Tuesday, November 12, 2013

What if polls suggest that Privacy is a major factor in this election? Colorado is looking for a governor too.
I’ve occasionally mentioned that in my opinion, Texas Attorney General Greg Abbott is one of the most activist state AGs when it comes to consumer privacy protection. He’s now running for Governor in Texas, and his platform does include privacy. Aman Batheja reports on a speech he gave:
In the most detailed speech since launching his bid for governor earlier this year, Attorney General Greg Abbott laid out a dozen new policy proposals Monday evening, touching on ethics reform, privacy rights, education, guns and Obamacare.
Abbott also proposed changes to state privacy laws. He described his proposals as pushing back against federal and state efforts to turn government “into Big Brother.”
“Government agencies like the NSA, like the IRS, like the EPA, are increasingly using tools to look at our emails, to tap into our phone calls, to look at our financial information or our health records,” Abbott said.
He said he wanted to bar state agencies from selling Texans’ personal information without their consent. Abbott described the practice as routine at agencies including the Texas Department of Motor Vehicles and the Texas Department of Health Services.
He also proposed creating “a personal property right for your DNA.”
“Your DNA belongs to you, and no one else has the right to access that information without your consent,” Abbott said. “But the reality is that advances in technology are threatening that privacy right… You should have control over how your information about your DNA is used.”
He next waded into the debate over red light cameras, one which he acknowledged pits those arguing the safety value of the devices against those with privacy concerns.
“I believe it should be up to you, the people, to decide whether red light cameras is right for a community,” Abbott said, explaining that he would push to change state law to allow for voters to push for a ballot initiative to repeal a local red light camera ordinance.
Read more on Texas Tribune. The dozens of comments on him and his record under the news story are mainly negative.

My students say, TL;DR (too long; didn't read). I'm saying TL;NH (too logical; never happen). In fact, looking back through my blog, I say it quite frequently. But even if it did, it would only impact the back end, not the collection.
Benjamin Wittes writes:
Over at the Guardian today, Kenneth Roth—executive director of Human Rights Watch—argues for a worldwide human right of privacy:
It’s time for governments to come clean about their practices, and not wait for the newest revelations. All should acknowledge a global obligation to protect everyone’s privacy, clarify the limits on their own surveillance practices (including surveillance of people outside their own borders), and ensure they don’t trade mass surveillance data to evade their own obligations. Of course it is important to protect security, but western allies should agree that mass, rather than narrowly targeted, surveillance is never a normal or proportionate measure in a democracy.
Washington is finally grappling with the Snowden revelations, holding hearings and considering legislation that might help to rein in the NSA’s seemingly unconstrained power. Some of these bills would limit or end bulk data collection, institute greater transparency, and give the secret court that oversees surveillance requests a more adversarial character. These are important proposals, but none include protection for non-Americans abroad. The US has the capacity to routinely invade the digital lives of people the world over, but it barely recognises any privacy interest of those outside the US (emphasis added).
Roth’s article echoes arguments made recently by David Cole on Just Security (here and here), to which Orin Kerr responded (here and here) on Lawfare. I fully agree with Orin’s response to Cole, which essentially posits that the US government’s obligation to respect the privacy of its citizens and those within its territory stems from a social contract not present with everyone else in the world.
But I’m hung up on an antecedent question in light of Roth’s and Cole’s arguments: What if we were to accept, in Roth’s words, that there is some “global obligation to protect everyone’s privacy”?
Read more on Lawfare.

Of course they will do it; here's where they will go wrong.
David Navetta writes:
Educational institutions at all levels have begun to realize that they hold a treasure trove of student-related information, that if analyzed using “Big Data” techniques, could yield valuable insights to further their educational missions.
Of course, as one can imagine, Big Data projects using student-related information can implicate significant privacy issues. Schools are regulated under the Family Educational Rights and Privacy Acts Statute, and depending on a school’s specific activities may be subject to GLB and HIPAA. In addition, many educational institutions have internal policy and public-facing privacy policies that apply to, and may limit, the collection, use and disclosure of student personal information. The impact of applicable privacy laws and existing privacy-related policies should be taken into account well before engaging in a Big Data project. We have looked at Big Data privacy issues generally before, and the following is a framework for analyzing high level legal considerations and action items for educational institutions considering Big Data projects involving student-related information.
I won’t say that I’m tired, but I just read his first sentence as “to further their educational mistakes.” Freud is having a field day…
You can read David’s actual framework as he wrote it on InfoLawGroup.

Another example of educators thinking they know better than parents? Imagine being a parent and finding out that your child's name is on this list.
Matthias Gafni reports on another case where a school district cited FERPA as a reason for not complying with a request to disclose information about alleged assaults on students:
In May, about a month into her investigation of molestation allegations against a Woodside Elementary School teacher, a Concord police detective hit a roadblock. A Mt. Diablo school district attorney refused to turn over a key internal report on previous abuse allegations against popular fourth- and fifth-grade teacher Joseph Martin.
The detective, as recorded in portions of a police report obtained by this newspaper, was trying to identify potential victims of Martin when she was told she would need a search warrant to get a version of the 2006 report without key information blocked out. Detective Tamra Roberts reminded Deputy District Counsel Deborah Cooksey that the district was required by law to report child abuse suspicions and the names of potential victims. Only then did the district hand over the unredacted report.
Read more on Contra Costa Times.

Why would a Police Department pay for a tool, pay to have it installed, and then not use it?
David Ham reports:
In February, the Seattle Police Department announced it bought what’s called a “mesh network,” that will be used as a dedicated wireless network for emergency responders. What SPD did not say is that the network is capable of tracking anyone with a device that has a Wi-Fi connection. “They now own a piece of equipment that has tracking capabilities so we think that they should be going to City Council and presenting a protocol for the whole network that says they won’t be using it for surveillance purposes,” said Jamela Debelak of the American Civil Liberties Union.
A spokesperson for Seattle Police said the network is not being used right now. A draft policy is being reviewed by the city attorney’s office and will eventually go before the City Council.
Read more on KIRO TV.
[From the article:
The network includes 160 wireless access points that are mounted on poles across Seattle. Every time a device looks for a Wi-Fi signal and the access point recognizes it, it can store that data. The manufacturer of the network points out in a manual that the mesh network can store IP addresses, device types, applications used by the devices, current location, and historical location. This information can be stored and connected for the last 1,000 times a person is connected with a specific device. The network shows up online in public places usually as intersections in the city such as, "4th&Pike," "4th&University" and "3rd&Union."
… Council member Bruce Harrell pointed out the need for SPD to be able to collect some of this information. "While I understand that a lot of people have concerns about the government having access to this information, when we have large public gatherings like the situation like in Boston and something bad happens, the first thing we want to know is how are we using technology to capture that information," said Harrell. [It does no good to turn this on AFTER a terrorist incident. Bob]
The network was bought with a Homeland Security grant for $2.6 million. [Apparently, DHS has a line called “Big Brother Tools” in their budget. Bob]

I enjoy reading about lawyers analyzing other lawyers' little failures. Sorry, I'm just built that way.
I splurged and purchased a copy of the transcript of Thursday’s oral argument in FTC v. Wyndham. You can download it here (PDF, 561kB, 186 pp.). Consider it an early holiday gift from PogoWasRight.org to you.
I look forward to reading everyone’s reactions after we’ve all had time to read it. I did a quick read, and here are my first impressions on some of the issues:

Who, exactly, would this advocate represent?
Introducing a Public Advocate into the Foreign Intelligence Surveillance Act’s Courts
by Sabrina I. Pacifici on November 11, 2013
Introducing a Public Advocate into the Foreign Intelligence Surveillance Act’s Courts: Select Legal Issues. Andrew Nolan, Legislative Attorney; Richard M. Thompson II, Legislative Attorney; Vivian S. Chu, Legislative Attorney, October 25, 2013.
“Recent revelations about the size and scope of government foreign surveillance efforts have prompted some to criticize the level of scrutiny that the courts – established under the Foreign Intelligence Surveillance Act of 1978 (FISA) – currently provide with respect to the government’s applications to engage in such surveillance. In response to concerns that the ex parte nature of many of the proceedings before the FISA courts prevents an adequate review of the government’s legal positions, some have proposed establishing an office led by an attorney or “public advocate” who would represent the civil liberties interests of the general public and oppose the government’s applications for foreign surveillance. The concept of a public advocate is a novel one for the American legal system, and, consequently the proposal raises several difficult questions of constitutional law.”

An article for my Ethical Hackers to consider. How much would it cost to encrypt everything? Look at the list of hints and see if you can figure out how to “guess” the password.
Adobe credentials and the serious insecurity of password hints
Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder in terms of what they got wrong with their password storage so I won’t try to replicate that, rather I’d like to take a look at the password hints.
This is an interesting one from an application security perspective and the rationale basically goes like this: In order to help people remember their passwords, you give them the ability to create a “hint” or in other words, record a piece of information that will later help them recall their password. Password hints are an absolutely ridiculous security measure. The whole premise that the secret that is the password can be unlocked by referring to a retrievable user-generated piece of text is just completely nonsensical.
The other thing that’s completely nonsensical is this: Whilst Adobe encrypted their passwords (even though done poorly), password hints had absolutely no security whatsoever. Right, so protect the password but don’t protect the data that helps you determine the password!
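An added illustration of the point above (example code, not from the article or from Adobe): constructed sample rows in the shape described (ID, email, stored password field, plaintext hint), showing why a deterministic reversible password store plus retrievable hints lets one user's hint describe every account with the same password, next to the hardened per-user-salted one-way form. Adobe's scheme was 3DES in ECB mode per the Naked Security write-up; the Python standard library has no DES, so an HMAC with a single fixed key stands in for the one property that matters here (same password, same stored value), which is an assumption of this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records: (id, email, password, hint). Hints are the
# user-chosen plaintext strings the article describes.
USERS = [
    (1, "a@example.com", "sunshine", "my fav weather"),
    (2, "b@example.com", "sunshine", ""),
    (3, "c@example.com", "hunter2", "the usual"),
    (4, "d@example.com", "sunshine", "weather, sunny"),
    (5, "e@example.com", "hunter2", ""),
]
FIXED_KEY = b"single-site-wide-key"  # one key for every row, as with reversible encryption


def store_reversible(password: str) -> str:
    # Stand-in for deterministic keyed encryption (3DES-ECB at Adobe). HMAC with a
    # fixed key is NOT encryption; it only models "same password -> same stored value".
    return hmac.new(FIXED_KEY, password.encode(), "sha256").hexdigest()[:16]


def linked_hint_groups(users):
    # Group accounts by stored value. Any plaintext hint on one member of a
    # group describes the password of every other member.
    groups = defaultdict(list)
    for uid, _email, pw, hint in users:
        groups[store_reversible(pw)].append((uid, hint))
    return {k: v for k, v in groups.items() if len(v) > 1}


def accounts_exposed_by_others_hint(users) -> int:
    # Accounts that set no hint at all but inherit one from a group mate:
    # the exposure that protecting the password while leaving hints in the clear creates.
    exposed = 0
    for members in linked_hint_groups(users).values():
        if any(h for _, h in members):
            exposed += sum(1 for _, h in members if not h)
    return exposed


def store_hashed(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    # Hardened form: per-user random salt and a memory-hard one-way hash, so equal
    # passwords yield unrelated records and nothing is reversible. Hints are not stored.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(store_hashed(password, salt)[1], digest)
```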

When you visit “WebsiteX.com” what other sites (e.g. Advertisers) see that connection?
Lightbeam is a Firefox add-on that enables you to see the first and third party sites you interact with on the Web. Using interactive visualizations, Lightbeam shows you the relationships between these third parties and the sites you visit. As you browse, Lightbeam reveals the full depth of the Web today, including parts that are not transparent to the average user.

Talking to my students, perhaps this isn't as obvious as I thought. (They never heard how Kennedy raised the minimum wage in Massachusetts and drove the shoe industry out of the state.)
Wharton – The Complex Economics of America’s Minimum Wage
by Sabrina I. Pacifici on November 11, 2013
Wharton Public Policy commentary – “One of the most powerful arguments for raising the minimum wage is the notion of creating a “livable wage” that enables people to have the dignity of working a job that pays enough to live on and support their family. Today a person working full-time for the entire year on minimum wage earns roughly $15,000, which puts them below the poverty line for a two-person household. Raising the minimum wage purely as a poverty reduction strategy is not as straightforward as it seems, however, observers note. For one, most working-age people who live in poverty don’t have a job, and so consequently they would not benefit from such an increase. Second, many people who earn the minimum wage live in households above the poverty threshold, including high school students earning extra pocket money, retirees supplementing their Social Security and others working part-time to add to their family’s income.”

Please God, don't let my wife read my blog. Seriously, when this guy lists resources on the Internet, he lists everything.
New on LLRX – ShoppingBots and Online Shopping Resources 2014
by Sabrina I. Pacifici on November 11, 2013
Via LLRX.com - ShoppingBots and Online Shopping Resources 2014 - Marcus Zillman’s timely and information packed guide to ShoppingBots and Online Shopping Resources is a comprehensive listing of shoppingbot and online shopping/coupon resources and sites on the Internet. Marcus also provides a value-added section of Notes and Suggestions for Virtual Shopping to assist you with safe, effective tools, techniques and sources to ensure your online shopping will be successful in all its facets!
