Saturday, February 26, 2011

Apparently, this was a more significant “First” than I thought.

HIPAA Bares Its Teeth: $4.3m Fine For Privacy Violation

The health care industry's toothless tiger finally bared its teeth, as the U.S. Department of Health and Human Services issued a $4.3m fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996.

The U.S. Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS's Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and failed to respond to requests from HHS's Office of Civil Rights for information related to the complaints.

For my students (and everyone else)

4 Online Resources To Prepare For Your Death & Digital Afterlife

… have you ever thought what happens to all your content when you die? Do your digital productions, no matter how large or small, represent a part of who you are? Is what you produce a part of the legacy you will leave behind after you’re gone?

To address these and other questions, writers Evan Carroll and John Romano have put together a website called The Digital Beyond, as well as another companion site for their book, Your Digital Afterlife.

Perhaps they read my Blog? Or at least listened to their users?

Facebook Pulls Plug on 'Breakup Notifier' App

Facebook crushed the hearts of 3.6 million Facebook "stalkers" on Wednesday, when it suddenly disabled the popular tracking app, Breakup Notifier.

Three days after the launch of the app, which notifies Facebook users when a chosen friend changes his or her relationship status, the social network on Wednesday sent a vague e-mail (obtained by TechCrunch) to app creator Dan Loewenherz, a 24-year-old programmer in Beverly Hills, telling him it had disabled the app.

On Thursday, Facebook sent Loewenherz a second e-mail clarifying (sort of) why it had disabled the app the day before:

"Thanks for your inquiry. We apologize for any inconvenience or confusion - provided Breakup Notifier respects user privacy settings, the general concept of the app is fine from a policy perspective because it surfaces information that is readily available to people through their News Feed. However, your app unfortunately received very strong negative feedback from users, which is why it was detected and disabled by our automated systems. We are currently looking into your situation and will be in touch with more information when we can provide it." (emphasis added)

For my Information Assurance students – a “Full Employment Act”

A Novel Data Security Law Proposed in Colorado

February 25, 2011 by admin

David Navetta discusses a proposed law in Colorado, HB 11-1225:

Regulation is achieved via the “carrot” or the “stick” (and sometimes both). This is true in the information security context as well. For example, to incentivize encryption of personal information, breach notice laws use a stick: those that fail to encrypt may have to provide notice to affected individuals in the event of a security breach. In the credit card breach context, a Washington state law provides banks with a stick (e.g. the right to seek fraud and reissuance expenses from breached merchants), but also provides those merchants with a shield to block that stick (e.g. validation of PCI compliance blocks a bank’s ability to recover). In HB 11-1225, Colorado state legislator, Dan Pabon, apparently wants to give the carrot a chance. In the process, I am told that part of the goal is to make Colorado the “Delaware” of data storage. Here is how it works.

Read more on InformationLawGroup.

[From the article:

Under HB 11-1225, if certain conditions are met (discussed below) a person or entity operating in Colorado that owns, licenses or maintains computerized data that includes “personal information” shall not be liable for civil damages resulting from a breach of data security due to its acts or omissions that are in good faith, and not grossly negligent or willful and wanton. So essentially, this would provide immunity from negligence claims. In order to receive this protection, two conditions must be satisfied:

(1) the breach must have been caused by an unauthorized third party, or an employee or agent acting outside the scope of his employment; and

(2) the person or entity must have been certified by a “qualified information technology auditor or assessor” as having used “best practices of data security and meeting information technology standards” established by an authorized state entity.


Facebook Proposes 'Data Use' Policy To Replace 'Privacy Policy'

Facebook on Friday acknowledged what privacy advocates have been saying for years: Privacy policies are too difficult to understand.

"Our own privacy policy has been criticized as being '5830 words of legalese' and 'longer than the U.S. constitution -- without the amendments,'" the company said in a blog post. "Okay, you're right. We agree that privacy policies can and should be more easily understood, and that inspired us to try something different."

… Toward that end, Facebook has re-imagined its privacy policy and presented the results for user comment.

… This isn't an official change however: Facebook's Privacy Policy continues to represent the company's official position.

… The company admits that it has "tried not to change the substance of the policy..."

And therein lies Facebook's problem: Neither its "Privacy Policy" nor its "Data Use Policy" includes an option for actual privacy, which is to say unidentified use.

"If you want to completely block applications from getting your information, you will need to turn off all Platform applications," the company explains. "This means that you will no longer be able to use any games, applications or Web sites." And even then, Facebook still knows who you are, unless you're violating the site's Terms of Service. Facebook requires that users submit accurate personal information.

Contrast this with a post by Alma Whitten, Google's director of privacy for products and engineering, on Friday describing how Google supports three modes of use: unidentified, pseudonymous and identified.

Facebook needs an anonymity policy.

For my Criminal Justice students. Maybe you do need to understand technology... I'm gonna write me one of those programs too! (Take “actual speed” minus “speed limit” and adjust “driving time” appropriately.)

Smart Phone Gets Driver Out of a Speeding Ticket

"Sahas Katta writes in Skattertech that a traffic cop pulled him over while driving home and gave him a speeding ticket but thanks to his Android, he ended up walking out of traffic court without having to pay a fine or adding a single point to his record. "I fortunately happened to have Google Tracks running when an officer cited me for speeding while heading back home from a friend's place," writes Katta. "The speed limit in the area was a mere 25 miles per hour and the cop's radar gun shockingly clocked me driving over 40 miles per hour." Once in court Katta asked the officer the last time he attended radar gun training, when the device was last calibrated, or the unit's model number — none of which the officer could answer. "I then presented my time stamped GPS data with details about my average moving speed and maximum speed during my short drive home. Both numbers were well within the posted speed limits," says Katta. "The judge took a moment and declared that I was not guilty, but he had an unusual statement that followed. To avoid any misinterpretations about his ruling, he chose to clarify his decision by citing the lack of evidence on the officer's part. He mentioned that he was not familiar enough with GPS technology to make a decision based on my evidence, but I can't help but imagine that it was an important factor.""

It's not a sale, it's a license. “Anything to squeeze more money out of this newfangled publishing thing...”

HarperCollins Wants Library EBooks to Self-Destruct After 26 Loans

"HarperCollins has decided to change their agreement with e-book distributor OverDrive [and other distributors, too]. They forced OverDrive, which is a main e-book distributor for libraries, to agree to terms so that HarperCollins e-books will only be licensed for checkout 26 times. Librarians have blown up over this, calling for a boycott of HarperCollins, breaking the DRM on e-books -- basically doing anything to let HarperCollins and other publishers know they consider this abuse."

Cory Doctorow, who wrote TFA, says:

"For the record, all of my HarperCollins ebooks are also available as DRM-free Creative Commons downloads. And as bad as HarperCollins' terms are, they're still better than Macmillan's, my US/Canadian publisher, who don't allow any library circulation of their ebook titles."

(Related) New tech, old argument. “Sure we have rock solid contracts with some (most?) of these services, but we need someone to blame for our incompetence.”

Music Execs Stressed Over Free Streaming

"At the Digital Music Forum East conference, held Thursday in New York, music industry watchers gathered to puzzle anew over the continuing decline in music sales. 'We have lost 20 million buyers in just five years,' said Russ Crupnick, a president at the analyst firm NPD Group who spoke at the conference. Moreover, only about 14 percent of buyers account for 56 percent of revenue for the recording industry. In years past, the blame was put on digital music piracy. At this year's conference, however, the focus was on free streaming Internet services, such as Pandora, MySpace, Spotify and even YouTube."

For the Techie Toolkit.

Eight Great Tools Windows Users Would Never Want To Miss

[One example:

Pandora Recovery

Pandora Recovery allows you to find and recover recoverable deleted files from NTFS and FAT-formatted volumes. Pandora Recovery will scan your hard drive and build an index of existing and deleted files and directories (folders) on any logical drive of your computer with supported file format.

Friday, February 25, 2011

Apparently, no one at Google (or any of the others who gather Behavioral data) bothers to consider the implications of gathering information that identifies their users.

Consumer Watchdog Asks House Privacy Caucus Chairmen to Seek Hearing After Google Gathers Children’s Social Security Data

February 24, 2011 by Dissent

Consumer Watchdog today asked Rep. Ed Markey, D-MA, and Rep. Joe Barton, R-TX, to seek hearings examining why Google gathered children’s social security numbers in entry forms for its “Doodle 4 Google” contest. The hearing should also investigate the Wi-Spy scandal.

In a letter to the Congressmen, who are co-chairmen of the Bipartisan House Privacy Caucus, the nonpartisan, nonprofit public interest group said, “The Doodle 4 Google incident is not a one-time event, but part of a consistent pattern of disregarding privacy rights.”

Read Consumer Watchdog’s letter here

Read the rest of their press release on PRNewswire.

“Sure we have policies, but that doesn't stop us from doing whatever we want.” (Or are they merely the tool of the government agencies that monitor cash transfers through PayPal?)

PayPal Freezes Support Account For Bradley Manning

"The online payment provider PayPal has frozen the account of Courage to Resist, which in collaboration with the Bradley Manning Support Network is currently raising funds in support of US Army Pfc. Bradley Manning. 'We've been in discussions with PayPal for weeks, and by their own admission there's no legal obligation for them to close down our account,' noted Loraine Reitman of the Bradley Manning Support Network (Support Network). 'This was an internal policy decision by PayPal. ... They said they would not unrestrict our account unless we authorized PayPal to withdraw funds from our organization's checking account by default. While there may be no legal obligation to provide services, there is an ethical obligation. By shutting out legitimate nonprofit activity, PayPal shows itself to be morally bankrupt.'"

The debate continues...

Md. AG: Requiring employees’ personal passwords is legal

February 24, 2011 by Dissent

Neal Augenstein reports:

Maryland Attorney General Douglas Gansler says requiring a prospective state employee to turn over his social networking user names and passwords as a condition of employment could be appropriate and legal, WTOP has learned.

A day after Maryland’s Department of Public Safety and Corrections suspended the practice, which it used to root out potential employees’ possible gang affiliations, Gansler says the major problem is there hasn’t been a written policy in place for corrections officials.

Gansler, whose office defends the corrections department in court, says “it would be patently unfair” to say to a current employee, who had passed all background checks, “Now you’re going to have to waive all your privacy rights on the Internet in terms of your social networking.”

“It’s a completely different issue to prospectively do it, and say ‘You can be a correctional officer at this facility, but one of the things you should know up front is that you’ll have to give up your passwords to your social networking websites.’”

Read more on WTOP.

So what happens after the applicant gets the job? Is AG Gansler saying that the state can require employees to continue to make access to their accounts available to check to ensure that they haven’t subsequently become gang members or are consorting with gang members? Or is he saying that it might only be appropriate at the original application stage?

I don’t think this should be legal, but I’m not surprised to read his statement that it would be if handled differently. The state would make the case that the security issues are so compelling that the request is “reasonable,” and the way SCOTUS is going, they’d defer to that.

This is the first “fine” I can remember based on loss of paper documents. Also, there is no indication that Mass. General knew about the loss until they were sued.

Mass. General to pay $1M to settle privacy claims

February 24, 2011 by admin

Massachusetts General Hospital and its physicians organization have agreed to pay the federal government $1,000,000 to settle claims related to a worker leaving personal health documents on the subway.

The hospital also agreed to develop a comprehensive new privacy policy to prevent patient information from being compromised in the future, and to provide training to workers. The hospital must remit semi-annual compliance reports to the U.S. Dept. of Health and Human Services for the next three years.

“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”

The settlement stems from a 2009 complaint from a patient whose personal health information was lost. The federal government subsequently opened an investigation and found that records from 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, were lost. It was determined that a Mass General employee had left the records on the MBTA while commuting to work on March 9, 2009.

Read more on Boston Business Journal.

Resolution Agreement (HHS site)

Note: this breach was previously covered on when two of the patients sued the hospital and when one of the patients found his details posted on Rip-Off Report.

Could the same argument be made about “Cloud Computing” – the records are not under control? “Second class citizens have responsibilities. Those of us who rule have none.”

Sensitive Patient Records from Abortion Doc Were Stored in AG Employee’s Home, Ethics Panel Is Told

By Dissent, February 24, 2011

Martha Neil reports:

Under fire for allegedly mishandling sensitive patient records from an abortion doctor in addition to other claimed violations of attorney ethics rules, a former attorney general of Kansas and district attorney has contended the disciplinary case against him is politically motivated.

But the No. 2 man in the AG’s office under Phill Kline testified today that he was “surprised,” “perplexed” and “upset” when he learned that the patient records were neither in the AG’s office nor in Kline’s new office, where he was then serving as Johnson County District Attorney, for approximately one month in early 2007, the Topeka Capital-Journal reported.

Read more on ABA Journal.

The future of Privacy Law?

Private actions challenging online data collection practices are increasing: Assessing the legal landscape

February 24, 2011 by Dissent

The article by Eric C. Bosset, Simon J. Frankel, Mali B. Friedman, Stephen P. Satterfield, “Private actions challenging online data collection practices are increasing: Assessing the legal landscape,” in the February 2011 volume of Intellectual Property & Technology Law Journal is available online. Here’s a snippet from the introduction:

… The outcome of these suits may well depend on how far courts will extend the prohibitions in federal statutes such as the Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA). These statutes were drafted long before today’s online environment could be envisioned, so their application to the technologies at issue in these suits poses interpretive difficulties for courts. As one federal court has observed, there is no “legislative or judicial history [for these statutes] to suggest that Congress intended to prohibit” Internet tracking activities. “To the contrary,” that court noted, “the histories of these statutes reveal specific Congressional goals—punishing destructive hacking, preventing wiretapping for criminal or tortious purposes, securing the operations of electronic communication service providers—that are carefully embodied in these criminal statutes and their corresponding civil rights of action.”

The outcome of these lawsuits also may turn on whether traditional sources of commercial liability under state law, such as unfair competition and unjust enrichment, will be applied to electronic communications and digitally stored information.

An overview of the primary legal claims and defenses being asserted in these cases follows.

You can read the full article on Covington & Burling’s web site.

For my Computer Security students.

HackerProof: Your Guide To PC Security [PDF Guide]

I like Infographics...

10 Most Insightful Infographics About Internet

For my Geeky friends and students. Remember, Steve Jobs stole got a lot of ideas from Xerox Parc...

Xerox Opens Virtual Research Lab

"It's nothing like the glory days of Xerox PARC, but still there are some interesting projects in Xerox's new Open Xerox website. Copyfinder, for example, takes an electronic document and returns the URLs pointing to it, to different versions of the document, and to related documents. Trailmeme is a new publishing tool that allows readers to navigate stories in both Web-like and book-like ways. And the Arabic Morphological Analyzer accepts modern standard Arabic words and returns morphological analysis and English notation. As of Thursday, 15 research projects were posted at Open Xerox, and the company has another 70 projects in the pipeline, said Victor Ciriza, lab manager at the Xerox Research Centre Europe."

Thursday, February 24, 2011

The “If I own it, I can do whatever I want with it” argument is heating up.

Police Raid PS3 Hacker's House, Hacker Releases PS3 'Hypervisor Bible'

"Graf_chokolo, who has contributed countless things to the PS3 scene, had his private home raided by police this morning. They confiscated all of his 'accounts' and anything related to PS3 hacking. Some of you may remember that graf_chokolo promised if he was pushed, that he would release all of his PS3 hypervisor knowledge to the world. He kept good on this promise, releasing what is being dubbed as the Hypervisor Bible. 'The uploaded files contain his database, which is a series of tools for the PS3's Hypervisor and Hypervisor processes. It will help other devs to reverse engineer the hypervisor of PS3 further.'"

“Micro” used to mean less than $1. I guess kids have larger allowances now.

FTC To Examine Microtransactions In Free-To-Play Games and Apps

A post at GamePolitics points out that the Federal Trade Commission will be looking into free-to-play mobile games that rely on internal microtransactions as a business model. Many such games are marketed for children, and there has been a spate of cases where kids racked up huge bills without their parents' knowledge or explicit consent.

"The in-app purchases have also catapulted children's games such as Smurfs' Village and Tap Zoo, by San Francisco-based Pocket Gems, into the ranks of the highest-grossing apps on iPods, iPhones and iPads. But the practice is troubling parents and public interest groups, who say $99 for a wagon of Smurfberries or $19 for a bucket of snowflakes doesn't have any business in a children's game. Though a password is needed to make a purchase, critics say that the safeguards aren't strong enough and that there are loopholes. 'Parents need to know that the promotion of games and the delivery mechanism for them are deceptively cheap,' said Jim Styer, president of Common Sense Media, a public advocacy group for online content for children. 'But basically people are trying to make money off these apps, which is a huge problem, and only going to get bigger because mobile apps are the new platform for kids.'"

Dudes! What have you been smoking? “You can be anonymous, as long as we know who you are.”

Marijuana Privacy Laws

DENVER (AP) — Medical marijuana patients in Colorado are facing new rules concerning patient privacy, and some are getting a briefing from the state health department to understand how their patient records could be used.

Marijuana advocates requested Wednesday's briefing by the state Board of Health.

Marijuana advocates complain that looming regulations allowing law enforcement to access records at marijuana dispensaries violate the marijuana amendment to Colorado's constitution. The amendment set up a "confidential registry" of patients maintained by "the state health agency," not the Department of Revenue, which is regulating dispensaries.

Some marijuana patients say they are planning a lawsuit to challenge how patient records are kept if the plan isn't changed so that the health department can't share patient records with law enforcement or tax regulators.

“It's not policy, but we always do it.”

Maryland Agency Stops Asking Interviewees for Facebook Login

February 23, 2011 by Dissent

As I noted yesterday in an update to the original blog entry, the Maryland Department of Corrections has issued a 45-day moratorium [Wait for this to blow over... Bob] on asking employees and applicants for their Facebook login after the Maryland ACLU went public with the situation and the story got spread far and wide.

Alexis Madrigal, who had helped call attention to the ACLU case, reports:

Days after the American Civil Liberties Union went public with the story of a Maryland corrections officer who was asked for his Facebook login information during a job interview, the state’s Department of Public Safety and Correctional Services (DPSCS) has suspended that practice.


In an e-mail to The Atlantic, the department’s director of communications Rick Binetti wrote that he thought the ACLU letter and press release had created “misperceptions” about the organization’s policy.

Binetti said that it was not policy to “demand any personal social media information from applicants.” However, he did admit that the organization does ask for that information during interviews. Here’s how he described what was supposed to happen:

During the initial interview, or recertification processes, DPSCS does not require correctional officer applicants to provide any information related to social media. An applicant is asked if they are active users of social media. If so, the Department only asks if an applicant would provide this information. If any information is provided by an applicant, it is done so voluntarily. If an applicant does not provide this information, it is not held against them and the interview process moves forward.[...]

Read more in The Atlantic.

As far as I’m concerned, the agency shouldn’t be asking at all – even if it is “voluntary.” Given how many people believe that “If you have nothing to hide…” any refusal to provide a “voluntary” login could still be viewed suspiciously or influence hiring or recertification decisions.

Won't all libraries shift to eBooks to save cost/space?

eBook Lending Library Launched

"The Open Library has launched an eBook lending program. Patrons of this Internet Archive-led group of libraries may borrow up to five books at a time, for up to two weeks. Like print books, the eBooks may be on loan only to one patron at a time. The organization perceives this model as providing more bang for the libraries' bucks. The books are mostly 20th-century titles. Some librarians have books that are too fragile or rare for lending and will scan them for eBook lending."

For the Toolkit...

Thursday, February 24, 2011

View All Microsoft Formats in Google Docs

Somehow I missed Google's announcement last Friday that the Google Docs viewer now supports all Microsoft Office file types. The viewer also supports Apple's Pages files. If you have files in any of those formats you can now upload them to your Google Docs account and view them from any computer. Most importantly, if someone sends you one of these file types as an attachment to your Gmail account, you can view the file without having to download it.

Wednesday, February 23, 2011

The fine seems to be more for “failure to kowtow” than for HIPAA violations.

HHS Imposes a $4.3 Million Civil Money Penalty for Violations of the HIPAA Privacy Rule

By Dissent, February 22, 2011

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Md., (Cignet) violated the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HHS has imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by the Department for a covered entity’s violations of the HIPAA Privacy Rule.


In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records. Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010. On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

Read more in the Sun Herald. So far, I don’t see a copy of the press release or documentation on HHS’s web site, but I’ll keep checking.

[From the Sun Herald:

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule. Covered entities are required under law to cooperate with the Department’s investigations. The CMP for these violations is $3 million.

… A copy of the Notice of Proposed Determination and Notice of Final Determination can be found at Additional information about OCR’s enforcement activities can be found at

Future of Privacy & Surveillance?

Deconstructing the CALEA hearing

February 22, 2011 by Dissent

Chris Soghoian writes:

Last Thursday, the House Judiciary Committee held a hearing focused on law enforcement surveillance of modern Internet services.

Although both the New York Times and CNET have stories on the hearing, I don’t think either publication covered the important details (nor did they take the time to extract and post video clips).

The FBI is no longer calling for encryption backdoors

Read more on slight paranoia, where Chris includes excerpts from the hearing as well as his thoughts on what he thinks the FBI will be pushing for. I think Chris is dead-on in his predictions of what the FBI wants, and as he suggests, some of the “asks” will likely not get a lot of media attention – unless the privacy community gets our act together to make a lot of noise. Certainly any attempt by the government to require cloud services to provide capability for real-time interception of communications (think of the government having the ability to monitor your chats in real-time) is an issue that the public can appreciate in terms of its potential for abuse – that is, if the public doesn’t stick its collective head in the sand while it mutters, “Well, if you’ve got nothing to hide…”

One thought – based on only one cup of coffee, and hence, somewhat muddled – is whether putting a hole in the security of cloud services to enable such monitoring would somehow violate any non-U.S. laws on data protection and security or make non-U.S. entities more leery of using American cloud providers. If so, could any such “ask” or requirement put American cloud service providers at an economic disadvantage?

[From Slight Paranoia:

While Skype uses some form of proprietary end-to-end encryption (although it should be noted that the security experts I've spoken to don't trust it), and RIM uses encryption for its Enterprise Blackberry messaging suite, the vast majority of services that consumers use today are not encrypted. Those few services that do use encryption, such as Google's Gmail, only use it to protect the data in transit from the user's browser to Google's servers. Once Google receives it, the data is stored in the clear.

There is one simple reason for this, which I described in a law journal article last year:

It is exceedingly difficult to monetize a data set that you cannot look at.

(Related) Like your data, they “need” to track your browsing...

FTC Internet Privacy Proposal Slammed By Ad Industry

February 22, 2011 by Dissent

Mathew J. Schwartz reports:

Will the future see a “Do Not Track” setting in browsers that prevents data brokers and Web sites from tracking a consumer’s every click?


Industry groups, however, have slammed the FTC’s proposal, suggesting it would wreck the ability of Web sites to provide personalized content. “The Internet is comprised of millions of interconnected Web sites, networks and computers — a literal ecosystem, all built upon the flow of different types of data,” according to a statement released by the Interactive Advertising Bureau (IAB). “To create a Do Not Track program would require reengineering the Internet’s architecture.” [Bull! Bob] Instead, it suggested a new self-regulated program for online behavioral advertising.

But consumer rights groups have been arguing differently. The Center for Digital Democracy and U.S. Public Interest Research Group (PIRG) on Friday released a statement recommending that the FTC require that all surveillance technologies in use be disclosed. It also wants people to be allowed to view and correct the data collected about them, in addition to a Do Not Track feature.

Read more on InformationWeek.

(Related) How much of our lives are “Public?”

Is Privacy in Public a Contradiction in Terms?

February 22, 2011 by Dissent

Another thought-provoking commentary by Robert Gellman:

Is there such a thing as privacy in a public space? When you walk down the street, anyone can observe you, make notes about your location, appearance, and companions, and even take your picture. If so, then it would seem that you have no reasonable expectation of privacy.

However, most people would be unhappy if they found themselves followed all day. For most of human existence, this type of surveillance was impractical because of the great expense of following someone around.

Read his article on GeoDataPolicy


Amid unrest, a hard new look at online anonymity

Some people have undoubtedly forgotten that in the years before Facebook's fast ascent, social media was dominated by anonymity: handles worthy of CB radio, vintage AOL screen names trailed by strings of numbers, LiveJournal IDs bookended with the x's and o's of emo-kid culture. And there was a sense that in this odd and very public new medium, it wasn't safe to use your real, full name.

Thanks to Facebook, and founder Mark Zuckerberg's personal philosophy, that's changed. What Facebook did, with a policy that requires proper names and the initial restriction of access based on proven university or company affiliation, was bring the idea of "real identity" to the mainstream Internet. In general, that's been considered a good thing; [By whom? Bob] but in the wake of widespread antigovernment protests across a number of Middle East and North African countries, the Facebook philosophy is facing a sharp challenge as critics suggest that a real-names-only policy could see pro-democracy activists targeted individually by autocratic governments.

A "digital freedom" nonprofit called Access Now is leading the charge, launching an online petition this week called "Unfriend the Dictators" to encourage Facebook to rethink its policy. An explanation on Access Now's site reads: "Facebook should be congratulated and condemned in one go: They've built a revolutionary platform that's catalyzed the political change sweeping the Middle East and beyond, but Facebook has also become a treasure trove of information for dictators, allowing them to identify and track down those who oppose them."

(Related) Apparently this was temporary, but who authorized it and what were they thinking?

WI Capitol Blocks Pro-Union Web Site

"State government workers are unable to connect to a pro-union web site from the wifi at the state capitol."

Someone probably should let Hillary Clinton know.

Dilbert explains why you should read the fine print... on Privacy Policies, for example.

I think the 'free journal' idea is inevitable, and here are some indications of how they are used...

February 22, 2011

E-journals: their use, value and impact

E-journals: their use, value and impact [final report], 19 January 2011: "This report is the second arising from a two-year project funded by the Research Information Network to describe and assess patterns of the use, value and impact of e-journals by researchers in universities and research institutes in the UK. Publishers began to provide online access to articles in scholarly journals just over a decade ago. Numerous studies have shown how much researchers have welcomed enhanced and easy access to unprecedented numbers of journals. But until recently there has been little detailed evidence about how researchers have changed their behaviours in response to this revolution in access, about how they make use of online journals, or about the benefits that flow from that use. This two-year-long study begins to fill that gap."

[From the report:

Users in the most research-intensive universities behave differently from those in less research-intensive ones:

  • they view and download more articles per capita

  • they spend much less time on each visit

  • they do not use many of the online facilities provided on the publishers’ platform

  • they are much more likely to enter via gateway sites

Tuesday, February 22, 2011

Try this! Something for my Computer Security students.

SelectOut Founder Analyzes 1,000 Privacy Policies to Make Online Privacy Easier, Part 1

February 22, 2011 by Dissent

Elaine Rigoli writes:

Calvin Pappas is just 19-years-old but thinks online privacy is one of the hottest topics today. While Congress debates regulating the online advertising and tracking industry, the Computer Engineering student has created a site called SelectOut to teach consumers how companies really gather and use their online data.

As companies are working to become more transparent before any legislation is enacted, however, Pappas is keeping one step ahead of them with his Consumer Opt-Out list that shows people how to choose their own privacy options.

His site couldn’t be simpler. When you click on, the site instantly determines how many websites are tracking you. It then gives you the option to “select out” of all or just some of the tracking.


“In addition to the data we actually need to run the business, we like to keep lots of older data just to clog things up...”

(update) OSU searches for possible hacking victims

February 22, 2011 by admin

Remember back in December when Ohio State University announced that it had detected a breach at the end of October and would be notifying 760,000 people who had personally identifiable information on the server? It seems that they are still trying to notify some of them.

Encarnacion Pyle reports in The Columbus Dispatch:

A hacker hasn’t hit another computer server at Ohio State University. But the school has sent 226,000 letters, mostly to alumni, in the past couple of weeks about free credit-monitoring services.

Ohio State uncovered a breach in late October and began notifying people whose data might be at risk. The original list of 760,000 students, professors and others who do business with Ohio State contained some outdated addresses, officials said yesterday. So the university recently has sent out new letters to what officials hope are their current addresses.

“Let me tell you, it’s hard to find 760,000 people,” said Jim Lynch, OSU’s spokesman.

Well yes, I imagine it would be. Which seems to be yet another excellent reason not to keep so much non-current data on a server connected to the Internet. By now, it’s somewhat discouraging that some entities still don’t seem to have learned that lesson. Maybe there should be a penalty surcharge for breaches involving data that are past their freshness date but were left connected to the Internet. [In addition to wasted storage space and increased processing time? I like it! Bob]

So do we bail out or ride a bit longer?

Has the Second Dotcom Bubble Started?

An article at the Guardian asks whether the exceedingly high valuations of social tech companies signify the arrival of a second dotcom bubble. Quoting:

"Every week, one of the new generation of internet firms seems to attract a sky-high valuation. Zynga, the social-network games company that has tempted millions to grow virtual vegetables in its FarmVille game, has been valued at $9bn (£5.54bn). Profitless Twitter is said to be worth $10bn. Groupon, vendor of online discounts, rejected a $6bn offer from Google and is considering a flotation with a potential valuation of $15bn. Tech-watchers say this is just the start: the real boom will come when Facebook, the head boy of the new dotcom frenzy, goes public, probably next year. ... The last dotcom boom really took off after the flotation of the internet software company Netscape in 1995. Patrick says this time it's likely to be Facebook that lights the fuse. So far, private investors have been locked out of the New Thing. But JP Morgan is setting up a fund, and Goldman Sachs recently tried to get its clients' money into Facebook."

Think about it. Why would your auditors be concerned with Privacy?

Privacy and Security in Health Care: A fresh look

By Dissent, February 21, 2011

A new issue brief by Deloitte reviews previous research and generates figures based on breaches reported to HHS.

This Issue Brief from the Deloitte Center for Health Solutions (DCHS):

  • Provides an update about current and emergent privacy and security challenges in health care;

  • Examines notable hot spots where current policies, rules, and regulations are a focus of industry risk;

  • Reviews the state of preparedness for privacy and security risk throughout the industry;

  • Suggests an approach to assessing an organization’s current preparedness.

Download the paper from Deloitte.

For the Stalker's Toolkit.

The Facebook Breakup Notifier: Stalk someone you like

This astounding, beautiful, utterly utilitarian piece of technology allows you to be instantly informed when someone you have loved/liked/been desperate to stalk for a very long time finally becomes available.

We used to use the US government as a 'minimum' set of tech rules. They have gotten much better, so now you need to look world-wide for the minimums...

Update: Privacy and the Protection of Personal Information in China

February 21, 2011 by Dissent

Hunton & Williams have updated their analysis of data protection laws in China:

In the past year and a half, new laws affecting personal information protection in China have arisen in various forms, including a consumer protection law and regulations, a tort law, a medical records regulation, a social insurance law, a credit reference regulation and even an anti-money laundering banking regulation.

See A Summary of Developments in Personal Information Protection in China, originally published on the DataGuidance website.

Gee, da whole woild don't speak English?

Testing Free English Anti-Malware On Non-English Threats

"Brazilian technology news site O Globo posted an interesting comparison on how free anti-malware behaves against non-english threats (Google translation of Portuguese original). By using a database of over 3000 samples from Brazil's Security Incident Contact Center, the numbers are quite different from all US anti-malware reviews. While Avira achieved the best score, 78%, Microsoft Security Essentials stopped less than 14%. This can be a headache for some large multinational corporations, whose IT departments deploy US anti-malware on the entire network, but have network segments outside US with many 'unknown' threats roaming around. I wonder what the results would be in other countries."

No doubt Microsoft will find a way to mention this in their advertising... I'd like to see more details – this sounds fishy to me.

German Foreign Office Going Back To Windows

"The German government has confirmed that the German Foreign Office is to switch back to Windows desktop systems. The Foreign Office started migrating its servers to Linux in 2001 and since 2005 has also used open source software such as Firefox, Thunderbird and OpenOffice on its desktop systems. The government's response to the SPD's question states that, although open source has demonstrated its worth, particularly on servers, the cost of adapting and extending it, for example in writing printer and scanner drivers, and of training, have proved greater than anticipated. The extent to which the potential savings trumpeted in 2007 have proved realizable has, according to the government, been limited – though it declines to give any actual figures. Users have, it claims, also complained of missing functionality, a lack of usability and poor interoperability."

It's not used as a 'primary source,' but rather as a place to find primary sources...

February 21, 2011

Pew Report: Wikipedia, past and present

Wikipedia, past and present, by Kathryn Zickuhr, Lee Rainie, Jan 13, 2011

  • "Wikipedia, the “multilingual, web-based, free-content encyclopedia project,” was created in 2001 and celebrates its tenth anniversary on January 15, 2011. The percentage of all American adults who use Wikipedia to look for information has increased from 25% in February 2007 to 42% in May 2010. This translates to 53% of adult internet users. Education level continues to be the strongest predictor of Wikipedia use. The collaborative encyclopedia is most popular among internet users with at least a college degree, 69% of whom use the site. Broadband use remains another predictor, as 59% of those with home broadband use the service, compared with 26% of those who connect to the internet through dial-up. Additionally, Wikipedia is generally more popular among those with annual household incomes of at least $50,000, as well as with young adults: 62% of internet users under the age of 30 using the service, compared with only 33% of internet users age 65 and older."

For my Math students...

Online Multiplayer Games On TI Calculators?

"A calculator enthusiast has managed to allow TI-83 Plus and TI-84 Plus graphing calculators to connect to the Internet with the help of an Arduino board. It is called Global CALCnet 2.2 and there is already a chat program demonstrating it. Multi-player games for gCn such as a Scorched-Earth clone are currently in the works. Maybe in the near future we will be playing some variant of Ztetris against our friends on the other side of the world?"

Somebody also took the time to port Doom to a TI-Nspire calculator. A YouTube video demonstration is available.

It's a rare week when I have two items for my Math students, let alone two in one day!

Jeopardy, IBM, and Wolfram|Alpha

Monday, February 21, 2011

How about one in English?

Clinton says Twitter helps US tap into youth unrest

Secretary of State Hillary Clinton Sunday highlighted the need for the US government to use Twitter and other social media to connect with young people amid turbulent change in the Middle East and North Africa.

Following revolutions in Tunisia and Egypt fueled by Facebook, Twitter and YouTube exchanges, the US State Department set up Twitter accounts last week in Farsi, Arabic and other languages to get its message across.

"What we expect to do is to be communicating through the new social media with literally millions of people around the world because we want them to hear directly from us what our policies are," Clinton said.

(Related) It's interesting what you can find if you sift through enough data...

Seven Breakthrough Sentiment Analysis Scenarios

Could sentiment analysis -- the automated mining of attitudes, opinions, and emotions from text, speech, and database sources -- have foretold the demise of Egyptian autocrat Hosni Mubarak?

Can this fast-emerging technology and discipline predict the movement of Oracle's share price based on online and social reactions to company and market news? Could it quantify reactions to Groupon's widely panned SuperBowl ad and tell the ad-agency creative types what particular aspects viewers disliked? And in a more mundane, everyday application, could it identify product defects to help convert dissatisfied customers into promoters?

… In the pre-Net, pre-text analytics world, sentiment analysis was of very limited scope or limited to indirect measures. We had focus groups and other forms of "qualitative research" that, because they are expensive and generate voluminous text transcripts requiring laborious human analysis, can be used for only small samples.

Survey "verbatims" (free-text responses) are similarly expensive to analyze, so indicators such as the U.S. Consumer Confidence Index (CCI) have also been based on samples, with question responses limited to not-very-illuminating positive/negative/neutral responses.

Text analytics is a limit breaker. Solutions automate large-scale information collection, filtering, and classification technologies via natural language processing and data mining technologies that handle both factual and subjective information. Subjective information: That would be attitudes, moods, opinions, and emotions -- the province of sentiment analysis.

Will this approach become critical for any company whose reputation is challenged?

What Brands Can Learn From Taco Bell’s Social Media Lawsuit Defense

When it comes to high profile lawsuits, it’s often been the plaintiff’s use of social media that makes headlines and wins those ever-important battles in the Court of Public Opinion. Blogs raise awareness of issues that could lead to lucrative litigation, and smart SEO and SEM campaigns can dominate the online conversation. Social media is used to recruit potential class action clients. All the while, the target of the litigation — the defender — often stands mute, from a digital perspective. Commonly, the defender will cede control of the Internet’s messaging high ground to adversaries.

But the “no comment” strategy has increasingly been cast aside in an age when instant impressions can cause lasting reputation damage. More and more companies are realizing the benefits of mounting a digital defense when plaintiffs come knocking. As evidenced by the recent lawsuit against Taco Bell — alleging that its “seasoned beef” doesn’t meet USDA requirements for that label — defense messages are starting to compete for attention in the online space. Over the last several weeks, Taco Bell has written a template for digital litigation communications that — while certainly more aggressive than many lawsuits call for — has highlighted a number of best practices that every company playing social media defense should consider.

Sunday, February 20, 2011

This looks like a Cloud Computing application. Apparently the customer had no control over the data and didn't even know that inappropriate data (card security codes) were being kept. The vendor, like many “assumed” that access by their people was always authorized and appropriate.

(update) Hacker accessed database by using vendor’s administrative password

February 19, 2011 by admin

On January 31, lawyers for the University of Connecticut Cooperative Corporation notified the New Hampshire Attorney General’s Office of a breach mentioned previously on this blog. Their letter revealed some previously unreported details, including the fact that the web site was hosted and managed by Fuss & O’Neill Technologies LLC in Connecticut, a firm that does business as Fandotech.

According to the Co-op's lawyers, the breach was first discovered by customers who reported it to the Co-op. On December 28, the Co-op contacted Fandotech and asked them to investigate. Fandotech investigated but informed the Co-op that it found no evidence of a breach.

The Co-op called a few more times over the next days, each time asking Fandotech to investigate again.

On January 5, Fandotech reportedly found evidence that a breach had occurred on December 26 – two days before the Co-op started calling them to investigate a possible breach. It appears that whoever accessed the database started using the data immediately as by December 28, people were already reporting card fraud to the Co-op.

Significantly, the breach involved an unauthorized person accessing the database by using a Fandotech administrative password. [Unknown is not unauthorized. Perhaps the person was authorized but the actions were not. Bob]

“Fandotech has sole access, authority, and control over that administrative password,” Aaron Bayer of Wiggin and Dana wrote to the New Hampshire Attorney General.

The database contained information on 18,059 people, 286 of whom were New Hampshire residents. Information in the database included customers’ names, addresses, telephone numbers, email addresses, credit card numbers, card expiration dates, and card security codes. At the time of the breach, the Co-op

“understood from Fandotech that it employed a firewall, antivirus software, encryption, and a secure, administrative password to safeguard this data, and believed that Fandotech was PCI compliant.”

Under the PCI standards, however, the 3- or 4-digit card security codes may not be stored – even if encrypted.
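The storage rule above is easy to check for mechanically. The following is an added example (not code from the post, the Co-op or Fandotech) showing two defensive checks: scrubbing a card record before it is persisted, and auditing rows already in a datastore for residual security codes or unmasked card numbers; the column names and sample rows are constructed for the example.

```python
"""Added example: enforce the PCI DSS rule that the card security code
(CVV2/CVC2/CID) is never stored after authorization, even encrypted, and that
a stored PAN is masked. Column names and sample rows are constructed."""
import re
from typing import Any, Dict, List, Tuple

# Assumed column names that commonly hold the security code or the PAN.
SECURITY_CODE_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid",
                        "security_code", "card_security_code"}
PAN_FIELDS = {"card_number", "pan", "credit_card_number"}
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a real PAN from a random digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy safe to persist: security code dropped, PAN masked."""
    safe: Dict[str, Any] = {}
    for k, v in record.items():
        key = k.lower()
        if key in SECURITY_CODE_FIELDS:
            continue  # never persisted, not even encrypted
        if key in PAN_FIELDS and isinstance(v, str):
            safe[k] = mask_pan(v)
        else:
            safe[k] = v
    return safe


def audit_rows(rows: List[Dict[str, Any]]) -> List[Tuple[int, str, str]]:
    """Flag (row_index, column, reason) for data that must not be in the store."""
    findings: List[Tuple[int, str, str]] = []
    for i, row in enumerate(rows):
        for k, v in row.items():
            key = k.lower()
            sval = "" if v is None else str(v)
            if key in SECURITY_CODE_FIELDS and sval:
                findings.append((i, k, "card security code stored"))
            elif key in PAN_FIELDS:
                digits = re.sub(r"\D", "", sval)
                if PAN_RE.match(digits) and luhn_ok(digits):
                    findings.append((i, k, "unmasked PAN stored"))
    return findings


# Constructed sample rows resembling an e-commerce customer table.
SAMPLE_ROWS = [
    {"name": "A. Customer", "card_number": "4111 1111 1111 1111",
     "exp": "12/12", "cvv": "123"},
    {"name": "B. Customer", "card_number": "411111******1111",
     "exp": "03/13", "cvv": ""},
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
    print(scrub_for_storage(SAMPLE_ROWS[0]))
```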

The web site, which was taken down the first week in January, is still not online.

In their correspondence of January 31, the Co-op’s attorneys describe the steps the Co-op has taken and note that despite the commercial cost in terms of lost revenues, the Co-op had not returned the site to operation. Their detailed response to the discovery of the breach included retaining Trustwave to perform an audit to determine the cause and a cure for the problem. Lawyers for the Co-op say that it does not intend to re-open the old web site, but plans to open a new web site for UConn merchandise after it is assured that the web site will be in a secure environment.

(Related) Something like this will become much more desirable as everything moves into the Cloud...

Industry IT Security Certification Proposed

"The US can build defenses against 'cyberwar' by having government and the private sector work together to confront the threat, a panel of experts said at RSA Conference 2011 in San Francisco this week. 'Chertoff called for a regulatory framework where company executives and board members sign on the dotted line, certifying what steps they have taken to secure their network, what backup systems they have in place and what level of resiliency is built into their IT system. “People take that seriously. Is it dramatic? No, but it moves the ball down the field,” Chertoff said. Schneier concurred, noting that holding individuals at a company accountable for certain protections has worked with environmental regulations and Sarbanes-Oxley, the post-Enron law that requires directors and executives to certify their financial results.'"

“We trust our employees. It's their relatives and friends we don't trust.” What happens on your own time determines your grade at school and now, your continued employment.

Should Govt. Employers Be Allowed to Require Your Facebook Login?

February 19, 2011 by Dissent

Meredith Curtis of the ACLU of Maryland describes a case that should concern us all:

Maryland corrections officer Robert Collins approached the ACLU of Maryland late last year, disturbed that he was required to provide his Facebook login and password to the Maryland Division of Corrections (DOC) during a recertification interview. He had to sit there while the interviewer logged on to his account and read not only his postings, but those of his family and friends too.


On January 25, the ACLU of Maryland sent a letter (PDF) to Public Safety Secretary Gary Maynard on behalf of Officer Collins, concerning the Division of Correction’s blanket requirement that applicants for employment with the division, as well as current employees undergoing recertification, provide the government with their social media account usernames and personal passwords for use in employee background checks.


The demand for Facebook login information is not only a gross breach of privacy for Officer Collins and his friends, it raises significant legal concerns under the Federal Stored Communications Act and Maryland state law, which protect privacy rights and extend protections to electronic communications.

Read more about the case on the ACLU of Maryland’s blog. h/t, The Atlantic

What does it tell them? Where their clients should commit their crimes?

February 19, 2011

Comparative Criminal Procedure

Via the terrific law librarians at University of Chicago at the D'Angelo Law Library, Comparative Criminal Procedure: "This research guide prepared for Professors Ginsburg and McAdams' Comparative Criminal Procedure Seminar (LAWS 41702) lists selected English-language resources on comparative criminal procedure. It focuses on journal articles, book chapters, and treatises covering comparative criminal procedure generally, criminal procedure in multiple jurisdictions, and specialized research topics in comparative criminal procedure such as: arrest, pre-trial detention, interrogation, right to counsel, legal assistance for indigent defendants, discovery, plea bargaining, trial by jury, the privilege against self-incrimination, inquisitorial versus accusatorial systems, role of prosecutors, judges and defense attorneys, cross-examination, exclusionary rules, sentencing, death penalty, criminal appeals, and double jeopardy."

Interesting video. Some “opt outs” require lots of effort...

How To: Take Back Your Privacy from Data Brokers

Data brokers, data harvesters, people finders: Whatever you call them, they roll up a huge amount of real and deduced information about you to create a dossier on your life that anyone can buy or even browse for free. While the nuggets of information about you are already out there, the way these sites aggregate it makes a lot of people feel very invaded. Watch this video to see how you can opt out, to a degree, then use the links below to start taking back your privacy.

Opt out tools:

  • Spokeo

  • PeopleSmart

  • Pipl

  • Peek You (email link): Include the address of your profile to have it suppressed.

  • ZabaSearch