Wednesday, June 13, 2012

Have I mentioned that management seems unable to accurately determine the scope of a security breach prior to the first announcement? If I was a true cynic, I would suspect they wanted to keep the really bad stuff hidden at first, hoping that no one would notice when they finally disclosed it. Apparently, they store data for some customers that goes beyond that needed to complete the credit card transaction.
Global Payments: Consumer data may also have been stolen
Credit card processor Global Payments said today that in the course of investigating the theft of 1.5 million credit card numbers, it has discovered that hackers may also have stolen consumer data from servers.
"Our ongoing investigation recently revealed potential unauthorized access [Does that mean they may have accessed the data or that they may have been authorized to access the data? Bob] to personal information collected from a subset of merchant applicants," the company said in a statement on its Web site.
"It is unclear whether the intruders looked at or took any personal information from the company's systems [You have no log of activity on your system? Bob]

I don't see much new...
June 12, 2012
IC3 2011 Internet Crime Report Released
[May 10, 2012] - "The Internet Crime Complaint Center (IC3) released the 2011 Internet Crime Report — an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row that the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. As more Internet crimes are reported, IC3 can better assist law enforcement in the apprehension and prosecution of those responsible for perpetrating Internet crime."

Sounds fair to me, but it also suggests an ever-increasing “war” of video recordings... (Is someone tracking who is using video to lie?)
"Posting videos to YouTube allegedly showing police misconduct has become commonplace these days. Now police themselves are posting their own videos to refute misconduct claims. 'After a dozen Occupy Minnesota protesters were arrested at a downtown demonstration, the group quickly took to the Internet, posting video that activists said showed police treating them roughly and never warning them to leave. But Minneapolis police knew warnings had been given. And they had their own video to prove it. So they posted the footage on YouTube, an example of how law enforcement agencies nationwide are embracing online video to cast doubt on false claims and offer their own perspective to the public.'"

On June 4th I posted this article: “UK: Google was allowed to destroy data haul after ICO spent less than three hours examining information collected by Street Cars ” Looks like several people found that inadequate.
UK reopens probe into Google’s Street View data capture
June 13, 2012 by Dissent
BBC reports:
Google is back under investigation after gathering personal data while cameras on its cars took pictures for its UK Street View service.
The Information Commissioner’s Office previously dropped a probe into the affair after being told limited data had been “mistakenly collected”.
However, it said it had since become aware of reports that a Google engineer had deliberately written software to obtain a wider range of material.
The ICO has asked for more information.
Specifically it wants to know what type of data was captured; when Google managers became aware of the issue; how the news was managed and why the full range of gathered data was not represented in a sample the firm presented to it in 2010.
Furthermore it has requested a certificate to show that the data had since been destroyed.
Read more on BBC.
It’s hard not to view this as anything more than “Data Protection Theater.” I don’t recall ever seeing anyone use that phrase before, but it seems like a useful generalization from “security theater” to describe things governments do that are supposed to protect our data and privacy but don’t.
In this case, the ICO had an opportunity to really investigate the Street View mess but did only minimal investigation. Now it’s embarrassed after the FCC report was released and is making a show of looking into this more. Did the ICO ever ask Google to sign an affidavit attesting that the sample presented represented the full range of data types gathered? According to the ICO’s letter to Google, Google misled them. Now they’re asking to see design documents and a whole lot more.
That said, I don’t expect anything really useful to come out of this investigation other than to accomplish some egg-removing from the ICO’s face.

(Related) “Oops! Looks like we accidentally designed our software to work like Google Street View...”
Virgin Media denies intention to monitor commuters’ emails
June 12, 2012 by Dissent
Sophie Curtis reports that Virgin Media has clarified its Terms & Conditions to make clear that they never intended to snoop on communications, even though their T&C appeared to reserve that right unrestrictedly:
Virgin Media has amended a clause in the terms and conditions for users of its London Underground Wi-Fi service, which went live last week, in response to complaints from privacy campaigners.
Originally, the T&Cs stated that Virgin Media “may monitor email and internet communications, including without limitation, any content or material transmitted over the services”.
The suggestion that Virgin Media could be snooping on customers’ communications raised the ire of MPs and privacy campaigners alike, with conservative MP Robert Halfon suggesting that “a surveillance society is being created on the Underground”.
Read more on TechWorld.
Thank goodness at least some people read privacy policies and T&C.

I may ask my IT Management students to do a statistical study of “settlements.” I suspect there is a dollar amount that indicates the settlement was to avoid the hassle of extended legal wrangling that would wind up with no resolution, and another (much?) higher level that suggests “Okay, you got us. Here's the basic settlement plus a reasonable amount to match a future fine.”
Spokeo to Pay $800,000 to Settle FTC Charges Company Allegedly Marketed Information to Employers and Recruiters in Violation of FCRA
June 12, 2012 by Dissent
From the FTC:
Spokeo, Inc., a data broker that compiles and sells detailed information profiles on millions of consumers, will pay $800,000 to settle Federal Trade Commission charges that it marketed the profiles to companies in the human resources, background screening, and recruiting industries without taking steps to protect consumers required under the Fair Credit Reporting Act. This is the first Commission case to address the sale of Internet and social media data in the employment screening context.
The FTC alleged that Spokeo operated as a consumer reporting agency and violated the FCRA by failing to make sure that the information it sold would be used only for legally permissible purposes; failing to ensure the information was accurate; and failing to tell users of its consumer reports about their obligation under the FCRA, including the requirement to notify consumers if the user took an adverse action against the consumer based on information contained in the consumer report.
… According to the FTC, Spokeo collects personal information about consumers from hundreds of online and offline data sources, including social networks. It merges the data to create detailed personal profiles of consumers. The profiles contain such information as name, address, age range, and email address. They also might include hobbies, ethnicity, religion, participation on social networking sites, and photos.
The FTC alleges that from 2008 until 2010, Spokeo marketed the profiles on a subscription basis to human resources professionals, job recruiters, and others as an employment screening tool. [“It takes us a few years to notice this stuff...” Bob]
Note that this may not be the end of Spokeo’s problems, as the plaintiff in a lawsuit in the Ninth Circuit has appealed the court’s dismissal of his case.

It couldn't hurt...
"Rep. Darrell Issa (R-CA) has published a first-draft Internet Bill of Rights, and it's open for feedback. He wrote, 'While I do not have all the answers, the remarkable cooperation we witnessed in defense of an open Internet showed me three things. First, government is flying blind, interfering and regulating without understanding even the basics. Second, we have a rare opportunity to give government marching orders on how to treat the Internet, those who use it and the innovation it supports. And third, we must get to work immediately because our opponents are not giving up.' Given the value of taking an active approach against prospective laws such as SOPA, PIPA, and ACTA, I think it's very important to try to spread awareness, participation, and encourage elected officials to support such things."

So do we live in a digital world or not?
Facebook isn't the place to serve legal papers, says judge
Facebook is the normal way to communicate with people. It may not yet be a fine place to slap legal papers upon an adversary, however.
In an intriguing case involving a mother, a daughter, and a bank, a federal judge decided that it's not yet time for Facebook to become a fine substitute for chasing someone down a street in order to serve them with papers.
Paid Content reports the contents of his ruling as being highly nuanced.

Language evolves (sorry creationists) so it is useful to have a translation tool.

Alternatives to paying an extra $99 to get a clean copy...
… The problem with buying a new Windows PC from a big manufacturer such as HP, Lenovo, Dell, or Acer is the amount of pre-installed software bundled on the machines. Most of it is useless, and none of it was requested by the buyer, hence why we refer to it as crapware.
