Saturday, April 09, 2011

“We don't need no stinking regulation!”

The Epsilon Hack Attack: Time For “SOX For Consumers”?

April 8, 2011 by admin

Matt Pauker of Voltage Security discusses the Epsilon breach and where we go from here. He writes, in part:

What about requiring every third-party service provider to protect personal customer data through encryption, tokenization or another advanced security technology, through clauses written into and enforced as part of standard service level agreements? This is something that companies can initiate today, without waiting for federal, state or industry regulation.

Or, has the time come for “SOX for consumers”: a consumer-focused plan calling for new rules that force companies to certify that they have adequate data protection in place to protect data even in the event of a breach?

Read more on Forbes.

Are Social Networks at risk? Perhaps, if the legislative pendulum swings too far...

Internet firms wake up to federal privacy scrutiny

April 8, 2011 by Dissent

Cecilia Kang reports:

As LinkedIn prepares to sell its stock to the public, the social network for professionals is warning of a potential threat to its business: Internet privacy laws.

In a filing to the Securities and Exchange Commission this month, the startup said a push by federal regulators to create first-time privacy rules “could deter or prevent us from providing our current products and solutions to our members and customers, thereby harming our business.”

Read more in The Washington Post.


DOJ filing would create dangerous precedent on privacy policies

April 8, 2011 by Dissent

Declan McCullagh reports:

The U.S. Justice Department today dismissed as “absurd” any privacy and free speech concerns about its request for access to the Twitter accounts of WikiLeaks volunteers.

In a 32-page brief filed in federal court in Virginia, prosecutors characterized their request for a court order as a “routine compelled disclosure” that raises no constitutional issues.

Read more on cnet.

In related coverage, Andy Greenberg of Forbes focuses on the DOJ’s argument that the presence of a privacy policy on Twitter obliterates any reasonable expectation of privacy, even if the user never looks at it:

In their brief, the U.S. attorneys attack an argument from Appelbaum, Jonsdottir and Gonggrjip’s team that they shouldn’t be held to Twitter’s privacy policy–which allows authorities to lift data like users’ IP addresses–because it’s unreasonable to assume that users have read it or any other of the dense policies they face on commonly used sites.

“The existence of the Privacy Policy, even if unread by the Subscribers, undermines the legitimacy of any expectation of privacy the Subscribers may have had in the IP addresses they conveyed to Twitter,” reads the brief. “Although individual users might be ignorant of the terms of Twitter’s Privacy Policy, society is not prepared to recognize as reasonable an expectation of privacy that is directly contradicted by policy statements available to all who wish to read them.”

Read more on Forbes.

For my Computer Security students

Put Your Passwords Through The Crack Test With These Five Password Strength Tools

How Secure Is My Password

The Password Meter

Test Your Password

Strength Test

Microsoft Safety And Security Center

Friday, April 08, 2011

This is going to take a shelf full of books to document...

And the hits just keep on coming for Epsilon

April 3, 2011 by admin

Note: CBS reports that the Secret Service is investigating the Epsilon breach. If you receive a phishing attempt that you want to report to the Secret Service, email You can also file a report at I’ll add businesses to the list of affected customers as I become aware of them, so check back if you want to see what else has been reported. See Brian Krebs’ commentary on the fears about spear phishing as a result of this breach.

  1. 1-800-FLOWERS

  2. AbeBooks

  3. AIR MILES Reward Program (Canada)

  4. Ameriprise

  5. Barclays Bank of Delaware (BJ’s Visa, L.L. Bean Visa)

  6. Beachbody

  7. bebe

  8. Best Buy

  9. Best Buy Canada Reward Zone

  10. Benefit Cosmetics (see below)

  11. Brookstone

  12. Capital One

  13. Charter Communications

  14. Citi (ExxonMobil Card, Home Depot Card, NTB Card, The Place)

  15. City Market

  16. College Board

  17. Crucial

  18. Dell Australia

  19. Dillons

  20. Disney Destinations (The Walt Disney Travel Company)

  21. Eddie Bauer Friends

  22. Eileen Fisher (doesn’t name Epsilon but same template letter)

  23. Ethan Allen

  24. Eurosport Soccer

  25. Food 4 Less

  26. Fred Meyer

  27. Fry’s

  28. Hilton Honors

  29. Home Shopping Network (HSN)

  30. Jay C

  31. JPMorgan Chase

  32. King Soopers

  33. Kroger

  34. Lacoste (and as per TG Daily)

  35. Marriott Rewards (FAQ on site)

  36. Marks & Spencer

  37. McKinsey Quarterly

  38. MoneyGram

  39. New York & Company

  40. QFC

  41. Ralphs

  42. Red Roof Inn

  43. Ritz-Carlton (FAQ)

  44. Robert Half International

  45. Scottrade

  46. Smith Brands

  47. Stonebridge Life Insurance

  48. Target

  49. Tastefully Simple

  50. TD Ameritrade


  52. TiVo

  53. US Bank

  54. Verizon

  55. Viking River Cruises

  56. Walgreens

  57. World Financial Network National Bank (Ann Taylor, Catherine’s, Chadwick’s, Dressbarn, Express card, Fashion Bug, Giant Eagle fuelperks!, J Crew, Lane Bryant, Maurice’s, PotteryBarn/Kids/Teens, RadioShack, Sears, Smile Generation Financial, The Limited, United Retail Group (Avenue, Jessica London, OneStopPlus), Value City Furniture, Victoria’s Secret)

Thanks to all those who have copied and pasted in the emails you have received. If you have something you think I’m missing, please check the list first to see if I already have the name of the company and a linked copy of the notice (bank cards are under the name of the issuing bank), and if not, post away!

Benefit Cosmetics. What’s significant about their report is that they appear to be former clients of Epsilon, raising the question of why their data were on the compromised server. Did the breach occur while they were still clients or did Epsilon not remove their data from their server after they stopped using their service?

An email sent to DataLossDB who shared it with this site, read:

While we wish this was about lipstick, we have important news regarding your email address.

We were just informed by a former email vendor that the database with our customers’ names and email addresses has been compromised by an unauthorized person. The only information at risk is your name and email address.

The vendor has assured us that “a rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.” This data breach has also affected several other companies that work with this vendor.

(Related) If the “breachee” is responsible for notifying the customers of their customers, what are the implications for Cloud Computing?

Who should be notifying consumers about the Epsilon breach?

April 7, 2011 by admin

Senator Richard Blumenthal, a staunch consumer privacy advocate, has said that Epsilon should be notifying every consumer whose data were involved in the recent humongous breach. You can read his entire letter to Attorney General Eric Holder requesting an investigation on his web site, but here’s part of what he wrote:

I believe that immediate notification to all customers is vital to protect them – and enable them to protect themselves – from identity theft.


I believe that affected individuals should be notified and provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Epsilon or its affected clients. I believe it is also necessary to provide every affected individual with sufficient insurance to protect them against possible financial consequences of identity theft.

Who Should Send Us the Notifications?

Should Epsilon be sending us the notifications – as Senator Blumenthal’s letter would seem to suggest – or should the company who gave our data to them be sending us the notifications?

[How about “Fourth Party” actors? Bob] If you have an account with a store and got a branded credit card through World Financial Network National Bank (WFNNB), WFNNB sent you the notification and apology email. They told you that their email was about [name of store where you have an account], but it was their email to you – not the store’s.

So you got the important information to be alert to phishing attempts, but you probably didn’t hear from the store. Are you okay with that? It was WFNNB who had the contract with Epsilon (or so it seems from their notification email text), but whom do you feel you have the relationship with – the store or WFNNB?

Who owes you the apology as well as the information?

And who should be accountable for this? The store or WFNNB – or both?

You trusted the store. They trusted WFNNB. WFNNB trusted Epsilon. But it all started with consumer trust in the store. And I think we need to hold the stores (or hotels or financial institutions) accountable if they want to keep our trust and our business. For that reason, I’ve been including all of their names in the running list of affected entities even though most other sites keeping tabs have not taken this approach and might just list WFNNB.

I’d also point out that on practical and safety levels, even if we had gotten an email from Epsilon (as the Senator urges), would most of us have even opened it, much less believed it – or would we have just looked at the subject line and deleted it as probably spam or a phishing attempt?

What do you think? You can sound off in the Comments section.

Here's one we haven't heard from in some time. I'm certain this will get all the attention it deserves.

T.J.Maxx hacker says feds gave him the OK

Albert Gonzalez, the hacker who pleaded guilty to leading one of the largest cases of credit card theft in the U.S., is asking a judge to toss out the pleas, arguing that they were part of his assignments as a paid government informant.

"I still believe that I was acting on behalf of the United States Secret Service and that I was authorized and directed to engage in the conduct I committed as part of my assignment to gather intelligence and seek out international cybercriminals," Gonzalez wrote in a 25-page petition filed March 24 with the U.S. District Court in Massachusetts and published on the Threat Level blog. "I now know and understand that I have been used as a scapegoat to cover someone's mistakes."

“Hey, our degrees are in education. They never trained us to count!”

(update) More Student SSNs Were At Risk, TEA Says

April 7, 2011 by admin

Morgan Smith reports that a breach involving the Texas Education Agency was much worse than originally reported. Last month, the TEA reported that an unencrypted disk containing data on almost 25,000 Laredo Independent School District students had gone missing. But when the Texas Tribune obtained records about the breach, they discovered that there were data on 164,406 students who graduated from eight Texas school districts over the past two decades that had been sent via unencrypted disks.

The data were for students who graduated between 1992 and 2010 in the top 10% of their classes in the Crowley, Harlingen, Round Rock, Killeen, Richardson, Irving, Mansfield, and Grand Prairie school districts.

Between August (2010) and January (2011), the districts mailed unencrypted CDs loaded with students’ Social Security Numbers, dates of birth and ethnicity — data requested by the University of Texas at Dallas’ Education Research Center — to the TEA, with the expectation that the TEA would deidentify the records and pass them along to UT-Dallas.


A TEA spokeswoman told the Tribune today that Laredo ISD’s data set is the only one believed to be missing. [“Of course, we didn't know about the other 140,000 students either” Bob] The January memo says the agency has since destroyed the CDs from the eight districts whose information it did receive.

Read more in the Texas Tribune.

I would expect any judge to do this, but I have one of those “I'm not a lawyer” questions. Shouldn't someone from the Patent Office be explaining this to the Judge? If they explained it the way Oracle said it should work wouldn't that end the case? What did the Patent Office think they were granting a Patent for?

Judge In Oracle-Google Case Given Crash Course in Java

"Lawyers for Oracle and Google gave Judge William Alsup of the U.S. District Court in San Francisco an overview of Java and why it was invented, and an explanation of terms such as bytecode, compiler, class library and machine-readable code. The tutorial was to prepare him for a claim construction conference in two weeks, where he'll have to sort out disputes between the two sides about how language in Oracle's Java patents should be interpreted. At one point an attorney for Google, Scott Weingaertner, described how a typical computer is made up of applications, an OS and the hardware underneath. 'I understand that much,' Alsup said, asking him to move on. But he had to ask several questions to grasp some aspects of Java, including the concept of Java class libraries. 'Coming into today's hearing, I couldn't understand what was meant by a class,' he admitted."

“Senator, your STD test results are back...”

Doctor visit text reminders violate patient privacy: Swedish health board

By Dissent, April 8, 2011

The Swedish health authorities have made a privacy-protective ruling about text messaging patients:

Text message reminders for appointments with doctors or dentists may soon be a thing of the past in Sweden.

The National Board of Health and Welfare (Socialstyrelsen) have found them to be in breach of their rules on patient confidentiality.

“It is against our rules. The texts contain patient information and must therefore be handled securely,” Anders Printz of the National Board of Health and Welfare said to daily Dagens Nyheter (DN).

Today, many health care providers in Sweden use text messages to remind patients of looming appointments. But now this will have to cease. At least for the time being.

The rules apply to both dentists’ and doctors’ appointments and it makes no difference if the patient has agreed to be contacted by text message.

Read more in The Local (Se)

I admit I’ve never even thought about this issue as I don’t text anyone, period, but in light of this news story, I wonder how many U.S. health care professionals use text messages to communicate with patients. I hope none, but I wouldn’t be surprised to hear that it goes on.

[From the article:

The National Board of Health and Welfare argue that because the traffic is not encrypted there is no way of making sure that the texts reach the right person.

… The Swedish Public Dental Service (Folktandvården) is one health care provider that has made good use of text message reminders. They think that the reasoning around text messages is surprising.

“It seems strange that it wouldn’t be allowed to send text messages to those patients that have agreed to it. If they give us their phone number we are allowed to phone them,” Irene Smedberg of the Public Dental Service said to DN.

(Related) “Citizens! Give us your personal information so we can protect it! If you don't voluntarily surrender this information, we'll assume you have something to hide...”

Report: U.S. to issue terror alerts via Facebook, Twitter

The Department of Homeland Security plans to replace its color-coded, five-level system of terrorism alerts with a new two-tiered approach later this month and will issue some public alerts via Facebook and Twitter, according to a report.

The Associated Press said it had obtained a confidential, departmental document outlining the plan, which, though not yet finalized, should go into effect by April 27.

According to the AP, the new plan will ditch the notoriously perplexing, green-to-red, low risk–to–severe risk system put in place in 2002 with a two-level system that labels threats as either "elevated" or "imminent." [Do you know if those “levels” connect with any specific regulatory power? If it was possible to have a “Nothing To Worry About” level, would there be a cut in funding? Bob]

“We've gotta DO something!”

TSA Is Taking Steps to Validate the Science Underlying Its Passenger Behavior Detection Program, but Efforts May Not Be Comprehensive

As GAO reported in May 2010, TSA deployed its behavior detection program nationwide before first determining whether there was a scientifically valid basis for the program. According to TSA, the program was deployed before a scientific validation of the program was completed in response to the need to address potential security threats. However, a scientific consensus does not exist on whether behavior detection principles can be reliably used for counterterrorism purposes, according to a 2008 report of the National Research Council of the National Academy of Sciences.

For my Ethical Hackers

Schneier's blog tips an article about research into geolocation that can track down a computer's location from its IP address to within 690 meters on average without voluntary disclosure from the target. Quoting:

"The first stage measures the time it takes to send a data packet to the target and converts it into a distance – a common geolocation technique that narrows the target's possible location to a radius of around 200 kilometers. Wang and colleagues then send data packets to the known Google Maps landmark servers in this large area to find which routers they pass through. When a landmark machine and the target computer have shared a router, the researchers can compare how long a packet takes to reach each machine from the router; converted into an estimate of distance, this time difference narrows the search down further. 'We shrink the size of the area where the target potentially is,' explains Wang. Finally, they repeat the landmark search at this more fine-grained level: comparing delay times once more, they establish which landmark server is closest to the target."

No doubt this will confuse those in the Academic community who refuse to allow their students to use Wikipedia...

Editing Wikipedia Helps Professor Attain Tenure

"Lianna Davis writes in Watching the Watchers that Michel Aaij has won tenure in the Department of English and Philosophy at Auburn University Montgomery in Alabama in part because of the more than 60,000 edits ... he's written for Wikipedia. ... Aaij felt that his contributions to Wikipedia merited mention in his tenure portfolio and a few weeks before the portfolio was due two of his colleagues suggested, after they had heard him talk once or twice about the peer-review process for a Good Article, that he should include it under 'research' as well as 'service.'"

Thursday, April 07, 2011

Looks like a day of questions. The first is the classic, what did they know and when did they know it?

Epsilon breach used four-month-old attack

April 7, 2011 by admin

Brett Winterford writes:

… Today iTnews can reveal that Epsilon has been aware of the vulnerability behind this attack for some months.

In late November, Epsilon partner ReturnPath – which provides monitoring and authentication services to email service providers – warned customers about a series of coordinated phishing and hacking attacks levelled at the mailing list industry.

Neil Schwartzman, senior director of security strategy at Return Path’s ‘Email Intelligence Group’ warned its partners of “an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems”.

He said that the phishing attacks were targeted specifically at employees at email service providers that had specific access to email operations.

Read more on iTnews. I note that Epsilon has not actually stated or confirmed the cause of the breach. That said, I suspect Neil’s right and I’m definitely not surprised to read this.

As a reminder, a Walgreens spokesperson had told that after the December breach that led to its notifying customers:

After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.

Phishing attacks on ESPs like Epsilon are not new. There were breaches, and the threat was made publicly known. What did Epsilon do since they were made known? It seems evident that whatever they may have done, it wasn’t sufficient – assuming that this breach was of the same type as what we saw last year.

In 2008, we saw a rash of breaches in the hospitality sector when cybercriminals learned that many restaurants were using default configurations on their POS systems for customers’ credit or debit card payments. The industry spread the word – or tried to – about the need to disable remote desktop access unless absolutely necessary and to change their passwords and to limit access. There are still some breaches of this kind, but they have declined dramatically.

Now we have a rash of breaches involving ESPs. Will the Epsilon fiasco be the wakeup call for this industry? One would hope so, but before that happens, I fear we’re going to hear about more breaches – including some breaches that may have already occurred but not have been fully disclosed.

(Related) These questions seem to confirm my suspicions that the Epsilon breach is big enough to be a potential game changer.

House Lawmakers Want Info About Data Breach – So Do I!

April 6, 2011 by admin

Earlier today, I noted that Senator Blumenthal had asked Attorney General Holder to open an investigation into the Epsilon breach.

Also today, some members of the House decided that they wanted some answers, too. Juliana Gruenwald reports:

In a letter Wednesday to Epsilon’s parent company, Alliance Data Systems, the leaders of the Subcommittee on Commerce, Manufacturing and Trade voiced concern that even access to limited data such as a name and e-mail address can lead to identity theft.

“In the simplest fashion, a criminal can easily create a phishing e-mail that could lead an unwitting consumer into financial disaster,” subcommittee Chairwoman Mary Bono Mack, R-Calif., and ranking member G.K. Butterfield, D-N.C., wrote. “With a reported 40 billion marketing e-mails sent a year, the Epsilon breach could potentially impact a historic number of consumers.”

In response, the lawmakers asked for more details by April 18 on the breach and how it might affect consumers.

Some of the information they are seeking include: when Epsilon learned of the breach; when it notified authorities and its corporate customers about the breach; how many companies and consumers were affected; which companies were affected; what information was taken; how did the breach occur; and what steps the company is taking to prevent future intrusions.

Oh please, please, please, add a P.S. to that list of questions to include:

  • Was that Epsilon’s first breach, its second, third…?

And if there was a previous breach (as seems to be a reasonable hypothesis in light of Walgreens’ previous notice to customers):

  • Was this breach via the same means as the previous breach circa November 2010?

  • How many clients – and specifically which clients – did they notify of the 2010 breach?

  • What additional security steps did they take in response to Walgreens’ reported request in December 2010 that they add security protections to prevent a breach like the one Walgreens reported to its customers in December 2010?

  • Epsilon detected the breach on March 30, but when did it actually occur?

  • What other kinds of personal information were on the same server(s) that were compromised?

Read more on National Journal.

You can read the Representatives’ letter to Alliance here.

(Related) Many of Epsilon's clients have a global customer base...

AU: Privacy czar to investigate Epsilon email breach

(Related) France makes it much more difficult to protect users (much more attractive for hackers looking for passwords) Question: If you have access to all the data in a user's account, why do you need the password?

France Outlaws Hashed Passwords

"Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."

Questions for the Cloud Computing industry?

Does Government Own Your Remotely Backed Up Computer Files, Your Emails, or Your Cell Phone GPS Info?

April 6, 2011 by Dissent

Warner Todd Huston writes:

Did you know that there are no laws to prevent government agencies from raiding your computer’s remotely hosted back up files, your third party emails, your cloud computing files, or your cell phone GPS location records? Well, there aren’t. As the law stands today government can go into your private computer files or trace your cell phone location without a warrant.

As a result of this lapse in protection from unlawful search and seizure, a new group of concerned parties intends to change the law with the Digital Fourth Amendment campaign.

Read more on Publius Forum

(Related) I can see their interest in published writing (your Facebook page) but does the unpublished (background) stuff have any bearing on job performance?

ACLU Responds To Maryland Division Of Corrections’ Revision Of Invasive Social Media Policy

April 6, 2011 by Dissent

Today, the Maryland Department of Corrections released a letter describing a revised social media policy, in response to a complaint from the American Civil Liberties Union of Maryland asking DOC to rescind their blanket policy demanding personal social media passwords from corrections officers and applicants as part of the employment certification process.

The ACLU’s January 25 letter to Public Safety Secretary Gary Maynard details the experience of Officer Robert Collins, who was ordered to supply his Facebook login information during a recertification interview – giving the DOC access to his private electronic communications, and leaving his friends vulnerable to governmental cyber-snooping.

There was a public outcry when the case was reported in the media in February, and within days after the case was publicized, the department suspended the practice. Of concern, however, the state’s Attorney General held that the practice could be appropriate and legal under some circumstances. The Department of Corrections has not yet provided the written policy itself, although the ACLU has requested a copy.

Deborah Jeon, Legal Director for the ACLU of Maryland, said:

“The government should not ask people to “volunteer” access to their private, personal communications. If the term “chilling effect” describes anything, it describes this. Few job applicants, eager to please a prospective employer, are going to feel genuinely free to decline to give up their information. Under the DOC’s reasoning, it would be equally permissible (and logical) for them to ask that job applicants volunteer to have the DOC monitor all of their calls, read all of their e-mail, look at all of their letters, and search their houses on demand. The fact that no employer in the country would think of “asking” that strongly indicates how improper it is, and how improper this is.”

According to a statement released by the ACLU, although the government promises not to refuse to hire someone because the applicant does not turn over their password, it will be virtually impossible for an applicant who suspects the government is not living up to its word to prove that. Moreover, if the policy is truly voluntary, and if it is true that no negative inferences will be drawn, then it serves no useful purpose. [I doubt they'll buy the “logic” of this argument. Bob]

Equally significant, the revised policy does not address the privacy rights of the Facebook “friends” of those who apply for positions and agree to grant the government access to their social media sites, whose privacy rights are invaded by the government without their consent.

In a separate press statement regarding the policy change, the Department of Correction claims that, according to their own figures, 94 percent of those hired by the DOC during the past year shared their social media information. Because most people would not want to share their social network posts with a future employer, the staggeringly high rate of “volunteering to share” suggests that this was not really perceived as voluntary if one wants to get a job. The DOC statement is ambiguous as to whether anyone actually refused, saying only that five of those hired “chose not to, or were unable to” supply their login information.

Of significant interest is the omission from the DOC press statement of any statement as to how many of those who were not hired declined to provide the DOC with social media information.

(Related) Change is frightening. When you have a process that works and everyone understands it, it is very difficult to unlearn that process and learn a new one. Likewise, it is easier to oppose change than to support it.

Justice Department opposes digital privacy reforms

April 6, 2011 by Dissent

Declan McCullagh reports:

The U.S. Justice Department today offered what amounts to a frontal attack on proposals to amend federal law to better protect Americans’ privacy.

James Baker, the associate deputy attorney general, warned that rewriting a 1986 privacy law to grant cloud computing users more privacy protections and to require court approval before tracking Americans’ cell phones would hinder police investigations.

This appears the first time that the Justice Department has publicly responded to a set of digital privacy proposals unveiled last year by a coalition of businesses and advocacy groups including AT&T, Google, Microsoft, eBay, the American Civil Liberties Union, and Americans for Tax Reform.

Read more on cnet.

[From the article:

The question at hand is rewriting the Electronic Communications Privacy Act, or ECPA, which was enacted in the pre-Internet era of telephone modems and is so notoriously convoluted, it's difficult even for judges to follow.

[An interesting graphic illustrating how email is protected (or not):

This has further implications for Data Mining. If you have millions of records, can you determine who is a terrorist and who is a completely innocent Blogger? (I really need to know!)

Applying the Mosaic Theory of the Fourth Amendment to Disclosure of Stored Records

April 6, 2011 by Dissent

Orin Kerr writes:

I’ve blogged a few times about United States v. Maynard, the controversial D.C. Circuit case holding that over time, GPS surveillance begins to be a search that requires a warrant. Maynard introduced a novel mosaic theory of the Fourth Amendment: Although individual moments of surveillance were not searches, when you added up the surveillance over time, all the non-searches taken together amounted to a search. The obvious question is, just how much is enough to trigger a search? At what point does the Constitution require the police to get a warrant?

This issue recently came up in a court order application before Magistrate Judge James Orenstein in Brooklyn seeking historical cell-site location for two cell phones used by a particular suspect.

Read more on The Volokh Conspiracy.

Julian Sanchez responds to Orin’s commentary in, “Blurry Lines, Discrete Acts, and Government Searches.” Julian writes, in part:

Orin’s point about the seeming arbitrariness of these determinations—and the difficulties it presents to police officers who need a rule to rely on—is certainly well taken. The problem is, the government is always going to have substantial control over how any particular effort at information gathering is broken into “acts” that the courts are bound to view “discretely.” If technology makes it easy to synthesize distinct pieces of information, and Fourth Amendment scrutiny is concerned exclusively with whether each particular “act” of information acquisition constitutes a search, the government ends up with substantial ability to game the system by structuring its information gathering as a series of acquisitions, each individually below the threshold.

Behavioral Advertising may be too aggressive?

Do certain mobile apps violate the Computer Fraud and Abuse Act?

April 6, 2011 by Dissent

Caroline Belich writes:

According to the Wall Street Journal and other sources, federal prosecutors in New Jersey are investigating whether certain mobile applications for smartphones have illegally obtained or transmitted information about their users. Part of the criminal investigation is to determine whether these app makers made appropriate disclosures to users about how and why their personal information is being used. The app makers subpoenaed include the popular online music service Pandora.

Examples of information disclosed by these app makers may include a user’s age, gender, location, and also unique identifiers for the phone. The information may then be passed on to third parties and advertising networks. The problem is that users may be unaware that their information is being accessed by a smartphone app because a maker failed to notify them.

As a result, this failure to notify may violate the Computer Fraud and Abuse Act (18 USC 1030).

Read more on Internet Cases.

A data breach as a labor negotiation tactic? Lots of unanswered questions here, and I'm too ignorant to see how this aids negotiations in any way.

US Airways Pilots Express Outrage over Data Theft

April 6, 2011 by admin

A press release from the U.S. Airlines Pilots Association reminds us yet again how labor disputes may increase the risk of a privacy breach or data breach:

The pilots of US Airways, represented by the US Airline Pilots Association (USAPA), today expressed their outrage at the airline’s acknowledgement that its management personnel aided in unauthorized distribution of the highly confidential personal data of thousands of pilots. USAPA is currently cooperating with a criminal investigation into this matter.

US Airways recently admitted that a management pilot accessed and transferred a confidential database containing the personal information of thousands of US Airways pilots, including names, addresses and Social Security numbers. The transferred database may also have included pilot passport information. The data was given to a third party pilot group, which has acted to disrupt the ongoing negotiations between USAPA and US Airways currently under the auspices of the National Mediation Board and undermine USAPA’s bargaining objectives.

“US Airways pilots are infuriated at the data breach perpetuated by a management official of the company for which they work,” stated Mike Cleary, president of USAPA. “Thousands of us have been exposed to identity theft that could impact us for the rest of our lives. Further, as the Federal Bureau of Investigation has yet to determine the extent of the breach, we are concerned about the security of ALL information provided to US Airways – including our families’ personal information. US Airways collects personal information on US Airways employees’ family members and information from passengers, such as credit card data.”

USAPA has been working with the FBI since November 2010 in an attempt to determine the exact scope of the data breach. In his letter alerting the FBI, the Transportation Security Administration and the Federal Aviation Administration to USAPA’s concerns, President Cleary said,

“We believe the unauthorized access to this confidential information may pose a direct threat to national security, our represented pilots’ safety, and their professional standing.

“The exact scope of the breach is unknown, but unauthorized access to airline pilot passport numbers coupled with pilot residential addresses could potentially be used to forge U.S. commercial airline pilot passports, or identities, in order to gain access to international or domestic commercial aircraft or flights – thereby posing a direct threat to our nation’s security.”

“In light of this breach, USAPA has concluded that US Airways cannot be trusted with confidential or sensitive information,” President Cleary said today. “The union is also extremely disappointed by the Company’s lack of aggressive action to address this issue, first denying that a significant breach had even occurred, then equivocating concerning the extent of that breach, all the while taking no remedial action against the Company personnel involved in the breach. Significantly, the Company has also failed to take steps to provide lifelong protection to the pilots directly affected and adequately address the potential national security issues for all of our pilots and passengers.”

USAPA is committed to spending the time and resources necessary to protect its members, while it believes that US Airways sits on the sideline. US Airways management has informed USAPA that it is relying on the “assurances” of the very parties responsible for the data breach that the confidential information will not be misused.

“This is, of course, ludicrous,” President Cleary responded. “It’s analogous to a bank robber promising he will not spend the stolen loot. We are demanding swift and aggressive action as we simultaneously take significant steps to hold both US Airways and the specific responsible parties liable for the damage caused.”

For my Disaster Recovery students. How easy would it be to disrupt the Internet in your neighborhood? The Internet was designed to re-route data around links taken out in a nuclear war – but you have to have more than one link for that to work.

Elderly Georgian Woman Cuts Armenian Internet

"An elderly Georgian woman was scavenging for copper with a spade when she accidentally sliced through an underground cable and cut off internet services to nearly all of neighboring Armenia. The fibre-optic cable near Tbilisi, Georgia, supplies about 90% of Armenia's internet so the woman's unwitting sabotage had catastrophic consequences. Web users in the nation of 3.2 million people were left twiddling their thumbs for up to five hours. Large parts of Georgia and some areas of Azerbaijan were also affected. Dubbed 'the spade-hacker' by local media, the woman is being investigated on suspicion of damaging property. She faces up to three years in prison if charged and convicted."

Wednesday, April 06, 2011

Are we seeing only a small part of this breach?

Who is Epsilon and why does it have my data?

Epsilon is one of a growing number of companies that offer outsourced services for helping companies attract and keep customers. In addition to offering e-mail marketing services and managing customer e-mail databases for clients, Epsilon monitors social networking and other sites to see what people are saying about a company, advises on markets to target, helps develop and maintain customer loyalty programs, and offers Abacus, "the world's largest cooperative database with over 8.6 billion consumer transactions and 4.8 billion business transactions" used for creating lists of prospective customers. The different data Epsilon sells includes age, profession, residence, ethnic information and political affiliation, according to a list published on the site of security firm Magmatic.

"The e-mail component of Epsilon is a small part of the company," Dave Frankland, vice president and principal analyst at Forrester Research, told CNET. "They are in the business of managing customer data and helping companies integrate that data and communicate more effectively with customers. So they have a lot more information than just e-mail addresses and names."

… Breaches at third-party providers aren't new. After McDonald's and other companies' customers were informed of a breach at their e-mail database provider late last year, Silverpop acknowledged that it was one of "several technology providers targeted as part of a broader cyberattack."

… The Epsilon breach appears to be truly shaking the industry, said Frankland who is at the Forrester Marketing Forum this week and wrote this blog post on the incident.

"Epsilon, as well as its competitors, are here. They're all saying 'it could have been us,'" he said. "There is a lot of talk about legislation in the industry. This is going to increase the spotlight."

… Epsilon also has information and links for opting out of its e-mail and marketing services on its Web site here. [But, they will keep your information on the database, even if their clients no longer use their services... Bob]

No surprise. Data on the Internet is kept for geological time...

Why unsubscribing might not have protected you from the Epsilon breach

April 5, 2011 by Dissent

Back in December 2010, when Walgreens sent out its first breach notifications, one of the troubling aspects was that despite the fact that consumers had unsubscribed from their mailings, their data had been retained. The December 2010 notification email read, in part:

We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue. As a company, we absolutely believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. Online security experts have reported an increase in attacks on email systems, and therefore we have voluntarily contacted the appropriate authorities and are working with them regarding this incident.

So why did they retain his data when the customers had clearly unsubscribed? How does it inspire trust if you keep data that you are no longer supposed to use when hanging on to it increases the risk that it will be acquired by cybercriminals? How is that a relationship built on trust?

Fast forward and it appears that it has happened again. The latest round of Walgreens notifications reads, in part:


We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue, but we feel an obligation to make you aware of this incident. We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.


Walgreens Customer Service Team

So why were those data still on Epsilon’s servers? Was that a function of Walgreens’ policies about data retention even for unsubscribers? [Either a deliberate policy choice to keep the data, or a failure of management to consider it in their record retention policy Bob]

Shouldn’t “unsubscribe” mean “Pretend you never met me and I never gave you my email address. Delete it.” And do most customers believe that when they unsubscribe, their data are being deleted? [Probably, but your assumption is not my mandate. (Your wish is NOT my command) Bob]

Don’t tell me to read the privacy policies as we all know most people don’t really read them.

Why isn’t there a popup next to the “subscribe” button that tells you that your name and email address will be sent to a third party and will never be deleted even if you unsubscribe? How about:

By subscribing, your name and email address will go to a vendor that we trust, even if you don’t know who they are. And your data will remain with that vendor even after you die, barring any act of Congress or the FTC.

Wouldn’t that at least be more transparent if you’re not going to delete the data when the customer unsubscribes?

Walgreens has not (yet) responded to an inquiry I sent them about this issue earlier today.
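The post above asks why an unsubscribed address was still sitting on a vendor's servers. A marketer does have one legitimate reason to remember an opt-out (so a re-imported old list does not re-subscribe the person), but that does not require keeping the address itself. As an added example, not code from the original post or from Walgreens or Epsilon, the toy store below deletes the profile on unsubscribe and keeps only a keyed hash on a suppression list; the key, names and addresses are constructed.

```python
"""Unsubscribe that deletes the address but still honours the opt-out.

Added example, not from the original post. The suppression list holds an
HMAC of the normalised address rather than the address, so a dump of the
mailing database exposes only current subscribers, while a later attempt
to re-add an opted-out person is still refused.
"""
import hashlib
import hmac

# Constructed demo key. In practice this lives in a secrets manager, not in
# the mailing database, so a database dump alone cannot be matched against
# a list of candidate addresses.
SUPPRESSION_KEY = b"constructed-demo-key-rotate-me"


def normalise(email: str) -> str:
    """Lower-case and trim so the same address always yields the same token."""
    return email.strip().lower()


def suppression_token(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Keyed hash of the address: recognisable with the key, opaque without it."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


class MailingList:
    """In-memory stand-in for a vendor's subscriber store (constructed)."""

    def __init__(self) -> None:
        self.profiles: dict[str, dict] = {}   # email -> personal data
        self.suppressed: set[str] = set()     # HMAC tokens only, no addresses

    def subscribe(self, email: str, name: str) -> bool:
        """Add a subscriber unless this address previously opted out."""
        email = normalise(email)
        if suppression_token(email) in self.suppressed:
            return False          # honour the earlier unsubscribe
        self.profiles[email] = {"name": name}
        return True

    def unsubscribe(self, email: str) -> None:
        """Record the opt-out as a token, then delete the personal data."""
        email = normalise(email)
        self.suppressed.add(suppression_token(email))
        self.profiles.pop(email, None)

    def breach_exposure(self) -> list[str]:
        """Addresses a dump of this store would reveal: current subscribers only."""
        return sorted(self.profiles)


if __name__ == "__main__":
    ml = MailingList()
    ml.subscribe("Alice@Example.com", "Alice")   # constructed addresses
    ml.subscribe("bob@example.com", "Bob")
    ml.unsubscribe("alice@example.com")
    print("exposed on breach:", ml.breach_exposure())
    print("re-import of alice accepted?", ml.subscribe("ALICE@example.com", "Alice"))
```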

What can you do with a mere email address?

Attack on RSA used zero-day Flash exploit in Excel

The breach at RSA that could compromise the effectiveness of the firm's two-factor authentication SecurID tokens was accomplished via phishing e-mails and an exploit for a previously unpatched Adobe Flash hole, RSA has revealed.

Small, but some interesting twists (and lots of common themes)

CT: MidState Medical Center informs 93,500 patients of data breach

By Dissent, April 5, 2011

Greg Bordonaro reports:

MidState Medical Center has begun sending letters to 93,500 patients whose personal information may have been compromised following the accidental loss of a computer hard drive, [unencrypted, of course Bob] the hospital said in a letter to employees Tuesday.

The misplaced hard drive, which has not yet been recovered, contains patients’ names, addresses, birthdates, social security numbers and medical record numbers, hospital spokeswoman Pamela Cretella said.

The hospital learned of the misplaced hard drive, which was lost by a Hartford Hospital employee, Feb. 15, Cretella said. The hospital conducted an investigation into the matter and began notifying patients in a letter sent today.

Cretella said the hospital has no reason to believe that any personal information found on the lost hard drive has been misused. But MidState is offering those who have been affected two years of identity protection with Debix Identity Protection Network.

A statement on the medical center’s web site dated April 5 says:

Important Notice to Patients Regarding Misplaced Personal Information

By MidState Staff

MERIDEN – On February 15, 2011, we learned that a hard drive containing personal information of some patients of MidState Medical Center had been misplaced. The information contained on the device consisted of names, addresses, dates of birth, marital status, Social Security numbers and medical record numbers. Not all of the patients being notified of the incident had Social Security numbers on the missing hard drive. We promptly began an investigation of the incident and subsequently reported the event to law enforcement authorities.

… MidState Medical Center and other affiliates of Hartford HealthCare are in the process of reviewing their policies and are taking steps to help ensure that this type of incident does not happen in the future [Encryption? Bob]

A companion FAQ on the breach, also on the medical center’s web site, has some interesting details (emphasis added by me):

… We promptly began an investigation and subsequently reported the event to law enforcement authorities. The individual is no longer employed by our business associate, Hartford Hospital, or any other Hartford HealthCare affiliate.

We also retained a private investigator to search for the hard drive, but it has not been found. [What prompted this? Bob]

More of the same, with a few new tricks...

April 05, 2011

Symantec Internet Security Threat Report: Trends for 2010

Symantec Internet Security Threat Report Trends for 2010, Volume 16, Published April 2011

  • "Spam and phishing data is captured through a variety of sources, including the Symantec Probe Network, a system of more than 5 million decoy accounts; MessageLabs™ Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; as well as other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over 8 billion email messages, as well as over 1 billion Web requests are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future."

  • "Symantec recorded over 3 billion malware attacks in 2010 and yet one stands out more than the rest - Stuxnet. This attack captured the attention of many and led to wild speculation on the target of the attacks and who was behind them...."

[From the report:

The ability to research a target online has enabled hackers to create powerful social engineering attacks that easily fool even sophisticated users.

… All these types of attacks are moving to mobile devices, limited only by attackers getting a return on their investment.

… Polymorphism and new delivery mechanisms such as Web-attack toolkits continued to drive up the number of malware variants in common circulation. In 2010, Symantec encountered more than 286 million unique variants of malware. [Security cannot be done “manually.” Bob]

Italy again. Are they now the leading edge of “Luddite legislation?”

Google Loses Autocomplete Defamation Case

"Google has been found liable in an Italian court for defamatory comments made against an anonymous plaintiff — the complainant's name, when googled, elicited autocomplete suggestions that translate as 'con man' and 'fraud.' Google was found not to qualify for EU 'safe harbour' protection because the autocomplete suggestions were deemed to be Google's own creation, and not something merely passing through its systems."

(Related) Not to be left out of the “Luddite Legion”...

Street View slapped by Swiss court on privacy issue

According to the Federal Administrative Court’s ruling of March 30, Google is not currently utilising sufficient protective processes to fully safeguard the identities of people (and the number plates of vehicles) inadvertently snapped by the fleet of Street View camera cars.

… As things stand, Google uses special algorithms to apply pixel blurring to the faces of any people (and vehicle number plates) caught by the multi-directional lenses of its Street View cameras. According to Google, its automatic blurring system is successful 99 percent of the time.

It’s also worth noting that any Swiss citizen that finds their face has slipped through the Street View security net can always have blurring applied upon request.

However, that clearly isn’t good enough for the Swiss court, which wants Google to manually seek out and blur the identifying features of anyone and everyone photographed by Street View—placing particular focus around “sensitive” locations such as courts, hospitals, prisons, retirement homes, schools and women’s shelters.

I may be only ¼ Dutch, but I can understand why they gave this the finger... After all, a leak is a leak.

Dutch Senate rejects electronic patients’ records

By Dissent, April 5, 2011

Radio Netherlands Worldwide reports:

The Dutch Senate has unanimously rejected Health Minister Edith Schippers’ plan to introduce the Electronic Patient Dossier (EPD) nationwide.

Under the scheme, people’s medical records would have been available to doctors and other health professionals throughout the country. However, the senators decided that the planned system’s security was not good enough and that patients’ privacy and rights were not adequately safeguarded.

The EPD has been planned by successive governments over the last 14 years and has so far cost 300 million euros. [You would think that in 14 years, someone would have considered Security? Bob] Official figures show nearly 60 percent of healthcare professionals such as family doctors and pharmacies have voluntarily joined the scheme, which already holds the medical records of nearly 8.5 million Dutch residents.

So what’s the security like on those 8.5 million residents’ records? I wonder if people will be concerned enough by the Senate’s action to ask that their files not be part of the scheme any more.

Interesting, but I want to see it work.

Digital Agenda: new guidelines to address privacy concerns over use of smart tags

April 6, 2011 by Dissent

Today the European Commission has signed a voluntary agreement with industry, civil society, ENISA (European Network and Information Security Agency) and privacy and data protection watchdogs in Europe to establish guidelines for all companies in Europe to address the data protection implications of smart tags (Radio Frequency Identification Devices – RFID) prior to placing them on the market. The use of such smart tags is expanding enormously (around 1 billion in Europe in 2011) [so this is not really “ahead of the curve” Bob] but there are widespread concerns about their privacy implications. RFIDs can be found in many objects from bus passes to smart cards that pay motorway tolls. Microelectronic devices can process data automatically from RFID tags when brought close to ‘readers’ that activate them, pick up their radio signal and exchange data with them. Today’s agreement forms part of the implementation of a Commission Recommendation adopted in 2009 (see IP/09/740) that inter alia indicates that when consumers buy products with smart tags, they should be deactivated automatically, immediately and free-of-charge unless the consumer agrees explicitly that they are not.

Neelie Kroes, European Commission Vice-President for the Digital Agenda said “I warmly welcome today’s milestone agreement to put consumers’ privacy at the centre of smart tag technology and to make sure privacy concerns are addressed before products are placed on the market. I’m pleased that industry is working with consumers, privacy watchdogs and others to address legitimate concerns over data privacy and security related to the use of these smart tags. This sets a good example for other industries and technologies to address privacy concerns in Europe in a practical way.”

The agreement signed today, “Privacy and Data Protection Impact Assessment (PIA) Framework for RFID Applications”, aims to ensure consumers’ privacy before RFID tags are introduced on a massive scale (see IP/09/952). Around 2.8 billion smart tags are predicted to be sold in 2011, with about one third of these in Europe. But industry estimates that there could be up to 50 billion connected electronic devices by 2020.

RFID tags in devices such as mobile phones, computers, fridges, e-books and cars bring many potential advantages for businesses, public services and consumer products. Examples include improving product reliability, energy efficiency and recycling processes, paying road tolls without having to stop at toll booths, cutting time spent waiting for luggage at the airport and lowering the environmental footprint of products and services.

However RFID tags also raise potential privacy, security and data protection risks. This includes the possibility of a third party accessing your personal data (e.g. concerning your location) without your permission.

For example, many drivers pay tolls electronically to use roads, airport and car parks based on data collected through RFID tags on their car windscreens. Unless preventative action is taken, RFID readers found outside those specific locations could unwittingly lead to privacy leaks revealing the location of the vehicle. Many hospitals use RFID tags to track inventory and identify patients. While this technology can improve the overall quality of healthcare, the benefits must be balanced with privacy and security concerns.

Comprehensive assessment of privacy risks

Under the agreement, companies will carry out a comprehensive assessment of privacy risks [sure they will Bob] and take measures to address the risks identified before a new smart tag application is introduced onto the market. This will include the potential impact on privacy of links between the data collected and transmitted and other data. This is particularly important in the case of sensitive personal data such as biometric, health or identity data.

The PIA Framework establishes for the first time in Europe a clear methodology to assess and mitigate the privacy risks of smart tags that can be applied by all industry sectors that use smart tags (for example, transport, logistics, the retail trade, ticketing, security and health care).

In particular, the PIA framework will not only give companies legal certainty that the use of their tags is compatible with European privacy legislation but also offer better protection for European citizens and consumers.


In May 2009 all interested stakeholders from industry, standardisation bodies, consumers’ organisations, civil society groups, and trade unions, agreed to respect a Recommendation from the European Commission laying out principles for privacy and data protection in the use of smart tags (see IP/09/740). Today’s PIA Framework is part of the implementation of the 2009 Recommendation. Information gathered during the PIA framework drafting process will also make a valuable contribution to discussions on the revision of EU rules on Data Protection (see IP/10/1462 and MEMO/10/542) and on how to address the new challenges for personal data protection brought by technological developments.

Source: Press Release from

So, delegate already!

House Votes To Overturn FCC On Net Neutrality

"House Republicans voted unanimously today to block controversial Net neutrality regulations from taking effect, a move that is likely to invite a confrontation with President Obama. By a vote of 241 to 178, the House of Representatives adopted a one-page resolution that says, simply, the regulations adopted by the Federal Communications Commission on December 21 'shall have no force or effect.' 'Congress did not authorize the FCC to regulate in this area,' Rep. Rob Woodall (R-Ga.), said during this morning's floor debate. 'We must reject any rules that it promulgates in this area... It is Congress' responsibility to delegate that authority.'"

This is nothing new, surely?

Key Music Industry Lawyer Named EU Copyright Chief

"The European Union's new point person on copyright policy won't take up her post until mid-April, but she's already stirring up controversy. That's because Maria Martin-Prat spent years directing 'global legal policy' for IFPI, the global recording industry's London-based trade group, before moving back into government. The appointment raises new questions about the past private-sector work of government officials, especially those crafting policy or issuing legal judgments on the same issues they once lobbied for."

This fits with our increasing “work from home” (online and hybrid classes) at the university.

Ask Slashdot: Would You Take a Pay Cut To Telecommute?

"IT pros want to telecommute — so much so that more than one-third of those surveyed by Dice said they would take a pay cut for the chance to work full time from home. In a survey conducted by the careers site, 35% of technology professionals said they would sacrifice up to 10% of their salaries for full-time telecommuting. The average tech pro was paid $79,384 last year, according to Dice's annual salary survey, which means a 10% pay cut is equivalent to $7,900 on average."

It's a geek thing, we're not really going to carry our PC around to make phone calls...

Want To Run Android Apps On Your Windows PC? You Can With BlueStacks.

There’s nothing new about virtualization software, per se, but BlueStacks might be worth checking out. It brings the Android operating system to Windows-based computers via a virtualization layer, much like how you can run Windows “inside” your Mac using Parallels. Why, exactly, you’d want to run Android “inside” your Windows PC, I’m not exactly sure, but there’s nothing inherently wrong with giving it a go.