Thursday, March 08, 2007

“Inadvertent” means, “We didn't know it worked that way.”

http://seattlepi.nwsource.com/national/1155AP_Census_Data_Mix_up.html

Census Bureau admits privacy breach

By STEPHEN OHLEMACHER ASSOCIATED PRESS WRITER Wednesday, March 7, 2007 · Last updated 11:23 a.m. PT

WASHINGTON -- The Census Bureau inadvertently posted personal information from 302 households on a public Internet site multiple times over a five-month period, the bureau said Wednesday.

... The information was on and off the public Web site from October to Feb. 15 as Census employees working from home tested new software, Cymber said. The workers were supposed to use fictitious information to test the site, but they inadvertently mingled data from the bureau's Current Population Survey, a monthly survey best known for generating the nation's employment statistics.

Cymber said the real and fictitious data were indistinguishable. [The test file is probably not labeled “Real Data.” Why would employees working from home even have access to this data? Bob] The information could have been accessed through a search engine on the Census Bureau's Web site used to disseminate large data files. She said she didn't know whether the data actually was accessed by anyone. [Look at your logs! Bob]

... The affected households were located in Alabama, Alaska, Arkansas, Arizona, California, Colorado, Delaware, Florida, Connecticut and Washington, D.C.



Not Google's problem.

http://www.sacbee.com/101/story/133870.html

Google shock for Los Rios

By Eric Stern and Dorothy Korber - Bee Staff Writers Published 12:00 am PST Wednesday, March 7, 2007

A community college student who was "Googling" himself last month found some disconcerting information when he typed his name into the popular Internet search engine.

A Los Rios Community College District database popped up that included his name, birth date and Social Security number. The file also contained data on about 2,000 other students.

"We didn't think [all too common. Bob] the information was open to Google," said Susie Williams, a spokeswoman for the Los Rios schools. "It was a shock to learn they were able to do it."

... A Web site by Johnny Long, johnny.ihackstuff.com, includes a database of hundreds of sneaky Google-search tips, such as adding "not for distribution" or "confidential" into query searches. Typing "filetype:xls" will spit out Microsoft Excel spreadsheets.

In the case of Los Rios, staff members were testing a new online application system and "just grabbed some files" to upload, [“Live” files are not the recommended way to test applications. For one thing, they rarely contain all possible variations of the data – and should never contain “bad data” that the application must detect and “handle.” Bob] said Williams, the college spokeswoman.
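Both of the stories above (the Census Bureau's "mingled" Current Population Survey records and the Los Rios staff who "just grabbed some files") come down to the same missing control: nothing checked the fixture before it landed in a web-reachable test directory. The check below is an added example, not code from either organization or article. It assumes a CSV fixture with name, dob and ssn columns; the rows are constructed (078-05-1120 is the famous 1938 wallet-insert sample number that the SSA later voided, used here precisely because it was genuinely issued and so should be flagged). It refuses a fixture that contains any number passing the SSA's structural rules, and it also refuses a fixture with no malformed records, since an application's rejection path needs data too.

```python
"""Gate a fixture before it goes anywhere near a web-reachable test directory.

Added example, not code from the Census Bureau, Los Rios, or either article.
Assumes a CSV fixture with name, dob and ssn columns; the rows below are
constructed (078-05-1120 is the 1938 wallet-insert sample number the SSA later
voided, included because it was genuinely issued and so must be flagged)."""
import csv
import io
import re
from datetime import date

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_issued_ssn(value):
    """True when value has SSN shape and passes the SSA structural rules, so it
    could belong to a real person. Synthetic fixtures should use numbers that
    fail those rules (area 000, 666 or 900-999; group 00; serial 0000)."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area in (0, 666) or area >= 900:
        return False
    return group != 0 and serial != 0


def parse_dob(value):
    """Return a date, or None when the field is not a valid ISO date."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def audit_fixture(csv_text):
    """Row numbers (1-based, header is row 1) that look like real data, plus
    rows that are deliberately malformed. The fixture is fit for purpose only
    when it holds no plausible SSN and at least one bad record, because the
    application under test has to reject bad input and that path needs data."""
    report = {"plausible_ssn": [], "malformed_rows": []}
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        ssn = row.get("ssn") or ""
        dob = parse_dob(row.get("dob") or "")
        if looks_like_issued_ssn(ssn):
            report["plausible_ssn"].append(n)
        if not SSN_RE.match(ssn.strip()) or dob is None:
            report["malformed_rows"].append(n)
    report["safe_to_publish"] = (
        not report["plausible_ssn"] and bool(report["malformed_rows"])
    )
    return report


# Constructed fixture: four synthetic rows and one that would leak a real number.
SAMPLE_FIXTURE = """name,dob,ssn
Test Alpha,1980-01-01,000-12-3456
Test Bravo,1975-06-30,666-01-0001
Test Charlie,1990-02-30,987-65-4320
Test Delta,1982-11-05,12-345-6789
Test Echo,1968-03-14,078-05-1120
"""

if __name__ == "__main__":
    print(audit_fixture(SAMPLE_FIXTURE))
```

Run against the sample, the audit reports row 6 as a plausible real SSN and rows 4 and 5 as the deliberately bad records, so the fixture is not safe to publish until row 6 is replaced with a number from one of the unissued ranges. The structural rules are a floor, not proof of synthetic data: a fixture can still carry real names and dates, which is why the only reliable answer is to generate fixtures rather than sample production.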

"Google had come along and indexed this little test batch," Williams said. "The data was on what we thought was a secure part of our Web server." [“we thought” translates to “we assumed” Bob]

... After checking the Los Rios Web logs, which track computer addresses of people accessing the school's site, Williams said only the one student who spotted the information -- and his wife -- clicked on the file. [Have they checked the Google archives? Bob]
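Checking the server's own log, as Los Rios did, answers only half of the question; the other half is whether a crawler fetched the file, because a successful crawler fetch means a copy may also sit in that engine's cache and index and the cleanup has to include a removal request. The script below is an added example, not code from either article. It assumes the Apache/nginx "combined" log format and a known leaked path; the log lines are constructed and use RFC 5737 documentation addresses. It counts only responses that actually delivered the file (200 and 206), so denied and not-modified requests are left out.

```python
"""Once a file is known to have been exposed, answer two questions from the web
server's own log: who fetched it, and did a search-engine crawler fetch it (in
which case a copy may also sit in that engine's cache and index).

Added example, not code from either article. Assumes the Apache/nginx
'combined' log format; the leaked path and the log lines are constructed and
use RFC 5737 documentation addresses."""
import re
from collections import defaultdict

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-agent substrings of the major crawlers. A UA string is trivially spoofed,
# so a match is a lead to confirm (e.g. reverse then forward DNS on the
# address), not proof.
CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp|baiduspider|yandexbot", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def exposure_report(log_lines, leaked_path):
    """Count successful (200/206) fetches of leaked_path per client address and
    single out the ones claiming to be crawlers. Denied (403) and not-modified
    (304) responses did not deliver the file and are ignored."""
    hits = defaultdict(int)
    crawler_hits = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != leaked_path:
            continue
        if rec["status"] not in ("200", "206"):
            continue
        hits[rec["ip"]] += 1
        if CRAWLER_UA.search(rec["ua"]):
            crawler_hits[rec["ip"]] = rec["ua"]
    return {"hits": dict(hits), "crawler_hits": crawler_hits}


LEAKED_PATH = "/test/applicants.xls"

# Constructed log lines: a crawler fetch, a human fetch arriving from a search
# result, a conditional re-request, a denied request and an unrelated page view.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2007:03:14:07 -0800] "GET /test/applicants.xls HTTP/1.1" '
    '200 184320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.23 - - [20/Feb/2007:18:02:51 -0800] "GET /test/applicants.xls HTTP/1.1" '
    '200 184320 "http://www.google.com/search?q=applicants" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.23 - - [20/Feb/2007:18:05:10 -0800] "GET /test/applicants.xls HTTP/1.1" '
    '304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.9 - - [21/Feb/2007:09:41:33 -0800] "GET /test/applicants.xls HTTP/1.1" '
    '403 199 "-" "curl/7.15.5"',
    '203.0.113.9 - - [21/Feb/2007:09:41:40 -0800] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "curl/7.15.5"',
]

if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG, LEAKED_PATH)
    for ip, n in report["hits"].items():
        print(ip, n, "crawler" if ip in report["crawler_hits"] else "")
```

On the sample, two addresses received the file and one of them identified itself as Googlebot eight days before the first human visit, which is exactly the case where "only one student clicked on the file" is true of the web log and still not the whole story. The referer on the human hit is also worth keeping: it shows the visitor came in through a search result, i.e. the file was already indexed.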



In case you don't know it, I like free stuff. Professor Alexander tipped me to this one... Registration required!

http://www.kmworld.com/Webinars/Details.aspx?EventID=204

What You Don’t Know Can Kill You (or At Least Your Organization)

Register now for this FREE live Web broadcast.

Tuesday, March 13, 2007 11 AM PDT / 2 PM EDT

Heavy fines and penalties await those who don’t “know what they should have known.”

* A major oil company was fined more than $2 million for not knowing and acting on the circulation of sexually harassing emails.

* A major aerospace company estimates that it averages two discovery requests a day from legal, at a cost of $1 million for every 15 emails retrieved. [Now that I don't believe. Bob]

* Companies are fined millions of dollars every year for failure to archive information — and at least 20% of these fines are not due to intentional misconduct.


I wonder if anything useful will be generated? Would be nice to see this as a webinar like in the previous article.

http://www.infoworld.com/article/07/03/07/HNvisadc_1.html

Visa summit will counter data breach hype

D.C. event will argue breach fallout not that widespread

By Matt Hines March 07, 2007

Credit-card payments giant Visa is hoping to shed new light on problems like consumer data theft and identity fraud through a conference that will bring together leaders from the business, government, and technology communities to discuss security for the electronic payments industry.

Hosted in partnership with the publishing arm of Harvard Business School, the day-long set of briefings is being held March 8 in Washington under the banner "Maintaining Trust in Payments Summit."

In a series of panels, controversial topics like the amount of time companies should be allowed to wait before disclosing data breaches to card issuers and consumers will be up for debate, as will the role of the government in providing protection for consumers and industry.



Told ya!

http://www.eweek.com/article2/0,1895,2101683,00.asp

Report: Some Companies Lose Data Six Times a Year

By Lisa Vaas March 7, 2007

TJX's massive data loss is just the tip of the iceberg.

Almost seven out of 10 companies—68 percent—are losing sensitive data or having it stolen out from under them six times a year, according to new research from the IT Policy Compliance Group. An additional 20 percent are losing sensitive data a whopping 22 times or more per year.

... The good news to come out of the group's survey is that 12 percent of surveyed organizations are losing sensitive data less than twice each year.

... "In the high-90 percent of these organizations that have very few losses consider the IT security-side data as their most important and sensitive data," he said in an interview with eWEEK. "The rest of the universe doesn't value IT and audit information as highly."

As a matter of fact, the respondents that rated financial data as their most important and sensitive data turn out to have high data losses, Hurley said.

... The takeaway is that those organizations that focus in on protecting the keys to the kingdom—i.e., those that track who has access to data and also protect the knowledge of how to get access to data—are doing "very well," comparatively, Hurley said.

... "Frequency of monitoring appears to have been stepped up by organizations doing well with lack of high data losses," he said. Those organizations doing poorly aren't paying attention to IT security controls and evidence logs of what happened during a data loss incident, he said.

Another finding: Losing data is expensive. Companies that publicly reported a data loss or breach had to shell out, on average, 8 percent per customer to report the loss, notify the customers and restore the data. The average loss of revenue was 8 percent as well. The cost on average to notify customers and to clean up and restore data was $100 per record.

[An excerpt is available at: http://www.itpolicycompliance.com/research_reports/data_protection/read.asp?ID=9]



No surprise. It has to be simple enough for bureaucrats to understand.

http://it.slashdot.org/article.pl?sid=07/03/07/1817243&from=rss

RFID Passports Cloned Without Opening the Package

Posted by ScuttleMonkey on Wednesday March 07, @02:05PM from the step-one-cut-a-hole-in-a-box dept. Security Technology

Jeremy writes to tell us that using some simple deduction, a security consultant discovered how to clone a passport as it's being mailed to its recipient, without ever opening the package. "But the key in this first generation of biometric passport is relatively easy to identify/crack. It is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. The Mail found it relatively easy to identify the holder's date of birth, while the expiry date is 10 years from the issue date, which for a newly-delivered passport would clearly fall within a few days. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label."



This could never happen here...

http://it.slashdot.org/article.pl?sid=07/03/08/0417247&from=rss

Computer Foul-up Breaks Canadian Tax Filing System

Posted by samzenpus on Thursday March 08, @02:00AM from the great-white-mix-up dept. Bug IT

CokeJunky writes "During a weekend maintenance window, the Canada Revenue Agency (Fills the same role as the IRS south of the border) experienced data corruption issues in the tax databases. As a precaution, they have disabled all electronic filing services, and paper based returns will be stacking up in the mail room, as returns cannot be filed at all until the problem is fixed. Apparently on Monday they discovered tax filings submitted electronically where the social insurance number, and the date of birth were swapped."



Business opportunity: HIPAA Privacy Plan generator! “No need to take action! Just enter a few facts (right off the complaint) and this software generates a 96 page plan that you can submit to HHS, then ignore!”

http://www.fortherecordmag.com/archives/ftr_03052007p12.shtml

Is There Bite to HIPAA’s Privacy Rule?

By Selena Chavis For The Record Vol. 19 No. 5 P. 12 March 5, 2007

Chew on this: 24,000 HIPAA-related complaints, zero fines to covered entities. Sounds like a toothless rule, but some say misconceptions mask the fact that it’s doing its job.

It’s been the typical scenario for valid privacy complaints under HIPAA, say many legal experts. Consider that a nurse leaks sensitive information about a patient’s health status to someone outside the scope of the person’s medical care. Whether malicious or accidental, it’s a privacy breach that definitively falls under the protection of the HIPAA privacy rules that were fully enacted in 2003, says attorney Heather Fesko, partner with Chicago-based McGuireWoods law firm.

In this real-world scenario offered by Fesko, a complaint was filed with the Office for Civil Rights (OCR) of Health and Human Services (HHS) by the individual who was the subject of the privacy breach. HIPAA requires that the complaint be filed against the covered entity where the offense occurred rather than an individual—in this case, a hospital client of McGuireWoods.

In an effort to show voluntary compliance, the hospital submitted a plan for necessary corrective action to the HHS. The plan satisfied the HHS, and a letter of closure was submitted to the hospital.

... The scope of HIPAA allows for CMPs of up to $100 per violation and up to $25,000 per year for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining protected health information in violation of the law. Criminal penalties can reach up to $50,000 and one year in prison for certain offenses; up to $100,000 and five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.

... Attorney Kevin Paul, HIPAA privacy expert with Denver-based Parsons, Heizer, and Paul, notes that the HHS never really considered that CMPs would be the initial course of action toward their efforts to enforce compliance. “In part, that made sense due to the size of the privacy rule,” he says, adding that the rule is filled with jargon and many new processes and procedures. “It was thought that there might be some misconceptions about the scope of the obligations.”

... A clear picture of whether entities are doing the “right thing” is exactly what is missing from the HHS, says Goldman. Relaying that there is currently no hard data available from the HHS that details the nature or severity of the complaints or the number of repeat offenders, Goldman emphasizes that it’s impossible for the general public or entities such as the Health Privacy Project to know whether voluntary compliance is truly addressing the problem.

“It would be great if OCR would audit how the voluntary compliance is working,” she says, adding that without any civil enforcement actions, the only big enforcement news has been on the criminal front involving the U.S. Department of Justice (DOJ).

The HHS spokesperson also referenced these cases, noting that complaints considered more criminal in nature are most often referred for review by the DOJ. Since HIPAA, three criminal cases have been filed by the DOJ invoking HIPAA, two of which ended in convictions.

... Fesko believes that if there were more focus on individuals rather than covered entities, it would be easier for covered entities to enforce HIPAA. The OLC opinion does find that the law can apply to a few individuals, including certain directors, officers, and employees who may be criminally liable. The opinion emphasizes that criminal liability will apply especially when “the agents act within the scope of their employment.” For example, in a case where a covered entity makes a decision to sell patient data in violation of HIPAA, employees who act criminally but within their job description could be criminally liable.



Now that's good lawyering...

http://digg.com/tech_news/EFF_Lawyer_gets_Google_to_reverse_her_unfair_YouTube_DMCA_takedown

EFF Lawyer gets Google to reverse her unfair YouTube DMCA takedown

"On Chilling Effects we see many DMCA takedowns, some right and some wrong, but very few counter-notifications. Part of the problem is that the counter-notifier has to swear to much more than the original notifier."

http://wendy.seltzer.org/blog/archives/2007/03/06/we_have_putback_super_bowl_warnings_back_online.html



Geek stuff? Another example of a company offering proof that they know more about a subject (computing) than any of their competitors. Try a search on Privacy or Identity Theft...

http://www.bespacific.com/mt/archives/014174.html

March 07, 2007

Free Access to Current and Historic IBM Systems Journals Online

Via Metafilter, this link to current issues of the IBM Journal of Research and Development and the Systems Journal (no fee) as well as to a Special Report - Celebrating 50 years of the IBM Journals: "Since the first publication of the IBM Journal of Research and Development in 1957 and the IBM Systems Journal in 1962, these Journals have provided descriptions and chronicles of many important advances in information technology and related topics ranging from atoms to business solutions. To celebrate the 50th anniversary of the IBM Journals, this report highlights a selection of significant papers published in the Journals, along with brief commentaries."



So, what are you going to do about that?

http://techdirt.com/articles/20070307/103126.shtml

Law Students Say Message Board Postings Are Costing Them Job Offers

from the if-it's-online-it-must-be-true dept

As people increasingly live and document their lives online, stories about potential employers doing web searches on job candidates and turning up information candidates would rather not have them see -- information that often costs them a shot at the job -- are becoming more common. The Washington Post has a front-page story on this topic today, focusing on some law-school students who aren't having a lot of luck finding jobs, and blaming it on message board postings. What makes this story a little bit different is that the students didn't make the postings themselves, they're just the subject of certain threads and messages -- some which could possibly be viewed as defamatory, while others are simply unbecoming (such as a discussion of a female student's breasts). The employers weren't finding the students' MySpace pages or blogs, or other sites documenting their personal lives, but rather their inadvertent digital resumés were being created by other people. The article seems to put the blame on the owner of a particular site that's popular among law students, but that's misplaced -- perhaps the more questionable activity is on the part of employers who are using this information. If they're going to search the web, they need to have the understanding that people can't control what other people say or post about them (similar to the idea of hearsay in a courtroom), and that not every mention that casts a student in a poor light is true, or an indication of their character. It's also not entirely clear why potential employers should consider many of these comments relevant to their hiring decisions, though one person says law firms are afraid of candidates who could attract controversy. Of course, it's also possible that comments a person labels as "defamatory" may be unflattering, but true. 
While site owners have no legal liability for what third parties post on their sites, thanks to Section 230 of the Communications Decency Act, at least one company senses an opportunity here, and searches for potentially damaging content online and "destroy it on behalf of clients", which we'll assume to mean they drown site owners with cease and desist orders and threats of lawsuits akin to legal bullying. All in all, this sounds like quite a bit of overreaction -- not just on the students' parts, but from their potential employers, too.



As if using cell phones while driving isn't bad enough... (Perhaps we could get a few BMWs to test-drive?)

http://googleblog.blogspot.com/2007/03/google-maps-send-to-car.html

Google Maps Send to Car

3/07/2007 09:40:00 AM Posted by Thai Tran, Product Manager

On the Google Maps team, our goal is not only to help you find local businesses, but also to enable you to quickly connect with those businesses, wherever you are. To that end, we recently introduced the ability to call businesses in the U.S. directly from Google Maps, and, as of today, users in Germany can send a business listing found on Google Maps Deutschland directly to cars enabled with the BMW Assist service. Drivers can then set it as the destination for the in-car navigation system, or they can call the business from within the car. No more having to write down the address and re-enter it in the car -- now you can just click and drive! Here's a video showing how this feature works (German version). We've partnered with BMW because they're a leading innovator in the automotive space, and they share our vision for a network-connected world.

As additional devices come online, we're excited to see what is possible, and we'll continue working to make the information that you need available to you when and where you need it.



Google hacks. Perhaps you should look in your back yard?

http://blog.outer-court.com/archive/2007-03-07-n12.html

Wednesday, March 7, 2007

Super-Close Google Maps Zooms

Holy moly that is a close up zoom of a camel (see my screenshot above) – and it works for other places on Google Maps too! Yes, it turns out that you can zoom in much more deeply onto Google Maps by doing this:

  1. Select a location and switch to satellite view

  2. Zoom in as far as you can, and click “link to this page” at the top right

  3. Now replace the “z” parameter in the URL with a higher value, e.g. 20, 22, or 23, and wait. Some locations will now show more detailed imagery

The French Ecrans website and Geotrotter have more on this.
