Wednesday, April 13, 2011

Again, a small breach but illustrative for my Introduction to Computer Security students. There is no mention of encryption (which would mean there was no possibility of a breach) so it is safe to assume they didn't bother...

http://www.databreaches.net/?p=17725

OK State Dept. of Health: Stolen laptop contained personal and medical information on 133,000

April 12, 2011 by admin

A press release from the Oklahoma State Department of Health, issued today:

The Oklahoma State Department of Health (OSDH) is notifying nearly 133,000 individuals that their names and some personal information may have been contained on an agency laptop computer that was stolen from an OSDH employee’s car last week.

A database related to the Oklahoma Birth Defects Registry was on the computer. The Oklahoma Birth Defects Registry provides statewide surveillance of birth defects to reduce the prevalence of birth defects through prevention education, monitoring trends and analyzing data. The laptop was used to record data from hospital medical records. An additional 50 paper files containing abstracted medical information were also taken in the theft.

“We are mindful that Oklahoma’s citizens trust the OSDH to do all it can to protect the personal data [except take common actions like encrypting data? Bob] we acquire as part of our disease prevention services,” said State Health Commissioner Dr. Terry Cline. “We offer our apologies to those who may be affected.”

The OSDH sent letters to affected persons and posted information on the OSDH website about the theft and potential data loss. The OSDH is cautioning those whose data might be compromised to contact credit reporting agencies and take other steps to protect their personal information. The OSDH will also make available identity protection services.

“We are reviewing our administrative policies to strengthen safeguards to better protect the confidentiality of the data we collect. [“Now that we've screwed up, maybe we should look at some of those Computer Security fundamentals.” Bob] We recognize our obligation to make any changes that will ensure a similar incident cannot happen again,” Cline said.

A copy of the notification letter and an FAQ on the breach were posted to the state’s web site as well. The notification letter informs people that the laptop was stolen in Yukon on April 6. The letter also notes:

Information may include names for you and your child, any previous full name for your child, birthdates, mailing address, Social Security numbers, medical record information, laboratory and/or test results, or Tribal membership for your child.

Great thanks to Bart Porter of Redemtech for alerting me to this incident.

[From the FAQ:

The laptop was used to record data from hospital medical records. [Another case of bad reporting? Why wouldn't the state require the hospitals to record the data and transfer it to a secure state server? More likely, the laptop had a copy of the data from the server. Bob]

[From the Notification Letter:

OSDH took immediate steps to further protect any personal information by filing a police report, launching an internal investigation and working with the police investigation. [Note that none of these actions actually protect data. Perhaps they don't know how to protect data? Bob]



This is sure to stir debate. Government is exempt (We don't need no stinking rules!), corporations are granted permission and citizens aren't protected. Other than that, no problem...

http://www.pogowasright.org/?p=22348

Senators Kerry, McCain introduce “Commercial Privacy Bill of Rights Act of 2011”

April 12, 2011 by Dissent

A bill that’s generated a lot of buzz has been introduced today by Senators Kerry and McCain.

The text is online on Senator Kerry’s web site.

A summary of the bill is also available on his web site.

I haven’t had a chance to read either yet, but hope to do so tonight after work. Expect to see a lot of news articles and commentaries on this one.


(Related)

http://www.pogowasright.org/?p=22360

Nice try, but no cigar yet? Reactions to “Commercial Privacy Bill of Rights Act of 2011”

April 12, 2011 by Dissent

Preliminary responses to the Kerry-McCain commercial privacy bill are in, and as I expected, most privacy groups are not endorsing it as proposed.

I still haven’t had a chance to actually read it yet, but Jacqui Cheng of Ars Technica reports:

Not everyone is cheering, though. A coalition of consumer groups—including Consumer Watchdog, Center for Digital Democracy, Consumer Action, Privacy Rights Clearinghouse, and Privacy Times—said that while they welcome the effort, they cannot yet get behind it. The groups reiterate the need for “Do Not Track” legislation and enforcement, saying the bill relies too much on the “notice and choice” model that already exists at most companies. They also criticize the bill for giving “special interest treatment to Facebook and other social media marketers” by allowing them to continue gathering data without real safeguards, and they especially don’t like that the Department of Commerce—meant to promote the interests of companies, not individuals—has some say in developing the privacy policies.

“Title VII of the act, which appears to usurp the FTC’s traditional lead role in protecting privacy and turn much of its responsibility over to the Commerce Department, is troubling. It is important to note that the Commerce Department—as it should—primarily seeks to promote the interests of business. It is not, nor should it be expected to be, the primary protector of consumers’ interests. Commerce, therefore, must not have the lead role in online privacy. That is a role best left to a new independent Privacy Protection Office and the Federal Trade Commission,” the groups wrote in a letter to the two senators.

“Protecting consumers’ privacy rights should transcend politics and we thank you for exercising leadership and seeking to deal with this challenge in a bipartisan way. But we must also express our concern that your Commercial Privacy Bill of Rights Act needs to be significantly strengthened if it is to effectively protect consumer privacy rights in today’s digital marketplace.”

Not surprisingly to me, the Center for Democracy & Technology is not on the listed organizations who have not gotten behind the bill. In a series of tweets last month, I disagreed with CDT over any “baseline” bill which they tried to argue was really “comprehensive.” Some of this is tactical, no doubt. But I do not feel disposed to settle for a weak or even bad bill just because maybe it’s all we can get at this time.

So I will go through the bill when time permits and offer my own comments. I realize that I am somewhat of an extremist compared to most folks. That’s fine. I can live with that. What I can’t live with is everyone pretending bad bills are good bills or that they’re serious about putting individuals’ privacy rights over corporate profits and greed. I do not think that we need to continue to kowtow to corporations making billions of dollars in profits each year – including health insurers. That’s bullshit. It’s time to REALLY take back our privacy.


(Related) Just keeping the status quo? See the next article...

http://www.pogowasright.org/?p=22372

Privacy ‘bill of rights’ exempts government agencies

April 13, 2011 by Dissent

Declan McCullagh reports:

Two U.S. senators introduced sweeping privacy legislation today that they promise will “establish a framework to protect the personal information of all Americans.”

There is, however, one feature of the bill sponsored by senators John Kerry (D-Mass.) and John McCain (R-Ariz.) that has gone relatively unnoticed: it doesn’t apply to data mining, surveillance, or any other forms of activities that governments use to collect and collate Americans’ personal information.

At a press conference in Washington, D.C., McCain said the privacy bill of rights will protect the “fundamental right of American citizens, that is the right to privacy.” And the first sentence of the legislation proclaims that “personal privacy is worthy of protection through appropriate legislation.”

But the measure applies only to companies and some nonprofit groups, not to the federal, state, and local police agencies that have adopted high-tech surveillance technologies including cell phone tracking, GPS bugs, and requests to Internet companies for users’ personal information–in many cases without obtaining a search warrant from a judge.

Read more on cnet.

Good for Declan for headlining this exemption! How can anyone consider this a “comprehensive” privacy bill when it exempts government?


(Related)

http://www.techworld.com.au/article/382991/us_police_increasingly_peeping_e-mail_instant_messages/

US police increasingly peeping at e-mail, instant messages

Police and other agencies have "enthusiastically embraced" asking for e-mail, instant messages and mobile-phone location data, but there's no U.S. federal law that requires the reporting of requests for stored communications data, wrote Christopher Soghoian, a doctoral candidate at the School of Informatics and Computing at Indiana University, in a newly published paper.

… "As such, this surveillance largely occurs off the books, with no way for Congress or the general public to know the true scale of such activities."

… In 2009, Facebook told the news magazine Newsweek that it received 10 to 20 requests from police per day. Sprint received so many requests from law enforcement for mobile-phone location information that it overwhelmed its 110-person electronic surveillance team. It then set up a Web interface to give police direct access to users' location data, which was used more than 8 million times in one year, Soghoian wrote, citing a U.S. Court of Appeals judge.



This is interesting in a “it's not what you say, it's what you do” kind of way... If your Privacy Policy (what you say) says you protect user data, but your software (what you do) is designed to share that data with others, which would prevail in a lawsuit?

http://www.pogowasright.org/?p=22383

Website Design as Contract

April 13, 2011 by Dissent

Woodrow Hartzog writes:

Few website users actually read or rely upon terms of use or privacy policies. Yet users regularly take advantage of and rely upon website design features like privacy settings. Could these designs be part of the contract between websites and users? A draft of my new article argues just that by developing a theory of website design as contract. This article is coming out in Volume 60 of the American University Law Review later this year. In sum, I argue that in an age where website interactivity is the hallmark for many sites, courts must re-think what constitutes an online agreement. This is particularly true with respect to user privacy.

Read more on CIS.



Does this mean the government isn't covered by the Fourth Amendment either?

http://www.pogowasright.org/?p=22374

Court denies preliminary injunction against new TSA screening procedures

April 13, 2011 by Dissent

Via FourthAmendment.com, word that the Southern District of Florida has denied a preliminary injunction against the new TSA screening procedures. The court found that the plaintiff was unlikely to succeed on the merits of his Fourth Amendment claim. The case is Corbett v. United States, 2011 U.S. Dist. LEXIS 38531 (S.D. Fla. March 1, 2011).

See FourthAmendment.com for an excerpt from the decision.



...so there isn't a regulation that covers the TSA when they put on the rubber gloves and ask you to bend over?

http://www.pogowasright.org/?p=22362

Article: Disentangling Administrative Searches

April 12, 2011 by Dissent

Columbia Law Review (2011, vol. 111, pp. 254-312): “Disentangling Administrative Searches,” by Eve Brensike Primus

Abstract:

Everyone who has been screened at an international border, scanned by an airport metal detector, or drug tested for public employment has been subjected to an administrative search. Since September 11th, the government has increasingly invoked the administrative search exception to justify more checkpoints, unprecedented subway searches, and extensive wiretaps. As science and technology advance, the frequency and scope of administrative searches will only expand. Formulating the boundaries and requirements of administrative search doctrine is therefore a matter of great importance. Yet the rules governing administrative searches are notoriously unclear. This Article seeks to refocus attention on administrative searches and contends that much of the current mischief in administrative search law can be traced to the Supreme Court’s conflation of two distinct types of searches within one doctrinal exception—namely “dragnet searches” of every person, place, or thing in a given area or involved in a particular activity and “special subpopulation searches” of individuals deemed to have reduced expectations of privacy. Dragnets came first, and special subpopulation searches came later. As the category of administrative searches tried to accommodate both kinds of searches, it gradually lost the ability to impose meaningful limitations on either one. To bring clarity and sense to this area of the law, this Article proposes that we disentangle these two kinds of administrative searches.

Full article on Columbia Review site (pdf).



Just because a Cloud service says your data is secure doesn't mean you should believe them. Your data isn't protected by “encryption” when the service provider holds the keys...

http://www.pogowasright.org/?p=22352

Researcher uncovers serious privacy and security concerns with Dropbox

April 12, 2011 by Dissent

Last week, I read some commentary about Dropbox by Derek Newton that left me thinking that what he was raising as a security issue was not necessarily a huge deal. So today, when I saw more references to Dropbox, I thought it was just continued discussion of his commentary. Thankfully, Chris Soghoian tweeted, “How Dropbox sacrifices user privacy for cost savings. New privacy flaw, not related to Kevin Newton’s recent disclosure. ”

I just read Chris’s commentary, and for now, all I can say is, if you’re using Dropbox, do yourself a favor and read his analysis immediately.

[From the article:

Last year, the New York Attorney General announced that Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or leaked US government diplomatic cables.
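The privacy cost of provider-held keys is easy to see in code. The script below is an added illustration, not code from the original post, from Dropbox, or from Chris Soghoian's analysis. It models the two designs the item contrasts: a provider that sees plaintext (or holds the decryption keys) can hash every upload, match it against a hash database, and store one copy for every user who uploads the same file; a client that encrypts under a key the provider never sees defeats both the matching and the cross-user de-duplication, which is exactly the cost saving being traded against privacy. The hash database, the sample files and the user keys are constructed for the example; the keystream construction (HMAC-SHA256 in counter mode) is an illustrative stand-in for a reviewed cipher, not a recommendation.

```python
import hashlib
import hmac
import secrets

# Constructed sample "files" standing in for user uploads (not real data).
FLAGGED_FILE = b"constructed sample: contents of a file on a hash blocklist"
PRIVATE_FILE = b"constructed sample: a user's private document"

# Constructed hash database, in the spirit of the AG-supplied list in the
# article: the provider only needs the hash of an upload to match against it.
HASH_DB = {hashlib.sha256(FLAGGED_FILE).hexdigest()}


def content_hash(data: bytes) -> str:
    """SHA-256 of the bytes the storage provider actually receives."""
    return hashlib.sha256(data).hexdigest()


def provider_side_check(received: bytes) -> bool:
    """What a provider that can read the upload (plaintext, or ciphertext it
    holds the key for) can do: hash it and look it up in the database."""
    return content_hash(received) in HASH_DB


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 used as a PRF in counter mode.
    Assumption: illustrative construction only; a real client would use a
    vetted AEAD such as AES-GCM from a maintained library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(user_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt on the client under a key the provider never sees.
    A fresh random nonce makes the same plaintext encrypt differently on
    every upload, so the provider has nothing deterministic to hash."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(user_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def client_decrypt(user_key: bytes, blob: bytes) -> bytes:
    """Inverse of client_encrypt; only the key holder can do this."""
    nonce, ct = blob[:16], blob[16:]
    stream = _keystream(user_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def demo() -> dict:
    """Compare what the provider learns under the two designs."""
    alice_key = secrets.token_bytes(32)  # constructed per-user keys
    bob_key = secrets.token_bytes(32)

    # Design 1: the provider sees plaintext. Alice's and Bob's copies of the
    # same file hash identically, so they can be de-duplicated and matched.
    alice_visible, bob_visible = FLAGGED_FILE, FLAGGED_FILE
    visible_dedup = content_hash(alice_visible) == content_hash(bob_visible)
    visible_match = provider_side_check(alice_visible)

    # Design 2: each user encrypts under their own key before upload.
    alice_blob = client_encrypt(alice_key, FLAGGED_FILE)
    bob_blob = client_encrypt(bob_key, FLAGGED_FILE)
    alice_again = client_encrypt(alice_key, FLAGGED_FILE)
    encrypted_dedup = content_hash(alice_blob) == content_hash(bob_blob)
    same_user_dedup = content_hash(alice_blob) == content_hash(alice_again)
    encrypted_match = provider_side_check(alice_blob) or provider_side_check(bob_blob)
    round_trip = client_decrypt(alice_key, alice_blob) == FLAGGED_FILE

    return {
        "visible_dedup": visible_dedup,        # True: provider stores one copy
        "visible_match": visible_match,        # True: hash database hit
        "encrypted_dedup": encrypted_dedup,    # False: no cross-user dedup
        "same_user_dedup": same_user_dedup,    # False: not even per user
        "encrypted_match": encrypted_match,    # False: nothing to match
        "round_trip": round_trip,              # True: key holder still reads it
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `same_user_dedup` result is the part worth dwelling on: randomized client-side encryption removes the provider's ability to recognise even one user's repeated upload, which is why a provider that wants to de-duplicate storage ends up holding the keys, and why a hash database of the kind the article describes only works against that design.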


(Related) Does anyone get it right?

http://www.digitaltrends.com/computing/the-5-best-cloud-storage-services-compared/

The 5 best cloud storage services compared



Now here's a scary idea... Not sure I can tell exactly how this will happen from the article.

http://www.techworld.com.au/article/383125/facebook_biggest_bank_by_2015/?fp=2&fpid=1

Facebook to be 'biggest bank' by 2015

The explosion of social networking commerce will lead to the unlikely candidate of Facebook becoming the world’s biggest bank by the middle of the decade, according to a technology observer and entrepreneur.

People who don’t have a Facebook account should get one or risk having a financial profile created for them, says founder and president of Metal International, Ken Rutkowski.

… “Facebook has 680 million users and that’s massive,” he said. “Who doesn’t have a Facebook profile? Let me tell you why it’s important why you do.”

“Facebook will be the largest bank by 2015. I hear you say ‘how can they be a bank’ what’s going on?”

According to Rutkowski, Facebook credits allow people to play games and Facebook is already doing deals with the banks for credit profiles.

“If you play games on Facebook, which, by the way 40 to 50 per cent of the time spent on Facebook is playing games, and those games – like Farmville and Mafia Wars – are paid for and you have to buy credits for that and they are called Facebook Credits.”

Rutkowski cited the company Zynga that created Farmville as being worth almost $12 billion now and it “didn’t even exist 18 months ago”.



This suggests a much smaller impact than I was expecting. Could Rupert Murdoch be right?

http://www.thetechherald.com/article.php/201115/7055/The-NYTimes-com-paywall-causes-traffic-to-drop

The NYTimes.com paywall causes traffic to drop

Hitwise, an online intelligence and marketing firm, looked at traffic to NYTimes.com 12 days before the paywall went live, and compared its collated figures to the traffic flow 12 days after.

“For the majority of the days, there was a decrease in the overall visits between 5% and 15%. The one exception was Saturday, April 9th, 2011 where there was a 7% increase, likely due to visitors seeking news around the potential government shutdown and ongoing budget discussions,” explained Heather Dougherty, director of research at Hitwise.

“The effect of the pay wall has been somewhat stronger upon the total page views for the NYTimes.com,” she added. “For all 12 days, there was a decline in total page views which ranged between 11% and 30%.”

… Some visitors were given a free subscription to the paywall, courtesy of a promotion from Lincoln, but that doesn’t seem to have helped. Moreover, the paywall is more like a low fence, considering it can be dodged easily enough after the visitor's 20 free views have been used. [Could it be that NYT readers are smart enough to bypass the paywall when they want the news? Bob]



For the Software Tool folder...

http://www.makeuseof.com/tag/free-cad-drawing-linux-windows-mac-librecad/

Free CAD Drawing For Linux, Windows & Mac Using LibreCAD

LibreCAD can be used for any 2D architectural drafting, engineering designs, mechanical parts drawing, construction, simulation, interior design, creative design work or other diagrams.

Files are saved as DXF format or can be exported to a number of picture formats, such as JPG or PNG.

http://www.librecad.org/




May have some value in the classroom...

http://www.makeuseof.com/dir/freedocumentarytv-free-full-length-documentary-films/

FreeDocumentaryTV: Watch free full-length documentary films

[For example:

The Secret History Of Hacking

Can You Hack It? – Hackers Wanted

www.freedocumentary.tv

