Friday, May 29, 2015

...because it's hard to forget or misplace a fingerprint or an iris? Or because a fingerprint identifies you every time on every device?
Japan's Largest Mobile Provider to Ditch Passwords
Japan's largest mobile service provider, NTT DoCoMo, said it would replace passwords with biometric credentials on a number of its online services, in a step to move users closer to a password-free world.
Starting Wednesday, NTT DoCoMo customers with smartphones capable of handling biometric authentication will be able to access several online services using iris recognition or fingerprint authentication, the company said.

Did I miss this? Professor Soma forwarded an email that makes me think I did.
2015 Data Breach Investigations Report
Prepare your enterprise to conduct individualized self-assessments of risk, so you can make realistic decisions on how to avoid cyber threats. The 2015 DBIR expands its investigation into nine common threat patterns and sizes up the effects of all types of data breaches, from small data disclosures to events that hit the headlines.

Interesting, but I think we're still a long way from understanding, let alone controlling sexting. Would receipt of an unsolicited photo be an “invasion” of privacy? How would you prove it was unsolicited? Forwarding the photo is a different kettle of fish.
Michael Miller reports:
School officials on Wednesday said they reported a case of sexting to police to protect the privacy of students whose naked photos were being shared.
A female student saw pictures of a friend on a classmate’s phone in April and reported it to the assistant principal. The school’s resource officer called the Cape May County Prosecutor’s Office.
An investigation led to criminal charges being filed against 20 students at Lower Cape May Regional High School and the Richard M. Teitelman Middle School for allegedly invading the privacy of several female classmates.
Read more on Press of Atlantic City.
[From the article:
The students, including an 18-year-old, were charged with a third-degree crime. Those under 18 face a two-year sentence in a training school for juvenile offenders. The older student could face a sentence of up to five years in state prison.

Is this a disconnect between lawyers and techies? I wonder which side made the assertion that “consumers” could opt out? Did the lawyers just select a few phrases from some “standard” privacy policies?
Elizabeth Litten writes:
This case has nothing to do with HIPAA, but should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law. In short, giving individuals more information is not better, especially where the information might be construed as partially inaccurate or misleading.
Read more on Fox Rothschild Privacy Compliance & Data Security.
[From the article:
The complaint alleged, among other things, that although Nomi’s published privacy policy stated that Nomi would “allow consumers to opt out of Nomi’s [data tracking] service on its website as well as at any retailer using Nomi’s technology,” Nomi actually only allowed consumers to opt-out on its website — no opt-out mechanism was available at the clients’ retail stores.
… The odd aspect of this complaint and consent order is that Nomi did not track or maintain information that would allow the individual consumers to be identified. The media access control (MAC) address broadcast by consumers’ mobile devices as they passed by or entered the stores was cryptographically “hashed” before it was collected, creating a unique identifier that allowed Nomi to track the device without tracking the consumer him/herself. As dissenting Commissioner Maureen Ohlhausen points out, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.” The majority, however, focuses on the fact that the opt out was partially inaccurate, then leaps to the conclusion that the inaccuracy was deceptive under Section 5 of the FTC Act, without pausing to reflect on the fact that the privacy policy and opt out process may not have been required by law in the first place.
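The hashed-MAC scheme the article describes, as an added illustration (not code from Nomi, the FTC or the article's author): an unkeyed hash of a MAC is a stable pseudonym that links one device across every store and every day, whereas a keyed hash under a daily-rotated key that is then discarded still lets a store count that day's distinct visitors but breaks cross-day linkage. The MAC values and the per-day key helper are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample observations (store, day, MAC) as a sensor might log them.
# The MAC values are fictional and do not come from any real capture.
OBSERVATIONS = [
    ("store_A", "2015-04-01", "a4:5e:60:11:22:33"),
    ("store_B", "2015-04-02", "a4:5e:60:11:22:33"),
    ("store_A", "2015-04-03", "a4:5e:60:11:22:33"),
    ("store_A", "2015-04-01", "f0:de:f1:44:55:66"),
]


def plain_hash_id(mac: str) -> str:
    """Unkeyed SHA-256 of the MAC, the scheme the article describes.
    Deterministic: the same device gets the same ID at every store, forever."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]


def rotating_keyed_id(mac: str, day: str, daily_key: bytes) -> str:
    """HMAC-SHA256 under a key that is generated per day and discarded afterwards.
    IDs are consistent within one day (so daily visitor counts still work) but
    cannot be joined across days, so no long-term movement profile can be built."""
    msg = f"{day}|{mac.lower()}".encode()
    return hmac.new(daily_key, msg, "sha256").hexdigest()[:16]


def daily_keys_for(observations) -> dict:
    """Assumed key-rotation helper: one fresh random 256-bit key per observed day."""
    return {day: secrets.token_bytes(32) for _, day, _ in observations}


def link_visits(observations, id_for) -> dict:
    """Group visits by identifier; a group spanning several stores or days is a profile."""
    profile = {}
    for store, day, mac in observations:
        profile.setdefault(id_for(day, mac), []).append((store, day))
    return profile


def tracking_span(observations, id_for) -> int:
    """Largest number of (store, day) visits that one identifier links together."""
    return max(len(visits) for visits in link_visits(observations, id_for).values())


if __name__ == "__main__":
    keys = daily_keys_for(OBSERVATIONS)
    print("unkeyed hash links visits:", tracking_span(OBSERVATIONS, lambda d, m: plain_hash_id(m)))
    print("daily keyed hash links visits:",
          tracking_span(OBSERVATIONS, lambda d, m: rotating_keyed_id(m, d, keys[d])))
```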

No “opt out” here. I wonder if keeping only whatever the police are “targeting” and deleting everything else immediately would reduce the concerns? But then, often there is no specific license plate being searched for. If you fall into a “pattern” the police have established, your data is retained. Unfortunately, unless they know where and when I normally drive, they can't eliminate me.
Martin Kaste reports:
License plate scanners have become a fact of life. They’re attached to traffic lights, on police cars — even “repo” staff use them. All those devices have created a torrent of data, raising new concerns about how it’s being stored and analyzed.
Bryce Newell’s laptop is filled with the comings and goings of Seattle residents. The data comes from the city’s license plate scanner, acquired from the police through public disclosure requests. He plugs in a license plate number, uncovering evidence of long-forgotten errands.
Read more on NPR.
[From the article:
Ron Sloan is director of the Colorado Bureau of Investigation. They've tried analyzing license plate scans from an area near where a murder victim was found.
"We were able to do some rudimentary analysis of that data to try to determine whether or not there were vehicles that were going through the area that did not live in the area, [I drive through lots of neighborhoods I don't live in. Bob] that were from outside of the area or vehicles that would not have been their route driving home," he says.

I wonder if this comes with a warning to Facebook?
Justin Brookman writes:
Privacy law in the U.S. is weaker than in most places, but hey, at least we’ve got Section 5.
While many countries around the world have affirmative privacy protections for most data, the U.S. instead enforces a hundred-year old prohibition against deceptive business practices to merely prohibit companies from tricking people about data practices. In recent years, the FTC has expanded its interpretation of Section 5’s ban on deceptive practices to apply not just to misstatements but also to affirmative omissions—that is, when by failure to mention a potentially controversial privacy practice, the company is effectively trying to deceive consumers. This line of enforcement is all in the name of creating external accountability for privacy practices, and a transparent market for personal information. This market is far from perfect, and I think the law should do more to empower people to assess various privacy practices and control the flow of their information.
Still, at bottom, the U.S. has always had one (fairly low!) baseline: don’t lie about what you’re doing.
Recently, however, even this weak standard has been called into question—by two sitting Commissioners of the FTC no less.
Read more on IAPP.

Apparently this is even stranger than I first thought. If you read the statement, it looks like the New Jersey DA was more 'saving face' than righting wrongs.
Earlier today, I posted the press release from New Jersey about its settlement with Tidbit’s developer, Jeremy Rubin.
Here’s his take on the issues and settlement:
There are some good and bad parts of the settlement. Although I am unhappy with how it reads at a glance — it seems like a defeat — under closer inspection, you can see that New Jersey’s ‘victory’ is Pyrrhic at best.
Read his full statement on Medium.

Unlikely to be followed, but what else is new about UN “suggestions?”
UN Report Champions Encryption and Anonymity
by Sabrina I. Pacifici on May 28, 2015
EPIC – “The UN Special Rapporteur on Freedom of Expression released a report today supporting strong encryption and anonymity tools. The Rapporteur finds that, “States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression.” EPIC previously urged the UN to support secure, anonymous communications, stating, “In our modern age, encryption is the key technique and anonymity is the core legal right that protects the right to privacy.” EPIC published the first comprehensive survey of encryption use around the world and worked in support of the OECD Cryptography Guidelines of 1997.”

(Related) See what I mean? To decrypt any encrypted communication, you must control the keys to all encrypted communications.
Glyn Moody reports:
The new Investigatory Powers Bill, announced in yesterday’s Queen’s Speech, will include legislation to force Internet companies to give access to encrypted conversations of suspected terrorists and criminals. According to The Telegraph: “New laws will require WhatsApp, which is owned by Facebook, Snapchat and other popular apps to hand messages sent by their users to MI5, MI6 and GCHQ about suspects under investigation.”
Read more on Ars Technica.

I did this in a Risk Management class. It touches all the bases and actually gets students arguing!
Remember DoD’s Counter-Zombie Plan? It's Actually a ‘Brilliant’ Preparedness, Mitigation, and Response Strategy for New and Unforeseen Threats
It’s been many months since the Defense Department’s fictitious CONPLAN 8888-11, Counter-Zombie Defense, was made public and held up to ridicule – some declaring it another example of wasteful Pentagon spending. I mean, come on, frittering money on a fictitious plan for countering a zombie apocalypse? But the fact is, CONPLAN 8888-11 is brilliant on so many levels.

As if “Female” wasn't enough (also inevitable), note that her area of expertise is “security and terror.” That's a much more interesting (and somewhat depressing) “first.”
Oxford University first female head
Oxford University is set to have a female head for the first time in its history, with the nomination of Louise Richardson as vice chancellor.
Prof Richardson is currently in charge at St Andrews and has previously had a senior role at Harvard University.
If she is formally adopted as the 272nd vice chancellor, Prof Richardson will follow almost eight centuries of male heads of Oxford University.
… Lord Patten said the nominating committee had been "deeply impressed" by Prof Richardson's strong commitment to "scholarly values" and her record as an "educational leader".
A political scientist, her academic expertise has been in security and terror. She has written books about terror and counter-terror in the wake of the 9/11 attacks in the United States.

For my Business Intelligence students. How do you separate the wheat from the chaff? This is not so different from political spin doctors, but is it more likely to be believed?
Russia steps up propaganda push with online “Kremlin trolls”
Deep inside a four-story marble building in St. Petersburg, hundreds of workers tap away at computers on the front lines of an information war, say those who have been inside. Known as “Kremlin trolls,” the men and women work 12-hour shifts around the clock, flooding the Internet with propaganda aimed at stamping President Vladimir Putin’s world vision on Russia, and the world.
… She described how the trolls manage several social media accounts under different nicknames, such as koka-kola23, green_margo and Funornotfun. Those in her department had to bash out 160 blog posts during a 12-hour shift. Trolls in other departments flooded the Internet with doctored images and pro-Putin commentary on news stories that crop up on Russian and Western news portals.

For my Data Governance students.
3 Keys to Data Modernization
Focus on Data Strategy and Data Quality
Do not underestimate the importance of a well-managed data governance team to document the processes and define the data standards and strategy to support those processes.
Understand Data Relationships across the Business
In order for businesses to use data most effectively, we must understand the relationship of the data across the business.
Keep a Flexible Data Platform
The final key to successful data modernization is using a platform that is flexible enough to be globally useful.

For all my students. They come in using the latest technology and wonder why we teach them stuff from ancient (in Internet years) history. E.g., my current textbook on Business Intelligence makes no mention of social networking.
Breaking the Death Grip of Legacy Technologies
Technologies like 3-D printing, robotics, advanced motion controls, and new methods for continuous manufacturing hold great potential for improving how companies design and build products to better serve customers. But if the past is any indicator, many established firms will be slow to adjust because of a formidable obstacle: legacy assets and capabilities that they are reluctant to abandon. Why are older incumbent firms slow to adopt new technologies even when the economic or strategic benefits are clear?
The literature on this subject is enormous. Much of the early work focused on the adoption rate of new technologies following an S-curve, with some users going early, a lot in the middle, and some following late. These models assume that it takes a while for companies to find out about new technology and, once they do, for their employees to assimilate and use it.
