Wednesday, January 31, 2007

Just so we are all on the same page, here is one (of many) sample plans.

http://www.cica.ca/multimedia/Download_Library/Research_Guidance/Privacy/English/Incident_Response_Plan_May_2005.pdf

Incident Response Plan

Template for Breach of Personal Information



http://www.consumeraffairs.com/news04/2007/01/club_monaco.html

Data Breach Hits Canada's Club Monaco

By Martin H. Bosworth ConsumerAffairs.Com January 30, 2007

The U.S. doesn't enjoy a monopoly on data breaches and credit card hacks. Canadian authorities are investigating a possible breach of consumer data held by swanky fashion retailer Club Monaco.

The retailer was alerted to the breach of information late last year by a third-party payment processor, which was not identified.

The Royal Canadian Mounted Police (RCMP) were not brought in directly by Club Monaco, but rather from a tip delivered to the Vancouver police department.

Club Monaco quickly hired an outside forensic firm to assist the RCMP in the breach investigation, the details of which remain scant. As usual in such cases, Club Monaco claimed the incident showed no evidence of a full breach [whatever that means... Bob] as of yet.

Club Monaco caters to the high-end fashion buyer, with 80 stores worldwide, 28 of which are in Canada. The chain was bought by the Ralph Lauren business group in 1999.

... Under current Canadian law, companies are not required to notify anyone if a breach takes place.

... Business groups oppose new disclosure laws, saying they will cost too much to implement and may numb consumers to the dangers of data breaches through "too much information."



I wonder what the total cost of this little incident was?

http://techdirt.com/articles/20070130/154001.shtml

Sony BMG's Rootkit Violated Federal Law; Company Agrees To Pay To Fix Damaged Computers

from the pay-up dept

While Sony BMG already settled the class action lawsuit against it for their rootkit copy protection that opened up security holes on computers that were difficult to fix and hidden in a way that made them difficult to find, that didn't get them totally out of the hot water. There was also an investigation to see if the rootkits violated federal law -- and apparently they did. The company has reached an agreement with the FTC, and unlike the typical agreement where a company "doesn't admit guilt," in this case Sony BMG clearly states that they violated federal law with the rootkits, and will reimburse people up to $150 if their computers were damaged by the software. This is interesting for a variety of reasons, including that it should help make various companies a little more careful before just throwing any kind of copy protection on their media without knowing what it's actually doing or what liabilities they might face for using the copy protection. The most amazing thing in all of this, though, is that the DRM in question did absolutely nothing positive for Sony BMG. It cost them money directly in having to pay for the software. It cost them their reputation. And, now it cost them from a legal standpoint. And, despite all of that, it never even came close to protecting the content that it was associated with. So, what, exactly is the benefit of DRM again?



Not sure logic is the right word.

http://blog.wired.com/27bstroke6/2007/01/court_on_antipr.html

27B Stroke 6

by Ryan Singel and Kevin Poulsen Tuesday, 30 January 2007

Court on Anti-Privacy Ruling: Oops!

The Ninth Circuit Court of Appeals panel today reversed its own August decision that employees have no protection against searches by the government, an unusual move that grants both employees and their employers additional rights against government searches, legal experts said.

In August, a three-judge panel decided that the child pornography recovered from the work computer of Jeffrey Ziegler, who worked at an online transaction company called Frontline, could not be thrown out on Fourth Amendment grounds simply because the government never got a warrant. The court reasoned that since his company provided and monitored the computer, Ziegler had no reasonable expectation of privacy, which is a necessary part of the test of whether a search violates the Fourth Amendment.

Jennifer Granick, who heads Stanford's Center for Internet and Society, pointed to the original ruling as a dangerous precedent in a recent Wired News column. When asked if the August ruling would let police search a person's employer-provided laptop while sitting at a coffee shop, Granick said the ruling allowed exactly that.

"Since the ruling said you had no reasonable expectation of privacy when using an employer-issued computer, the police could have just taken it because it wasn't yours," Granick said. That ruling made no sense because "common sense tells you that is something the 4th Amendment would cover."

Ziegler's attorneys, who work for the Montana Public Defender's Office, asked the panel to reconsider in the fall and today, the panel re-issued the opinion, reversing the logic of the decision while still preserving the outcome in Ziegler's case.

Ziegler did retain a reasonable expectation of privacy even while using a computer monitored by his employer, the court said. But since the FBI asked a company employee to do the search, and that employee had the approval of management, the search wasn't unconstitutional.

Vikram Amar, a law professor at UC Hastings, said it's not uncommon for judges to clean up their opinions, but that 180-degree reversals are certainly not everyday occurrences.

"It's much more unusual to change course, but it is not unheard of," Amar said.

While the law still favors employers' rights over employees' rights when it comes to computer use, the new ruling benefits not just employees, but also employers, Granick said.

"If an employee has no expectation of privacy then the police can come and seize their computer and the employer can't suppress the search, except maybe by filing a civil suit," Granick said. "Actually by giving employee rights, it gives employers rights as well."

Anthony Gallagher, one of the federal public defenders representing Ziegler, said in a phone interview that he still believed the court's ruling was wrong, but that they were still deciding whether or not to ask the panel to think again. Other options for Ziegler include asking a full panel of the Ninth Circuit to re-hear the case or to ask the Supreme Court to take up the decision.




Sic 'em kid!

http://hosted.ap.org/dynamic/stories/M/MUSIC_DOWNLOAD_SUIT?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Teen Accuses Record Companies of Collusion

By JIM FITZGERALD Associated Press Writer Jan 31, 12:46 AM EST

WHITE PLAINS, N.Y. (AP) -- A 16-year-old boy being sued by five record companies accusing him of online music piracy accused the recording industry on Tuesday of violating antitrust laws, conspiring to defraud the courts and making extortionate threats.

In papers responding to the record companies' lawsuit, Robert Santangelo, who was as young as 11 when the alleged piracy occurred, denied ever disseminating music and said it's impossible to prove that he did.

Santangelo is the son of Patti Santangelo, the 42-year-old suburban mother of five who was sued by the record companies in 2005. She refused to settle, took her case public and became a heroine to supporters of Internet freedom.

The industry dropped its case against her in December but sued Robert and his sister Michelle, now 20, in federal court in White Plains. Michelle has been ordered to pay $30,750 in a default judgment because she did not respond to the lawsuit.

Robert Santangelo and his lawyer, Jordan Glass, responded at length Tuesday, raising 32 defenses, demanding a jury trial and filing a counterclaim against the companies that accuses them of damaging the boy's reputation, distracting him from school and costing him legal fees.

His defenses to the industry's lawsuit include that he never sent copyrighted music to others, that the recording companies promoted file sharing before turning against it, that average computer users were never warned that it was illegal, that the statute of limitations has passed, and that all the music claimed to have been downloaded was actually owned by his sister on store-bought CDs.

Robert Santangelo also claims that the record companies, which have filed more than 18,000 piracy lawsuits in federal courts, "have engaged in a wide-ranging conspiracy to defraud the courts of the United States."

The papers allege that the companies, "ostensibly competitors in the recording industry, are a cartel acting collusively in violation of the antitrust laws and public policy" by bringing the piracy cases jointly and using the same agency "to make extortionate threats ... to force defendants to pay."

The Recording Industry Association of America, which has coordinated most of the lawsuits, issued a statement saying, "The record industry has suffered enormously due to piracy. That includes thousands of layoffs. We must protect our rights. Nothing in a filing full of recycled charges that have gone nowhere in the past changes that fact."



Let's hope they do better at securing their computers than the election folks did. (see next article) Will there be a huge “used hand-held computer sale” immediately after the census?

http://hosted.ap.org/dynamic/stories/C/CENSUS_TECH?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Census Bureau to Go High-Tech

Jan 31, 1:08 AM EST

CHICAGO (AP) -- In the upcoming 2010 census, the Census Bureau for the first time will equip its temporary work force of 500,000 people with hand-held computers made by Harris Corp., to help them make a more precise count of more than 300 million people living in the 50 states and Puerto Rico.

... Accuracy is critical, since census numbers determine how federal and state governments divvy up $200 billion in annual funding. The data is also used for redistricting congressional representation and community planning.

... Surprisingly, about half of census-recording errors come from mapping mistakes, Waite said. In the past, the bureau printed paper maps identifying each U.S. household. But census-takers often had trouble deciphering the maps. This time, they'll use computer maps that pinpoint each address to an accuracy of 3 meters. That's particularly important in high-density areas in cities and also helps with rural locations, where remote farm houses can be hard to track down.



The more detail they release, the less likely their story becomes.

http://www.freedom-to-tinker.com/?p=1115

Why So Many Undervotes in Sarasota?

Tuesday January 30, 2007 by Ed Felten

... Several explanations have been proposed, but only two are at all plausible: ballot design and machine malfunction.

The ballot design theory says that the ballot offered to voters on the iVotronic’s screen was misdesigned in a way that caused many voters to miss that race. Looking at screenshots of the ballot, one can see how voters might miss the congressional race at the top of the second page. (Depressingly, some sites show a misleading photo that the photographer angled and lit to make the misdesign look worse than it really was.) It’s very plausible that this kind of problem caused some undervotes; and that is consistent with the reports of many voters that the machine did not show them the congressional race.

... Each voter, before finalizing his vote, was shown a clearly designed confirmation screen listing his choices and clearly showing a no-candidate-selected message for the congressional race. Did so many voters miss that too? And what about the many voters who reported choosing a candidate in the congressional race, only to have the no-candidate-selected message show up on the confirmation screen anyway?

The malfunction theory postulates a problem or malfunction with the voting machines that caused votes not to be recorded. There are many types of problems that could have caused lost votes. The best way to evaluate the malfunction theory is to conduct a careful and thorough study of the machines themselves. In the next entry I’ll talk about the efforts that have been made toward that end. For now, suffice it to say that no suitable study is available to us.

If we had a voter-verified paper trail, we could immediately tell which theory is correct, by comparing the paper and electronic records.



Same argument as searching through your garbage, right? You abandoned it, so it's fair game.

http://blog.wired.com/biotech/2007/01/seattle_blood_b.html

Bodyhack

by Kristen Philipkoski, with Randy Dotinga and Scott Carney Tuesday, 30 January 2007

Seattle Blood Bank Helps Self to Your DNA

Topic: Genetics

If you plan to donate to a local blood bank, be warned. Your blood may not be the only thing that gets collected:

For the first time, the Puget Sound Blood Center will begin collecting, testing and storing the DNA of blood donors.

Donors may opt out of the program, part of a study funded by the Defense Department to develop better ways of identifying blood types. And the Blood Center is firm that the effort will be limited to that purpose and not shared with the government.

Even so, privacy watchdogs worry that this latest move is just part of an increasingly long list of governments and other agencies that are storing people's DNA coding -- with few laws overseeing its use.

There's also this interesting tidbit: "Stored DNA will be labeled with a code that doesn't directly identify the donor."

Well that certainly sounds secure. It's not like anyone could screw up and distribute private information to the public. Oh wait…

The story doesn't make it clear if other blood banks in the country are doing the same thing. If you've heard of something similar in your neck of the woods, drop a line in the comments.




While we're on the subject.

http://www.pogowasright.org/article.php?story=20070130122704809

Recent CRS Reports on Surveillance

Tuesday, January 30 2007 @ 12:27 PM CST - Contributed by: PrivacyNews - Surveillance

Two recent surveillance-related reports from the Congressional Research Service are now available, courtesy of Steven Aftergood and the Secrecy News blog of the Federation of American Scientists Project on Government Secrecy:



Same subject... I grew up with kids whose parents (or their parents) came from the old country. We always had wine (watered down) when I ate meals at their homes. Apparently, Pequannock has no immigrants?

http://localnewsleader.com/jackson/stories/index.php?action=fullnews&id=52926

High school to expand alcohol testing

Staff and agencies 30 January, 2007

By DAVID PORTER, Associated Press Writer 14 minutes ago

PEQUANNOCK, N.J. - Some teenagers who drink over the weekend could be in big trouble come Monday morning: A New Jersey school district plans to institute random urine tests capable of detecting whether alcohol was consumed up to 80 hours earlier.

"This is a major issue for America," School Superintendent Larrie Reynolds said Tuesday. "There are more kids that die each year in alcohol-related traffic deaths than there are soldiers who have died in Iraq. The numbers are staggering."

Pequannock teenagers who participate in sports or other extracurricular activities, or drive to school, are already tested for illegal drugs, under a 2005 program prompted by the heroin overdose of a student.

"That's going to give our kids riding in the back seat of someone's car a very powerful reason to say no," he said.

The new test worries civil-liberties advocates and others who oppose school drug testing as an invasion of privacy.

"Medical care and treatment are issues between parents and children," said Deborah Jacobs, executive director of the American Civil Liberties Union of New Jersey.

The EtG test costs about $20, Reynolds said. The school's overall testing program is funded by a three-year, $120,000 federal grant.



1) Is this do-able? 2) How could it be enforced? 3) Is Google working for Osama?

http://www.infoworld.com/article/07/01/30/HNgermansatellitedata_1.html?source=rss&url=http://www.infoworld.com/article/07/01/30/HNgermansatellitedata_1.html

Germany to curb commercial satellite data

As a national security measure, the proposed legislation would restrict companies' ability to create and distribute 'militarily relevant' data attained by satellites

By John Blau, IDG News Service January 30, 2007

The German government is taking a lead in Europe with draft legislation to control data generated by nongovernmental orbital systems.

The draft Satellite Data Security Law aims to significantly curb the ability of commercial companies to create and distribute satellite-generated data of the country.

The law will require anyone operating an "advanced orbital reconnaissance system" to obtain a permit from the government.

... Under the proposed law, operators must also conduct and document a series of checks on customers to ensure that requests for data don't pose a threat to national security.

... The legislation refers to all sensor-generated signals that could be used to create photos, digital models, and other images as "militarily relevant" data.



This is interesting. Could it be expanded into a tool for notifying potential victims of identity theft?

http://www.bespacific.com/mt/archives/013790.html

January 30, 2007

Indiana Launches Statewide Victim Notification Network

"The Indiana Department of Corrections has started implementation of the new Statewide Automated Victim Information and Notification (SAVIN) network, the result of legislation approved unanimously in 2005. The automated network will allow Indiana residents to receive real-time information about the custody status of offenders in all 92 counties. Development of the program has already begun and a system launch date is anticipated for April 2007. Information about 80 percent of Indiana offenders will be available by the end of this year, with the remainder added in 2008. In the last two years, Congress approved $17 million to fund the implementation of SAVIN systems nationwide. Indiana received $1.25 million to begin and operate the program."



Very straightforward, low start-up cost, ready market... A great business plan!

http://techdirt.com/articles/20070129/110725.shtml

Inside A Money-Laundering-From-Home Operation

from the how-it-works dept

Steve Bryant, over at GoogleWatch, has gone through a recent subpoena from US Immigration and Customs to Yahoo where they're trying to catch an online counterfeit money laundering scammer that gives you a decent idea of how the scam works. Basically, the scammers (in Ghana) advertise online for people in the US who want to "work from home." They then send them packages of counterfeit traveler's checks. The recipient is asked to take the bundles out of one FedEx box, move them to another and ship them to someone else's house. The next person (who thinks they're dealing with an entirely different company), is told to cash the checks, keep 10% for themselves, and then send the rest to someone else outside the country who likely doesn't exist and is simply a place for the money to go. That way, the scammers send a bunch of counterfeit money into the US, it gets moved around a few times making it harder to track, and then is converted to valid currency by someone who doesn't realize they're using counterfeit money. You would think that those who sign up for such money-laundering-from-home operations would be a bit more suspicious, but as long as they're getting paid for shipping around boxes or wiring money, they don't seem to care very much.



Proof that Great Britain is more technologically advanced than the US? Think of the problems associated with all that old data stored on obsolete or orphaned technologies...

http://news.bbc.co.uk/1/hi/technology/6314251.stm

PC World says farewell to floppy

The time has come to bid farewell to one of the PC's more stalwart friends - the floppy disk.

Computing superstore PC World said it will no longer sell the storage devices, affectionately known as floppies, once existing stock runs out.



http://digg.com/tech_news/Are_Librarians_Becoming_Totally_Obsolete

Are Librarians Becoming Totally Obsolete?

Many predict that the digital age will wipe public bookshelves clean, and permanently end the centuries-old era of libraries. Technology’s baffling prowess and progress even has one librarian predicting the institution’s demise. Here are 33 reasons librarians are still extremely important...

http://www.degreetutor.com/library/adult-continued-education/librarians-needed



Fair is fair.

http://www.scholarships-ar-us.org/scholarships/white-scholarship-guide.htm

The White Man’s Guide to Getting a Minority Scholarship
