Stolen and sold: Private details of thousands of World Cup fans
September 5, 2010 by admin
Jason Lewis reports on the FIFA breach that was mentioned on this site last month (here).
The personal details of thousands of football fans who bought World Cup tickets from official FIFA outlets have been stolen and sold for up to £500,000. [That seems high – perhaps there is more here? Bob]
The data breach first emerged in Scandinavia where the details of 50,000 Swedish and Norwegian fans were offered for sale. Among the details were those of former Swedish Prime Minister Ingvar Carlsson and former Minister of Integration Jens Orback.
Mr Orback said: ‘I don’t like this at all. As a former government minister, this is also a security issue.’ [But not for all those second class citizens? Bob]
But it quickly emerged that the data breach was far more widespread and included the details of nearly 20,000 American citizens, 36,000 Swiss nationals, 42,000 Portuguese and 36,000 Dutch fans, as well as thousands more supporters from Poland, Italy, Germany, France, Spain and Croatia.
Read more in the Daily Mail.
In related coverage, David Hills and Mark Townsend of the Guardian report:
The authority is looking at claims that a “rogue employee” of Match Hospitality, Fifa’s official ticketing agency, may have sold the information to black market touts who could then get in touch with individuals and offer to buy their tickets before they, in turn, illegally traded the same tickets at big mark-ups.
The Norwegian newspaper Dagbladet reported it had gained possession of the list of 250,000 records, and said it had obtained several emails in which a Match employee offers the lists for sale to a major player on the black market. The newspaper claimed it has confirmed the seller’s identity.
Jaime Byrom, chairman of Match Event Services and Match Hospitality’s biggest shareholder, the Manchester-based Byrom plc, has told Dagbladet that it was not aware that the information had been sold and that it had taken every possible step to prevent the unauthorised sale of tickets.
Don’t worry that Match will lose any contract with FIFA, however. The reporters note:
Match Hospitality, owned in part by a media company run by Philippe Blatter, nephew of the Fifa president, Sepp Blatter, won exclusive rights to sell ticket hospitality packages at the 2010 and 2014 tournaments three years ago. The firm was criticised for over-pricing packages for this summer’s World Cup, resulting in empty seats at most matches in South Africa.
Article: Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes
September 5, 2010 by admin
Dana Lesemann of the Howard University School of Law has an article of note in the Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Here’s the abstract:
Companies facing the loss of a laptop or a compromised server have long waged battles on several fronts: investigating the source of the breach, identifying potentially criminal behavior, retrieving or replicating lost or manipulated data, and putting better security in place. As recently as seven years ago, the broader consequences of a data breach were largely deflected from the party on whose resource the data resided and instead rested essentially on those whose data was compromised. Today, however, with the patchwork quilt of domestic data breach statutes and penalties, most companies forging “unto the breach” would consider paying a ransom worthy of King Henry to avoid the loss of its consumers’ identities through theft or manipulation. The cost to businesses of responding to data breaches continues to rise. According to the Ponemon Institute, the average cost of data breaches to the businesses it surveyed increased from $6.65 million in 2008 to $6.75 million in 2009. The per-record cost of the data breaches experienced by the companies it surveyed was $202 in 2009, only $2 per record more than the average in 2008 but a $66, or 38%, overall increase since 2005. The most expensive data breach in the 2009 Ponemon survey was nearly $31 million; the least expensive was $750,000.
In confronting a data breach, a company has to contend with a multitude of issues: the costs of replacing lost equipment, repairing the breach, and thwarting a potentially criminal act. Some specific industries have their own privacy laws. For example, financial firms must contend with the reporting requirements associated with the federal Gramm-Leach-Bliley Act, and health care companies face broad reporting requirements under the new HITECH Act. Across the broader economy, however, attorneys and companies worry most about a thicket of data breach notification statutes enacted by 45 states and the District of Columbia. These statutes expose law firms and their clients to conflicting time limits, reporting requirements, fines, and potentially millions of dollars in penalties and civil liability – not to mention reputational risk. The 46 data breach notification statutes vary widely from state to state and, most critically, focus not on the location of the breach or where the company is incorporated, but on the residence of the victim. Therefore, a company facing a data breach must comply with the state laws of each of its affected consumers. A company’s multi-state or Internet presence only extends the potential web of specific time limits and other often conflicting requirements for notifying consumers.
This Article addresses the legal, technological, and policy issues surrounding U.S. data breach notification statutes and recommends steps that state and federal regulatory agencies should take to improve and harmonize those statutes.
Part I of this Article provides background on the data breaches that gave rise to the enactment of notification statutes.
Part II addresses the varying definitions of “personal information” in the state statutes – the data that is protected by the statute and whose breach must be revealed to consumers.
Part III analyzes how states define the data breach itself, particularly whether states rely on a strict liability standard, on a risk assessment approach, or on a model that blends elements of both in determining how and when companies have to notify consumers of a breach.
Part IV discusses the time limits companies face, penalties for non-compliance, litigation under the statutes, and state enforcement of the statutes.
Finally, Part V presents specific recommendations for the state legislatures and enforcement agencies and for Congress, as well as for companies facing data breaches.
You can download the full article at SSRN.
One of Lesemann’s recommendations is that states adopt a risk-based assessment model as opposed to a strict liability model. Similarly, Lesemann recommends a national law that would also incorporate a risk-based assessment. Lesemann’s explanation of a risk-based assessment would require a more extensive investigation and consultation with federal, state, and local agencies, but seems geared only towards financial harm, once again ignoring the issue that unless consumers say they do not want to be informed, it is self-serving to claim that too many notifications make consumers numb. In my opinion, rather than rationalizing not providing notifications, we should ensure that the notifications provide sufficient, accurate information that enables consumers to evaluate the risk and to make an informed choice as to their next steps — which, in addition to financial or credit protection strategies, may or may not include terminating their relationship with the entity. But I do recommend the article as it provides a good review of the various state laws, class action lawsuits, and issues.
Lesemann, Dana, Once More Unto the Breach: An Analysis of Legal, Technological and Policy Issues Involving Data Breach Notification Statutes (September 2, 2010). Akron Intellectual Property Journal, Vol. 4, p. 203, 2010. Available at SSRN: http://ssrn.com/abstract=1671082
(Related) Laws mutate and evolve. The interesting question is always, “will that mutation become dominant?”
Tw: The Age of Information Liability Begins
September 4, 2010 by Dissent
Benjamin Chiang of CommonWealth Magazine in Taiwan recently discussed some of the consequences of revisions to the 1995 Computer-Processed Personal Data Protection Act (the CDPA). The provisions of the Personal Data Protection Act are expected to go into effect in 2011, and Chiang says that the revised law has created a “legal minefield.” Some snippets from his article:
Before the latest revisions, the Personal Data Protection Act applied only to eight specific industries. But the revised Act applies to all industries and every individual.
For companies or the government, information security will no longer be strictly the business of their information departments once the Act is enforced. Instead, every single employee from the boss down will be liable. If a company or government agency engages in the illegal collection, processing or use of personal data, it is liable for monetary compensation for every single incident of personal data damage. A single injured party may claim up to NT$20,000 in monetary compensation for each incident. All parties involved, from the company or government agency to the person in charge and data processing employees, can be held liable.
Even more harrowingly, injured parties may file class-action suits. Under a single class-action suit, monetary compensation of up to NT$200 million can be claimed. Company owners may even face jail sentences of up to five years.
Another special feature of the revised Act is its notification obligations. “Before a company collects information, it must clearly inform the consumer who they are, what the goal of the information gathering is, and for what period of time the information will be used,” says Rhonda Chen, researcher with the Executive Yuan’s Science & Technology Advisory Group and director of the National Information and Communication Security Taskforce office.
While the implications for businesses appear enormous, there is also a significant impact for individuals in their private capacity:
Posting an article or photo of someone else on the Internet or in a personal blog amounts to leaking personal data, if the person concerned has not given his or her approval. “Human flesh searches” – a growing phenomenon in China in which groups collectively investigate, expose and sometimes harass individuals perceived of wrongdoing – entail the unauthorized posting of private information on the Internet. While those who wage these campaigns claim to do so “in the name of justice,” they are in fact violating the Personal Data Protection Act.
Read the full article on CommonWealth Magazine.
We can, therefore we must.
Article: The End of the Net as We Know it? Deep Packet Inspection and Internet Governance
September 5, 2010 by Dissent
From an article by Ralf Bendrath of the European Parliament and Milton Mueller, Syracuse University School of Information Studies:
Advances in network equipment now allow internet service providers to monitor the content of data packets in real-time and make decisions about how to handle them. If deployed widely this technology, known as deep packet inspection (DPI), has the potential to alter basic assumptions that have underpinned Internet governance to date. The paper explores the way Internet governance is responding to deep packet inspection and the political struggles around it. Avoiding the extremes of technological determinism and social constructivism, it integrates theoretical approaches from the sociology of technology and actor-centered institutionalism into a new framework for technology-aware policy analysis. [A rare species, indeed. Bob]
You can download the full article at SSRN.
Bendrath, Ralf and Mueller, Milton, The End of the Net as We Know it? Deep Packet Inspection and Internet Governance (August 4, 2010). Available at SSRN: http://ssrn.com/abstract=1653259
Illustrating how Augmented Reality works for niche markets (people waiting for buses). Note that this requires knowing where the buses are (GPS or RFID at the bus stops?) and accepting “inquiries” from riders.
Augmented Reality Coming to DC Bus Stops Today (Photo)
Gov 2.0 advocates have printed a run of QR (2D barcode) stickers they will stick at bus stops all over Washington DC today, allowing mobile phone users to quickly get up-to-the moment bus progress reports, post traffic status updates, and more. This augmentation of the physical world with real-time data from the ether strikes me as accessible and useful. The project was one of many ideas discussed at DCWeek this June and is being implemented by the Research and Development group in Office of the CTO, DC Government (on Twitter: OCTOLabs).
O'Reilly's Gov 2.0 correspondent Alex Howard shared a link to this photo on Twitter this morning. Smart phone users will use QR reading apps to snap a picture of the codes, then their phones will be shown relevant real-time information corresponding to the bus stop they are at. (That makes more sense to me than NYC's new QR codes on the back of garbage trucks, but hey - the point is, these things are growing more mainstream in the US.)
“Ignorance of the technology is no excuse.”
Reasonable Expectation of Privacy . . . Not!
September 4, 2010 by Dissent
Law professor Susan Brenner writes:
As I’ve explained in earlier posts, the 4th Amendment protects us from “unreasonable” searches and seizures.
And as I’ve noted, under the U.S. Supreme Court’s decision in Katz v. U.S., 389 U.S. 347 (1967), a “search” violates a reasonable expectation of privacy in a place or thing. Under Katz, you have a 4th Amendment reasonable expectation of privacy in a place/thing if (i) you subjectively believe it’s private and (ii) society accepts your belief as objectively reasonable.
This post is about an Ohio case in which the defendant made what I’d consider a . . . pretty expansive argument as to the existence of a reasonable expectation of privacy.
Read her commentary and analysis of State v. Ingram, 2010 WL 299-865 (Ohio Court of Appeals 2010) on CYB3RCRIM3. And no, the issue wasn’t the search of the car. It had to do with statements Ingram made while he was in the back seat of the police cruiser, unaware that he was being recorded when no police were in the car.
Couldn't this be accomplished at a lower level of intrusion? Isn't full video just to make it easier for the “telecaregivers?” Are these “medical records?” (Senior Porn?)
Surveillance Tech Wirelessly Watches Over Older Parents
September 4, 2010 by Dissent
Ki Mae Heussner reports:
For 74-year-old Carol Brewer, welcoming a video camera into her living room wasn’t easy.
She said she’d walk through her own home and wonder, “Am I dressed appropriately?”
But over time, she said, she grew accustomed to the little grey globe in the corner of the room and now credits it, in part, with helping her and her 78-year-old husband Ross, who is paralyzed from the waist down, continue to live in their Lafayette, Ind., home on their own.
“It bothered me a little,” she said. “But now I don’t worry about it.”
That’s because during the past two years, the surveillance camera and the other wireless sensors scattered around the Brewers’ home have allowed “telecaregivers” to help the couple avert emergency time and again.
The “eyes” and “ears” that watch over the Brewers belong to trained caregivers at ResCare, a Louisville, Kentucky-based company that provides residential care services to the elderly and people with disabilities.
Through its Rest Assured program, which was developed with the Purdue University School of Technology, the company remotely monitors about 300 clients across the country.
Dustin Wright, the general manager for Rest Assured, said the company works very closely with clients and their families to determine exactly what is needed.
Read more on ABC.
I wonder if anyone has researched technology bans? Would carrying a BlackBerry into some countries get you arrested? (Is there a market for this information?)
Dubai's Police Chief Calls BlackBerry a Spy Tool
Posted by Soulskill on Sunday September 05, @02:20AM
"Does the battle over the Blackberry ban in the United Arab Emirates have its roots in a spy story? Dubai's police chief says concern over espionage (specifically, by the US and Israel) led to the decision to limit BlackBerry services. The UAE says it will block BlackBerry email, messaging, and web services on October 11th unless it gets access to encrypted data. Comments by Lt. Gen. Dahi Khalfan Tamim are often seen as reflecting the views of Dubai's leadership, and would appear to indicate a very hard line in talks with Research in Motion."
We've gotta protect the pornographers! Same rights and same law, but I wonder if the language of the argument will change substantially?
New Copyright Lawsuits Go After Porn On Bittorrent
Posted by Soulskill on Saturday September 04, @11:55AM
"Three adult media entertainment producers filed suit Thursday in the US District Court for the Northern District of Illinois alleging copyright infringement against hundreds of anonymous defendants accused of trading videos using Bittorrent. This kind of action resembles the much-criticized mass litigation undertaken by the US Copyright Group against hordes of unknown accused Bittorrent users trading movies like The Hurt Locker. In this case, the subject matter promises to be more provocative."
An alternative view of copyright...
Radiohead Helps Fans Make Crowd-Sourced Live Show DVD
Posted by Soulskill on Saturday September 04, @11:19PM
"After having a go with a Name-Your-Price album and an open-source video, Radiohead is again breaking new ground, this time with a fan-based initiative. A group of fans went to one of the band's shows in Prague, each shooting the show from a different angle. By editing it all together and adding audio from the original masters provided by the band, they have created a video of the show that is 'Strictly not for sale — By the fans for the fans,' adding, 'Please share and enjoy.' Can this be the future of live show videos?"
“We don't expect anyone to be gullible enough to believe this, except the budget committees in Congress of course...”
DoD Takes Criticism From Security Experts On Cyberwar Incident
Posted by Soulskill on Saturday September 04, @06:59PM
"Undersecretary of Defense William J. Lynn is being challenged by IT security experts who find it hard to believe that the incident which led to the Pentagon's recognizing cyberspace as a new 'domain of warfare' could have really happened as described. In his essay, 'Defending a New Domain,' Lynn recounts a widely-reported 2008 hack that was initiated when, according to Lynn, an infected flash drive was inserted into a military laptop by 'a foreign intelligence agency.' Critics such as IT security firm Sophos' Chief Security Adviser Chester Wisniewski argue that this James Bond-like scenario doesn't stand up to scrutiny. The primary issue is that the malware involved, known as agent.btz, is neither sophisticated nor particularly dangerous. A variant of the SillyFDC worm, agent.btz can be easily defeated by disabling the Windows 'autorun' feature (which automatically starts a program on a drive upon insertion) or by simply banning thumb drives. In 2007, SillyFDC was rated as Risk Level 1: Very Low, by security firm Symantec."
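The mitigation the summary names, disabling AutoRun for removable drives, is a registry policy that can be audited and enforced from PowerShell. The script below is an added example, not code from the article, Sophos or Symantec; it assumes the documented NoDriveTypeAutoRun policy value and an elevated session for the machine-wide (HKLM) change.

```powershell
# Added example: audit and optionally enforce the Windows AutoRun policy that
# defeats removable-media worms like SillyFDC/agent.btz. Not from the article.
# Assumes the NoDriveTypeAutoRun bitmask documented by Microsoft; run elevated
# to change the HKLM setting.

# One bit per drive type; a SET bit disables AutoRun for that type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'NoRootDir' = 0x02
    'Removable' = 0x04   # USB sticks: the vector described for agent.btz
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CDROM'     = 0x20
    'RAMDisk'   = 0x40
    'Reserved'  = 0x80
}
$AllDrivesDisabled = 0xFF

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    # One row per hive: raw mask, removable-drive status, and any drive types
    # that are still permitted to AutoRun under that hive's policy.
    foreach ($path in $PolicyPaths) {
        $mask = $null
        if (Test-Path $path) {
            $mask = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                        -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $stillEnabled = @()
        if ($null -ne $mask) {
            foreach ($name in $DriveTypeBits.Keys) {
                if (($mask -band $DriveTypeBits[$name]) -eq 0) { $stillEnabled += $name }
            }
        }
        [pscustomobject]@{
            Hive               = $path.Split(':')[0]
            NoDriveTypeAutoRun = if ($null -eq $mask) { '(not set: OS default applies)' } `
                                 else { '0x{0:X2}' -f $mask }
            RemovableAutoRun   = if ($null -ne $mask -and ($mask -band 0x04)) { 'disabled' } `
                                 else { 'ENABLED' }
            StillEnabledFor    = ($stillEnabled -join ', ')
        }
    }
}

function Set-AutoRunDisabled {
    # Writes 0xFF to both hives so no drive type may AutoRun.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
            -Value $AllDrivesDisabled -Force | Out-Null
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
# To enforce, uncomment the next line and re-run the audit:
# Set-AutoRunDisabled; Get-AutoRunPolicy | Format-Table -AutoSize
```

A value that is missing in both hives means the OS default is in force, so the audit row alone does not prove removable-media AutoRun is off; setting 0xFF removes that ambiguity.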
Not as big a joke as you might think, and it tracks well with the balkanization of the news.
Blogging And Mass Psychomanipulation
… it’s become pretty clear to me that any blogger worth her salt could start, say, an extremely successful militant religious cult.
… A big part of blogging is simply keeping the peace. You set rules on whether or not you’ll allow anonymous commenting, or commenting at all. You decide if/how to moderate comments. You decide if/how to respond to opposing arguments and (more often) personal attacks. And you, involuntarily for the most part, evolve your writing in response to the feedback loop. Those are the days of innocence, simple joys and simple sadnesses.
But then you start to get really good at what you do. You write something and you get trashed. The next time you try it a little differently and the commenters love you. You don’t even do it consciously – but over the years you just get better at it. To the point where you pretty much know exactly what the reaction will be to any given post, and how to tweak things to get the reaction you want.
Looks like fun.
BugGuide.net: Insect Identification Guide Online
One particularly awesome feature is the ability to upload a photo of an insect you’ve captured or spotted and request the community to identify it. They’re surprisingly good at doing this, and quickly, which is very useful if you’re wondering whether the spider in your yard is poisonous or not.