Saturday, January 26, 2008

It is hard to encrypt paper...

Warning to students after their personal data is lost

ANDREW DENHOLM, Education Correspondent January 26 2008

The personal details of nearly 1500 Scottish students have been lost in the post in a new case of wholesale data loss by government services.

The Scottish Funding Council (SFC), which distributes money to universities and colleges on behalf of the government, said paper copies of a survey of students from seven colleges went missing two weeks ago.

According to the SFC, eight boxes of the completed surveys were sent by courier from a market research company in Glasgow to an Edinburgh consultancy firm, but only three arrived.

Attention Class Action lawyers? They are relying on users to have the appropriate anti-virus software to stop/remove the virus.

Best Buy Sold Infected Digital Picture Frames

By GREGG KEIZER, Computerworld, IDG January 23, 2008

Best Buy Co. Inc. sold digital picture frames during the holidays that harbored malicious code able to spread to any connected Windows PC, the big box retailer has confirmed. It is not recalling the frames, however.

What Best Buy called "a limited number" of the 10.4-in. digital frames sold under its in-house Insignia brand were "contaminated with a computer virus during the manufacturing process," according to a notice posted on the Insignia site last weekend. The frame which went by the part number NS-DPF10A has been discontinued, and all remaining inventory pulled, Best Buy added.

... Best Buy did not specify the number of virus-loaded frames that had ended up in customers' hands, but said in a second notice posted today that it is continuing to investigate and is "connecting with our customers who may have been impacted." [No indication how this is being done... Bob]

... Only Windows PCs are vulnerable, said Best Buy's notices, and then only if the picture frame were to be connected to the computer via the included USB cable. Frames like digital cameras are designed to connect to PCs so that images can be downloaded from the machine to the frame.

We can, therefore we must? Shouldn't surprise anyone...

German Govt Skype Interception Trojans Revealed

Posted by CmdrTaco on Saturday January 26, @09:27AM from the trojan-man dept.

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."

Interesting. I wonder how often this happens since it seems easy for Verizon to hide/ignore. How would you get their attention?

Our Verizon FiOS customer service nightmare: Why won’t they protect my private customer information?

Andru Edwards Posted by Andru Edwards Friday January 25, 2008 10:17 am

... So it’s been 8 months since we have had FiOS installed, and for that entire 8 months, my personal information has been freely available to another FiOS customer who I do not know.

Sure to pass unnoticed?

Celebrating data privacy

1/25/2008 03:48:00 PM Posted by Jane Horvath, Senior Privacy Counsel; Peter Fleischer, Global Privacy Counsel; and Shuman Ghosemajumder, Business Product Manager for Trust and Safety

Last year, the Council of Europe had a great idea. Based on polling that showed that 70% of Europeans did not understand how their personal data was being protected, the Council decided to hold the first annual Data Protection Day on January 28, 2007. Privacy experts visited schools and universities, launched information campaigns, and held press conferences in locations throughout Europe, informing and educating consumers about their personal data rights and protections.

Lack of understanding about data protection on the Internet is not only a European issue, it's a global one. As more and more personal information comes online every day, it's increasingly important that users all over the world understand both the benefits and potential risks of online data sharing, and the tools at their disposal to control and manage the data they share online. In recognition of the global importance of data protection, the U.S. and Canada have joined 27 European countries to celebrate Data Privacy Day 2008 this Monday, January 28th.

As part of the day's events, we'll join legal scholars, privacy professionals, and government officials from Europe and the U.S. at an international data privacy conference being held at Duke University in Durham, North Carolina. We'll also contribute to efforts to raise awareness and promote understanding of data privacy issues by releasing the third video in our privacy series ("Google Privacy: A Look at Cookies") on our YouTube Privacy Channel. This video offers a closer look at how cookies work and how web sites and advertisers use them to personalize our online experiences. We've also developed a privacy booklet (pdf-web version coming soon!) that you can download to get an in-depth look at our privacy practices and approach, and have co-sponsored the creation of educational materials on teen online privacy for parents and educators. The goal of all these efforts is to help educate you about online data privacy so that you can make more informed choices about how you use online products and services.

We hope that you'll take a few minutes on Monday to learn something new, and that Data Privacy Day reinforces existing global efforts to educate consumers about online data collection, use, and protection.


Perhaps we should copy Swiss law?

Antipiracy group's tactics violate Swiss law

Logistep, which supplies information on suspected file sharers to law firms around the world for use in copyright violation cases, has until Feb. 9 to respond to charges

By Jeremy Kirk, IDG News Service January 25, 2008

... Under Swiss law, the identity of a subscriber to an ISP can only be revealed during the course of a criminal case, not a civil one, Schaefer said. The IP address of a computer controlled by the subscriber is considered "personal" information.

I suspect this will become common: why spend money to increase the risk of a data spill? (And it still looks like a cool laptop.)

HP introduces thin client disguised as a laptop

With data storage and system management handled remotely, HP Compaq 6720T Mobile Thin Client reduces risk of data loss, but could be hard sell for many users

By Agam Shah, IDG News Service January 24, 2008

In an effort to push mobility into thin clients, Hewlett-Packard is adding a laptop with minimal storage and wireless networking features to its lineup.

The HP Compaq 6720T Mobile Thin Client has 1GB of internal flash storage and will be more of a terminal than a full-blown PC, with data storage and system management handled from a remote server, the company said Thursday. The laptop boots off Windows XP Embedded OS in the flash module.

Because data isn't stored on the laptop, there is less risk of a company losing data, said Thai Nguyen, HP worldwide product marketing manager for thin clients.

... Along with better security and easier system management, thin-client architecture uses less power than traditional PCs, said Klaus Besier, vice president for thin clients at HP. The thin-client laptop does not have a fan or moving parts such as a hard drive.

The product is targeted at vertical industries such as health care and insurance, Nguyen said.

What an interesting ruling. Does that mean that publishing the letter on my blog will deny the lawyer profits from the sale of copies? Perhaps it will jeopardize sale of the movie rights.

Court Says You Can Copyright A Cease-And-Desist Letter

from the free-speech? dept

Back in October, we wrote about a law firm that was claiming a copyright on the cease-and-desist letters it sent out, and insisting that it was a violation to repost them. It's long been believed that cease-and-desist letters that have no new creative expression and are merely boilerplates are likely not covered by copyright. On top of that, preventing someone from copying a cease-and-desist letter or posting it on their own website seems like a pretty severe First Amendment violation. The group Public Citizen hit back against this law firm's claims, but surprisingly, a judge has now agreed that you can copyright cease-and-desist letters (thanks to Eric Goldman for emailing over the link). The news was announced in a press release by the lawyer in question, who claims this means he can now sue anytime someone posts one of his cease-and-desist letters. He also goes on to slam those who believe free speech means being able to talk about the fact that a company is bullying them:

"The publication of cease and desist letters is an easy way for scofflaws to generate online 'mobosphere' support for illegal activity and, until today, many businesses have been hesitant to take action to address some of the lawlessness online because of possible retaliation and attacks."

To which I would respond: "The copyrighting of cease-and-desist letters is an easy way for law firms to bully small companies who have committed no wrong, but who have no real recourse to fight back against an attempt to shut them up via legal threat. Until today, many companies who were being unfairly attacked by companies and law firms misusing cease-and-desist letters to prevent opinions from being stated, had a reasonable recourse to such attacks, and could draw attention to law firms that used such bullying tactics to mute any criticism." This is an unfortunate ruling and can only serve to create a serious chilling effect on free speech.

There was an article yesterday about an ISP that had no email backup. Perhaps the problem is broader than even I (a mildly cynical guy) believe.

Most Companies Walk a High-Wire E-Mail Risk Without a Net

By Chris Preimesberger 2008-01-24

A new survey reveals that more than half of all businesses have no e-mail backup and recovery plan in place.

A new study confirms what a great many people in IT already suspected: Companies of all sizes are vulnerable to costly and damaging e-mail outages because they trust their messaging infrastructure to a single server [What we call a single point of failure Bob] and do not have an adequate backup and recovery plan in case of a disaster. surveyed 434 IT professionals responsible for e-mail continuity in small (0-99 employees), medium (100-999 employees) and large (1,000 or more employees) enterprises. provided the analysis.

The goal was to determine whether companies are prepared to deliver e-mail continuity—particularly for Microsoft Exchange—and whether companies have a plan in place to secure e-mail communication during a local or sitewide failure or downtime event.

... Key findings included the fact that less than half of the respondents have a reactive disaster recovery plan in place; only 46 percent of respondents have currently implemented a high-availability solution of some type, and the definition varies widely to include data backup solutions that do not deliver high availability of business-critical applications such as e-mail.

Only 21 percent of respondents have implemented a disaster avoidance strategy, while 29 percent of midsized companies are operating with only a single Exchange server, and have no application continuity plan in place. More than 50 percent of the responding companies that have a continuity solution in place for Exchange are only backing up files or file systems, and are not backing up the Exchange application for an immediate recovery in the event of a server failure or site outage.

... "Companies clearly recognize the mission-criticality of e-mail, with 95 percent of surveyed companies viewing it as essential to business operations," said Eric Burgener, senior analyst with The Taneja Group.

... A full copy of the report is available here or here.

Friday, January 25, 2008

Be careful what you assert – it will come back to haunt you.

Fallon Community Health Plan reports data breach affecting 30,000 members

Thursday, January 24 2008 @ 05:36 PM EST Contributed by: PrivacyNews News Section: Breaches

Fallon Community Health Plan said this afternoon the names, dates of birth and Medicare identification numbers of approximately 30,000 Senior Plan members were on a laptop computer stolen earlier this month from a Boston-based vendor of the HMO.

The health plan said it will offer free credit monitoring services for 12 months to those affected by the data breach. Fallon health plan officials said the data was not password protected or encrypted, in violation of the company's policies.

Source - Telegram & Gazette
Related - Security breach compromises Fallon patient data

[From the article:

The vendor discovered the theft Jan. 2 and originally said the material had been encrypted. But the health plan, with the assistance of a forensic technologist, came to the conclusion Jan. 14 that the information was not protected.

Am I missing something?

(follow-up) WI: 3 fired over privacy breaches, state agencies say

Thursday, January 24 2008 @ 03:42 PM EST Contributed by: PrivacyNews News Section: Breaches

... three people — two state employees and one who worked for a company hired by the state — have been fired over security concerns.

Two Department of Revenue workers were fired for not meeting the department’s standards related to the handling of confidential data, Ervin said. He would not disclose other details other than to say the workers were not directly involved in any of the problem mailings. [“Yes, they had nothing to do with the data spill... so we fired them!” Bob]

The employee responsible for a mailing including Social Security numbers on the label to 260,000 SeniorCare, BadgerCare and Medicaid recipients also has been fired, said Kevin Hayden, secretary of the Department of Health and Family Services.

Source - Green Bay Press Gazette

[From the article:

The state also now has its own employees reviewing EDS mailings, Hayden said. “We have our eyes watching their team,” he said. [Finally they grasp the obvious! Bob]

Ya Schweinhund, no papers no education!

UK: No student loan without ID card, says government

Thursday, January 24 2008 @ 03:19 PM EST Contributed by: PrivacyNews News Section: Non-U.S. News

Students will be "blackmailed" into holding identity cards in order to apply for student loans, the Tories have warned.

According to Home Office documents leaked to the Conservative party last night, those applying for student loans will be forced to hold identity cards to get the funding from 2010.

Anyone aged 16 or over will be expected to obtain a card - costing up to £100 - to open a bank account or apply for a student loan.

Source - Guardian
Related - Students revolt against being ID card "guinea pigs"

They need to pass the Waterboarding is Okay Act.

RIPA could be challenged on human rights

OUT-LAW News, 24/01/2008

The Government's new powers to force the handover of encryption keys could be vulnerable to a legal challenge under the Human Rights Act's guarantee to a fair trial. People who refuse keys or passwords face up to five years in jail.

The ultimate in asymmetric warfare -- “Today I think I'll shut down China...” And there are no laws to stop me?

Cyberwarfare in International Law

Posted by Zonk on Thursday January 24, @05:19PM from the thorny-issue dept.

belmolis writes "If the CIA is right to attribute recent blackouts to cyberwarfare, cyberwarfare is no longer science fiction but reality. In a recent op-ed piece and a detailed scholarly paper, legal scholar Duncan Hollis raises the question of whether existing international law is adequate for regulating cyberwarfare. He concludes that it is not: 'Translating existing rules into the IO context produces extensive uncertainty, risking unintentional escalations of conflict where forces have differing interpretations of what is permissible. Alternatively, such uncertainty may discourage the use of IO even if it might produce less harm than traditional means of warfare. Beyond uncertainty, the existing legal framework is insufficient and overly complex. Existing rules have little to say about the non-state actors that will be at the center of future conflicts. And where the laws of war do not apply, even by analogy, an overwhelmingly complex set of other international and foreign law rules purport to govern IO.'"

...and it's Open Season!

No 'Insider Trading' Found in Alleged Data Hacking

Beth Bar New York Law Journal January 24, 2008

A man who allegedly hacked into the Thomson Financial network from Ukraine and subsequently used the non-public information cannot be penalized for "insider" trading, a federal judge has ruled.

Southern District Judge Naomi Reice Buchwald ruled in Securities and Exchange Commission v. Dorozhko, 07 Civ. 9606, that defendant Oleksandr Dorozhko's alleged "hacking and trading" did not violate §10(b) of the Securities and Exchange Act of 1934, the section that bans insider trading.

Thus, she refused a request by the Securities and Exchange Commission (SEC) to preliminarily enjoin Mr. Dorozhko from gaining access to the profits he made after he allegedly hacked into Thomson's network in October and discovered IMS Health's negative earnings announcement, which the company had yet to release.

Based on this information, the SEC said Mr. Dorozhko purchased $41,670 worth of put options. The next day, as soon as the market opened, he sold the options for $328,571.

In her Jan. 7 decision, Judge Buchwald said the case highlighted a "potential gap arising from a reliance on fiduciary principles in the legal analysis that the courts have employed to define insider trading, and the courts' stated goal of preserving equitable markets."

Even small firms need backups. No professional organization would ever fail to back up... (See next article)

Angry Employee Deletes All of Company's Data

Thursday , January 24, 2008

Call it a tale of revenge gone wrong.

When Marie Lupe Cooley, 41, of Jacksonville, Fla., saw a help-wanted ad in the newspaper for a position that looked suspiciously like her current job — and with her boss's phone number listed — she assumed she was about to be fired.

So, police say, she went to the architectural office where she works late Sunday night and erased 7 years' worth of drawings and blueprints, estimated to be worth $2.5 million.

... It didn't take Steven Hutchins, owner of the architectural firm that bears his name, much time to figure out who'd done it — Cooley was the only other person who had full access to the files.

... Hutchins told one TV station he'd managed to recover all the files using an expensive data-recovery service.

Well, maybe a little bit... (And their terms of service say they owe their customers a big “Oops!”)

Charter apologizes after accidentally emptying 14,000 e-mail accounts

Associated Press Article Launched: 01/24/2008 12:15:23 PM PST

ST. LOUIS - Charter Communications officials believe a software error during routine maintenance caused the company to delete the contents of 14,000 customer e-mail accounts.

There is no way to retrieve the messages, photos and other attachments that were erased from inboxes and archive folders across the country on Monday, said Anita Lamont, a spokeswoman for the suburban St. Louis-based company.


Growth of gaming in 2007 far outpaces movies, music

By Eric Bangeman | Published: January 24, 2008 - 07:31PM CT

2007 was a banner year for video gaming, and the industry has the figures to prove it. The Entertainment Software Association announced today that total sales for 2007 were $18.85 billion, with $9.5 billion of that spent on games (both PC and console) and $9.35 billion on consoles.

Game sales for the year were weighted very heavily in favor of the consoles. In fact, PC games accounted for only 9.5 percent of total gaming sales.

I is a fi-los-e-fer!

Clive Thompson on Why Sci-Fi Is the Last Bastion of Philosophical Writing

By Clive Thompson 01.18.08 | 6:00 PM

Thursday, January 24, 2008

There is more to this that the article reports. Keep an eye on it!

Hackers steal OmniAmerican account data

Thursday, January 24 2008 @ 06:15 AM EST Contributed by: PrivacyNews News Section: Breaches

An international gang of cyber criminals hacked into OmniAmerican Bank's records, the bank's president disclosed Wednesday.

They stole scores of account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, including Russia and Ukraine, as well as in Britain, Canada and New York.

... The amount stolen is not yet known, he said, describing it only as "minimal." No depositors will lose money, he said.

Fewer than 100 accounts, some of them dormant, were compromised, all with a daily withdrawal limit of less than $1,000, he said.

Source - Star-Telegram

Because it's so easy anyone can do it?

Breaking News - Deputy DA Indicted for ID theft

Wednesday, January 23 2008 @ 02:08 PM EST Contributed by: PrivacyNews News Section: In the Courts

Fresno Deputy District Attorney David Jones has been indicted by the state attorney general's office, accused of stealing the identity of a former girlfriend to harass her.

Source - KSEE24

Someone will have to explain this one to me...

UT: Committee delays vote on ID theft bill

Wednesday, January 23 2008 @ 02:18 PM EST Contributed by: PrivacyNews News Section: State/Local Govt.

A bill that would allow law enforcement to seek civil penalties in cases of identity theft has been delayed.

A vote on HB95 was delayed until Friday after the Utah Attorney General's Office raised concerns about how much it would cost to enforce. That left its sponsor, Rep. Karen Morgan, D-Cottonwood Heights, a little peeved.

Source - Deseret Morning News

Imagine that! Crooks without honor!

Phishing Group Caught Stealing From Other Phishers

Posted by samzenpus on Wednesday January 23, @08:58PM from the what's-good-for-the-goose dept.

An anonymous reader writes "Netcraft has written about a website offering free phishing kits with one ironic twist — they all contain backdoors to steal stolen credentials from the fraudsters that deploy them. Deliberately deceptive code inside the kits means that script kiddies are unlikely to realize that any captured credit card numbers also end up getting sent to the people who made the phishing kits. The same group was also responsible for another backdoored phishing kit used against Bank of America earlier this month."

Digital Rights Management: Dead or Just Evolving?

Published: January 23, 2008 in Knowledge@Wharton

... While DRM may be all but dead in the music industry, experts at Wharton note that the technology isn't going to disappear completely. It's just evolving. "DRM will never go away.... It will just become more unobtrusive," says Wharton marketing professor Peter Fader. Furthermore, Wharton experts observe that consumer tolerance of DRM varies with the entertainment medium.

Tools & Techniques: Hackers take note! When politicians don't listen, hackers thrive!

Dutch Fiasco Demonstrates Futility Of Security Through Obscurity

from the no-secret-algorithms dept

Recent research on the security vulnerabilities of a new Dutch fare card system offers important lessons for computer security. The Dutch government spent $2 billion on the system, which has now been demonstrated to have fatal flaws. The researchers disassembled the smart cards used by the system and took high-resolution photographs of the circuitry. This allowed them to reverse-engineer the encryption algorithms being used by the system. As Felten points out, this wouldn't have been a problem if the Dutch had used an open crypto algorithm that has been widely tested and found to be secure. But because the system relied on algorithmic secrecy for security, this could be catastrophic. The algorithm uses a relatively short 48-bit key. This means that once the algorithm is known, it becomes possible to perform a brute-force attack, simply trying all 281 trillion possible keys in parallel until the correct one is found. That requires a non-trivial amount of computing power, but it's well within the capabilities of modern computer hardware. Indeed, this is precisely the approach taken by a Johns Hopkins research group three years ago when they cracked the encryption on the Exxon Mobil Speedpass, which used a 40-bit key. Brute forcing the 40-bit algorithm reportedly took the Hopkins team about 20 minutes, which suggests that -- even ignoring improvements in hardware -- it should be possible to brute force a 48-bit key in under a week. Since they're just deploying the system now and are presumably planning to use it for a decade or more, 48 bits is woefully inadequate. They ought to have used a standard, widely-tested cryptographic algorithm with a significantly longer key size, in order to make brute force attacks impractical.
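The key-length reasoning in that paragraph, carried through as an added example (my code, not the researchers' or Felten's): it scales the page's 40-bit, 20-minute Speedpass figure to the 48-bit card key and checks the result against a planned deployment lifetime. The hardware-doubling rate, the ten-year lifetime and the 1,000-year adequacy threshold are my assumptions, not figures from the article.

```python
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60
DAYS_PER_YEAR = 365.25

# Reference point quoted on the page: the Hopkins team's exhaustive search of
# the 40-bit Speedpass key space took roughly 20 minutes.
REF_KEY_BITS = 40
REF_MINUTES = 20.0


def key_space(bits: int) -> int:
    """Number of candidate keys, 2**bits (48 bits is about 281 trillion)."""
    return 1 << bits


def brute_force_minutes(bits: int, ref_bits: int = REF_KEY_BITS,
                        ref_minutes: float = REF_MINUTES) -> float:
    """Worst-case exhaustive-search time, scaled from the reference run.

    Every extra key bit doubles the number of keys and hence the work, so the
    scale factor is 2**(bits - ref_bits).  This deliberately ignores any
    hardware improvement since the reference measurement, as the page does.
    """
    return ref_minutes * 2.0 ** (bits - ref_bits)


def brute_force_days(bits: int) -> float:
    """Same estimate expressed in days."""
    return brute_force_minutes(bits) / MINUTES_PER_DAY


@dataclass
class KeyAssessment:
    bits: int
    days_today: float         # worst-case search on today's hardware
    days_end_of_life: float   # same search on end-of-deployment hardware
    adequate: bool


def assess_key_length(bits: int, deployment_years: float = 10.0,
                      hw_doubling_years: float = 1.5,
                      min_safe_years: float = 1_000.0) -> KeyAssessment:
    """Judge a key length against the system's planned lifetime.

    Assumptions (mine, not from the article): attacker hardware doubles in
    throughput every `hw_doubling_years`, and a key length is only adequate
    if a full search still takes more than `min_safe_years` on the hardware
    available at the END of the deployment period, not at its start.
    """
    days_today = brute_force_days(bits)
    speedup = 2.0 ** (deployment_years / hw_doubling_years)
    days_end = days_today / speedup
    return KeyAssessment(bits, days_today, days_end,
                         adequate=days_end / DAYS_PER_YEAR > min_safe_years)


if __name__ == "__main__":
    for b in (40, 48, 64, 128):
        a = assess_key_length(b)
        print(f"{b:3d}-bit key: {key_space(b):,} keys; worst case "
              f"{a.days_today:.3g} days now, {a.days_end_of_life:.3g} days "
              f"at end of life: {'adequate' if a.adequate else 'INADEQUATE'}")
```

Run as a script it prints the comparison for 40, 48, 64 and 128-bit keys; the 48-bit case lands at roughly 3.6 days today, consistent with the "under a week" figure in the article.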

Elvis is alive and living in Silicon Valley?

If Elvis were a digital entrepreneur today

By Nancy Prager Story last modified Thu Jan 24 04:00:02 PST 2008

Much like latter-day New World explorers, Europeans have staked their flag on the Internet to claim control of the digital frontier.

The European Union has begun to harmonize the copyright laws of its member countries related to creative content online. While the United States will still own the hardware underpinning the Internet, the Europeans, if successful, will determine how we use it.

The EU's stated objective is to craft a copyright law that supports innovative business models and facilitates the broadcast and delivery of diverse online creative content across borders.

... The European Union realizes that compliance with 27 different copyright laws and licensing regimes is a significant barrier to entry for companies and a detriment to its citizens.

... According to the official notice, the changes are designed to accomplish the following:

1. Remove the barriers to entry that multijurisdictional licensing create.

2. Encourage copyright owners to make content available online with the confidence that piracy will not cannibalize the economic value of the underlying works.

3. Create procedures to make clearing content easier and less expensive, including the ability of third parties to use works for whom the owner of the rights cannot be located (so-called orphan works).

4. Limit the negative impact of digital rights management through interoperability standards and labeling requirements.

5. Formalize a standard of conduct between access/service providers, rights holders, and consumers to encourage legal use and access of creative content and to discourage unauthorized file sharing.

... The solutions the European Union creates will serve as a guide to other countries, and perhaps the de facto legal framework for the Internet as the digital frontier continues to develop.

Rethinking the publishing business. If you subscribe (electronically) to every magazine and newspaper you ever found useful or amusing the main problem is: How do you filter all that information?

Your Website Shouldn't Be Just An Electronic Version Of Your Print Publication

from the not-an-afterthought dept

We spend a lot of time here at Techdirt beating up on large media companies for their poor media strategies. For a long time, established media companies saw their websites as little more than an afterthought. Stuff tended to be developed for the print version first, and then got dumped to the website as an afterthought. This meant the content was often stale, and it certainly wasn't designed to engage the online conversation. Even worse, in many cases the content was hidden behind a paywall, further cutting it off from the online conversation. Recently, though, we've seen a few major media properties start to take the web seriously, not just as an adjunct to their print editions but as an important medium in its own right. I noted a few months ago that the New York Times seems to be taking the web seriously, and now the Times notes that the Atlantic has jumped on the bandwagon. (Full disclosure: A couple of the magazine's recent hires are friends of mine) The Atlantic has done several smart things. First, they've dropped their paywall, not just for their new content but also for selected articles from 150 years of the print edition. Given that back issues were previously collecting dust on the shelves, that can only help drive traffic to the site. More importantly, they've recruited a stable of lively, high-profile bloggers who not only attract traffic to their own blogs, but by discussing content appearing elsewhere on the site, help to raise the profile of the site as a whole. They've also been proactive about experimenting with new technologies, including full-text RSS feeds and Flash-based video. The story indicates their traffic has quadrupled, and that's before their paywall goes down this week. The urgency of magazines' modernization project is intensified by news that Wal-Mart is removing more than a thousand magazines from their store shelves, including major titles like the New Yorker, Forbes, Fortune, and BusinessWeek. Paper is a slow, expensive, and cumbersome way to transmit news, and as online news sources mature, more and more users will find they no longer have any use for dead tree publications. So making their websites successful is no longer optional for mainstream print publications: if they don't modernize quickly, they're going to quickly find themselves drowning in red ink very soon.

Wednesday, January 23, 2008

A new twist.

Three accused in credit card ring that robbed $70,000; Police say muggings and hospital data enabled identity theft

Tuesday, January 22 2008 @ 11:12 AM EST Contributed by: PrivacyNews News Section: Breaches

... What investigators didn't see coming was the link to the Bloods street gang, with gang members suspected of committing strong-arm robberies in Elizabeth, not so much for their victims' cash, but for the bank cards and identification in their wallets that make credit card fraud so much easier, said Mountainside Police Capt. Richard Osieja.

... The list of victims runs the gamut from unsuspecting patients seeking emergency care at St. Joseph's Regional Medical Center in Paterson to an older couple out to dinner at a Westfield diner, to major brokerage houses like E*Trade and Merrill Lynch. And the toll continues to mount -- $70,000 at last tally and likely to double before the investigation is over, said Mountainside Detective Jeffrey Stinner.

... In addition to Tortorello, police charged Samuel Jacobs, who worked at the Passaic County hospital, with keeping Polo supplied with names and vital information, such as credit card and Social Security numbers.

... Investigators have still not been able to locate all of the victims, Stinner said, adding that he is hoping patients from St. Joseph's will review their credit card bills and contact police if they see anything questionable. Polo got their identities from Jacobs, 27, who would photocopy patient information sheets -- police discovered 30 at the house -- and then turn them over to Polo, usually in return for about $150 a batch, Stinner said.

Source -

Always interesting...

Ca: The Role of Identity in Society and the Privacy Issues Related to Identity: A Discussion Paper

Tuesday, January 22 2008 @ 01:39 PM EST Contributed by: PrivacyNews News Section: Non-U.S. News

Identity issues are poorly understood by all but a relatively small community of experts, and this is having an impact on how Canadians react to proposals for increased security measures, notes Privacy Commissioner Jennifer Stoddart.

... Today the Commissioner released Identity, Privacy and the Need of Others to Know Who You Are, a discussion paper that hopes to inform Canadians about the role of identity in society and the privacy issues related to identity.

Source - Canada News Centre

If they can search, can they make a copy to search later?

Police Officers Can Search Your iPhone Following Arrest For A Traffic Violation

from the fourth-amendment dept

Adam Gershowitz writes "I am a criminal law professor from Houston, Texas and I have recently finished an article about the ability of police officers to search the contents of a person's iPhone at a traffic stop. In brief, under what is referred to as the "search incident to arrest doctrine," police can search through any container found on the body of a person who has been arrested. It does not matter that the arrest was for running a stop sign, or speeding, or some other seemingly minor traffic infraction. Regardless of the reason for the arrest, police can search through every container on the person's body, even if the police have no suspicion that there is anything illegal in it. A few courts have concluded that this doctrine permits police to search text messages found on cell phones. My article explores the circumstances under which police can now search not only text messages, but also the email, pictures, movies, calendar entries, and internet browsing history found on iPhones and similar devices -- even if the police have no suspicion that there is anything illegal on the iPhone. In short, the article explores ways in which the police can search through the thousands of pages of data on individuals' wireless technology even if there is no probable cause or other suspicion of illegal activity."

e-Discovery California has a bad idea? How unusual!

California Proposes e-Discovery Laws that Governor Schwarzenegger will want to Terminate

January 21, 2008

New e-discovery rules have been proposed in California that are unfair because they do not adequately protect litigants from requests for inaccessible data. The proposal reverses the balance of Federal Rule 26(b)(2)(B), and thereby opens the door for unreasonable, expensive e-discovery.

If you think about it, this is exactly what the airline systems have been doing for years – changing their prices based on demand. Econ 101. Why is this patentable?

IBM Patents Pricing Motorists Off Highways

Posted by kdawson on Tuesday January 22, @02:03PM from the prior-art-stuck-at-the-tollbooth dept. Patents IBM

theodp writes "Self-professed patent reformer IBM snagged a patent Tuesday for the Variable Rate Toll System, which covers the rather anti-egalitarian scheme of pricing motorists off of the roads by raising tolls as congestion increases. 'Congestion pricing of traffic is emerging as a completely new services market for IBM,' boasted Jamie Houghton, IBM's Global Leader for Road Charging."

Tuesday, January 22, 2008

We've been waiting for this one all week...

GE Money Reports 650,000 Customers’ Data Lost

By Dee Chisamera 16:30, January 21st 2008

GE Money representatives officially announced on Friday [No indication of unofficial announcements earlier, but their customers pointed a finger... Bob] that a backup tape containing the personal data of 650,000 customers has been reported missing since October 2007 [No timeliness award for GE Bob] from an Iron Mountain storage facility. According to Iron Mountain representatives, no personal data appears to have been compromised so far, and this could just be a case of misplacement.

Navy Works Identity Theft Case

Posted: 4:38 PM Jan 18, 2008 Last Updated: 4:38 PM Jan 18, 2008

The Naval Surface Warfare Center Dahlgren Division is contacting all current and former federal employees who worked at the Naval Bases in Dahlgren, Va., Silver Spring, Md., and Panama City, Fla., on or before July 7, 1994, to warn of potential identity theft and to urge them to contact their creditor bureaus in the wake of a reported attempt to illegally obtain a credit card using an employee’s personal information.

Four people have been arrested in Bensalem Township, Pa., on Jan. 5, 2008, for attempted identity fraud. They had in their possession two pages of a hard copy report dated July 7, 1994, containing personally identifiable information (PII) – names, social security numbers and dates of birth – of nearly 100 individuals with the last name beginning with “B.”

... Current employees were notified of the incident on Jan. 10 [If the first indication they had was the Jan. 5th arrest, this is pretty fast. Bob] through an All Hands e-mail and urged to take action to safeguard their identity. The message is currently posted to the NSWCDD internal website.


Data “Dysprotection:” breaches reported last week

Monday, January 21 2008 @ 06:49 AM EST Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Is this the basis for a corporate model?

January 21, 2008

Department of Commerce Breach Notification Response Plan

Department of Commerce Breach Notification Response Plan, September 28, 2007 (21 pages, PDF)

  • "This Plan identifies key Department officials who will serve on the Identity Theft Task Force (ID Theft Task Force) to develop strategies for handling data security breaches, including those incidents posing a potential risk of identity theft. In addition, the Plan specifies the responsibilities of the ID Theft Task Force, whose mission is to provide advance planning, guidance, in-depth analysis, and a recommended course of action in response to a data breach/loss. In the event of a data breach/loss declared by a Department Bureau/Office to be of moderate or high risk, the ID Theft Task Force will be convened promptly, conduct a risk analysis to validate the level of risk associated with the loss, review all relevant compensating controls in place to protect the data after the loss, determine whether the breach poses risks related to identity theft or other harms, and timely implement a risk-based, tailored response to each breach. As part of this process, the ID Theft Task Force will consider all existing compensating controls available to protect PII data after loss."

The Economics of Privacy (Can we extrapolate “damages” from this?)

Paper: On the Value of Privacy from Telemarketing: Evidence from the 'Do Not Call' Registry

Monday, January 21 2008 @ 08:55 AM EST Contributed by: PrivacyNews News Section: Businesses & Privacy

Png, Ivan P.L., "On the Value of Privacy from Telemarketing: Evidence from the 'Do Not Call' Registry" (June 2007). Available at SSRN:


Despite tremendous debate and policy interest, there has been relatively little research into the issue of how much individuals value their privacy. In this paper, I estimate the demand for the value of privacy from telemarketing as provided by the federal "do not call" registry. From the demand curve, I compute two estimates of the household value of privacy: a lower bound of $3.22 per year, and a best estimate of $8.25 per year. The telemarketing industry must provide consumers with at least this much expected consumer surplus to persuade them not to conceal themselves through the "do not call" registry.

Source - SSRN (free full-text article available with free registration)

(Props, Docuticker)

The Economics of Privacy

Why Privacy & Security Are Not a Zero-Sum Game

Posted by kdawson on Monday January 21, @08:17PM from the insert-ben-franklin-quote-here dept.

I Don't Believe in Imaginary Property writes "Ars Technica has up a nice article on why security consultant Ed Giorgio's statement that 'privacy and security are a zero-sum game' is wrong. The author reasons that, due to Metcalfe's law, the more valuable a government network is to the good guys, the more valuable it is to the bad guys. Given the trend in government to gather all of its eggs into one database, unless more attention is paid to privacy, we'll end up with neither security nor privacy. In other words, privacy and security are a positive-sum game with precarious trade-offs — you can trade a lot of privacy away for absolutely no gain in security, but you don't have to."

A bad example?

DHS to Replace 'Duplicative' Anti-Terrorism Data Network

$90 Million System Aimed to Aid State, Local Agencies

By Spencer S. Hsu and Robert O'Harrow Jr. Washington Post Staff Writers Friday, January 18, 2008; Page A03

The Homeland Security Department spent more than $90 million to create a network for sharing sensitive anti-terrorism information with state and local governments that it has decided to replace, according to an internal department document.

“Okay, when we said we wouldn't use the data you provided we really meant we wouldn't use it except for those times when we see some advantage to using it.” (Don't think of it as nagging, think of it as hundreds of helpful hints on each aisle!)

Shoprite to link loyalty data to computerised carts

Monday, January 21 2008 @ 06:50 AM EST Contributed by: PrivacyNews News Section: Businesses & Privacy

MediaCart, Microsoft, and Wakefern have partnered to pilot MediaCart's next-generation computerised shopping carts for potential rollout to all ShopRite stores in the US. ... Microsoft's Atlas Division will provide video ad serving on the MediaCart grocery cart screen, providing advertisers with the opportunity to reach shoppers at the point of purchase, and providing ShopRite customers with a more personalised shopping experience. By using Microsoft technologies, MediaCart will enable anonymous ad targeting [They must mean the advertisers are anonymous, because I certainly won't be... Bob] through data obtained through ShopRite's customer loyalty card programme.

Source -

When you care enough to steal from the very best... (Pay attention, web site students.)

New App lets you "Widgetize" Content from any Website — New webapp lets you grab content from any website (even dynamic content) and turn it into a widget for your blog, embed it in your Netvibes / Pageflakes / iGoogle homepage, or create an OpenSocial app.

Monday, January 21, 2008

Shouldn't every organization implement this type of software? How else can we achieve mind control?

Hospitals Scan Email to Protect Patient Privacy

By Debra Wood, RN, contributor Monday • January 21 • 2008

Every time Jamie Ray, RN, IBCLC, or her colleagues at Georgia’s DeKalb Medical Center send an e-mail, it passes through a software filter that checks to ensure no patient sensitive medical information is released.

... DeKalb began using the Proofpoint Messaging Security Gateway about three years ago. It blocks nearly 500,000 inbound spam messages each month and 2,000 outbound e-mails.

... The Proofpoint Regulatory Compliance module looks for patient account numbers, credit card numbers, names, and diagnosis and procedure codes, using a series of dictionaries, databases and rules pertaining to a configuration of numbers.

... At Lincoln, certain users are allowed to send patients’ medical information to approved physicians or clinics. The system encrypts the data. If Proofpoint picks up something being sent from DeKalb to an approved third-party vendor, it automatically encrypts the message and dispatches it. Otherwise, it directs the email into an audit category and notifies the security administrator, who will review the message and any attachments.

It also produces a report showing how many messages violated the rules. Lincoln has set up the system to identify the department the e-mail came from. The head of that department receives a report showing violations from its employees and a copy of the suspect e-mail.
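The outbound policy the article describes (scan for account numbers, card numbers, diagnosis codes and dictionary terms; encrypt to approved recipients, otherwise hold for audit and report back to the originating department), as an added Python sketch that is not Proofpoint's code nor anything from the article. The recipient allowlist, the "PT-" account-number format, the diagnosis dictionary and the sample messages are constructed assumptions.

```python
import re
from collections import namedtuple

# Hypothetical policy data, constructed for this example (not from the article):
# cleared recipient domains, a tiny diagnosis dictionary, and identifier patterns.
APPROVED_DOMAINS = {"approved-clinic.example", "billing-vendor.example"}
DIAGNOSIS_TERMS = {"oncology", "psychiatric", "hiv"}
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(r"\bPT-\d{7}\b"),                       # assumed format
    "diagnosis_code": re.compile(r"\b[A-Z]\d{2}(?:\.\d{1,2})?\b"),  # ICD-10 style
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # candidate card numbers
Message = namedtuple("Message", "sender_dept recipient body")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs for every sensitive item in the message body."""
    hits = [(kind, m.group()) for kind, rx in PATTERNS.items()
            for m in rx.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", digits))
    words = set(re.findall(r"[a-z]+", text.lower()))
    hits += [("diagnosis_term", w) for w in sorted(words & DIAGNOSIS_TERMS)]
    return hits

def dispose(msg: Message) -> tuple:
    """Clean mail is delivered; sensitive mail to an approved recipient is
    encrypted and sent; anything else is held for the security administrator."""
    hits = find_sensitive(msg.body)
    if not hits:
        return "deliver", hits
    if msg.recipient.rsplit("@", 1)[-1].lower() in APPROVED_DOMAINS:
        return "encrypt_and_send", hits
    return "audit", hits

def department_report(messages: list) -> dict:
    """Held messages grouped by originating department, for the department head."""
    report = {}
    for msg in messages:
        action, hits = dispose(msg)
        if action == "audit":
            report.setdefault(msg.sender_dept, []).append(
                (msg.recipient, sorted({kind for kind, _ in hits})))
    return report

# Constructed sample traffic: a referral, a leak, two clean messages (last fails Luhn).
SAMPLE = [
    Message("cardiology", "referrals@approved-clinic.example",
            "Patient account PT-0012345, dx E11.9, please schedule follow-up."),
    Message("billing", "friend@webmail.example",
            "Copay by card 4111 1111 1111 1111, SSN 123-45-6789 on file."),
    Message("admin", "staff@webmail.example", "Lunch at noon? Bring the 2008 budget."),
    Message("admin", "staff@webmail.example", "Order ref 1234 5678 9012 3456 shipped."),
]
```

Run `dispose()` over each entry of `SAMPLE` and `department_report(SAMPLE)` to see the three outcomes; the Luhn check is what keeps the order reference in the last message from being flagged as a card number.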

... Finney said physicians and nurses find Proofpoint gives them a comfort level.

“With HIPAA (Health Insurance Portability and Accountability Act), it is so convoluted and sometimes difficult to understand that you can accidentally do something and not realize you have done it,” Ray said. “This gives you a feeling of security that I cannot mess it up. Somebody is taking care of that for me. As long as you are doing what you are supposed to be doing, you don’t need to worry about [software safeguards].” [If you are innocent... Bob]

Sunday, January 20, 2008

Close to home. Shoulder-surfing, high tech style. I wonder if he'll take my hacking class?

Boulder teen arrested in grade-changing scheme

By Tom McGhee The Denver Post Article Last Updated: 01/17/2008 03:43:13 PM MST

A Boulder teen has been arrested for using his cellphone camera to snag a teacher's computer password and change math scores for himself and 48 other students.

... The 16-year-old Fairview High School student, who wasn't identified because he is a juvenile, was arrested Wednesday and faces a felony charge for tampering with the grades.

... "I think he was pretty shocked that we caught him."

... The school estimates it spent $2,178 to trace the changes in the computerized grade book and to restore the academic records, making the act a felony. [My error. It's the school that needs an education. Bob]

... The school uses a system that allows students and their parents to log on and check grades, so he was able to make the changes from home. [You can set the software to accept changes only from certain hardware... Bob]

There is potential here. Pass this on to an appropriate individual...

Data Privacy Day in North America: Spreading Awareness of Data Privacy

Saturday, January 19 2008 @ 11:03 AM EST Contributed by: PrivacyNews News Section: Other Privacy News

Data Privacy Day 2008 will be January 28th. North America and 27 European countries will be celebrating Data Privacy Day 2008 and holding a variety of events.

As part of the events going on that day, Duke University is hosting a conference, "Data Privacy in Transatlantic perspective: Conflict or Cooperation?"

IAPP notes:
The IAPP is encouraging privacy professionals to contact local schools, colleges and universities and offer to give a presentation on or during the week of January 28 about privacy using the materials provided. Our goal is to have privacy professionals all over the country giving presentations to students about the importance of privacy today. Details about presentations that happen during the week of January 28 should be sent directly to Kim MacNeill at kim[at]

At the present time, IAPP has two types of educational presentations available online to download and use:
A “Privacy Today” Slide Presentation (available in pdf and ppt formats), and “Teen Privacy Online” Slide Presentation

The Teen Privacy materials include a script to accompany the powerpoint presentation as well as additional resources on teens and social networking.

If you are running a Data Privacy Day event that you would like included on's calendar of privacy-related events and conferences, email details and a link to: privacynews[at]

Another project with potential. Perhaps a variation that includes Security, Privacy, Law, etc.?

Google to Host Terabytes of Open-Source Science Data

By Alexis Madrigal January 18, 2008 | 2:23:21 PM

Sources at Google have disclosed that the humble domain,, will soon provide a home for terabytes of open-source scientific datasets. The storage will be free to scientists and access to the data will be free for all. The project, known as Palimpsest and first previewed to the scientific community at the Science Foo camp at the Googleplex last August, missed its original launch date this week, but will debut soon.

Human 2.0 We need several 'components' besides artificial intelligence. Fortunately, they are under development. This one will allow us to talk to our computers (and monitor voice communications)

Open Source Speech Recognition

Posted by CmdrTaco on Saturday January 19, @11:14AM from the hello-computer dept. Software

bedahr writes "The first version of the open source speech recognition suite simon was released. It uses the Julius large vocabulary continuous speech recognition to do the actual recognition and the HTK toolkit to maintain the language model. These components are united under an easy-to-use graphical user interface. Simon can import dictionaries directly from wiktionary (a subproject of wikipedia) or from files formatted in the HADIFIX- or HTK format and grammar structures directly from personal texts. It also provides means to train the language model with new samples and add new words."

Human 2.0: This one improves the utility of all those video cameras. (Why else would NFL coaches need to cover their mouths when calling in the plays?)

Researchers Work To Perfect Computerized Lip Reading

Posted by Zonk on Sunday January 20, @12:13AM from the eee-aye-eee-aye-oh dept. Security Science

Iddo Genuth writes "Researchers at the University of East Anglia are working to develop computerized lip-reading systems. Lip-reading is extremely hard for humans to master, but a software-based system has several benefits over even the most highly trained expert. The ultimate goal of the project is to convert lip-read speech into text. 'Apart from being extremely helpful to hearing-disabled individuals, researchers say that such a system could be used to noiselessly dictate commands to electronic devices equipped with a simple camera - like mobile phones, microwaves or even a car's dashboard. England's Home Office Scientific Development Branch ... is currently investigating the feasibility of using lip-reading software as an additional tool for gathering information about criminals or for collecting evidence.'"

Some are useful for my web site class, but mostly I just like lists...

January 19, 2008

PC World: 14 Fantastic Freeware Finds

PC World: "Get to your favorite folders in a snap. Stream TV stations from around the globe. Add new power to Internet Explorer. All this and more, and all of it for free." by Scott Dunn.

This is just neat! Someone used to make plastic models (Visible Man, Visible Woman, Visible V8 Engine). This is just a modern version... - Look Out Body World

The Visible Body is, indeed, what it sounds like—the human body, anatomically correct and ready to explore. Developed by Argosy Publishing, the Visible Body offers the first complete and most advanced 3D model of the human body today. There’s no hardware or cd-roms to install. It’s completely web-based. The results are stunning really. The Visible Body operates much like Google Maps—various layers make up the body’s organ systems. Simply peel away each layer to get a closer look inside. Take away the skin, for example, for a glimpse at the muscular system or organs. You can concentrate on and isolate specific body parts or organ systems. Or, if you’re having trouble finding what you need, use the comprehensive search engine. Manipulate the Visible Body with 3d controls, hide, rotate and see everything the human body has to offer. It’s perfect for med students, doctors, and the curious visitor, and it’s 100% free to use.