Friday, September 17, 2010

“You know, now that we've had a breach the simple preventive measures are obvious...”

Lost in transit, Thursday edition

September 16, 2010 by admin

Through its lawyers, Rhode Island-based Benefit Concepts, Inc. recently notified the New Hampshire Attorney General’s Office that a package containing employee payroll checks and a CD with copies of the payroll checks went missing.

According to the notification letter, their vendor, CompuPay, had sent the package on July 19 via FedEx and it should have been delivered on July 20. FedEx believes that the shipment went missing at its Warwick, Rhode Island facility. Employees were not notified of the loss until September 3. [One must assume that the checks were replaced in time to meet the payroll? Bob]

The payroll checks contained the employees’ first and last names, Social Security Numbers, and bank account numbers. To prevent future problems, the company has asked CompuPay to mask SSN and encrypt the accompanying CD.

The profits from “Behavioral Advertising” seem to encourage this type of activity.

Lawsuit Targets Mobile Advertiser Over Sneaky HTML5 Pseudo-Cookies

A New York mobile-web advertising company was hit Wednesday with a proposed class action lawsuit over its use of an HTML5 trick to track iPhone and iPad users across a number of websites, in what is believed to be the first privacy lawsuit of its kind in the mobile space.

The company, Ringleader Digital, uses HTML5’s client-side database-storage capability as a substitute for the traditional cookie tracking employed by all major online ad companies. Mobile Safari users visiting sites with Ringleader ads are assigned a unique ID number which is stored by the browser, and recalled by Ringleader whenever they revisit.

But the tracker, labeled RLDGUID, does not go away when one clears cookies from the browser. Our sister site Ars Technica reported last week that users savvy enough to find and delete the database have found it returning mysteriously with the same ID number as before — a result the lawyers suing Ringleader say they’ve reproduced.

The lawsuit lodged Wednesday in Los Angeles federal court also names as defendants a number of companies who’d allegedly been serving the Ringleader trackers on the mobile versions of their sites: Surfline, The Travel Channel, CNN Money, Go2 and Merriam-Webster’s dictionary site.
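The mechanism described above (an ID kept in HTML5 client-side storage that a cookie clear does not touch, and that comes back after the user deletes it) can be checked from the user's side by diffing storage snapshots. The following is an added example, not code from the article or from Ringleader: since Node has no browser storage APIs, each storage area is passed in as a plain object, and the snapshots at the bottom are constructed sample data (the RLDGUID key name is from the article; the value is made up).

```javascript
// Audit of client-side storage for tracking IDs that outlive a cookie clear.
// Node has no browser storage APIs, so every storage area is passed in as a
// plain { key: value } object; the sample snapshots at the bottom are constructed.
const ID_SHAPE = /^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$/i;

// snapshot = { cookies: {...}, localStorage: {...}, webSql: {...}, ... }
// Returns every GUID-shaped value with the area and key it was found under.
function findIdentifiers(snapshot) {
  const ids = [];
  for (const [area, entries] of Object.entries(snapshot)) {
    for (const [key, value] of Object.entries(entries)) {
      if (ID_SHAPE.test(String(value))) ids.push({ area, key, value });
    }
  }
  return ids;
}

// Identifiers outside the cookie jar that are still present, unchanged, after
// cookies were cleared: exactly what a "clear cookies" action does not touch.
function survivingIdentifiers(before, afterCookieClear) {
  const still = findIdentifiers(afterCookieClear);
  return findIdentifiers(before).filter(id => id.area !== 'cookies' &&
    still.some(s => s.area === id.area && s.key === id.key && s.value === id.value));
}

// Respawn check: after the user deleted an identifier, does the same value
// come back on the next visit, in any area and under any key?
function respawnedIdentifiers(deleted, afterRevisit) {
  const current = findIdentifiers(afterRevisit);
  return deleted.filter(d => current.some(c => c.value === d.value));
}

// Values present in more than one area: the usual sign that one copy is kept
// as a backup from which the other is restored.
function crossAreaIdentifiers(snapshot) {
  const areasByValue = new Map();
  for (const { area, value } of findIdentifiers(snapshot)) {
    areasByValue.set(value, (areasByValue.get(value) || new Set()).add(area));
  }
  return [...areasByValue].filter(([, areas]) => areas.size > 1).map(([v]) => v);
}

// Constructed sample data; RLDGUID is the key name reported in the article,
// the value is made up.
const TRACKER = '1b4e28ba-2fa1-11d2-883f-0016d3cca427';
const BEFORE = { cookies: { sid: 'xyz', uid: TRACKER },
                 localStorage: { RLDGUID: TRACKER, theme: 'dark' } };
const AFTER_COOKIE_CLEAR = { cookies: {}, localStorage: { RLDGUID: TRACKER, theme: 'dark' } };
const AFTER_DELETE_AND_REVISIT = { cookies: {}, localStorage: { RLDGUID: TRACKER } };
```

In a real browser the snapshots would be built from `document.cookie`, `localStorage` and any Web SQL tables; the GUID-shaped heuristic is a starting filter, not a guarantee that every tracker is caught.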

“Hello. How are you?” doesn't translate well to modern technology.

HOW many patient privacy breaches per month?

As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide some baseline data on how many patient privacy breaches their clients were experiencing each month.

… Although no detailed statistics are provided, the report also provides a summary on the types of patient privacy breaches most likely to occur for different types of localities.

… The company uses case examples with timelines to make the following points:

1. Simply informing your employees that you have implemented a monitoring program to detect privacy breaches can decrease patient privacy breaches significantly (on the order of 36% in one large metropolitan multi-hospital system and 60% in a rural hospital with remote clinics).

2. Telling employees that they are being monitored is not sufficient. Staff training (and re-training when new employees are hired) is also required to achieve desired results, as are consistent and appropriate sanctions. The company notes that they observed spikes in privacy breaches whenever new staff was hired, suggesting to me that entities need to do (and probably could do) a better job of initial training of new hires before they get access to patient information, including informing them that they will be monitored and informing them of possible dire consequences to their employment should they violate privacy policies.

3. A high-profile patient privacy breach that escalates into a Compliance Review and into a three year Resolution Agreement can cost between $8 and $17 million. The breakdown of costs they provide and the rationale could be useful for IT personnel who are pulling their hair out trying to get their employer to invest more in security and monitoring. Although I’m not qualified to evaluate whether their estimates are likely to be overestimates or not, I noted that the least of the costs — by a long shot — is notifying patients and offering them credit protection.

Another stalking/comm-tapping tool. Direct Messages are for “Private” communications – but they did nothing to ensure Privacy.

Latest Twitter concern: apps accessing DMs

September 16, 2010 by Dissent

A blog entry by Mike Chapman on devblog by oneforty is causing quite a stir on Twitter. Mike writes that

Currently Twitter application developers are given 2 choices when registering their apps – they can either request “read-only access” or “read & write” access. For Twitter “read & write” means being able to do anything through the API on a user’s behalf. These coarse-grained levels push most apps to choose “read & write”, in case they want to tweet on the user’s behalf, or make it simple to follow a Twitter account. Anecdotally, of the 130 apps & Twitter-integrated websites I’ve approved 91% have full read & write access to my Twitter account, with the other 9% having read-only access.

Of particular concern to many, he also writes:

In reality any app you have granted access can read all of your DMs. As an example, if you can get Michael Arrington (@arrington) to try your site and use Twitter OAuth you can now read all of his DMs. That might be tempting to an unethical few. And the challenge to Mr Arrington would be to even know that they were read without his permission. Twitter would have the logs of the API calls, but how would he know it happened? Or which app to revoke if he suspected it?

Read more on devblog by oneforty.

[About Direct Messages:

(Related) Other concerns.

Remember That DM on Twitter? So Do Your Apps

Spam and hackers. If you authorize full read-write access to a malicious app, or someone gets hold of your “token” that gives an app permission, they could send malicious links through your account, or even delete all your messages.

Pushy apps. This would include services that auto-publish to Twitter without asking you, or without making it obvious that they are going to do so, such as Twifficiency, which recently caused some backlash by auto-tweeting on a user’s account when they signed up for the service.

“Need to automatically create an alibi? There's an App for that!”

The “I was on MySpace” Alibi

September 16, 2010 by Dissent

From Bow Tie’s Law Blog:

In an unpublished criminal appeal over a jury instruction that the Defendant failed to explain or deny evidence, the Appellant-Defendant claimed as his alibi that he was playing poker on MySpace at the time of the crime.

The Prosecutor claimed the “MySpace Alibi” was implausible or bizarre. People v. Calderon, 2010 Cal. App. Unpub. LEXIS 7172, at *5-6 (Cal. App. 2d Dist. Sept. 9, 2010).

The Court of Appeals disagreed, finding the alibi was neither implausible nor bizarre. Calderon, at *6.


There is a courtroom drama waiting to erupt in a brutal cross-examination over whether someone was on Facebook on their iPhone or at home when the “Social Media” alibi is next offered.

Read more about the case and what might happen in the future when a social media alibi is offered on Bow Tie’s Law Blog.

I expect that some will use this to tell us how data retention and logs are our friends… [Guilty! Bob]

[From the article:

The MySpace records showed that someone was logged into the Appellant-Defendant’s account at the time of the crime. The Appellant-Defendant claimed he did not share his account information with anyone.

… Now for the big “however”: The Court of Appeals found there was no “reasonable probability that appellant would have received a more favorable verdict if the instruction had not been given.” Calderon, at *6.

… The second big “however”: The MySpace Alibi was not compelling. The Court noted that anyone could have logged into MySpace for the Defendant or he could have logged in from another location. Calderon, at *7.

“Dis is why dem lawyers learns dem big woids!”

Juror's imprudent iPhone search causes mistrial

… It seems that there was a case in Florida featuring a man in his 60s who allegedly shot a 19-year-old.

… the shooter was indicted for murder and convicted of manslaughter. However, one important conjecture--both at jury instructions and during closing argument--gravitated around whether the elder gentleman's actions were "prudent."

It seems that the jury foreperson was not entirely sure of prudence's definition. So he whipped out his iPhone and ascertained that prudence was all about acting as reasonably as the common person you see on a bus. I paraphrase.

I should note that the foreperson didn't perform his search in the jury room. Rather, he tried to remember the definition and then shared it with many of his fellow jurors.

The court at the time found that, though his donning a Zuckerbergian cloak and sharing compounded his misconduct, it wasn't enough to warrant a mistrial.

There is one painful snag with this story. Dictionaries are not allowed in jury rooms.

So the Court of Appeal of Florida felt it had no choice but to disagree with the trial court and order new proceedings in the case. The Court of Appeal declared: "We cannot say that the intrusion of the definition of "prudent" into the jury deliberations did not affect the jury verdict."

Perhaps this is why so many Universities are offering some type of “Gaming” degree...

Halo: Reach Makes More Money on Day 1 Than Any Movie, Ever
