Wednesday, March 14, 2007

What, again?

http://www.nytimes.com/2007/03/14/business/14insure.html?_r=2&n=Top%2fReference%2fTimes%20Topics%2fSubjects%2fP%2fPrivacy&oref=slogin&oref=slogin

Medical Data on Empire Blue Cross Members May Be Lost

By MILT FREUDENHEIM March 14, 2007

WellPoint, one of the nation’s largest health insurers, has begun notifying 75,000 members of its Empire Blue Cross and Blue Shield unit in New York that a compact disc holding their vital medical and other personal information had disappeared.

The information was on an unencrypted disc that a subcontractor recently sent to Magellan Behavioral Services, a company in Avon, Conn., that specializes in monitoring and coordinating mental health and substance abuse treatments for insurance companies.

Empire began notifying the affected consumers by mail on Saturday that their records — including their names, Social Security numbers, health plan identification numbers and description of medical services back to 2003 — had been lost.

... Before shipping the information to Magellan, the coding and passwords that protect the privacy of the information were removed by a Magellan subcontractor, Lisa Ann Greiner, an Empire spokeswoman, said yesterday. [We call this a “liability multiplier” Bob]

... She said that it was not yet known whether the disc had been lost or stolen. “We are still working with the vendors and U.P.S. to find the compact disc,” Ms. Greiner said. “We have no evidence that it was stolen or that members’ security has been breached.”

The loss, which was first reported to WellPoint’s Empire unit on Feb. 9, was the second breach of security involving WellPoint member information in recent months.

In October, WellPoint learned that electronic backup tapes with information on 196,000 WellPoint members had been stolen from a data processor in Massachusetts operated by Concentra, a national data warehouse company.

... After a preliminary investigation to identify the members, Empire began notifying their New York employers last Saturday. Some companies relayed the information to all their employees, because they are not supposed to know who among their workers may be monitored by the behavioral services company. [Another consideration when dealing with medical data... Bob]

... Magellan, for its part, said it was changing its procedures to eliminate sending information on compact discs by U.P.S., [but the un-encrypting bit is okay? Bob] said Erin Somers, a Magellan spokeswoman.



Quote-worthy?

http://www.physorg.com/news93000637.html

Hackers get bum rap for corporate America's digital delinquency

If Phil Howard’s calculations prove true, by year’s end the 2 billionth personal record – some American’s social-security or credit-card number, academic grades or medical history – will become compromised, and it’s corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.

... His report delving into the flood of escaping records and some of the related dynamics, co-authored with Kris Erickson, a UW geography doctoral student, will appear in the July edition of the Journal of Computer-Mediated Communication. [ http://jcmc.indiana.edu/ ] If anything, Howard contends the numbers they collected are conservative.

... He and Erickson also found that:

-- Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches.

-- Likely as a result of California’s law and similar legislation adopted by other states, the number of reported incidents more than tripled in 2005 and 2006 (424 cases) compared to the previous 24 years (126 cases).

-- The education sector, primarily colleges and universities, amounted to less than 1 percent of all lost records, but accounted for 30 percent of all reported incidents.

A single 2003 incident involving 1.6 billion records held by Acxiom, an Arkansas-based company that stores personal, financial and corporate data, dwarfs all others. In that case, the offender controlled a company that did business with Acxiom and had permission to access some files on Acxiom’s servers. But he illegally hacked into other records and then tried to conceal the theft, prosecutors charged.

A much different picture emerges, however, when the past quarter century is viewed in terms of the number of reported incidents. Three out of five point to organizational malfeasance of some variety, including missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online, Howard and Erickson found.



I wonder if this procedure will be imported, or if it was exported?

http://www.infoworld.com/article/07/03/13/HNgooglepolice_1.html?source=rss&url=http://www.infoworld.com/article/07/03/13/HNgooglepolice_1.html

Google offers priority reporting to Indian police

Tool will help flag objectionable material on Orkut, will not affect user data, according to Google

By John Ribeiro, IDG News Service March 13, 2007

Google has offered Indian police a special tool for priority reporting of objectionable material on its social networking site, Orkut.

Google's Orkut social networking site has come in for criticism and even litigation from groups in India that object to its depiction of India and Indian historic figures. The site also has fan clubs of Indian gangsters, and Indian police said these could be used to find new recruits.

The reporting tool does not affect the way Google treats users' data but only enables faster, direct communication, a spokeswoman for Google said Tuesday.

The police will still be required to follow an appropriate legal process in order to get user-identifying information, she added.

Some Indian newspapers and a TV channel have quoted a police official in Mumbai saying that Orkut agreed to provide the police with the IP address from which an objectionable message has been posted on the site and the ISP involved.

The Google spokeswoman confirmed that the company's legal team met with police from various states in India but said there was no question of Google sharing IP addresses with the Indian police without the appropriate legal process being followed.

The process for reporting objectionable material on Orkut remains the same, as do Google's own procedures for deciding whether or not to remove the material from the site, she added.



How NOT to catch a bad guy?

http://cyberlaw.stanford.edu/packets/200703/california-state-appellate-court-holds-actual-viewing-or-recording-unn

Court Holds Actual Viewing or Recording Unnecessary to Establish a Cause of Action for Invasion of Privacy

Plaintiffs were employed in clerical positions on campus of defendants' residential facility for abused and neglected children. In response to a tip by their computer technician that some of their computers, including the one in plaintiffs' office, were being used to access pornographic websites at night, defendants installed a motion-activated camera in plaintiffs' office without their knowledge or consent. On one occasion, the camera was installed after plaintiffs left for the day and then removed before they arrived the next morning. Thereafter, however, the functioning camera was left in plaintiffs' office, but its wireless receptor was only connected by defendants to a TV monitor and recorder on two occasions at night.

After discovering the camera, plaintiffs sued for invasion of privacy, intentional infliction of emotional distress, and negligent infliction of emotional distress. The trial court entered summary judgment for defendants on all claims, finding that plaintiffs could not prevail because 1) they were not actually recorded or viewed by means of the camera; 2) they had a diminished expectation of privacy given the characteristics of their office; and 3) defendants' need to protect the children residing at their facility overcame this diminished expectation of privacy. The appellate court reversed as to the invasion of privacy claim and affirmed as to the claims for intentional and negligent infliction of emotional distress.

The court noted the two elements of invasion of privacy: 1) intrusion into a private place, conversation or matter and 2) an achievement of this intrusion in a manner highly offensive to a reasonable person. Following the Restatement approach, the court noted that liability flows from the intrusion itself, even when there is no publication. Citing Shulman v. Group W Productions, Inc., 18 Cal.4th 200 (Cal. 1998), the court held that access to information about the plaintiffs rather than capture or observation of that information is the essential component of intrusion.

The court then found defendants had failed to establish that plaintiffs did not have a reasonable expectation of privacy in their office. Allowing that plaintiffs did not enjoy complete privacy in their office due to several of its characteristics, the court nonetheless found that it was reasonable for plaintiffs to expect images of the office would not be transmitted to another part of the building. The court then found that a reasonable jury could conclude such an intrusion is highly offensive. Finally, the court held defendants had failed to conclusively establish their surveillance was justified, both because evidence regarding the severity of the pornography problem was lacking and because, since plaintiffs themselves were not suspected of accessing pornographic websites, the camera did not need to be concealed in the office while they were working in order to address the problem.

Regarding the claim of intentional infliction of emotional distress, the court found that, as a matter of law, because defendants did not intend to spy on plaintiffs or activate the camera when they were not in the office, their conduct was not "extreme and outrageous" as required by the tort. With respect to the claim for negligent infliction of emotional distress, the court found that plaintiffs failed to allege a duty breached and that the claim was factually superfluous given the cause of action for invasion of privacy. Appeal was entered and the California Supreme Court has granted certiorari.

Published in Packets, Thursday, March 9 2007, Volume 4, No. 3

Hernandez v. Hillsides, Inc., 48 Cal.Rptr.3d 780 (Cal.App. 2 Dist. 2006), cert. granted, 53 Cal.Rptr.3d 801 (Cal. 2007).



Be careful what you say, it will come back to haunt you...

http://techdirt.com/articles/20070312/180052.shtml

Smart Card Alliance Not Particularly Concerned About Privacy Implications Of REAL ID Act

from the not-their-privacy dept

For a few years now, many have been pushing for the "REAL ID Act" which would effectively create a national ID program. The supporters of the law suggest that it would somehow make us safer, ignoring plenty of evidence that it would do the opposite by making identity theft that much easier. It's also never clearly explained how this makes anyone any safer. It certainly does make it a lot easier for people to be tracked -- and as we've seen lately, governments have a hard time resisting the urge to misuse these tools to snoop on people, even when they have no legal right to the information. So, when these very real concerns are brought up by folks like Jim Harper at Cato, you would think that supporters of the Act would have a decent response on the security and privacy issues -- but instead, they brush it off as "nothing to worry about." Harper points to the quotes from Randy Vanderhoof, the Smart Card Alliance's executive director, saying: "Privacy concerns are all perception and hype and no substance but carry considerable weight with state legislators because no one wants to be accused of being soft on privacy." It's nice of him to brush off the security and privacy concerns of everyone else without backing up his statements -- but the problem is that, if he's wrong (and he's very wrong) it's not quite a system where you can put the genie back in the bottle after the data has been leaked. Given how many stories we've seen this year alone about government data leaks, I'd say that there's plenty of substance to the concerns -- and anyone brushing them aside has lost touch with what's actually happening.



Interesting take on this case...

http://www.lessig.org/blog/archives/003734.shtml

Viacom v. YouTube

Ok, so just about 10 years after the content industry got Congress to adopt one of the most sweeping changes in American copyright law (aka, the DMCA), the content industry has decided that it doesn’t like one part of that law — the Safe Harbor Provision that protects sites such as YouTube. But rather than go to Congress to get them to change the law, the content industry, knowing Congress would not change the law, turns to its new best friend — the common law of copyright, as articulated by the Supreme Court. See, e.g., Grokster. Why burden Congress with the hassle of law making when you’ve got a Supreme Court eager to jump in and legislate? At least, that is, when there’s no Constitutional issue at stake. When the Constitution’s at stake, then it is a matter for — you guessed it — Congress. See, e.g., Eldred v. Ashcroft.

Note Count IV in the complaint - “Inducement of Copyright Infringement” - aka, the monster Grokster created.

This case — if it is really intended as a law suit and not a move in a bargaining game — should be decided on the meaning of s512(c). The question will be whether YouTube has the “ability to control” uploads before they are identified as infringing. Viacom complains that YouTube shifts to it the burden of identifying infringing content. Not true. The DMCA does. Until at least Congress amends it, or the Supreme Court adds some new common law of copyright to the statute books.



How would you change the law?

http://techdirt.com/articles/20070312/001005.shtml

YouTube Speeder Doesn't Leave Enough Evidence For Police

from the lucky-him dept

While we've seen some stories of speedy drivers getting fined for posting videos of themselves speeding on YouTube, it seems that one British motorcyclist made out just fine, after the police realized that without an official date and time on the video, [You can set any date... Bob] they had no way of making sure that the ticket was presented within 14 days of the event -- leaving him free to speed and YouTube yet again. Of course, before doing the same, you might want to check the statute of limitation on giving speeding tickets in your area... and wait to post the video until after that. Of course, how long will it be until we see laws proposed to make it illegal to film yourself speeding?



I'm surprised the Dept of Homeland Security hasn't already tried this..

http://techdirt.com/articles/20070313/065556.shtml

Should The Fed Chairman Be More Like A CEO?

from the high-tech-central-planning dept

One of the themes we've been discussing lately is the government's perpetual missteps when it comes to technology. In a piece at News.com, the CEO of software maker Tibco argues that the Federal Reserve is a tech laggard, and that it needs to improve its ability to monitor and manage the economy. Specifically, he argues that the Fed needs to embrace real-time data, and be prepared to change interest rates at a moment's notice. It's an interesting argument; essentially he's saying that the Fed needs to act more like the managers of a business would, and accordingly it needs to adopt the latest technologies. Of course, most people would argue that the economy shouldn't be managed centrally the way a business is. It's a mistake to assume that the reason government doesn't do a good job of economic planning is because it doesn't have access to real-time data. Furthermore, considering how many government tech projects have gone awry, it's hard to imagine that it would do a good job implementing such a necessarily complicated system. A better approach, it would seem, would be to make incremental improvements to the Fed's ability to monitor the economy without completely overhauling the system.



This will change, Bill's got lobbyists...

http://news.com.com/2100-1002_3-6166868.html?part=rss&tag=2547-1_3-0-5&subj=news

Federal agencies ban Windows Vista

By Joris Evers Story last modified Wed Mar 14 06:01:50 PDT 2007

As Microsoft is out touting the "wow" of Windows Vista, two federal agencies are among those saying "whoa."

The Department of Transportation (DOT) and the National Institute of Standards and Technology (NIST) cite fear of compatibility problems as one of the reasons not to allow their tens of thousands of employees to upgrade to Microsoft's latest operating system.

... Large organizations in particular tend to do a lot of testing before upgrading. The same happened when Microsoft released Service Pack 2 for Windows XP.

... "There appears to be no compelling technical or business case for upgrading to these new Microsoft software products," according to the memo.



I wonder what “logs” they are referring to? Probably only the date-time stamps of files created.

http://news.com.com/2100-1030_3-6167028.html?part=rss&tag=2547-1_3-0-5&subj=news

Police blotter: Computer logs as alibi in wife's death

By Declan McCullagh Story last modified Wed Mar 14 05:40:45 PDT 2007

"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Douglas Plude, convicted of his wife's murder, says computer logs provide an alibi. Plude, who lived in Wisconsin, claims his expert had insufficient time before trial to review them.

When: Wisconsin Court of Appeals rules on March 6.

Outcome: Conviction upheld and no new trial granted.

What happened, according to court documents:

... What makes this case relevant to "Police blotter" is that the family had two computers, a Compaq and a Packard Bell.

On the night of October 21, shortly before Genell died, both computers were active around 10 p.m. Genell's computer shows the user conducted online searches for information on Fioricet. Plude's computer shows Internet activity and use of a photo editing program between 10 p.m. and 10:30 p.m.

Plude claims that parallel activity indicates that Genell was looking up information about Fioricet, buttressing the conclusion of suicide. He also says that Wisconsin police had seized the hard drives in 1999 but unreasonably dragged their feet in handing over the evidence until 2002, just a few weeks before his trial began. (This isn't the only time that computer evidence has become an alibi; it appeared in a Texas case last year.)

... The trial judge ruled that waiting three years to turn over key evidence was reasonable.

... Wisconsin Stat. 971.23 requires the state to turn over evidence within a reasonable time before trial, not as soon as it is in the state's possession.

... What's worth noting, though, is that the prosecution's expert witness turned out to have been lying about his qualifications. Saami Shaibani claimed to have been a clinical professor of physics at Temple University, but the defense found out after the trial that he had no affiliation with Temple at all. (That apparently came to light in another trial in which Shaibani was found to have lied as well.)

... Excerpts from the majority's opinion written by Judge Michael Hoover:

In October 2002, a change was made to the EnCase technology, making the contents of the discs more easily accessible or readable. Discs made with the new technology reached the defense on November 8, 2002. For the first time, Plude claims, the defense could see what each computer was being used for...

Around November 10 or 14, defense counsel reviewed the discs and discovered Genell's computer was used to search for information on Fioricet. On November 21, counsel hired a computer expert and began trying to make an appointment to view the actual hard drives held at the sheriff's department. The state, reluctant to allow examination of the original drives because of how readily changes can be made, eventually agreed. The appointment was for November 29, but Plude's expert was unable to make the trip because of other commitments. Plude hired a technician, Jill Claimore, from a computer store to help counsel examine the drives. Plude claims that he first became aware that the computers displayed parallel activity as a result of Claimore's inspection. At the time Genell's computer was being used to search for Fioricet, his computer was using a photo editing program.

Because it was not until November 29 that Claimore discovered the allegedly exculpatory information, Plude asserts the state's discovery obligation was not timely completed. Rather, he asserts that he did not obtain necessary information until the last business day before trial. This complicated his defense because, he asserts, he was not able to secure an expert witness to explain the computer evidence....

While we agree that turning over potentially exculpatory evidence on the last business day before trial would be unreasonable in this case, we cannot say that a span of three weeks suffers the same presumption... To the extent Plude complains that he could not effectively access that information, the state responds that Plude could have requested the state crime lab to analyze the data for him. Plude does not refute this argument. Additionally, part of Plude's difficulty appears to arise from his failure to timely hire a computer expert. This is not a delay attributable to the state.

Excerpt from dissent by Judge Thomas Cane:

To set the scene and appreciate the importance of the state's expert Dr. Saami Shaibani's false testimony, a brief prelude is necessary. At trial, conflicting expert medical testimony was presented concerning Genell's death... In order to prove its homicide case, the prosecution had to show that Genell could not have inhaled the toilet water herself. This is where Shaibani was called to testify about his variety of experiments and his expertise to conclude Genell had been forcibly drowned. In fact, it appears that this was a primary focus of the trial covering extensive pages of testimony. Unfortunately, Shaibani misrepresented his professional credentials in large part when testifying to the jury...

... His impressive credentials were undisputed at that time... [Neither side checked? In a murder trial? Bob]
