- the sensitivity of the information,
- the likelihood of disclosure if additional safeguards are not employed,
- the cost of employing additional safeguards,
- the difficulty of implementing the safeguards, and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Thursday, August 09, 2012
Something for all students (and parents). Trivial numbers, unless you happen to be included.
University of Arizona server exposes personal data on 7,700
August 8, 2012 by admin
Yes, right, sure we’ll let universities amass oodles of personal info on students…
Carol Ann Alaimo reports:
Thousands who received payments from the University of Arizona last school year are at risk of identity theft after their personal data was mistakenly put online for more than a month during an upgrade of UA’s financial systems.
About 7,700 vendors, consultants, guest speakers and UA students had their names and Social Security numbers compromised in the incident that occurred in February and early March, a school official said.
The problem came to light when a UA student Googled herself and her private information popped up on a UA computer server accessible to the public, said Cathy Bates, the university’s information security officer.
Read more on Arizona Daily Star. I cannot find any statement on the university’s web site at the time of this posting.
Wasn't this inevitable? After all, war is an economic event.
Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload
A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.
The malware, which steals system information but also has a mysterious payload that could be destructive, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.
The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.
Can this be significant if the vast majority of people (even victims) have never heard of it?
"Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records were also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."
What a concept!
ABA: Lawyers Must Implement Reasonable Data Security for Client Information
August 8, 2012 by admin
Back on August 2, in response to yet another breach involving a law firm’s records, I wrote to the American Bar Association to ask what the ABA advised members in terms of disposal of records. I got a pro forma response that was totally non-responsive to the question I had posed to them. I wrote back and tried again. This time I got no answer at all. Way to go, ABA.
Thankfully, Jim Brashear has blogged about this very issue. He writes, in part:
This week, the American Bar Association (ABA) House of Delegates adopted changes to Model Rule 1.6 of the ABA Model Rules of Professional Conduct. New subsection (c) adds the following sentence to the model rule:
“A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”
In comments to the revised model rule, the ABA provides a non-exclusive list of factors to be considered in determining the reasonableness of the lawyer’s data security efforts. They include:
Read more on ZixCorp Insight.
So… if most of the records are part of court records that are publicly available, does the lawyer have a duty to shred/securely dispose of the records or not? It almost sounds like they wouldn’t, but I hope that’s not the case.
Update: I put the question to Jim Brashear, who answered me in a series of tweets:
Well, I think they are an ethics breach, too, if not a violation of state law, but I wonder how often such breaches involving lawyers or law firms are brought to state bar associations.
Privacy or “automatic criminal?”
App for disposable phone numbers launches
Meghan Kelly reports on a disposable mobile phone number app that launched today:
Burner launched today, an app that gives you one-off numbers that go dark after you’re done using them. But what happens when those numbers are used by criminals? The privacy-focused company says it is ready to deal with illicit behavior, and will comply with U.S. court orders.
“Burner is a very focused product around anonymity and privacy,” said Burner chief executive Greg Cohn in an interview with VentureBeat. “Part of the reason we’re doing this company is because we’re privacy advocates.”
Burner lets you buy a number to use for a certain amount of time before it is “burned” or goes inactive. Think of Craigslist transactions. You don’t want that guy who tried to sell you a crappy TV to have your real number sitting around. A Burner number allows you to cut off ties from that person quickly, and keeps your identifying information out of their hands.
Read more on VentureBeat.
Our Deletion of Your Personal Data and other information:
If you would like to delete your entire account history, please contact us via email at email@example.com.
It would be helpful if that statement were more specific about for how long user data are retained following non-renewal or deletion, and what types of user data are retained for them to “reconcile their records” or manage their business.
Depending on your motives for using a disposable number, this might be a useful app, but if you’re doing anything illegal or worried about repressive regimes, it will probably not afford you the protection you might want.
Oh, that's what they meant...
Disclosing (unnecessary) personal info on parking ticket violates DPPA – Court
In September 2010, I blogged about a case in Palatine, Illinois after Jason Senne sued the village for the amount of personal information it needlessly exposed in a parking ticket left on his windshield. Some of the original court filings were linked from that blog entry. In August 2011, the district court ruled that the practice did not violate the Driver’s Privacy Protection Act. Mr. Senne appealed, but a panel of the appellate court affirmed.
Not giving up, Mr. Senne requested re-hearing en banc and the full court agreed with him:
Mr. Senne’s appeal requires that we examine the scope of the DPPA’s protection of personal information contained in motor vehicle records and the reach of its statutory exceptions. We now conclude that the parking ticket at issue here did constitute a disclosure regulated by the DPPA, and we further agree with Mr. Senne that, at this stage of the litigation, the facts as alleged are sufficient to state a claim that the disclosure on his parking ticket exceeded that permitted by the statute. Accordingly, we reverse the judgment of the district court and remand for further proceedings consistent with this opinion.
On appeal, the Village contends that the placement of the citation on Mr. Senne’s windshield was permitted under the statute either because the disclosure was “[f]or use by a . . . law enforcement agency in carrying out its functions,” id. § 2721(b)(1), or “[f]or use in connection with any civil . . . [or] administrative . . . proceeding . . ., including the service of process,” id. § 2721(b)(4). The Village does not describe in any length how all the information printed on the ticket served either purpose; instead, it maintains, in effect, that the statute does not require that analysis. In the Village’s view, as long as it can identify a subsection of the law under which some disclosure is permitted, any disclosure of information otherwise protected by the statute is exempt, whether it serves an identified purpose or not.
We cannot accept the Village’s position.
You can read the Seventh Circuit Court of Appeals opinion in full here. It’s a privacy-protecting interpretation of DPPA that affirms that unnecessary disclosures of personal information are not permitted by the statute.
Will the RIAA and MPAA find a way to nuke this?
An anonymous reader writes with news that The Internet Archive has started seeding about 1,400,000 torrents. In addition to over a million books, the Archive is seeding thousands and thousands of films, music tracks, and live concerts. John Gilmore of the EFF said, "The Archive is helping people to understand that BitTorrent isn't just for ephemeral or dodgy items that disappear from view in a short time. BitTorrent is a great way to get and share large files that are permanently available from libraries like the Internet Archive." Brewster Kahle, founder of the Archive, told TorrentFreak, "I hope this is greeted by the BitTorrent community, as we are loving what they have built and are very glad we can populate the BitTorrent universe with library and archive materials. There is a great opportunity for symbiosis between the Libraries and Archives world and the BitTorrent communities."
Another case of “We can, therefore we must” or maybe too much Homeland Security money? I too have trouble explaining the banking interest.
NYPD, Microsoft Launch All-Seeing “Domain Awareness System” With Real-Time CCTV, License Plate Monitoring
Neal Ungerleider reports:
The New York Police Department is embracing online surveillance in a wide-eyed way. Representatives from Microsoft and the NYPD announced the launch of their new Domain Awareness System (DAS) at a Lower Manhattan press conference today. Using DAS, police are able to monitor thousands of CCTV cameras around the five boroughs, scan license plates, find out the kind of radiation cars are emitting, and extrapolate info on criminal and terrorism suspects from dozens of criminal databases … all in near-real time.
According to publicly available documents, the system will collect and archive data from thousands of NYPD- and private-operated CCTV cameras in New York City, integrate license plate readers, and instantly compare data from multiple non-NYPD intelligence databases. Facial recognition technology is not utilized and only public areas will be monitored, officials say. Monitoring will take place 24 hours a day, seven days a week at a specialized location in Lower Manhattan. Video will be held for 30 days and then deleted unless the NYPD chooses to archive it. Metadata and license plate info collected by DAS will be retained for five years, and unspecified “environmental data” will be stored indefinitely.
Read more on FastCompany and then explain to me how/why Pfizer is involved. And why would banks or stock brokerage firms really want to spend their time sitting in the control center watching?
The DAS system is headquartered in a lower Manhattan office tower in a command-and-control center staffed around the clock by both New York police and “private stakeholders.” When this reporter visited, seats were clearly designated with signs for organizations such as the Federal Reserve, the Bank of New York, Goldman Sachs, Pfizer, and CitiGroup.
Legislation by implication – not worth the paper it's written on?
Article: The Life, Death, and Revival of Implied Confidentiality
Woodrow Hartzog has uploaded a new paper to SSRN. Here’s the abstract:
The concept of implied confidentiality has deep legal roots, but it has been largely ignored by the law in online-related disputes. A closer look reveals that implied confidentiality has not been developed enough to be consistently applied in environments that often lack obvious physical or contextual cues of confidence, such as the Internet. This absence is significant because implied confidentiality could be one of the missing pieces that help users, courts, and lawmakers meaningfully address the vexing privacy problems inherent in the use of the social web.
This article explores the curious diminishment of implied confidentiality and proposes a revitalization of the concept based on a thorough analysis of its former, offline life. This article demonstrates that courts regularly consider numerous factors in deciding claims for implied confidentiality; they have simply failed to organize or canonize them. To that end, this article proposes a unifying and technology-neutral decision-making framework to help courts ascertain the two most common and important traditional judicial considerations in implied obligations of confidentiality – party perception and party inequality. This framework is offered to demonstrate that the Internet need not spell the end of implied agreements and relationships of trust.
You can download the full article from SSRN.
Cooler heads prevail?
Justice Dept. won't appeal computer fraud dismissal
… The decision means the 9th U.S. Circuit Court of Appeals' rejection of the case against David Nosal, who was accused of illegally misappropriating trade secrets from his employer, will stand. In a 9-2 ruling, the court found in April that the 1984 federal Computer Fraud and Abuse Act was being interpreted too broadly and warned that millions of Americans could be subjected to prosecution for harmless Web surfing at work under the prosecutors' reading of the law.
Interesting video from local news. Apparently New Zealand sees this as a big story – why else a 10 minute news report?
New Zealand Police Try to Justify Paramilitary Raid on Kim Dotcom
A New Zealand court is looking into the paramilitary raid on filesharing kingpin Kim Dotcom’s mansion in January, having already found that the warrant justifying it was illegal.
Dotcom’s mansion was raided at dawn by helicopter, which dropped off four heavily armed agents to launch the assault. They were followed by even more agents and dog handlers. The raid on the founder of Megaupload was coordinated, the government admits, with help from the FBI.
… Agents said the concern was that Dotcom would delete evidence, though as Dotcom pointed out in court, speaking directly to the government, there was little chance of that.
“You knew the FBI was in the data center, prior to you arriving,” he said. “There was no chance for anyone to do anything with that evidence.”
(Related) At least there were no 'black helicopters' involved.
"LendInk, a community for people interested in using the lending features of the Kindle and Nook, has been shut down after some authors mistakenly thought the site was hosting pirated ebooks. The site brought together people who wanted to loan or borrow specific titles that are eligible for lending, and then sent them to Amazon or BarnesAndNoble.com to make the loans. Authors and publishers who were unaware of this feature of the Kindle and Nook, and/or mistakenly assumed the site was handing out pirated copies, were infuriated. LendInk's hosting company received hundreds of complaints and shut the site down. LendInk's owner says: 'The hosting company has offered to reinstate Lendink.com on the condition that I personally respond to all of the complaints individually. I have to say, I really do not know if it is worth the effort at this point. I have read the comments many of these people have posted and I don't think any form of communication will resolve the issues in their eyes. Most are only interested in getting money from me and others are only in it for the kill. They have no intentions of talking to me or working this out. So much for trying to start a business and live the American Dream.'"
I will be following to see which candidate proposes something like this for the US. A new currency for buying votes?
"The Indian government is finalizing a $1.2 billion plan to hand out free mobile phones to the poorest Indian families (around six million households, according to some estimates). The Times of India reports: 'Top government managers involved in formulating the scheme want to sell it as a major empowerment initiative... While the move will ensure contact with the beneficiaries of welfare programmes (sic) ..., there is also a view the scheme will provide an opportunity for the (government) to open a direct line of communication [Vote for ___TBD___ Bob] with a sizable population that plays an active role in polls.'"
For the non-iPhone crowd.
"Some time ago, Google admitted that the biggest threat was not other search engines but services like Siri. However, Google just bridged that gap with Google Voice Search, already available in Jelly Bean, but also available via downloadable app. [So I should be able to run it on my PC Bob] Google also submitted this app to the iOS App Store and is currently waiting approval. However, Slashdotters are no doubt recalling to mind the 'Google Voice' fiasco, in which Apple refused to allow it to appear, saying that it replaces a native function. It wasn't until Apple was brought before Congress to answer questions on how it approves or rejects apps that Google Voice was brought in."
The running joke continues?
Linux Copyright Troll SCO Files for Double Secret Bankruptcy
SCO Group — the company behind a number of lawsuits relating to Linux — has filed for Chapter 7 bankruptcy, a step beyond the more common Chapter 11 bankruptcy status. It’s not the end of the road for the much-hated company, but it’s close.
SCO Group already filed for Chapter 11 bankruptcy in 2007. Chapter 7 is like double secret bankruptcy. As explained by tech law site Groklaw: “Chapter 11 means you are trying to reorganize and survive as a corporate entity. Chapter 7 means you’ve given up the ghost and are shutting down.”
For my geeks...
"Employment research firm Foote Partners says U.S. labor statistics from last month reveal an increase of some 18,200 jobs in IT, which represents the largest such monthly jump since 2008. 'The overall employment situation in the U.S. is lackluster, in fact this is the fifth consecutive month of subpar results,' says David Foote. 'But the fact that more than 18,000 new jobs were created last month for people with significant IT skills and experience — and nearly 57,000 new jobs added in the past three months — is incredibly good news.'"
Perspective Think it's just a geek thing?
Viewers opted for the Web over TV to watch Curiosity's landing
The future is certification of skills, not classroom lectures...
"Back in the day, getting traction for a new programming language was next to impossible. First, one needed a textbook publishing deal. Then, one needed a critical mass of CS profs across the country to convince their departments that your language was worth teaching at the university level. And after that, one still needed a critical mass of students to agree it was worth spending their time and tuition to learn your language. Which probably meant that one needed a critical mass of corporations to agree they wanted their employees to use your language. It was a tall order that took years if one was lucky, and only some languages — FORTRAN, PL/I, C, Java, and Python come to mind — managed to succeed on all of these fronts. But that was then, this is now. Whip up some online materials, and you can kiss your textbook publishing worries goodbye. Manage to convince just one of the new Super Profs at Udacity or Coursera to teach your programming language, and they can reach 160,000 students with just one free, not-for-credit course. And even if the elite Profs turn up their nose at your creation, upstarts like Khan Academy or Code Academy can also deliver staggering numbers of students in a short time. In theory, widespread adoption of a new programming language could be achieved in weeks instead of years or decades, piquing employers' interest. So, could we be on the verge of a programming language renaissance? Or will the status quo somehow manage to triumph?"
Pinterest lets users sign up without an invite
One of the Internet's most popular social networks pushed its doors wide open today -- Pinterest has started open registration.
Still waiting for an 'Emily Post' article...
We Read the Stanford Encyclopedia of Philosophy's New Article on Social Media Ethics
As far as online encyclopedias go, the Stanford Encyclopedia of Philosophy may be the best. Created in 1995 by Stanford Professor Edward Zalta, it took one of the first stabs at creating a truthful, rigorous reference resource that could thrive on the web. Experts write and edit and update its articles. College professors use it in their syllabi throughout the world.
So when it publishes a new article, it's a signal: This thing is an increasingly big deal in the philosophical world.
And last Friday, the Stanford Encyclopedia published an article explicitly on the ethics of social networking, by Santa Clara University* professor Shannon Vallor.