a reason to pay, rather than just complaining that they won't pay. Once again, it's important to remember that "free" isn't the business model -- but it's an important part of any business model involving infinite goods.

At Hogwarts, a flick of a wand eliminates entire segments of technology! Go get 'em, hackers!

Info chief shrugs off Bluetooth regulation

Blue spam free for all

By OUT-LAW.COM Published Monday 8th October 2007 12:39 GMT

The Information Commissioner will no longer regulate the use of Bluetooth mobile technology, prompting fears of a wave of "Bluetooth spam".

The commissioner no longer considers the wireless connection technology to be covered by the UK's privacy laws.

Now wouldn't this be fun!

IT trainer offers master's degree for hackers

EC-Council University's security science program aimed at helping qualified IT professionals advance their skills and take on high-level industry jobs

By Matt Hines October 08, 2007

In an effort to produce the next generation of chief security officers and IT systems defense experts, an online training company is offering a new master's degree program in security science.

For my Security Management students

October 08, 2007

Deloitte 2007 Global Security Survey

"Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."

October 08, 2007

Analyst Toolbox, A Toolbox for the Intelligence Analyst,

"The U.S. Department of Justice's (DOJ) Global Justice Information Sharing Initiative (Global) Intelligence Working Group (GIWG) has prepared and made available via the Office of Justice Programs Information Technology Initiatives Web site, a valuable resource for the law enforcement community. This resource titled: Analyst Toolbox, A Toolbox for the Intelligence Analyst, represents the results of extensive Web-based, open source research and the collection of systems currently utilized by local, state, tribal, and federal law enforcement agencies. The Analyst Toolbox will assist law enforcement agencies with making the proper decisions on the products necessary to effectively serve their communities."

Shhh! Don't tell a soul!

Discover the .EDU Underground

Little appreciated outside the world of academia, there are literally thousands of .edu sites bursting with incredibly useful and interesting information and resources. Most of these sites won't pop up to the surface of the average search engine quest, and so they wait, neglected and underused...until now. Keep reading for a quick tour through the mysterious underground world of .edu.

Tools & Techniques

''Call Me On My Ring-To Number...''

-- New Service Offers FREE Privacy Number for US and Canadian Consumers to ''Veil'' their Identity on Social Netwo

Mon Oct 8, 10:12 AM

WEST DES MOINES, Iowa--(BUSINESS WIRE)--WebPoint Communications LLC, a next-generation communications service provider, today unveiled Ring-To Number, a new service to safeguard a person’s identity and privacy when interacting on social networks, auctions and online dating sites. This FREE widget provides a private channel of communication to receive phone calls without divulging the person’s actual number, address and location.

Out of control?

Survey Shows Negligent e-Records Management is Creating “Stunning Business Risks”

A new survey of records managers by Cohasset reveals continued neglect in the management of electronic records. The survey shows 40% of organizations do not include electronic records in their retention schedules and 55% do not include emails; only 14% always follow their records retention policy; 44% do not include electronic records in their litigation hold procedures; and, 46% do not think their electronic records are accurate, reliable or trustworthy. These statistics are amazing to me, especially when you consider this survey is limited to those organizations with full time professional records managers. It is reasonable to assume that the statistics are far worse for companies that do not have a records management department. The bottom line of the study is that: [see full article... Bob]

Free is good! (Got an older PC you'd like to revitalize?

Ubuntu Gutsy Gibbon free CD's: orders are taken NOW

The shipit service of Ubuntu is now taking orders for Gutsy shipments. Standard options: 1 or 2 x86 cd's or 1 x86_64 cd's

Not for everyone. Some of my students have problems studying at home... - A Study Abroad Guide

The Study Abroad Guide is a site designed to help students with choosing their study abroad destinations and also with the actual process. The Study Abroad Guide features articles on different universities and language programs. When you visit the homepage there is a list of recent study abroad articles, but you can scroll down to see the different categories of articles such as: business schools, Colleges, Universities, education online, Study abroad in Italy, Study abroad Asia, etc. Many of these articles have links to the programs or Universities in the study abroad destination. There are also articles and links that focus on travel and traveling bargains. Once you have registered and you have finished reading an article you can make a comment voicing your opinion on the article. If you are a study abroad provider, a University, College or School, you can apply to be featured on the site for $495 a year. The Study Abroad Guide will give your school exposure to students interested in international study abroad. So if you have been considering studying abroad the Study Abroad Guide might have some articles that might interest you.

Monday, October 08, 2007

Yesterday one of their subsidiaries had a data spill due to hackers. Is there a bigger problem here?

Ticketmaster Claims Hacking Over Ticket Resale Site

Posted by Zonk on Sunday October 07, @08:18PM from the watch-out-for-ticket-haxxors dept. Security The Internet Businesses

FlopEJoe writes "Ticketmaster claims that RMG Technologies is providing software to avoid security measures on their website - even to the point of utilizing bots to get large blocks of tickets. RMG says it just 'provides a specialized browser for ticket brokers.' From the New York Times article: 'The fact that tickets to popular events sell out so quickly -- and that brokers and online resellers obtain them with such velocity -- is clouding the business, many in the music industry say. It is enough, some longtime concertgoers say, to make them long for the days when all they had to do to obtain tickets was camp out overnight.'"

The rest of the faux pas

Data “Dysprotection:” breaches reported last week

Monday, October 08 2007 @ 03:29 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Protecting our rights?

Democrats to Offer New Surveillance Rules

Sunday, October 07 2007 @ 01:46 PM EDT Contributed by: PrivacyNews News Section: Surveillance

House Democrats plan to introduce a bill this week that would let a secret court issue one-year "umbrella" warrants to allow the government to intercept e-mails and phone calls of foreign targets and would not require that surveillance of each person be approved individually.

The bill is likely to resurrect controversy that erupted this summer when Congress, under White House pressure, rushed through a temporary emergency law that expanded the government's authority to conduct foreign surveillance on U.S. soil without a warrant. The Protect America Act, which expires in February, has been criticized as being too broad and lacking effective court oversight.

Source - Washington Post

What's new in the EU (and likely coming our way)

October 07, 2007

Guide to Finding Proposed Legislation Using EUR-Lex

European Information Association: "See also our guides to using OEIL and PreLex. Produced by the Commission and Parliament respectively, these two sources allow you to monitor the progress of proposed legislation through the various stages leading to adoption (or rejection - not all proposals are adopted). Proposals are generally published by the European Commission. They appear initially as Commission Communications (COMdocs or COMs)...Not all COMdocs are proposals for legislation; some take the form of consultative documents (Green / White papers), others are reports on EU policies."

  • See also Finding national implementing measures using N-Lex: "The form of EU legislation known as a 'Directive' sets out the objectives to be achieved, but leaves individual Member States to implement the detailed legislative measures required. The result is that, for every Directive, there is an EU-level text plus x number of national versions - which will invariably differ in detail from the original...N-Lex can be accessed direct at or via the EUR-Lex website."

An example of open source intelligence.

Googlestalking For Covert NSA Research Funding

Posted by Zonk on Sunday October 07, @05:11PM from the because-what-else-are-you-going-to-do dept. United States The Almighty Buck Politics Science

James Hardine writes "Wikileaks is reporting that the CIA has funded covert research on torture techniques, and that the NSA has pushed tens or hundreds of millions into academia through research grants using one particular grant code. Some researchers try to conceal the source of funding, yet commonality in the NSA grant code prefix makes all these attempts transparent. The primary NSA grant-code prefix is 'MDA904'. Googling for this grant code yields 39,000 references although some refer to non-academic contracts (2,300). The grants issue from light NSA cover, the "Maryland Procurement Office" or other fronts. From this one can see the broad sweep of academic research interests being driven by the NSA."

The world, she is a changing...

Entrepreneur Aims to Overthrow TV, Not Get Rich

By Bryan Gardiner Email 10.08.07 | 12:00 AM

Most software entrepreneurs' ambition is to sell out for a huge wad of cash, or maybe go public for an even bigger pile. Not so Nicholas Reville: He wants to overthrow the television industry, and he doesn't care if he gets rich. In fact, as executive director and co-founder of the Participatory Culture Foundation, a 501(c)(3) nonprofit, Reville is unlikely to make much money at all.

Reville oversees the PCF's core project: a free, open-source video player called Miro. Formerly known as Democracy Player, Miro is a desktop video application that lets you search and view videos. It uses RSS, BitTorrent and media-player technologies.

But the PCF's ambitions go far beyond making and distributing a popular internet video platform. Ultimately, the foundation's goal is to promote and build an entirely new, open mass medium of online television.

... Lilly notes that the big challenge for Miro will be finding a way to monetize internet video, [Got any ideas? Bob] so the company is eventually less dependent on donations.

Mesmerizing, but is it useful?

Logfiles Made Interesting with glTail

Posted by CmdrTaco on Sunday October 07, @10:11AM from the because-you-can dept. Software

Fudgie writes "My boss claimed it was pretty much impossible to create an entertaining way to visualize server traffic [Should “entertaining” be a design criterion? Bob] and events in a short time frame, so of course I had to prove him wrong. A weekend of neglecting my family produced a small ruby program which connects to your servers via SSH, grabs and parses data from Apache's access log and Ruby on Rails production log, and displays your traffic and statistics in real-time using a simple OpenGL interface (tested under Linux and Mac OS/X). It's a bit hard to explain over text, so please have a look at for an example movie, and more information."
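The useful half of what glTail does, parsing Apache access-log lines and keeping rolling statistics over a short time window, in a small Ruby example added here (it is not glTail's code; the log lines, the window size and the hash of stats are all constructed for the example). Leaving out the SSH and OpenGL parts, it shows what a defender actually gets from such a tool: request rate, error rate, and the hosts and paths that dominate the last minute of traffic.

```ruby
# Added example, not glTail's code: parse Apache "combined" log lines and
# keep statistics over a sliding time window, the way a real-time log
# visualizer must before it can draw anything.
require 'time'

# Apache combined log format; the named groups are our own labels.
LOG_RE = /\A(?<host>\S+) \S+ (?<user>\S+) \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) (?<proto>[^"]+)" (?<status>\d{3}) (?<bytes>\d+|-)(?: "(?<referer>[^"]*)" "(?<agent>[^"]*)")?\z/

# Returns a hash for one log line, or nil if the line is not in combined format.
def parse_line(line)
  m = LOG_RE.match(line.strip)
  return nil unless m
  {
    host: m[:host], path: m[:path], method: m[:method],
    status: m[:status].to_i,
    bytes: m[:bytes] == '-' ? 0 : m[:bytes].to_i,
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    agent: m[:agent]
  }
end

# Keeps only the entries whose timestamp lies within the last +window+ seconds
# of the newest entry seen, so every statistic describes recent traffic only.
class WindowStats
  def initialize(window_seconds)
    @window = window_seconds
    @events = [] # oldest first; lines are assumed to arrive in time order
  end

  def add(entry)
    @events << entry
    cutoff = entry[:time] - @window
    @events.shift while @events.first[:time] < cutoff
    self
  end

  def size
    @events.size
  end

  # e.g. counts_by(:status) => {200 => 3, 401 => 2, 404 => 1}
  def counts_by(key)
    @events.each_with_object(Hash.new(0)) { |e, h| h[e[key]] += 1 }
  end

  # The n most frequent values of +key+ as [value, count] pairs.
  def top(key, n)
    counts_by(key).sort_by { |v, c| [-c, v.to_s] }.first(n)
  end

  def requests_per_second
    return 0.0 if @events.empty?
    span = @events.last[:time] - @events.first[:time]
    span = 1.0 if span < 1.0
    @events.size / span
  end

  # Share of requests answered with a 4xx or 5xx status.
  def error_rate
    return 0.0 if @events.empty?
    @events.count { |e| e[:status] >= 400 }.to_f / @events.size
  end
end

# Feed a whole log text through a window; returns [stats, lines_skipped].
def load_log(text, window_seconds)
  stats = WindowStats.new(window_seconds)
  skipped = 0
  text.each_line do |line|
    entry = parse_line(line)
    if entry then stats.add(entry) else skipped += 1 end
  end
  [stats, skipped]
end

# Constructed sample log: one unparseable line and a gap of over a minute
# before the final request, so the window drops everything earlier.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [07/Oct/2007:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
  10.0.0.5 - - [07/Oct/2007:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example.test/" "Mozilla/5.0"
  10.0.0.9 - - [07/Oct/2007:10:00:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.16"
  10.0.0.9 - - [07/Oct/2007:10:00:04 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.16"
  10.0.0.9 - - [07/Oct/2007:10:00:05 +0000] "POST /login HTTP/1.1" 200 1024 "-" "curl/7.16"
  10.0.0.7 - - [07/Oct/2007:10:00:30 +0000] "GET /nope HTTP/1.1" 404 209 "-" "Mozilla/5.0"
  garbage line that does not match
  10.0.0.7 - - [07/Oct/2007:10:01:40 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
LOG

if __FILE__ == $0
  stats, skipped = load_log(SAMPLE_LOG, 60)
  puts "in window: #{stats.size}, skipped: #{skipped}, errors: #{stats.error_rate}"
end
```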

[Also see: Bob]