Friday, April 01, 2011

A breach is a breach. Why should porn actors be treated any differently? Does their business model really lower the security of health records? Are they the only industry that shares medical test results?

AHF: Breach of Porn Actors’ Data Reveals Failure of AIM Clinic Testing Model

By Dissent, March 31, 2011

The following is a press release from AHF:

After over 12,000 current and former adult film performers who tested for HIV and other STDs at the Adult Industry Medical Healthcare Foundation’s (AIM) HIV Testing Clinic in Sherman Oaks had their privacy breached when their personal data collected from AIM was published illegally on a Wiki-leaks type website earlier this month, the AIDS Healthcare Foundation (AHF), which has separately been spearheading a workplace safety campaign to require the use of condoms in porn, harshly condemned the release of such personal patient data, yet also noted that the privacy breach underscores the vulnerability of AIM’s entire clinic business model. The industry-funded clinic serves 1,500 to 2,000 active adult film performers each year; however, over the past year it has faced mounting trouble. According to the LA Times (3/30/11), “The AIM clinic opened in 1998 but was shut down in December by Los Angeles County public health officials two days after state health officials denied its application to operate as a community clinic based on what regulators called “business-related issues.” The clinic was sold and allowed to reopen last month as AIM Medical Associates P.C., part of a doctor’s office regulated by the Medical Board of California, according to state officials.”

“Despite our differences with AIM and segments of the industry over condom use, we are indeed saddened by the news of this privacy breach of personal information of over 12,000 current and former AIM patients,” said Michael Weinstein, President of AIDS Healthcare Foundation. “However, this breach should not come as a surprise to any care provider who dutifully manages and cares for populations of patients. The entire business model of the AIM clinic has been flawed from the start, and as a result, its patients’ privacy has been violated. Performers—not producers—should be the ones to have password-protected access to their own testing results and health data from the AIM Testing Clinic. Performers should also be the ones who choose to share that information with producers they intend to work for. As it stands, AIM views the producers as their clients, not the performers walking through its doors each day to get tested.”

While AIM charges each patient (and potential adult film performer) for HIV and other testing (something that is illegal under California law), they also require patients to sign overly broad patient release forms allowing industry producers to view the test results and health data. Producers in turn pay a regular monthly subscription fee for unlimited access to AIM’s entire database of test results for current and previous performers.

It is unclear where or how the privacy breach occurred—from inside AIM, or from a subscriber to AIM’s testing results database.

AIDS Healthcare Foundation (AHF) is the largest global AIDS organization. AHF currently provides medical care and/or services to more than 156,000 individuals in 26 countries worldwide in the US, Africa, Latin America/Caribbean and the Asia Pacific Region.

A statement on AIM’s web site – dated today – says:

AIM Medical Associates, P.C. is investigating the possibility of a criminal breach of the medical record database. Substantial amounts of information posted on the site in question could not come from the AIM* database because we do not possess that information. Specifically, home addresses and identification documents are not within the AIM* database. Other testing businesses may or may not have such information on their databases.

AIM is utilizing every available resource to conduct a thorough forensic investigation to confirm if a breach of security occurred here. If such a breach occurred, we shall take all available steps to see that the felonious behavior is criminally prosecuted to the maximum extent under the law. Accessing a database for improper purposes, violating medical privacy and extortion are all crimes in California. There is preliminary information indicating that criminal behavior by persons or entities may have occurred.

In any case, the malicious nature of the site cannot be overstated. It is reprehensible that the site characterizes all adult actresses as “whores,” and refers to some women as “baby killers.” It is gratifying that the website has been largely unavailable at least over the past few days. We hope the hosting company removes this scurrilous site altogether.

Apparently, there was no procedure in place to check the data before release.

WA: Wenatchee Valley College notifies former students of data breach

March 31, 2011 by admin

Rachel Schleif reports on another breach that occurred in the context of responding to a public records request:

Wenatchee Valley College accidentally released Social Security numbers of students who attended classes there 10 years ago.

The college sent letters of apology to more than 3,800 former students Monday, and urged them to place fraud alerts on their credit files as a precautionary step.

The mistake happened as the college responded to a public records request from a local law firm asking for 10 years of financial records.

Until fall 2002, the college’s record system tracked students by their Social Security numbers instead of student identification numbers.

In December, the college sent 84,000 pages of data in the response to the request and inadvertently included the Social Security numbers. A student analyzing the data found the numbers and alerted the college on March 24, said Fiscal Services Director Jonah Nicholas.

Nicholas said it’s hard to say how many of those 3,800 former students were included in the records release, [“We have no idea what we did...” Bob] but he sent letters to students who attended WVC before 2002, just in case.

The student, Brent Magarrell, said the records also included legal names of students since 2000, along with their corresponding student identification numbers. With an identification number and a birthday, one could hack into students’ college email, registration and financial records, he said.

Magarrell said he filed a complaint about the security breach with the federal Department of Education for a violation of the Family Educational Rights and Privacy Act.

Source: Wenatchee World.

Well, Magarrell may be a cockeyed optimist, as the U.S. Education Department generally does nothing in response to breaches. Oh, maybe they’d say they do something, but when you consider how many breaches there have been by FERPA-covered entities and ask yourself, “Has USED ever once cut off funding or done anything significant to a breached entity?” the answer is “no.”

At least in this case, the risk of the data being misused does seem really low. But even so….
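The lead-in comment on this item is that nothing checked the 84,000 pages before they went out. As an added example (not from the article, the college, or Wenatchee World), here is the kind of pre-release scan a records office could run over an export: it flags SSN-shaped values, discards ones the SSA never issues (area 000, 666 or 900 and up, group 00, serial 0000) so that nine-digit student numbers like 000123456 are not false positives, and reports only the last four digits. The sample export is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches 123-45-6789, 123 45 6789 or 123456789. The lookarounds keep the
# match from landing inside longer digit runs (phone numbers, account numbers).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked: str    # the report itself must not leak the number: keep last four only
    context: str


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area 000, 666 and 900-999 are never
    issued (987-65-4320..4329 sit in the reserved 900+ range), group 00 and
    serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str) -> List[Finding]:
    """Return every plausible SSN in a text export, one Finding per hit."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                findings.append(Finding(n, f"***-**-{serial}", line.strip()[:60]))
    return findings


def release_is_clean(text: str) -> bool:
    """Gate for the records request: True only when no plausible SSN is present."""
    return not scan_text(text)


# Constructed sample of a pre-2002 financial-records export; the first data row
# uses the student number as the key, the second still carries an SSN.
SAMPLE = """\
student_id,name,term,amount
000123456,Doe Jane,FALL2001,450.00
123-45-6789,Roe Richard,SPR2001,1200.50
987-65-4329,Poe Edgar,FALL2000,300.00
phone 555-123-4567 on file
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.masked}  <- {f.context}")
    print("clean to release:", release_is_clean(SAMPLE))
```

Only the row with 123-45-6789 is reported; the 000-prefixed student number, the reserved 987-65-4329 and the phone number are not.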

Another resource for Breach data is improved...

When it comes to compiling breaches, more is better

March 31, 2011 by admin

As announced by the good folks at today, I’ve agreed to work with them in terms of maintaining and developing their database. and will continue as they always have, but expect to see more breaches show up in DataLossDB in a timely fashion and expect to see more backfilling over time and more primary sources that I will be requesting under FOIA. We have some big plans, so do stay tuned.

Their announcement:

The Open Security Foundation is pleased to announce that Dissent, the publisher and maintainer of and has now joined DataLossDB as a curator for the project.

OSF has worked with Dissent over the years and she is already known to us as a DataLoss Archaeologist, as she took third place in our “Oldest Incident” contest. She found the 1984 TRW incident, where computer hackers gained access to a system holding credit histories of some 90 million people, which happens to be the 3rd largest breach of all time in DataLossDB. Her more active involvement with the project on a day-to-day basis will help us remain the most complete archive of dataloss incidents world-wide and will enhance our ability to keep current on more breaches in a timely manner. Dissent will continue to maintain her own web sites as a resource on breach news and issues.

For those who do not know Dissent, she’s a practicing health care professional with a special concern for health care sector breaches, and we expect to see increased coverage of medical sector breaches in the database in months to come. As Dissent notes, “With recent changes to federal laws making more information available to us about health care sector breaches, we are now beginning to get some sense of how common these breaches are and the common breach types. Including these incidents in the database will enable analyses that would not have been possible or meaningful just a few years ago.”

Open Security Foundation’s CEO, Jake Kouns, says, “Dissent has been a supporter of DataLossDB from the very beginning and is an extremely dedicated and thorough researcher. We are extremely fortunate to have her as part of the DataLossDB team and look forward to working more closely with her.”

Welcome Dissent, our newest curator and resident research queen!

Note that Jake was being diplomatic/professional. Personally, I would have preferred the title of “resident research bitch,” which is reminiscent of how my grad students fondly nicknamed me “Stat Bitch” back in my days as an academic teaching research design and statistical analysis.

Well, I think it was fondly, anyway…

The electronic version of “Playing Doctor?”

The Sext Wars: Consent, Secrecy, and Privacy

April 1, 2011 by Dissent

Mary Anne Franks writes:

The sexting phenomenon reveals much about contemporary social attitudes towards sexual expression, consent, and privacy, especially with regard to minors. One of the most troubling aspects of the debate over what can and should be done about “sexting-gone-bad” scenarios is the tendency to treat the parties involved as more or less moral and legal equivalents. A typical “sexting-gone-bad” scenario is one in which a young person takes an intimate cellphone photograph of him- or herself, forwards it to an actual or potential romantic interest, and discovers that this photograph has been forwarded to many other individuals, including strangers, classmates, and family members. There are at least four distinct categories of individuals involved in such a scenario: the creator of the image, the intended recipient, the distributor, and the unintended recipient. The second and third categories are sometimes the same person, but not always, and the number of individuals in the fourth category is potentially enormous. The legal response in many of the first sexting cases was to bring child pornography charges (creation, distribution, or possession) against all the individuals involved; the social response has likewise treated the various players as roughly morally equivalent. In some sexting cases, the distributors of the images have not been charged at all, whereas the creators have been. The view that the creators of sexual cellphone images are as bad as or worse than the distributors of those images combines many troubling social attitudes about sexual expression and privacy.

Read more on Concurring Opinions.

Hey, it's a way to catch stupid people...

Ninth Circuit Decides Cotterman Case, Reversing District Court on Laptop Seizure at the Border

March 31, 2011 by Dissent

Orin Kerr writes:

Back in 2009, I blogged about United States v. Cotterman, a fascinating Fourth Amendment case from the District of Arizona involving a forensic search of a computer seized at the U.S./Mexico border. Ninth Circuit precedent holds that the government can search a computer at the border with no suspicion under the border search exception, just like it can search any other property. The question in Cotterman was whether the government could seize the computer, bring it to a forensic specialist 170 miles away, and have the forensic specialist search the computer there two days later. Is that still a border search? Or does the delay in time, or the change in location, mean that the border search exception doesn’t apply (or applies differently)? The District Court held that the delay in time and the moving of the computer required applying the ‘extended’ border search doctrine, which requires reasonable suspicion, instead of the traditional border search exception, which does not. As I noted here, the Government appealed but has not argued that the search was justified by reasonable suspicion. As a result, the case presents a pure legal question: Does the Fourth Amendment require reasonable suspicion in these circumstances, or is the seizure and subsequent search permitted without any cause?

In a decision released this morning, United States v. Cotterman, a divided Ninth Circuit reversed and held that the seizure and search were permitted without cause.

Read more on The Volokh Conspiracy.

“We can, but Trust US, we won't.” I wonder which 3-letter agencies already use this?

Google rebukes CNN over facial recognition story (updated with CNN’s response)

March 31, 2011 by Dissent

Yesterday it was a report about Samsung causing a privacy scare. Today it’s a story about Google.

While I was working, it seems that CNN published a story claiming that Google was developing an application that would do facial recognition and provide corresponding contact information. The CNN story, by Mark Milian, quoted Google’s Hartmut Neven, engineering director for image-recognition development for Google for some of its statements.

Google reacted strongly. In a statement to Android Community, they wrote:

We are NOT “introducing a mobile application” (as the CNN piece claims) and as we’ve said for over a year, we would NOT add face recognition to any app like Goggles unless there was a strong privacy model in place. A number of items “reported” in the story, such as a potential app connecting phone numbers, email addresses and other information with a person’s face, are purely speculative and are inventions of the reporter.

CNN does not seem to have updated its story to reflect Google’s response.

So let’s see: if I just work longer hours each day, can I miss having to post a story and then its refutation or correction?

Update: Greg Sterling of Search Engine Land provides the next round:

Here’s where it gets strange and interesting. I just got a statement from CNN saying that Google was full of it:

Google’s claims do not fit the facts of the situation. This interview was prearranged – on the record – and staffed by a Google PR rep, who raised no objections at the time and did not deny what the engineer said. Additionally, we have an audio recording of the interview, as does Google. We stand firmly behind Mark’s reporting.

Recorded interview. On the record. Google PR person in the room.

Clearly the technology exists; Google’s not denying that. The question is whether the app or update to Goggles is about to be released.

He said/she said: where’s the truth? I guess we’ll find out if Google does release such a capability in the near future.

h/t, @PrivacyMemes

(Related) Another trivial application of technology...

“Creepy,” a New Locator App, Is Creepy

March 31, 2011 by Dissent

Nick Greene writes:

26-year-old Yiannis Kakavas has invented Creepy, an application that he describes as a “geolocation information aggregator,” reports. What that means: Type someone’s Flickr or Twitter account into Creepy, and it will cultivate all the information available from the user’s photos or tweets and draw a map of their locations at the time of posting. If you feel that this is an invasion of privacy, keep in mind that all the information used is already public. Scary, huh?

Read more on Village Voice.

One of the risks of over-reliance on Cloud Computing... I'll bet the contract they signed makes them responsible for backups.

'Zodiac Island' Makers Say ISP Worker Wiped an Entire Season

"The creators of 'Zodiac Island' say they lost an entire season of their syndicated children's television show after a former employee at their Internet service provider wiped out more than 300GB of video files. eR1 World Network, the show's creator, is suing the ISP, CyberLynk of Franklin, Wisconsin, and its former employee, Michael Jewson, for damages, saying CyberLynk should have done a better job of protecting its data."

(Related) I'm a day late, but it is still worth mentioning...

It's World Backup Day

"Today is World Backup Day, an occasion to back up your personal data and financial information and check your restores. For those needing motivation — a group that apparently includes 15 percent of data centers — the Slashdot archives bear witness to data disasters at providers small (Ma.gnolia) and large (Microsoft). The World Backup Day initiative grew out of a thread at Reddit, and invites online backup services to observe the occasion by offering discounts."

Legal extortion?

How Mass BitTorrent Lawsuits Turn Low-Budget Movies Into Big Bucks

On March 7, Camelot Distribution Group, an obscure film company in Los Angeles, unveiled its latest and potentially most profitable release: a federal lawsuit against BitTorrent users who allegedly downloaded the company’s 2010 B-movie revenge flick Nude Nuns With Big Guns between January and March of this year. The single lawsuit targets 5,865 downloaders, making it theoretically worth as much as $879,750,000 — more money than the U.S. box-office gross for Avatar.

At the moment, the targets of the litigation are unknown, even to Camelot. The mass lawsuit lists the internet IP addresses of the downloaders (.pdf), and asks a federal judge to order ISPs around the country to dig into their records for each customer’s name.

Sounds very much like my RSS feed reader. If they send the user to the originating site, how does this hurt the publishers?

Publishing Heavyweights Target iPad Media App ‘Zite’

An unusually large group of media companies (including Advance Publications, the parent company of the company that publishes Wired) have issued a strongly-worded legal warning to Zite, a relatively new iPad media app which aggregates news stories based on your Twitter and Google Reader activity.

… Zite calls itself a magazine, but is more of an enhanced news reader, very much in the mold of Pulse and Flipboard. Zite doesn’t provide original content but rather leverages the link economy to display the content behind URLs in eye-pleasing ways reminiscent of newspapers and, yes, print magazines. It excerpts the first few dozen words of each story and displays a thumbnail picture (if any). The reader can click on a story and see either a faithfully-produced webpage on the app’s internal browser, ads and all — or an undesigned text-only distillation, a la Instapaper and Read It Later.

For my “Global Security” students and our continuing debate “are low level terrorists stupid or ignorant”

Convicted Terrorist Relied On Single-Letter Cipher

"The Register reports that the majority of the communications between convicted terrorist Rajib Karim and Bangladeshi Islamic activists were encrypted with a system which used Excel transposition tables which they invented themselves. It used a single-letter substitution cipher invented by the ancient Greeks that had been used and described by Julius Caesar in 55BC. Despite urging by the Yemen-based al Qaida leader Anwar al-Awlaki, Karim rejected the use of a sophisticated code program called 'Mujhaddin Secrets' which implements all the AES candidate cyphers, 'because "kaffirs," or non-believers, know about it so it must be less secure.'"

Nothing unusual in a politician misspeaking. The downside would be a search for “John Kerry” that returned “No Results.” (or worse?)

Kerry: I misspoke regarding Google privacy commitment

March 31, 2011 by Dissent

Mark Arsenault reports:

US Senator John Kerry misspoke yesterday in saying that the Internet giant Google was on-board with the senator’s efforts to craft an Internet privacy bill, his office said this morning.

The Massachusetts Democrat has discussed the bill with Google officials but those talks are still ongoing, according to Kerry’s office.


(Related) Some politicians have never heard of the Streisand Effect. Actually, this suggests that the Congressman does not have other sources of income – probably proving that he is new rather than honest...

Congressman Wants YouTube Video Covered Up

"Wisconsin Republicans claim that no one else can republish a video of United States Representative Sean Duffy (R-WI) complaining about how he is 'struggling' to get by on his $174,000 salary without their permission, even though they originally released the video on YouTube for the whole world to see. Now the GOP is trying to take legal action to stop anyone else from republishing the video. The tape caused a stir for Duffy, a first-term conservative best known for his past as a reality TV show star on MTV's The Real World after Democrats flagged the comments about his taxpayer-funded salary, which is nearly three times the median income in Wisconsin, and criticisms began to flow Duffy's way. Here's a one-minute clip, excerpted from roughly 45 minutes of video of the public Duffy townhall, that the Polk County GOP doesn't want anyone to see."

April First means.... (
