Tuesday, June 24, 2014

If the public had been made aware of this breach, would the penalty have been greater? Have they really been negotiating for 5 years?
From HHS, this press release today about an incident that never appeared in their public breach tool:
Parkview Health System, Inc. has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.
… On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.

I think this should have happened sooner.
Jeanne Price reports:
One of the most memorable privacy stories of 2013 involved Aaron’s Rent-To-Own affiliates accused of spying on consumers who’d rented computers with secret software. While federal charges against Aaron’s Inc. were settled last year, that didn’t satisfy a pair of Colorado attorneys who were themselves clients of affiliate Aspen Way Enterprises in Fort Collins. Yesterday the duo filed a lawsuit in Georgia federal court that revealed just how deep the computer snooping went.
The case is based on the premise that rent-to-own doesn’t mean right-to-spy. Details provided yesterday include a statement from Herman Gerel LLP of Atlanta, the firm representing attorney plaintiffs Michael Peterson and Matthew Lyons. It stated that the spyware on Peterson’s and Lyons’ computers was responsible for “remotely capturing 4,702 screen shots, and 2,464 key log entries with undetectable software. [Are they saying they can't prove this software was on their computers? Bob] The images and logs include attorney work product and privileged communications regarding the lawyers’ clients in 2010 and 2011.”
Read more on idRADAR.com

“We don't like him. Let's kill him!” This is just legal babble...
This morning the 2nd Circuit published a redacted version of the long-sought Department of Justice OLC memo that authorized [Wrong word. Bob] the killing of U.S. citizen, Anwar al-Awlaki. We’ve got the entire 2nd Circuit opinion (full text) and the OLC memo itself (full text) available here on Just Security.

Survey, but no link yet. Perhaps they just made up this “data?”
Fortinet Reveals “Internet of Things: Connected Home” Survey Results
… Completed in June 2014, the survey asked 1,801 tech-savvy homeowners questions relating to the Internet of Things as it pertains to the connected home. These were [some of] the top findings:
Homeowners are concerned about data breaches
Privacy and trust are concerns
Data privacy is an extremely sensitive issue
Homeowners are willing to pay for a connected home

It's called “Traffic Analysis” and it shows much more than they mention here. Should be a good paper to point my Cryptography students to.
Jeremy Kirk reports:
Analyzing encrypted Web traffic can potentially reveal highly sensitive information such as medical conditions and sexual orientation, according to a research paper that forecasts how privacy on the Internet may erode.
In a paper titled “I Know Why You Went to the Clinic,” researchers show that by observing encrypted Web traffic and identifying patterns, it is possible to know what pages a person has visited on a website, giving clues to their personal life. The paper will be presented July 16 at the Privacy-Enhancing Technology Forum in Amsterdam.
Read more on Computerworld.

Why? What governmental projects are aided by this? None apparently, so why do it?
David Heinzmann reports:
The curled metal fixtures set to go up on a handful of Michigan Avenue light poles later this summer may look like delicate pieces of sculpture, but researchers say they’ll provide a big step forward in the way Chicago understands itself by observing the city’s people and surroundings.
The smooth, perforated sheaths of metal are decorative, but their job is to protect and conceal a system of data-collection sensors that will measure air quality, light intensity, sound volume, heat, precipitation and wind. The sensors will also count people by measuring wireless signals on mobile devices.
Read more on the Chicago Tribune.
[From the article:
Researchers have dubbed their effort the "Array of Things" project. Gathering and publishing such a broad swath of data will give scientists the tools [It might point out what tools are needed, but data are not tools. Bob] to make Chicago a safer, more efficient and cleaner place to live, said Catlett, director of the Urban Center for Computation and Data, part of a joint initiative between the University of Chicago and Argonne National Laboratory, near Lemont.
The novelty of a permanent data collection infrastructure may also give Chicago a competitive advantage in attracting technological research, researchers contend.
… Data-hungry researchers are unabashedly enthusiastic about the project, but some experts said that the system's flexibility and planned partnerships with industry beg to be closely monitored. Questions include whether the sensors are gathering too much personal information about people who may be passing by without giving a second thought to the amount of data that their movements — and the signals from their smartphones — may be giving off.
City officials don't have firm expectations about what the data may yield [I thought not... Bob] but share researchers' desire to push "Chicago as a test bed of urban analytical research," said Brenna Berman, the city's commissioner of information and technology.

Interesting. A change to the training we need to give our Criminal Justice students. However, searching for social media should be simple.
Social media 'at least half' of calls passed to front-line police
Chief Constable Alex Marshall, head of the College of Policing, said the number of crimes arising from social media represented "a real problem".
He said it was a particular problem for officers who deal with low-level crimes.
About 6,000 officers were being trained to deal with online offences, he said.
He said the police and public were still trying to understand when online insults became a crime.
Mr Marshall told BBC Radio 4's Law in Action: "As people have moved their shopping online and their communications online, they've also moved their insults, their abuse and their threats online, so I see that it won't be long before pretty much every investigation that the police conduct will have an online element to it.
Currently, online crimes are recorded under traditional headings such as harassment or threats to kill and not as a cybercrime, so each record is required to be read individually to ascertain if the crime originated on social media.
Mr Marshall said because of that, the force was missing out on information.
The College of Policing was currently carrying out research to quantify how many crimes actually originate on social media, he said, and was expecting the results in the next couple of months.

(Related) Can they do this? How will they enforce this ban? Can police in San Francisco detect “bad App-ers” in real time and ticket their cars?
San Francisco bans parking space app
Parking is a huge problem in the city and Rome-based start-up MonkeyParking thought it had come up with a solution.
The app lets users auction off public parking spaces that they are using and wait for the buyer to arrive before pulling out.
But the city says it is illegal to auction off public land and has threatened to fine anyone doing so.
San Francisco lawyer Dennis Herrera sent a cease-and-desist order to MonkeyParking and has also asked Apple to remove it from the app store for violating local law.
… He said that the company would be subject to fines of up to $2,500 (£1,470) per violation and it has been given until 11 July to stop operating in the city. Users of the app would also be subject to a $300 fine.

How do I explain this to my Computer Forensics students? There are limits to a “temporary overseize.”
Orin Kerr writes:
I blogged last week about the Second Circuit’s important decision in United States v. Ganias, on the ‘right to delete’ seized computer files. A prosecutor I know sent me a thoughtful e-mail responding to the decision. I asked the prosecutor if I could post the e-mail (as it was intended just for me), and I received that permission.
Read the email and Orin’s comments on it on WaPo The Volokh Conspiracy.

...for some values of “work.”
Daniel Barth-Jones writes:
In a FierceBigData article which ran last Wednesday, Pam Baker posed some compelling questions regarding a recent “Big Data and Innovation, Setting the Record Straight:De-identification Does Work” whitepaper (.pdf) released by Ann Cavoukian, the Ontario information and privacy commissioner, and Daniel Castro, Information Technology and Innovation Foundation Senior Analyst. Of these, the most salient question was also the simplest: “Does de-identification work or not?
How we answer this question really boils down to whether we will define de-identification as “working” only if it provides absolute privacy guarantees. Or whether, as we do with many other areas of life (like door locks, seatbelts and other protections), we accept a dramatic reduction from the original risks (without the protection in place) as being worthwhile.
Read more on FierceBigData.

I love the little insights in these articles.
Make Customers Want to Buy Offline
Showrooming, once a worry primarily for consumer electronics retailers, is expanding into markets we might have thought exempt. Today we can investigate everything from cars to books to groceries in person and then proceed to order them online, often with greater ease and significant savings.
Chalk this up to the efficiency of digital retailers, who’ve systematically dismantled every obstacle to online shopping. Shipping is fast and cheap, returns are a snap, and customer service is often better than what you find in a store. Price competition these days is a guaranteed losing strategy, especially with Amazon, whose long cash floats and high inventory turnover allow them to stay profitable even with no margin. [Obvious, in retrospect. Bob] Stores like Best Buy and Walmart once seemed unstoppable as they displaced independent retailers; now the Goliath has become David.
… Not every retail environment can be a community center, of course, but the demand for such spaces is huge and unmet, and there are endless ways to build community — even in surprising environments, like financial institutions. Since its “Slow Banking” redesign in 2003, Oregon-based Umpqua Bank has provided ample seating, free coffee, and wifi to its customers, and offered up its branches for meetings, workshops, and concerts. In that time, it’s grown from less than 70 branches to nearly 400, becoming the largest regional bank in the Western US.

Getting the pro-noun-say-shun just perfect.
'Why-Fi' or 'Wiffy'? How Americans Pronounce Common Tech Terms
Okay, once and for all: Is it "gif" or "jif"?
EBay Deals, which runs a blog, decided to find out. Its team surveyed 1,100 people—U.S. residents, ranging in age from 18 to 45—asking them about the terms they use to describe some of the most common objects and actions of digital life.

No comments: