Saturday, November 08, 2008

“We're the Government. All of our checklists are one item long.” and other inane statements. Why do these people (anyone responsible for the breached data) try to invent such silly excuses?

VA: New Details on Stolen Laptops (follow-up)

Friday, November 07 2008 @ 03:59 PM EST Contributed by: PrivacyNews

There is new information about those two stolen laptops that have sensitive, personal information about every registered voter in Charlottesville. Friday afternoon the city's electoral board is explaining why the laptops were left behind on election night. The head of Charlottesville's electoral board says it's standard protocol to leave behind election equipment, just bring back the ballot data.

... As for liability, Charlottesville says it's not at fault. City spokesperson Ric Barrick says police told the city not to say anything about the theft because it was part of an ongoing investigation. Barrick also points to a "reasonable amount of time" clause as a defense as well.

Source - WVIR-TV

[From the article:

The city contends that the risk of identity theft is low. "They've got to get through three levels of passwords in order to even turn the computer on." [If the computer is turned off, where do they enter the passwords? Bob]

... Sincere adds that the laptops were set up so people could access the data only on Election Day. Information is still on the laptops, but it's not in any readable form.

... The city has claimed that everything on the computers was a public record and that no social security numbers are in the records. Half of that is true.

The laptops had voters' driver's license numbers on them. Seven out of every 1,000 drivers in Virginia still have their social security numbers as their driver's license numbers. The DMV numbers are not public information available through voting lists or anywhere else, despite the city's claims.

Late Friday afternoon the state board of elections told us that the vendor supplying the polling software reviewed all 25,000 names in the Charlottesville lists scanning for social security numbers in the driver’s license field. They tell us none were found.

Boy oh boy, with a book review yesterday and these articles today you might mistake me for someone who reads! (You could catch stupid terrorists, smart ones have plenty of alternatives.)

Article: Run for the Border: Laptop Searches and the Fourth Amendment

Friday, November 07 2008 @ 08:11 AM EST Contributed by: PrivacyNews

Should customs officers be able to search laptop computers at the border in the same way they inspect suitcases and packages? This article argues that, in general, suspicionless border searches of laptops and other electronic storage devices are permissible under the Fourth Amendment. It begins by surveying the competing interests that are implicated by laptop searches at the border, including the government's need to combat terrorism and child exploitation, as well as travelers' interests in privacy and free expression. Next, the article discusses the Supreme Court's border-search doctrine. "Non-routine" border searches (e.g., invasive searches of the body) are subject to the reasonable-suspicion standard, but "routine" searches (e.g., searches of property) need not be based on any individualized suspicion at all. The article then considers how the border-search doctrine might apply to laptops. Lower courts generally hold that customs can inspect laptops without reasonable suspicion, and this consensus is largely correct. Laptops differ from other kinds of property: They contain a greater volume of material, the data they store is intensely personal, and digital searches can leave a permanent copy of the data in the government's hands. But those differences generally do not justify a special exception to the border-search doctrine. In fact, laptop searches have the potential to be less, not more, intrusive than traditional border inspections of physical objects. Finally, the article discusses possible legislative or administrative reforms that might better balance travelers' interests against the government's needs. It might be appropriate to protect laptop owners' privacy interests at the border, not through traditional "collection limits" (which restrict the government's ability to gather information in the first place), but with "use limits" (which restrict the government's ability to share or otherwise use the information it does gather).

Sales, Nathan Alexander, Run for the Border: Laptop Searches and the Fourth Amendment (October 6, 2008). George Mason Law & Economics Research Paper No. 08-58

Available at SSRN, where you can download the full-text article for free.


Article: Privacy by Deletion: The Need for a Global Data Deletion Principle

Friday, November 07 2008 @ 08:15 AM EST Contributed by: PrivacyNews


With global personal information flows increasing, efforts have been made to develop principles to standardize data protection regulations. However, no set of principles has yet achieved universal adoption. This Note proposes a principle mandating that personal data be securely destroyed when it is no longer necessary for the purpose for which it was collected. Including a data deletion principle in future data protection standards will increase respect for individual autonomy and decrease the risk of abuse of personal data. Data deletion is already practiced by many data controllers, but including it in legal data protection mandates will further the goal of establishing an effective global data protection regime.

Keele, Benjamin J., Privacy by Deletion: The Need for a Global Data Deletion Principle (September 26, 2008). Indiana Journal of Global Legal Studies, Vol. 16, No. 1, 2009

Available at SSRN, where you can download the full-text article for free.


Article: Facebook and the Social Dynamics of Privacy

Friday, November 07 2008 @ 08:22 AM EST Contributed by: PrivacyNews


This Article provides the first comprehensive analysis of the law and policy of privacy on social network sites, using Facebook as its principal example. It explains how Facebook users socialize on the site, why they misunderstand the risks involved, and how their privacy suffers as a result. Facebook offers a socially compelling platform that also facilitates peer-to-peer privacy violations: users harming each others' privacy interests. These two facts are inextricably linked; people use Facebook with the goal of sharing some information about themselves. Policymakers cannot make Facebook completely safe, but they can help people use it safely.

The Article makes this case by presenting a rich, factually grounded description of the social dynamics of privacy on Facebook. It then uses that description to evaluate a dozen possible policy interventions. Unhelpful interventions - such as mandatory data portability and bans on underage use - fail because they also fail to engage with key aspects of how and why people use social network sites. The potentially helpful interventions, on the other hand - such as a strengthened public-disclosure tort and a right to opt out completely - succeed because they do engage with these social dynamics.

Grimmelmann, James Taylor Lewis, Facebook and the Social Dynamics of Privacy (September 3, 2008). Iowa Law Review, Vol. 95, No. 4, May 2009

Available at SSRN, where you can download the full-text article for free.

Now we're getting serious!

Pakistan Declares Death Penalty for 'Cyber Terror'

By Noah Shachtman November 07, 2008 6:22:19 PM

American officials can have some pretty over-the-top reactions to hackers and so-called cyber terrorists. Once, I saw a briefing comparing our own Kevin Poulsen to Osama bin Laden and Pablo Escobar -- seriously. But the U.S. has nothing on Pakistan, when it comes to cyber terror paranoia. Yesterday, Pakistani president Asif Ali Zardari signed a law making cyber terror a crime "punishable with death."

Executions will only be allowed if the hack attack "causes [the] death of any person," the Prevention of Electronic Crimes law states.

Cloud Computing's definition starts to firm up (and expand)

The future of the cloud

Posted by Dan Farber November 7, 2008 12:30 PM PST

... Warrior believes that cloud computing will evolve from private and stand-alone clouds to hybrid clouds, which allow movement of applications and services between clouds, and finally to a federated "intra-cloud."

... Warrior laid out the cloud-computing stack as having four layers: IT foundation, flexible infrastructure, platform as a service, and applications (software as a service).

... Dave Girouard, president of Google Enterprise, brought up the potential legal tangles of moving intellectual property between clouds. "It's an unclear area of the law as to who owns what," he said.

Extending the Digg Effect (AKA: Slashdotting). In short, when you can't access a web site because too many users tried to access it, this app automates the attempt to connect, adding even more traffic for the site to handle. (The Internet equivalent of “Are we there yet?”) - Address The Digg Effect

The expression “Digg effect” refers to the unavailability of pages due to exceedingly high amounts of traffic. This is a common occurrence when browsing through social sites or news resources that link to the hottest spots on the web. Pingdom is a company that realized that many people were missing out on interesting content because of this. With all the information that is available on the Web, it is a fact that people forget about articles they could not read, and just move on. Consequently, the company set to work on an application that has recently been launched.

This application goes by the name of Mr. Uptime. In general terms, what this browsing tool does is to try to reach a website in the background while you carry on browsing as usual. As soon as the website can be accessed, Mr. Uptime will notify you so that you can check it right away.

Mr. Uptime is presented as a Mozilla Firefox extension that can be easily procured and installed through the site. The system requirements are also included, along with a FAQ that provides guidance on bandwidth usage and related considerations.

Something for the Swiss Army File? - SMS To Cell

Cell Phone Message Sender is a well-established company that provides a suite of free text messaging applications and services. These aim to allow users to send text messages from any computer to a cellphone at no cost. All the major carriers in the United States are supported, and carriers from all over the world are also taken into account.

The services on offer will also enable you to create groups for sending bulk messages, saving time and money in the process.

As it was already mentioned, these services are rendered free of charge, but paid accounts are also available. These will allow you to send more than 50 messages per month.

The corporate website includes a comprehensive FAQ guide that explains how the system works in minute detail, and account-related considerations are also duly dealt with.

Moreover, the site features a collection of wallpapers and other resources such as mobile themes and games. Also included is a reverse phone search tool that will let you find out who owns any cellphone in a practical way. [Everyone seems to include a surveillance/stalking option these days... Bob]

Not sure this is a “better Search Engine” but the little screenshots help you find that website you remember from last week but can't put a name to... - Where Search Meets Research

“Where search meets research” is the tagline of this new web-hosted service, an endeavour that will let you look up research materials in a straightforward manner, and present the results to you using a flexible interface.

Several screenshots are displayed when viewing results, and you can easily zoom in and out of the relevant pages. You can also save individual results to your own personal workpad for later reference. Moreover, this personal workpad can be shared with any person you wish, so that sharing results is an easy task indeed.

Friday, November 07, 2008

I got my hands on an interesting new book: Privacy Law in a Nutshell, published by Thomson West. The authors, John T. Soma and Stephen D. Rynerson, have collected, analyzed and explained (so even I can understand it) “everything you ever wanted to know” about Privacy Law. I get the impression that at least part of their excellent scholarship was made easy (perhaps necessary) because of the questions I keep asking them – to which their polite responses normally begin: “No you incredible cretin, that's not what it means...” Their lives will be so much simpler now, since they can say: “Read the flaming manual!”

NOTE: There should be a link to purchase this book on the Privacy Foundation site, but I don't see one yet. But you can go here: Buy several, they'll make great stocking stuffers!

This summarizes just the Data Breach side of Privacy

UK: Data loss claims 280 million victims since 2006

Friday, November 07 2008 @ 05:36 AM EST Contributed by: PrivacyNews

Over 280 million people have had their personal details lost because of data breaches in the past three years, according to the first KPMG data loss study.

The KPMG Data Loss Barometer (PDF) found that in 46 per cent of cases the data was not password-protected or encrypted, while in 62 per cent of cases the data was lost rather than stolen.

Source -

Related? One possible reason why breaches occur?

Study: Breaches May Not Affect User Behavior

Friday, November 07 2008 @ 08:00 AM EST Contributed by: PrivacyNews

More than half of employees will continue using Internet applications even after they become aware of a security problem with that application, according to a study scheduled to be published next week.

In the study, which was conducted by Ponemon Institute and sponsored by Palo Alto Networks, end users were confronted with "breaches" -- such as data losses or malware -- affecting the Internet applications they use each day. The idea was to see how their online behavior would change as a result of hearing about the breach.

Source - Dark Reading

Even the CIA needs to follow procedure.

AU: AFP security breach exposed

Friday, November 07 2008 @ 06:31 AM EST Contributed by: PrivacyNews

From the oh-this-is-very-very-bad dept.

CONFIDENTIAL Australian diplomatic cables and police documents were left in open files on a computer and read by guests at a hotel in the Nepalese capital, Kathmandu.

At least 20 police photographs of the charred bodies of plane crash victims, including those of two Victorians, were also left in open files on a computer and could be seen by guests for three weeks. The security breach included information about an Australian Federal Police agent meeting a CIA operative in Kathmandu last month.

... The security breach included a seven-page document detailing priorities and strategies for the AFP's office in Bangladesh, including information about sharing intelligence with foreign agencies.

One document marked "protected" detailed a meeting an AFP agent had with a secret foreign military organisation where sensitive security intelligence was discussed, including recent terrorist attacks in India.

Source - The Age

Here's an interesting Case Study. (Not enough fact to be sure, so make some up as needed.) It looks like the extortionist sent samples of customer data, but there is no proof that it was obtained by hacking into their system. How should the company proceed?

Express Scripts Warns of Potential Large Data Breach Tied to Threat

Thursday, November 06 2008 @ 01:31 PM EST Contributed by: PrivacyNews

Express Scripts (Nasdaq:ESRX), one of the largest pharmacy benefit management companies in North America, today announced that it has received a letter from an unknown person or persons trying to extort money from the company by threatening to expose millions of the company's patients' records.

The letter included personal information of 75 members, including their names, dates of birth, social security numbers, and in some cases, their prescription information. The company said it has notified the affected members. It also immediately notified the FBI, which is investigating the crime. The company also said that it is conducting its own investigation with the help of outside experts in data security and computer forensics. The letter arrived in early October.

Source - Global Newswire Related - Express Scripts Supports Site [Correct URL:

I am starting to see reactions by regulatory bodies that point out the failure of management to manage. How refreshing!

Mortgage Company Settles Data Security Charges

Thursday, November 06 2008 @ 08:52 AM EST Contributed by: PrivacyNews

A Texas-based mortgage lender has settled Federal Trade Commission charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data. The lender made the data vulnerable, the complaint alleges, by allowing a third-party home seller to access the data without taking reasonable steps to protect it. A hacker compromised the data by breaking into the home seller’s computer, obtaining the lender’s credentials, and using them to access hundreds of consumer reports.

According to the FTC’s complaint, Premier Capital Lending, Inc. (Premier) violated the FTC’s Safeguards and Privacy Rules, as well as Section 5 of the FTC Act. The proposed settlement bars deceptive claims about privacy and security, and requires the company to establish a comprehensive information security program and hire an independent third-party security professional to review the program every other year for 20 years.

Source - FTC Related - Agreement Containing Consent Order

[From the FTC article:

The FTC complaint alleges that Premier violated the Safeguards Rule because it:

  • allowed a home seller to use its account for accessing credit reports in order to refer purchasers for financing without taking reasonable steps to verify the seller’s procedures to handle, store, or dispose of sensitive personal information;

  • failed to assess the risks of allowing a third party to access credit reports through its account;

  • failed to conduct reasonable reviews of credit report requests made on its account by using readily available information (such as management reports and invoices) to detect signs of unauthorized activity; and

  • failed to assess the full scope of credit report information stored and accessible through its account and thus compromised by the hacker.
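The third and fourth findings describe a review that was never done: reconcile the bureau's invoice against the lender's own loan applications, and work out which consumers' reports a misused credential could reach. Here is an added example of such a review (my code, not the FTC's or Premier's); the requester ids, application numbers and the pull records are constructed, and the daily baseline and business hours are assumed thresholds.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Pull(NamedTuple):
    when: datetime
    requester: str      # sub-user of the lender's bureau account (hypothetical ids)
    consumer_ref: str   # the applicant identifier written on the report request


class Finding(NamedTuple):
    rule: str
    requester: str
    detail: str


# Constructed internal record: loan applications actually being processed.
# A report pull with no matching application has no permissible purpose.
APPLICATIONS: Set[str] = {"A-1001", "A-1002", "A-1003", "A-1004"}

# Constructed bureau invoice / management report: every pull billed to the account.
# The 02:00 burst from the third-party seller's credentials is the abuse pattern.
INVOICE: List[Pull] = [
    Pull(datetime(2008, 10, 1, 10, 5), "lender-lo-1", "A-1001"),
    Pull(datetime(2008, 10, 1, 14, 20), "lender-lo-1", "A-1002"),
    Pull(datetime(2008, 10, 2, 9, 40), "seller-xyz", "A-1003"),   # legitimate referral
    Pull(datetime(2008, 10, 2, 11, 15), "lender-lo-2", "A-1004"),
    Pull(datetime(2008, 10, 3, 2, 1), "seller-xyz", "R-2001"),
    Pull(datetime(2008, 10, 3, 2, 3), "seller-xyz", "R-2002"),
    Pull(datetime(2008, 10, 3, 2, 6), "seller-xyz", "R-2003"),
    Pull(datetime(2008, 10, 3, 2, 9), "seller-xyz", "R-2004"),
    Pull(datetime(2008, 10, 3, 9, 30), "lender-lo-1", "A-1001"),  # re-pull, still authorized
]

DAILY_BASELINE = 3          # assumed: expected pulls per requester per day
BUSINESS_HOURS = (8, 18)    # assumed: 08:00 - 17:59 local


def review_pull_log(invoice: Iterable[Pull], applications: Set[str],
                    daily_baseline: int = DAILY_BASELINE) -> List[Finding]:
    """Reconcile the bureau invoice against internal applications and flag
    the signs of unauthorized activity the complaint says went unreviewed."""
    findings: List[Finding] = []
    per_day: Dict[Tuple[str, object], int] = defaultdict(int)
    for p in invoice:
        # Rule 1: a pull with no open application has no permissible purpose.
        if p.consumer_ref not in applications:
            findings.append(Finding("no_matching_application", p.requester, p.consumer_ref))
        # Rule 2: pulls outside business hours are unusual for a referral workflow.
        if not BUSINESS_HOURS[0] <= p.when.hour < BUSINESS_HOURS[1]:
            findings.append(Finding("outside_business_hours", p.requester,
                                    p.when.isoformat(timespec="minutes")))
        per_day[(p.requester, p.when.date())] += 1
    # Rule 3: daily volume per requester above the expected baseline.
    for (requester, day), count in sorted(per_day.items(), key=lambda kv: str(kv[0])):
        if count > daily_baseline:
            findings.append(Finding("volume_exceeds_baseline", requester,
                                    f"{day}: {count} pulls"))
    return findings


def flagged_requesters(findings: Iterable[Finding]) -> Set[str]:
    """Credentials that should be suspended pending investigation."""
    return {f.requester for f in findings}


def exposure_scope(invoice: Iterable[Pull], requesters: Set[str]) -> Set[str]:
    """Every consumer whose report was reachable through a flagged credential:
    the 'full scope' the fourth finding says was never assessed."""
    return {p.consumer_ref for p in invoice if p.requester in requesters}


if __name__ == "__main__":
    found = review_pull_log(INVOICE, APPLICATIONS)
    for f in found:
        print(f"{f.rule:26} {f.requester:12} {f.detail}")
    suspects = flagged_requesters(found)
    print("suspend:", sorted(suspects))
    print("consumers exposed:", sorted(exposure_scope(INVOICE, suspects)))
```

The same reconciliation works against a real invoice export once the three field names are mapped; the thresholds are the part that needs tuning to the lender's actual volume.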

Related? Some of the technology that would be used to evaluate customer queries

Article: Search Query Log Privacy is a Balancing Act

Thursday, November 06 2008 @ 02:02 PM EST Contributed by: PrivacyNews

Search engines have numerous technical measures at their disposal to enhance the privacy of their stored query logs, CDT's Alissa Cooper explains in the journal "ACM Transactions on the Web." The article assesses seven of these techniques against three sets of criteria: (1) how well the technique protects privacy, (2) how well the technique preserves the utility of the query logs for search engine companies, and (3) how well the technique might be implemented on an individual basis as a user control. For search engine companies navigating an increasingly complex privacy landscape, it is likely that these kinds of techniques in combination with policy measures will ultimately be required to develop a strategy that protects privacy and maintains the utility of query logs for many different purposes.

Source - CDT: Search Query Log Privacy Article [pdf]

Speed is one measure of the concern management has about any data breach. What does sloth suggest?

Countrywide still hasn't notified everyone (follow-up)

Thursday, November 06 2008 @ 03:06 PM EST Contributed by: PrivacyNews

Seen elsewhere....

... As of yet, not all Countrywide customers have been notified. The letters are still being printed and sent out.

“It’s starting to dwindle down, we hope; there is a lot of evidence that needs to be sifted through – computer programs and e-mail files,” explained Bauwenf. “As [investigators] find things, we contact the customers.”

Source - The Village News

[From the article:

Even if a letter has not been received, sources say Countrywide loan customers should call their lenders to see if they are at risk. [If they don't know you were a victim, they will most likely say “No worries, Mate!” How does that impact their credibility? Bob]

[Offhand, I'm not certain when this occurred, but the article suggests they have been “working” on it for months: Bob] In August, the Federal Bureau of Investigation (FBI) released a statement pertaining to their findings in an investigation on the matter.

New technology, same old problems. Until we re-invent the same solutions.

Ringleader's Privacy Problem: No Opt-Out Of Tracking

Thursday, November 06 2008 @ 03:57 PM EST Contributed by: PrivacyNews

NebuAd might think it had problems with privacy advocates, but that's nothing compared to what's in store for nascent mobile ad networks. One such network, Ringleader Digital, has unveiled its new "media stamp" -- a cookie-like item that creates and stores profiles about cell users based on the mobile sites they visit. Unlike online advertising cookies, however, the media stamps are stored on Ringleader Digital's servers and not browsers, which means users can't delete them.

Source - Media Post

[From the article:

Ringleader Digital collects information based on characteristics of the device, but says it can gather enough data this way to create unique, "anonymous" stamps for every mobile phone user.

"We track devices, not individuals," the company said in a privacy statement issued today. Ringleader Digital adds that it doesn't collect mobile phone number, names, addresses or other so-called "personally identifiable information." [So how will you write a law to cover the privacy of the information they do collect? Bob]

Remembering the old adage: “Marketer see, Marketer do” I expect this will catch on. Fortunately, the politicians probably won't use it for four years – but expect testing in two.

NZ: Peters' direct mail angers hundreds targeted

Thursday, November 06 2008 @ 04:40 PM EST Contributed by: PrivacyNews

Winston Peters has been sending direct mail and setting up webpages in the names of random Kiwis, to the horror of some of those targeted who believe their privacy has been invaded.

New Zealand First have received 400 complaints about the marketing technique but at the same time, it has driven 66,000 people to their website. [66,000 trumps 400 every time. Bob]

Source - The New Zealand Herald

Since the election wasn't even close, there was no need for the press to agonize over voting machine failures. (E-CHAD) But this article seems to suggest broader problems.

Stolen Election from Alaska?

Shannyn Moore Posted November 6, 2008 | 04:39 AM (EST)

... In Alaska, more people voted for George W. Bush in 2004 than for Sarah Palin on Tuesday despite an identical 61-36 margin of victory.

... The second woman to ever make a presidential ticket; and she's one of our own. Despite that, we're supposed to believe that overall participation DECREASED by 11%. Not only that, but this historic election both nationally and for Alaska HAD THE LOWEST ALASKA TURNOUT FOR A PRESIDENTIAL RACE EVER!!! That makes sense. REALLY??? Something stinks.

Big Brother seems to have won big in several elections – and sometimes without them.

CA: Roseville will open hotel guest registries to police (follow-up)

Thursday, November 06 2008 @ 04:44 PM EST Contributed by: PrivacyNews

Joining Sacramento, San Diego and San Jose, Roseville has adopted an ordinance requiring motel and hotel operators to give police officers access to guest registries.

Without debate or question, [Indicating pre-purchased politicians? Bob] the Roseville City Council on Wednesday night approved the local law that police said was a necessary tool to investigate crimes and to keep tabs on probationers and parolees.

The new ordinance requires police access to the following registry information about guests: name, address, vehicle description, date of arrival and departure, number of guests and room number for each guest. The ordinance does not authorize access to guests' credit card or private payment information.

Source -

Related The Internet equivalent of Black Helicopters

UK Outlines Plan For Internet Black Boxes

Posted by timothy on Friday November 07, @04:50AM from the but-don't-panic-they'll-say-don't-panic-on-them dept.

RobotsDinner writes

"In what sounds like a dystopian sci-fi plot, the Home Office has made public plans to outfit the country's Internet with upstream data recorders to log pretty much everything that passes through. 'Under Government plans to monitor internet traffic, raw data would be collected and stored by the black boxes before being transferred to a giant central database. The vision was outlined at a meeting between officials from the Home Office and Internet Service Providers earlier this week.'"

Related Think of it as the camel's nose in the tent.

Project Turns GPS Phones Into Traffic Reporters

Posted by timothy on Friday November 07, @06:42AM from the then-it's-mandatory dept.

narramissic writes

"Starting on Monday, researchers from Nokia and UC Berkeley will kick off the Mobile Millennium project. The researchers hope that thousands of volunteers will download a free Java program that figures out by their movement and location when they are driving, and then transmits that information to the project's servers, which then crunch it into a Bay Area traffic map. 'The whole concept here is that if everyone shares just a little bit of what they're seeing ... then everyone can benefit by seeing the conditions ahead of them,' said Quinn Jacobson, a research leader with Nokia in Palo Alto."


German Coalition Under Fire for Backing Online Investigation

Thursday, November 06 2008 @ 04:43 PM EST Contributed by: PrivacyNews

Germany's Grand Coalition government has reached an agreement on the finer details of the so-called BKA (or "Federal Criminal Police Office") Law. It will allow German security services to monitor suspected civilians more closely, without people knowing that they're being watched.

Significantly, it also gives the Federal Criminal Police for the first time the right to act preventatively, foiling crimes before they happen. [“Ve could tell he vas thinking about resisting arrest, so ve had to Taser him.” Bob]

Online espionage has been one of the biggest sticking points during debates in Berlin. Under the new proposal investigations can still monitor online activities secretly using so-called Trojan software, but only if a judge deems that there is good reason to do so.

Source -

Related... To Big Brother and Marketing and Invasion of Privacy in every conceivable way...

Windows 7 knows where you are

Friday, November 07 2008 @ 05:26 AM EST Contributed by: PrivacyNews

Windows 7 has a new programming interface designed to make it a whole lot easier for software to figure out where in the world a PC and its user are located.

That should make it easier for a whole new range of location-based services [AKA: Advertising Bob] from finding nearby friends to LoJack-like PC tracking programs. Even search could be a whole lot better if the search engine knew where you were. Indeed, searchers often enter their city with their location to try and get just that benefit. [That's called “Opt In” Bob]

... At the same time, broader use of location-based services could also open up a range of privacy concerns.

Those issues--and how to handle them--were the subject of a discussion this week at the Windows Hardware Engineering Conference (WinHEC) here.

Source - Cnet

Related Agreement is simple, compliance is not.

Craigslist Agrees With State AGs To Curb "Erotic Services" Ads

Posted by timothy on Thursday November 06, @06:21PM from the right-to-pursue-happiness dept.

The New York Times reports that Craigslist has reached an agreement with 40 state attorneys general to tame its notoriously unruly "erotic services" listings. Clever diplomacy: according to the article, Craigslist "said that it will charge erotic services vendors a small fee for each ad — about $10, Mr. Buckmaster said — and require that they use a credit card for the payment. It will donate the money to charities that combat child exploitation and human trafficking. This, theoretically, will let the company confirm not just a phone number but also an identity." I hope they work on cleaning the weird spammers from the ordinary personal ads, too.

Related Something for Nutshell, Volume Two...

Mass: Get ready for data privacy regs

Friday, November 07 2008 @ 05:52 AM EST Contributed by: PrivacyNews

Companies and lawyers are working overtime to comply with new data-privacy regulations that will take effect on Jan. 1, giving Massachusetts what observers say are the nation’s strictest rules governing sensitive customer and employee information.

The new regulations, announced in September by the Massachusetts Office of Consumer Affairs and Business Regulation, will require companies to safeguard with firewalls all personal data belonging to any Massachusetts resident, and encrypt it whenever it is transmitted or saved on a portable device such as a laptop or a flash drive.

.... For now, uncertainty remains regarding companies based outside of Massachusetts that work with customers or employees in the commonwealth. The Office of Consumer Affairs and Business Regulation has left it up to the Attorney General’s Office to determine whether the regulation would be enforced against such entities.

Source - Mass High Tech

Tools & Techniques Now you can carry your wall-sized TV with you!

The Pocket-Sized Projector Has Arrived

Posted by timothy on Thursday November 06, @01:48PM from the wistful-longing-fills-my-chest-cavity dept.

mallumax writes

"David Pogue of New York Times has reviewed the Pico, which is a pocket projector from Optoma. The review is quite entertaining (Pogue projects the images on to a plane's ceiling, leaving passengers baffled) and detailed. The highlights are: It is a pocket-sized projector which runs on batteries and can project images and videos from a variety of sources like iPhone, iPod and DVD players with a 480x320px resolution, with a maximum screen size of 65 inches at 8.5 feet. It uses a non-replaceable 10,000 hour LED lamp and a DLP chip from Texas Instruments. The battery lasts for 90 minutes and can be recharged through USB or with its own power cord. The device weighs 115g and comes with an inbuilt speaker which is practically useless. If you want one, it will set you back by $430."

Thursday, November 06, 2008

I suppose smart people tend to waffle think longer than us normal folk...

MA: HLS loses sensitive data of 20,000 legal services center clients

Thursday, November 06 2008 @ 05:34 AM EST Contributed by: PrivacyNews

Over 20,000 clients of the Wilmer-Hale Legal Services Center have had their personal data - ranging from addresses and social security numbers to sensitive legal intake information - potentially exposed, the Record learned late last night from Robb London, Associate Director of Communications.

... [Harvard Law School] has sent letters, in both English and Spanish, notifying the 8000 individuals whose SS numbers were lost, giving them a point of contact at LSC, and offering that the law school (at its expense) will be making services available to them for identity and account protection. An additional letter went out to the 13,000 other clients affected.

The tape was lost on or around September 23. LSC has its servers on site in Jamaica Plain, unlike other Harvard clinicals such as Defenders, Prison Legal Assistance Project, or the Harvard Legal Aid Bureau, whose servers are located on campus and are encrypted. Each week, IT sends an employee to LSC to take out the data tapes and to transport them to campus for back up. When IT went to back up the tapes two days after they were delivered from LSC, they noticed that only 5 of the 6 tapes were there.

Source - Harvard Law Record

[From the article:

London described the password protection as, "almost the same level as encryption," and stated that it would take "Herculean efforts and immense computing power," to breach the security of the tape [Think about this: The tape contains digital data. The program that asks for and validates the password is not on the tape. All anyone needs to do is skip the bits that make up the password and start reading the data further into the tape – ask any teenager how to start listening to the Second song on the tape. Bob]

... Nevertheless, in response to this loss, HLS has changed its procedures regarding data protection at LSC. First, the servers at Jamaica Plain site are now being encrypted. [Perhaps they could encrypt the backup files, too? Bob] Second, data transport is now in the hands of a courier service known as Iron Mountain rather than IT. Third, a new tape library for LSC has been purchased, which includes a bar code reader for improved inventory control. [Notice that they start with the assumption that tapes are required. Secure transmission over the Internet would mean there are no tapes to get lost in the first place... Bob]
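Bob's point above (the password check lives in the reader program, not on the tape) and his aside that the backups themselves should be encrypted, as an added Python example that is not from the article, from HLS or from any real backup product. The archive layout, the magic strings, the sample record and the toy SHA-256 counter-mode stream cipher are all assumptions made for the demonstration; a real system would use a vetted AEAD, not the toy keystream.

```python
import hashlib
import hmac
import os

# Constructed sample record; no real client data.
SAMPLE_RECORD = b"client=J. Doe;ssn=000-00-0000;intake=housing dispute\n"

MAGIC_PW = b"BKUP"   # hypothetical "password protected" tape format
MAGIC_ENC = b"ENCR"  # hypothetical encrypted tape format
SALT_LEN = 16
DIGEST_LEN = 32
PW_HEADER_LEN = len(MAGIC_PW) + SALT_LEN + DIGEST_LEN   # 52 bytes
ENC_HEADER_LEN = len(MAGIC_ENC) + SALT_LEN              # 20 bytes


def write_password_protected(password: bytes, payload: bytes, salt: bytes = None) -> bytes:
    """'Password protected' in the weak sense: the header carries a salted hash
    that a well-behaved reader checks before handing over the body. The body
    itself is written as-is, so the check lives in the reader, not in the data."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha256(salt + password).digest()
    return MAGIC_PW + salt + digest + payload


def read_password_protected(archive: bytes, password: bytes) -> bytes:
    """The cooperative reader: refuses to proceed without the right password."""
    salt = archive[len(MAGIC_PW):len(MAGIC_PW) + SALT_LEN]
    stored = archive[len(MAGIC_PW) + SALT_LEN:PW_HEADER_LEN]
    if not hmac.compare_digest(stored, hashlib.sha256(salt + password).digest()):
        raise PermissionError("wrong password")
    return archive[PW_HEADER_LEN:]


def read_by_skipping_header(archive: bytes) -> bytes:
    """What whoever finds the tape does: ignore the check, read from offset 52."""
    return archive[PW_HEADER_LEN:]


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; illustration only, not a
    production cipher (no authentication, no vetted construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _derive_key(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def write_encrypted(password: bytes, payload: bytes, salt: bytes = None) -> bytes:
    """Real protection: the key is derived from the password and the body is
    ciphertext, so skipping the header yields nothing readable."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = _derive_key(password, salt)
    body = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    return MAGIC_ENC + salt + body


def read_encrypted(archive: bytes, password: bytes) -> bytes:
    salt = archive[len(MAGIC_ENC):ENC_HEADER_LEN]
    body = archive[ENC_HEADER_LEN:]
    key = _derive_key(password, salt)
    return bytes(c ^ k for c, k in zip(body, _keystream(key, len(body))))


def demo() -> dict:
    """Compare what a finder gets from each kind of tape without the password."""
    weak = write_password_protected(b"hunter2", SAMPLE_RECORD)
    strong = write_encrypted(b"hunter2", SAMPLE_RECORD)
    return {
        "weak_tape_readable_without_password": read_by_skipping_header(weak) == SAMPLE_RECORD,
        "encrypted_tape_readable_without_password": SAMPLE_RECORD in strong,
        "encrypted_tape_readable_with_password": read_encrypted(strong, b"hunter2") == SAMPLE_RECORD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "Herculean effort" against the first format is a 52-byte seek. Only the second format makes the password matter, and then the strength of the whole thing is the strength of the password and the key derivation, which is the question to ask a vendor who says "password protected".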

Failure to remove this information has been a hot topic for several years. How can anyone remain so clueless? (Oh, yeah... West Virginia)

WV: Web error fallout ongoing

Wednesday, November 05 2008 @ 02:04 PM EST Contributed by: PrivacyNews

The fallout continued Thursday following an error that officials said resulted in the placement of Social Security numbers, birth dates and other personal information onto a county Web site.

Late last week, Jefferson County Clerk Jennifer Maghan said she unveiled a new online search tool that enabled residents and business professionals to access nearly 1.6 million documents that are stored in her office via their home computers.

Maghan said she received a number of compliments about the new program after it debuted, but learned within a matter of days that the deeds and some of the other documents that the service contained featured residents' Social Security numbers and other personal information. [“In all my years processing these forms, I never noticed that.” Bob]

Source - The Journal hat-tip, The Breach Blog

[From the article:

"It's on these documents, where a Social Security number had no business being there," she told county commissioners on Thursday. [“They put their social security number on the “Amount paid” line or in the Name field – anyplace we wouldn't notice it.” Bob]

A trivial hack, but see what an automatic censorship program can teach you...

OR: Restaurant’s computer hacked

Wednesday, November 05 2008 @ 04:50 PM EST Contributed by: PrivacyNews

The computer system of Swee*censored*ers on the River restaurant in Valley River Inn in Eugene was hacked between June 19 and Oct. 3, the restaurant said Wednesday.

Valley River Inn’s computers were not affected.

As a result of the security breach, the information magnetically encoded on credit or debit cards, which may include the cardholder’s name, card number, card expiration date and other information encoded by the card issuer, may have been obtained by unauthorized persons.

Source - Portland Business Journal Related - Sweetwaters on the River Press Release
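What "the information magnetically encoded on credit or debit cards" actually amounts to, as an added Python example that is not from the restaurant, the newspaper or any POS vendor: a parser for the public ISO/IEC 7813 track 1 and track 2 layouts, plus the masked record that is all a merchant may keep after authorization. The sample swipes are constructed (4111111111111111 is a standard test PAN, "DOE/JANE" a made-up cardholder); the field names and the `safe_record` policy are this example's own choices.

```python
import re

# Constructed sample swipes, not real cards; 4111111111111111 is a
# widely used test PAN. The track 1 name field is surname/first.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^1012101123456789?"
SAMPLE_TRACK2 = ";4111111111111111=10121011234567890?"

# ISO/IEC 7813 layouts: track 1 is %B PAN ^ NAME ^ YYMM SC discretionary ?
# and track 2 is ; PAN = YYMM SC discretionary ?
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit; a fast filter for whether a scraped PAN is plausible."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> dict:
    """Split a raw swipe into its fields; this is exactly what a memory scraper
    or a tapped reader on the POS gets to see."""
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        m = rx.match(raw)
        if m:
            f = m.groupdict()
            return {
                "track": kind,
                "pan": f["pan"],
                "name": f.get("name"),
                "expiry": f["exp"][2:] + "/" + f["exp"][:2],  # YYMM -> MM/YY
                "service_code": f["sc"],
                "discretionary": f["disc"],  # issuer data such as CVV1/PVV lives here
                "luhn_ok": luhn_ok(f["pan"]),
            }
    raise ValueError("not track 1 or track 2 data")


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def safe_record(raw: str) -> dict:
    """What a merchant system may retain after authorization: no full PAN and
    no track or discretionary data (PCI DSS requirement 3)."""
    rec = parse_track(raw)
    return {
        "track": rec["track"],
        "masked_pan": mask_pan(rec["pan"]),
        "expiry": rec["expiry"],
        "luhn_ok": rec["luhn_ok"],
    }


if __name__ == "__main__":
    print(parse_track(SAMPLE_TRACK1))
    print(safe_record(SAMPLE_TRACK2))
```

The breach window in the story runs over three months, which is the usual sign that track data was being captured as it passed through the POS rather than pulled from a stored file: a merchant storing only `safe_record`-style data has nothing a cloner can use, so the attacker has to sit in the swipe path instead.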

My guess is that the campaign of 2012 has already started. Some of the comments have other interesting suggestions...

Obama, McCain Campaigns Both Hacked, Files Compromised

Posted by timothy on Wednesday November 05, @06:20PM from the nogoodniks-abound dept. Security United States Politics

dunezone writes

"As the election ends, news is coming out from both campaigns on what happened behind closed doors. During the summer, the Obama campaign had their systems hacked, but so did McCain — and not by each other, but bya third party. '... both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," [Rude, but very FBI? Bob] an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem ... and you have to deal with it." The Feds told Obama's aides in late August that the McCain campaign's computer system had been similarly compromised.'"

Also from the article:

"Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps' policy positions — information that might be useful in negotiations with a future administration." [Which of course is silly. Campaign retoric has nothing to do with anything that happens after the election. Bob]

Sounds like a “gang” with very low Identity Theft skills. They need time in prison to perfect their technique...

CO: Five-member identity-theft ring indicted

Wednesday, November 05 2008 @ 11:50 AM EST Contributed by: PrivacyNews

Five members of an identity theft ring that operated in the Denver metro area have been charged in a 65-count grand jury indictment, authorities say.

... During the investigation that began in April, authorities confiscated nearly 300 fraudulent identification cards and counterfeit checks they had used to steal thousands of dollars from dozens of victims, Friel said. .... The ring burglarized homes and broke into cars to steal credit card information.

Source - Denver Post

Comment: not to impugn the intelligence of clerks and merchants, but: the story says that "The group made their own credit cards that didn't have magnetic strips on the back, Friel said. When asked about the missing magnetic strips, ring members would say the cards were only temporary and ask the clerk to key in the credit card numbers stolen from a valid credit card, he said." A little common sense or caution on the part of the clerks or cashiers might have prevented some of the resulting problems -- Dissent.

I'm sorry they pled guilty. I was hoping for more details during the trial...

Three Plead Guilty in $2 Million Citibank ATM Caper (follow-up)

Wednesday, November 05 2008 @ 06:08 PM EST Contributed by: PrivacyNews

Three New Yorkers accused of using hacked Citibank ATM card numbers and PINs to steal $2 million from customer accounts in four months have pleaded guilty to federal conspiracy and access device fraud charges.

The defendants -- Ivan Biltse, Angelina Kitaeva and Yuriy Rakushchynets, aka Yuriy Ryabinin -- are among 10 suspects charged earlier this year in connection with a breach of a transaction processing server handling ATMs at 7-Eleven convenience stores. The ATMs are branded Citibank, and owned by Houston-based Cardtronics.

Source - Threat Level

[From the article:

Court records indicate a Russian hacker cracked the ATM server in late 2007, and monitored transactions from 7-Eleven cash machines long enough to capture thousands of account numbers and PINs. The Russian then farmed out the stolen data to mules in the United States, who burned the account numbers onto blank mag-stripe cards [Something the Colorado crooks didn't bother with Bob] and withdrew cash from Citibank ATMs in the New York area for at least five months, sending 70 percent of the take back to Russia.

... Citibank hasn't commented on the breach, except to say that customers aren't held responsible for fraudulent withdrawals, and that its own servers weren't compromised. Cardtronics also hasn't commented, but insisted in a July press release that its systems meet the PCI Data Security Standard, [Undoubtedly true. Shows just how poor those standards are! Bob] which sets requirements for credit and debit cards processing systems.

... In addition to looting Citibank accounts, Rakushchynets was accused of participating in a global cybercrime feeding frenzy [Cute! Bob] that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 -- just two days -- the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines "around the world," according to an FBI affidavit, resulting in a staggering $5 million in losses.

... Rakushchynets and Biltse agreed to forfeit the cash found stashed in their homes at their arrest: $838,000 for Rakushchynets; $912,500 for Biltse. [Sounds like they don't trust banks... Bob]

Take that, Google!

Hustinx: nameless data can still be personal

Thursday, November 06 2008 @ 05:45 AM EST Contributed by: PrivacyNews

A person does not have to be identifiable by name for details of their computer usage to be protected by data protection laws, a senior European privacy watchdog has warned.

... Hustinx, who is charged with advising EU institutions on privacy law and ensuring they comply with it, has said in a video published by technology news service ZDNet that companies that gather addresses that might or might not be personal data should just treat them all as personal, with all the restrictions that entails.

Source - Related - The video at ZD Net

Interesting, but it seems somewhat shallow to me. They consider the CPO and CIO perspective, but not the Board of Directors as a whole. And what about shareholders?

Paper: The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises

Wednesday, November 05 2008 @ 01:39 PM EST Contributed by: PrivacyNews


This paper presents a consolidated view of the requirements of stakeholders of an enterprise's privacy implementation. Because there are so many stakeholders in enterprise privacy, the paper also analyzes the tension between the stakeholders as they relate to purchasing behavior of privacy enabling technology. An action this paper motivates is the creation of technology so enterprises might operate in a privacy-respecting manner. The paper is meant to encourage development of products and services that have maximum understanding and therefore appeal across the various stakeholders. Some of the assertions in this paper are supported by interviews of stakeholders within a variety of enterprises in and across geographies and business sectors, who each have been promised anonymity. Enterprise customers reading this document will benefit from understanding concerns of other enterprise privacy stakeholders, filling gaps or oversights for privacy problems that may be pending but not yet surfaced in their own enterprise.

Nickel, Cyndi; Sander, Tomas; Bramhall, Pete HP Laboratories HPL-2008-153

Source - The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises [pdf] October 21, 2008

Examples – practically Case Studies..

New resources from the Office of the Privacy Commissioner of Canada

Thursday, November 06 2008 @ 05:15 AM EST Contributed by: PrivacyNews

The Office of the Privacy Commissioner of Canada announced two new resources:

They have produced a guide for businesses, and

They have also introduced a new e-newsletter: Privacy Perspectives - News from the Office of the Privacy Commissioner of Canada that includes cases summaries of PIPEDA decisions. This month's newsletter includes:

  • PIPEDA Case summary #394: Outsourcing of e-mail services to U.S.-based firm raises questions for subscribers

  • PIPEDA Case summary #393: Laptop theft at bank and long delay before informing victims were both avoidable

  • PIPEDA Case summary #392: Individual objects to being photographed by private investigation firm

  • PIPEDA Case summary #391: Company must not charge flat fee to process access request

For your security manager (The link does not take you to a PDF)

Critical Vulnerability In Adobe Reader

Posted by timothy on Wednesday November 05, @05:32PM from the see-attachment dept. Security Bug Media

An anonymous reader writes

"Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."

How to steal passwords wholesale... - Store All Your Passwords Online

The I Forgot My Password website is there to ensure you can give your memory a break and store all your passwords in the same place. Some might say that storing such information on the web it is not the safest thing to do, [Ya think? Bob] but different people want different things, and I think it is best to have alternatives to choose from rather than being always stuck with the same options and resources.

... You can also register for free easily and become a site user in no time at all.

Attention Class Action Lawyers!

D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection

Posted by timothy on Wednesday November 05, @06:45PM from the not-polite dept. Networking Businesses Technology

chronopunk writes

"Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-link DIR-655 router to the latest firmware you'll see that D-link does this, and calls the hijacking a 'feature.'"

An interesting 'call to arms' but the link to e-discovery resources and blogs is more useful...

The E-Discovery Crisis: An Immediate Challenge to our Nation’s Law Schools

[e-Discovery resources and Blogs:

Making life easier for us perverts! privacy advocates!

New Firefox privacy mode released to testers

Wednesday, November 05 2008 @ 08:08 AM EST Contributed by: PrivacyNews

Late Monday a small, yet big Firefox feature was released to testers of Minefield, Mozilla's testbed application for new browser innovations. The new feature is private browsing, also known in some circles as "porn mode." When toggled, it takes your Web history, user names, passwords, searches, and cookies and bins them the second you close out the window, effectively making it appear that the session never existed.

Source - Cnet

Wednesday, November 05, 2008

Not much important news today, there seems to have been some kind of election...

Spin over facts

Baylor Health Care says laptop with patient data stolen

Tuesday, November 04 2008 @ 07:37 AM EST Contributed by: PrivacyNews

A laptop computer containing limited health information on 100,000 patients was stolen from an employee's car in September, Baylor Health Care System Inc. said Monday.

A letter is being sent to the patients, including 7,400 patients whose Social Security numbers were stored on the computer.

Source - Dallas Morning News

[From the article:

"Fortunately, the laptop did not contain comprehensive patient medical records, and, according to law enforcement officials, it is rare that incidents such as this result in identity theft," Dr. Winter said.

The data consisted of names of patients and medical codes relating to the treatment they received. The codes are a series of numbers requiring a medical code book to interpret, [Or a query on Google Bob] said Nikki Mitchell, a Baylor spokeswoman.

... It was within the manager's job description to visit Baylor locations collecting patient data on the laptop, but she was fired because leaving the laptop in her car broke protocol, Ms. Mitchell said. [I approve! Bob]


Baylor Health Care System employee is fired over stolen laptop

Interesting but not much detail available. Why were medical records in public storage? Did the crooks only steal the hard drives?

AZ: Info of 40,000 kids on stolen hard drives (DES update)

Tuesday, November 04 2008 @ 06:09 PM EST Contributed by: PrivacyNews

Arizona's Department of Economic Security said five hard drives stolen from a storage unit contained the personal information of up to 40,000 children.

The department sent letters to parents who had submitted their children for its "Early Intervention Program" informing them the children may be at risk of identity theft as a result of the October break-in at the public storage unit, KTVK-TV in Phoenix reported Tuesday.

"The hard drives contained info that might include name, address, insurance info, child disability, date of birth and Social Security number," the letters stated.

Source - Times of the Internet

If you can't get the death penalty for copyright violations in the US, add it into a secret treaty agreement, then claim we have to comply!

Concerns About ACTA In EU, Canada

Posted by kdawson on Tuesday November 04, @03:29PM from the back-rooms-and-dark-alleyways dept. Privacy Government

Elektroschock writes

"An EU document on the Anti-Counterfeiting Treaty was leaked. The main purpose of the trade agreement is to impose the European enforcement measures for IPR infringements on the US and emerging economies, widen the enforcement measures to include criminal sanctions for patent infringements, and introduce internet content filtering measures. Civil society groups such as the FFII criticize the ACTA process because negotiation documents are not made publicly available by the governments. The EU document ('fact sheet') from the EU Trade Commissioner explicitly mentions: 'Internet distribution and information technology — e.g. mechanisms available in EU E-commerce Directive of 2000, such as a definition of the responsibility of internet service providers regarding IP infringing content.'"

And an anonymous reader adds Michael Geist's push for more transparency around ACTA negotiations in Canada.

Interesting application. As you use your browser, highlight text and a search engine plops results onto a sidebar. - Intelligent Discovery Engine

Developed by Linkool Labs, Juice is an intelligent discovery engine that has just been launched. This engine enables you to highlight a portion of text and process it in order to produce a set of content recommendations.

The Juice engine comprises a natural language processing system with a dictionary that connects keywords with the corresponding (and richest) content that can be found on the web, based on the information you drag and drop.

Moreover, the content that is discovered for you and put forward by Juice can easily be organized and categorized for browsing convenience. For instance, when a video is recommended you can simply add it to your video playlist and watch it afterwards. The same applies to any picture you come across – you can save it for later viewing in a straightforward manner.

The supported browsers so far include only Firefox 3.0. It will be interesting to see if other browsers are taken into account as the project evolves. For the time being, Firefox users can check Juice out at and start discovering new content on the web right away.

Tuesday, November 04, 2008

Put your money where your mouth is...

President Obama? Web sites bet it's a done deal

Posted by Declan McCullagh November 4, 2008 5:00 AM PST

After the votes were tallied on Election Day four years ago, the big winners turned out to be the betting Web sites that predicted George W. Bush's re-election.

U.K.-based Betfair correctly predicted that Bush would stay in office and gave him 2-to-1 odds of beating his Democratic rival, Sen. John Kerry. The odds at Dublin-based were similarly accurate, giving Bush a 58 percent chance to win and Kerry a 42 percent chance.

For my fellow paranoids...

Hundreds of Thousands of Voter Records Found Scattered on Highway in Florida

Monday, November 03 2008 @ 12:03 PM EST Contributed by: PrivacyNews

Hundreds of thousands of pages of voter documents were found scattered along a highway in Hillsborough County, Florida, Monday morning. Two empty cardboard boxes were found near the documents, suggesting they may have fallen from a truck or been purposely dumped along the highway.

The documents, which filled nine plastic bags when collected, contain names, addresses, phone numbers and party affiliation of Hillsborough County voters.

It appears, however, that the documents aren't the county's voter registration applications since they also contain the voters' registration numbers, precincts where they are registered to vote and a check box next to each voter's name indicating their choice of Barack Obama or John McCain in the presidential election and whether they need a ride on Election Day, according to the Tampa Tribune. The latter would not be on a county voter record. [Interesting that they think only the last piece is not on the county records... Bob]

Source - Threat Level Related - Associated Press

[From the AP article:

The elections office says the information in the documents is public record.

Related – and this one would work too...

Phony Virginia Flier Culprit Found


AP November 3, 2008 08:57 PM

State elections officials have identified the person responsible for a phony election flier that told Republicans to vote on Tuesday and Democrats to vote a day later.

Cloud Computing Considerations Tactically brilliant but strategically dumb.

Is openness a second-order purchasing consideration?

Posted by Matt Asay November 3, 2008 3:07 PM PST

Nick Carr writes a fantastic piece--"Openness is not enough"--which highlights how far Microsoft has gone in the cloud, and whether anyone cares about lock-in. The answer to the first question is "shockingly far," and the answer to the second question is "not yet."

... [I]n this early stage of the cloud's development, openness means little to the buyer (or user).... What they care about right now is security, reliability, features, compatibility with their existing systems and applications, ease of adoption, stability of the vendor, and other practical concerns. In the long run, they may come to regret their lack of stress on openness, but in the here-and-now it's just not a major consideration. They want stuff that works and won't blow up in their faces.

... Now, it's absolutely true that openness is not necessarily the reason to buy, but rather can be the reason a prospect even knows you exist (e.g., they downloaded your product). But Carr is onto something here. Some grouse about the iPhone being proprietary, but even at open-source Red Hat I saw an increasing number of iPhone users. Why? Because it works, and it works well.

Very interesting on several levels. 1) Check the comments 2) Didn't the Air Force scrap their Cyber Command? 3) Will they be looking for Hacker Consultants? (They won't want these guys in uniforms...)

Air Force To Rewrite the Rules of the Internet

Posted by CmdrTaco on Monday November 03, @01:59PM from the because-they-can dept. The Internet The Military

meridiangod writes

"The Air Force is fed up with a seemingly endless barrage of attacks on its computer networks from stealthy adversaries whose motives and even locations are unclear. So now the service is looking to restore its advantage on the virtual battlefield by doing nothing less than the rewriting the 'laws of cyberspace.'"

I'm sure that'll work out really well for them.

[From the article:

An upcoming Air Force doctrine calls for the service to have the "freedom to attack" online. [What stops them today? Bob]

Funny it's not more widespread...

Privacy Concerns Over Google On the Rise In Germany

Posted by kdawson on Sunday November 02, @08:22PM from the not-being-evil-we-promise dept. Privacy Google

An anonymous reader writes

"After protests from several sources, major German news site Spiegel Online has dropped Google Analytics. 'Google gathers so much detailed information about its users that one critic says some state intelligence bureaus look "like child protection services" in comparison,' they say. Spiegel Online no longer uses Google Analytics. 'We want to ensure that data on our users' browsing patterns don't leave our site,' says Wolfgang B├╝chner, one of Spiegel Online's two chief editors."

The article covers a wide swath of German concern over Google's data-collecting and -handling policies, including a local rebellion against Google's Street View survey vehicles that threatens to go national.

Why physics is cool.

New Type of Particle May Have Been Found

Posted by kdawson on Monday November 03, @07:33PM from the outside-the-pipe dept. Science

An anonymous reader writes

"The LHC is out of commission, but the Tevatron collider at Fermilab is still chugging along, and may have just discovered a new type of particle that would signal new physics. New Scientist reports that the Tevatron's CDF detector has found muons that seem to have been created outside of the beam pipe that confines the protons and anti-protons being smashed together. The standard model can't explain the muons, and some speculate that 'an unknown particle with a lifetime of about 20 picoseconds was produced in the collision, traveled about 1 centimeter, through the side of the beam pipe, and then decayed into muons.' [Interesting. An undetectable particle decays into a detectable one. Bob] The hypothetical particle even seems to have the right mass to account for one theory of dark matter."

Save the rainforest, fuel the Hummer!

Rainforest Fungus Naturally Synthesizes Diesel

By Alexis Madrigal November 03, 2008 7:15:49 PM

A fungus that lives inside trees in the Patagonian rain forest naturally makes a mix of hydrocarbons that bears a striking resemblance to diesel, biologists announced today. And the fungus can grow on cellulose, a major component of tree trunks, blades of grass and stalks that is the most abundant carbon-based plant material on Earth.

Niche, but interesting for those used to reading PDFs online and perhaps to import into your Kindle... - Turn Your Feeds Into A Magazine

Tabbloid is a web-based service that serves one specific purpose: turning all your favorite feeds into a personal magazine that can be read as a PDF document.

The mechanics of the site are actually quite simple. To begin with, you have to enter as many RSS feeds as you wish. Starting lists are also provided just in case, and these deal with aspects such as “Technology”, “Politics” and “Business”. Then, you must set down the delivery options that suit you best. You can choose the frequency and the time along with the day from a series of provided drop down boxes. Once this has been dealt with, you will receive the print-ready PDF at the frequency you have just stipulated.

This service is not only practical and easy to implement, but it is actually rendered at no cost whatsoever. In addition to that, there is no registration process to be complied with – you simply follow the “Get started” link which is featured and set down the aforementioned criteria.

I'll make a selection of music to soothe my students during testing: Cry me a river, My Way (the end is near...) -- come to think of it, there are very few Happy Test-Taking tunes... - Listen To Music Online

A service which has clearly been set up with practicality and ease of use in mind, StreamDrag will enable you to look up music files which are part of YouTube videos and arrange and create playlists that can be listened to whenever you wish.

The site revolves around a basic search tool that has the distinct advantage of being very fast. For instance, I tried looking up “The Who”, one of my best-loved bands and 50 different results were produced almost instantly. These included classic performances of My Generation and Pinball Wizard along with monumental recent performances like Baba O’Riley at the Concert for New York City and Won’t Get Fooled Again at the Live 8.

All in all, a service like this stands as a versatile (not to mention inexpensive) way of listening to your favorite music wherever you are, and also as a viable way of recommending your favorite artists to friends and acquaintances when you don’t have a CD or your MP3 player at hand.

To hell with the mice, give us a T-Rex!

Cloning from the grave: Scientists create new life from a mouse that has been frozen for 16 YEARS

By David Derbyshire Last updated at 7:49 AM on 04th November 2008

Scientists have created clones of a mouse that had been dead and frozen for 16 years.

... The Japanese researchers say their work will benefit mankind - and could be used to bring back extinct animals such as the woolly mammoth or sabre tooth tiger.

But ethical watchdogs branded the experiment disturbing.

Critics say it brings the world closer to the day when people try to clone long-dead relatives stored in cryopreservation clinics.