Saturday, June 09, 2007

Ignorance is bliss, until...

http://www.washingtonpost.com/wp-dyn/content/article/2007/06/08/AR2007060801704.html

U-Va. Officials Announce Database Breach

By Susan Kinzie Washington Post Staff Writer Saturday, June 9, 2007; B05

Hackers have been breaking into a University of Virginia database that included Social Security numbers and other personal information about faculty members over the past two years.

School officials announced the security breaches yesterday, about a week after they discovered that, on 54 days between April 2005 and April 2007, someone broke into the records for more than 5,700 faculty members. Officials warned professors to carefully watch their financial accounts and have offered a year of free credit monitoring to everyone affected.

... Hackers got into an academic Web site that mistakenly included the database of professors' information, officials said. [“We didn't know the data was there!” Bob]

... When officials sent out e-mail alerts, the names got mixed up, [“We have complete control...” Bob] and the school had to send follow-up messages and post a clarifying note online: "If an e-mail came to your address, your information has been exposed -- even if the name in the salutation is not yours."

... The data have been removed and security has been shored up, according to school officials. But they are concerned that more than 3,500 of those affected no longer work at U-Va. and could be difficult to contact, so they hope [Hope is not a strategy... Bob] former faculty members will check the school's Web site.




Follow-up

http://www.itworldcanada.com/a/Daily-News/b9cf3606-e1c4-49dc-98a4-6013bb7531e7.html

Bizarre incident at Sudbury clinic sparks Privacy Commissioner Order

Passing driver intercepts video image of woman providing urine sample

By: Joaquim P. Menezes IT World Canada (08 Jun 2007)

Ontario Privacy Commissioner Ann Cavoukian has issued a 16-page order, with an extensive set of guidelines, and a fact sheet on responsible video surveillance following her inquiry into what appears to be a gross breach of privacy involving a clinic in Sudbury.



So if I have a website, I must be able to spy on my users? My costs just went from zero to HUGE!

http://news.com.com/TorrentSpy+ordered+to+start+tracking+visitors/2100-1030_3-6189866.html?part=rss&tag=2547-1_3-0-5&subj=news

TorrentSpy ordered to start tracking visitors

By Greg Sandoval Story last modified Fri Jun 08 19:41:10 PDT 2007

A court decision reached last month but under seal until Friday could force Web sites to track visitors if the sites become defendants in a lawsuit.

TorrentSpy, a popular BitTorrent search engine, was ordered on May 29 by a federal judge in the Central District of California in Los Angeles to create logs detailing users' activities on the site. The judge, Jacqueline Chooljian, however, granted a stay of the order on Friday to allow TorrentSpy to file an appeal.

The appeal must be filed by June 12, according to Ira Rothken, TorrentSpy's attorney.

TorrentSpy has promised in its privacy policy never to track visitors without their consent.

"It is likely that TorrentSpy would turn off access to the U.S. before tracking its users," Rothken said. "If this order were allowed to stand, it would mean that Web sites can be required by discovery judges to track what their users do even if their privacy policy says otherwise."

The Motion Picture Association of America, which represents Columbia Pictures and other top Hollywood film studios, sued TorrentSpy and a host of others in February 2006 as part of a sweep against file-sharing companies. According to the MPAA, the search engine was sued for allegedly making it easier to download pirated files.

Representatives of the trade group could not be reached for comment.

The court's decision could have a chilling effect on e-commerce and digital entertainment sites, said Fred von Lohmann, an attorney with the Electronic Frontier Foundation. He calls the ruling "unprecedented."

EFF, which advocates for the public in digital rights' cases, is still reviewing the court's decision, but von Lohmann calls what he's seen so far a "troubling court order."

This is believed to be the first time a judge has ordered a defendant to log visitor activity and then hand over the information to the plaintiff.

"In general, a defendant is not required to create new records to hand over in discovery," von Lohmann said. "We shouldn't let Web site logging policies be set by litigation."

Many Web companies keep visitor logs, which can include Internet Protocol addresses, as well as other information. Some choose not to record this data, including EFF, von Lohmann said.


Related?

http://newteevee.com/2007/06/08/does-digital-fingerprinting-work-an-investigative-report/

Does Digital Fingerprinting Work?: An Investigative Report

Written by Liz Gannes Posted Friday, June 8, 2007 at 12:00 AM PT

Audio and visual fingerprinting of copyrighted video is seen as the best way to combat infringement, but in NewTeeVee’s testing this week across multiple sites, it did not work. We were surprised to be able to upload multiple times the exact same copyrighted file, even after we explicitly told the hosting site and the fingerprinting provider about it and they took it down.

What follows is a description of our procedure, accompanied by the vehement disclaimer that we were doing this only for educational purposes.



Learn from your failures – what a concept!

http://apple.slashdot.org/article.pl?sid=07/06/08/1821215&from=rss

The Economist on Apple, the iPhone, and Innovation

Posted by Zonk on Friday June 08, @03:42PM from the talking-bout-idea-germination dept. Apple

portscan writes "This week's Economist has a special report on Apple, Inc. and innovation. 'The fourth lesson from Apple is to "fail wisely". The Macintosh was born from the wreckage of the Lisa, an earlier product that flopped; the iPhone is a response to the failure of Apple's original music phone, produced in conjunction with Motorola. Both times, Apple learned from its mistakes and tried again. Its recent computers have been based on technology developed at NeXT, a company Mr Jobs set up in the 1980s that appeared to have failed and was then acquired by Apple. The wider lesson is not to stigmatize failure but to tolerate it and learn from it: Europe's inability to create a rival to Silicon Valley owes much to its tougher bankruptcy laws.' There is also an article on the business of the iPhone and the future of the company. "



Implications for shrink-wrap?

http://games.slashdot.org/article.pl?sid=07/06/08/2017257&from=rss

Second Life Arbitration Clause Unenforceable

Posted by Zonk on Friday June 08, @05:43PM from the furries-have-rights-too-you-know dept. The Courts Role Playing (Games)

NewYorkCountryLawyer writes "In a decision that could have far-reaching implications, a federal court in Pennsylvania has held that the California arbitration clause in the 'take it or leave it' clickwrap agreement on the Second Life website is unconscionable, and therefore unenforceable. In its decision (pdf) in Bragg v. Linden Research, Inc., No. 06-4925 (E.D. Pa. May 30, 2007), the Court concluded that the Second Life 'terms of service' seek to impose a one-sided dispute resolution scheme that tilts unfairly, 'in almost all situations,' in Second Life's favor. As a result, the case will stay in Pennsylvania federal court, instead of being transferred to an arbitration forum in California."



Ed Felten's talk about Copyright

http://www.privacydigest.com/2007/06/08/what+rsquo+s+biggest+impact+it+copyright

What's the Biggest Impact of IT on Copyright?

June 8, 2007 - 3:15pm — MacRonin

On Saturday I gave a talk (’Rip, Mix, Burn, Sue: Technology, Politics, and the Fight to Control Digital Media’) for a Princeton alumni group in Seattle. The theme of the talk is that the rise of information technology is causing a ‘great earthquake’ in media businesses.


Related

http://digg.com/music/Download_Any_MP3_From_MySpace_Bands

Download Any MP3 From MySpace Bands

Forget about complex methods to download MP3s from MySpace: just enter the band name and get a list of MP3s to download. It's 100% free!

http://myspacemp3.org/


Related?

http://arstechnica.com/news.ars/post/20070608-for-sale-by-owner-websites-can-generate-higher-prices-than-realtors.html

"For sale by owner" web sites can generate higher prices than Realtors

By Nate Anderson | Published: June 08, 2007 - 01:37PM CT

... The study was made available yesterday (PDF) by the authors.

In a nutshell, the paper shows that the FSBO homes sold for an average price of $175,068 in Madison, while Realtor homes sold for $173,205 in the same period. After commissions are removed from that figure, the FSBO folks came out a good deal ahead.

... The New York Times had a writeup on the report today, and they note that the National Association of Realtors, one of the most powerful lobbying groups in the country, takes issue with these findings.



Tool to stimulate your CEO?

http://www.baselinemag.com/article2/0,1397,2143482,00.asp?kc=BARSS02129TX1K0000533

June 8, 2007

CIOs, Auditors To Get New Software Controls Guide on July 9

The Institute of Internal Auditors' forthcoming guide lists tests that companies can perform to make sure their controls are correct and working properly.

It's time for an audit of the application controls for every business system throughout your organization, from enterprise resource planning to e-mail programs, document imaging systems and product design software. As a CIO, are you prepared?



Definitely a work in progress... (Won't Mr. Shakespeare sue over the copyright?)

http://www.openshakespeare.org/

v0.4 of Open Shakespeare Released

A new version of Open Shakespeare is out.

Friday, June 08, 2007

Perhaps a Wiki to keep track of the lawsuits and other fallout?

http://www.telegram.com/apps/pbcs.dll/article?AID=/20070607/APF/706072095

Lawsuits mounting over massive data breach at TJX Cos.

By MARK JEWELL AP Business Writer Jun 7, 2007

BOSTON— TJX Cos. faces federal lawsuits in five additional states over a data theft that exposed at least 45 million credit and debit cards to potential fraud, according to a regulatory filing Thursday by the owner of stores including T.J. Maxx and Marshalls.

A quarterly filing said TJX was named in nine new lawsuits filed since the company's March 28 update on a theft believed to be the largest in the U.S. based on the number of customer records compromised.

Thursday's filing with the Securities and Exchange Commission [http://ir.10kwizard.com/contents.php?ipage=4985326&repo=tenk&source=487 ] says complaints seeking class-action designation on behalf of customers were filed in April and May in the federal courts of five additional states: Illinois, Michigan, Missouri, Ohio and Texas.

Three new lawsuits were filed over the past two months in Massachusetts, where cases had previously been brought earlier in the year. The March 28 filing had listed more than a dozen lawsuits in Alabama, California, Massachusetts, Puerto Rico and six Canadian provinces. The Massachusetts cases against Framingham-based TJX have been consolidated.

In addition to listing TJX as a defendant, some of the lawsuits also name Cincinnati-based Fifth Third Bancorp, which processed some payment card transactions for TJX.

TJX said in Thursday's filing that it "intends to defend all of these actions vigorously," and Fifth Third has said it believes there are "substantial defenses" against the claims it faces.

Most of the complaints have been filed by TJX customers whose personal data was stolen. But some have been brought by financial institutions saddled with costs to replace cards and cover fraudulent charges tied to the theft. In April, bank associations in Massachusetts, Connecticut and Maine sued TJX, the owner of nearly 2,500 discount stores.

TJX disclosed the breach on Jan. 17, and said March 28 that one or more intruders unearthed data from at least 45.7 million credit and debit cards from transactions as long ago as early 2003. Independent organizations that track data thefts say the TJX case is believed to be the largest in the U.S. based on the number of customer records compromised.

TJX says about three-quarters of the 45.7 million cards had either expired by the time of the theft, or the stolen information didn't include security code data from the cards' magnetic stripes. However, TJX also has said the intruders could have tapped the unencrypted flow of information to card issuers as customers checked out with their credit cards.

The only arrests so far have come in Florida, where 10 people who aren't believed to be the TJX hackers are accused of using stolen TJX customer data to buy Wal-Mart gift cards.

Last month, TJX said its first-quarter profit dipped 1 percent, in part due to a $12 million after-tax charge from costs related to the theft. Nevertheless, TJX reported a 6 percent increase in revenue as customer traffic remained strong despite negative publicity about the theft.



Who says these consequences were unintended? Weren't they requested by Management? designed by “IT Professionals?” and approved by the CPO?

http://www.brandonsun.com/story.php?story_id=57256

Wireless transmission from health clinics risky, privacy commissioner says

Canadian Press Thursday, June 7th, 2007

TORONTO (CP) - Ontario's privacy commissioner says the wireless transmission of internal health clinic video is a security and privacy risk.

Ann Cavoukian issued an order Thursday urging all health-related institutions, including clinics and hospitals, to review the video surveillance systems they use.

The call comes after the commissioner's office was contacted by someone who informed them it was possible to intercept video images of the inside of a women's toilet stall at a methadone clinic in Sudbury.

Cavoukian says her office was told it was possible to pick up the signal through an in-vehicle camera some new cars are equipped with for backing up. [So, the feed from these cameras should also be interceptable... Bob]

She says the clinic was immediately asked to turn off the camera and to replace the wireless system with a hardwired system.

The commissioner recommends those with access to personal health information ensure signals cannot be intercepted, that signs be clearly posted informing patients of cameras and that access to the video only be available to a small number of staff.



Perhaps we should sue Al Gore?

http://yro.slashdot.org/article.pl?sid=07/06/07/122224&from=rss

'Dangers of the Internet' Resolution Passed By Senate

Posted by Zonk on Thursday June 07, @08:49AM from the only-creepy-if-you-don't-look-then-leap dept. Censorship The Internet Politics

destinyland writes "Apparently June is national 'Internet is Dangerous' month. The U.S. Senate unanimously passed a resolution urging Americans to 'learn more about the dangers of the Internet.' And what counts as a danger? Disabling censorware, or making friends online if you ever plan to meet them in real life. Its extreme negativity is disappointing. But remember — it passed unanimously. From the tech blorge article: 'It's not just a resolution. A few corporations are actually trying to cash in on this misguided disinformation campaign, including BSafe Online, a Tennessee company which markets a PC filtering software. (I wonder if it's one of the ones that can be disabled by 31% of America's teenagers...) Their CEO has an encouraging message for parents about safety on the internet. "This is a battle they must fight everyday with their children in order to keep pornographers, sexual predators and cyber-bullies at bay." And keeping those pornographers and sexual predators away will cost you a mere $70 a year...'"


Here is one danger.

http://www.bespacific.com/mt/archives/015044.html

June 07, 2007

GAO Report Examines Challenges to Implementing a Mandatory Electronic Verification System

Employment Verification: Challenges Exist in Implementing a Mandatory Electronic Verification System, GAO-07-924T, June 7, 2007: "The opportunity for employment is one of the most powerful magnets attracting illegal immigration to the United States. The Immigration Reform and Control Act of 1986 established an employment eligibility verification process, but immigration experts state that a more reliable verification system is needed. In 1996, the former U.S. Immigration and Naturalization Service, now within the Department of Homeland Security (DHS), and the Social Security Administration (SSA) began operating a voluntary pilot program, called the Employment Eligibility Verification (EEV) program, to provide participating employers with a means for electronically verifying employees' work eligibility. Congress is considering various immigration reform proposals, some of which would require all employers to electronically verify the work authorization status of their employees at the time of hire."



Still wondering what Apple has in mind. (Still waiting for the lawsuits, too.)

http://uchicagolaw.typepad.com/faculty/2007/06/itunes_and_iden.html

June 06, 2007

iTunes and Identity-Based Digital Rights Management

Over the last week, it has become clear that Apple is embedding some identifying information in songs purchased from iTunes, including the name of the customer and his or her e-mail address. This has raised the ire of consumer advocates, including the Electronic Frontier Foundation, which addressed this again yesterday.

Last year, I published a paper entitled Mistrust-Based Digital Rights Management (online preprint available here). In that paper, I argued that as we switched from content products such as CDs and DVDs to content services such as iTunes, Google Video and YouTube, we would embrace identity-based digital rights management. This is exactly what we are seeing from iTunes. How should we assess identity-based DRM?

[Interesting comment: I hereby coin: Digital Rights Metadata as a rebranding of DRM. Bob]



Legal research from the “Duh! College of Law”

http://techdirt.com/articles/20070606/182916.shtml

Just Using Google Not Enough In County Search For Man Who Owed Taxes

from the don't-forget-the-other-ways dept

Two years ago we wrote about a case where a judge ruled that someone who was required to do a full search to reach someone should have known to try a Google search. In that case, the original person hadn't bothered to look online, and concluded that the other person was unfindable -- while a simple Google search proved that to be untrue. A new case, however, presents a slightly different situation: what if you only did a Google search? That's what folks from Northampton County did in trying to track down a guy who owed back taxes. They were unable to find him via Google, even though a phone book lookup would have found his correct phone number. A court has now ruled that just using Google isn't sufficient. [No doubt Google will appeal! Bob] So, for those of you keeping score (or being required by law to track down some missing people), this means that (a) you should use Google in your search, but (b) you shouldn't rely on only Google.



There is a certain value to education...

http://techdirt.com/articles/20070607/182345.shtml

Who Knew That Fishermen Don't Know Old Undersea Copper Cables From Important Undersea Fiber Optic Cables?

from the shocking dept

We've talked about how the high price of copper is leading to crime around the world as people look to steal anything copper and sell it. Due to this, the Vietnamese government thought it would make sense to allow local fishermen to grab old Vietnam War-era undersea cable lines and resell them for profit. What they didn't count on was that (would you believe it?) these local Vietnamese fishermen don't know the difference between old unused war-era undersea copper... and new, important internet- and television-connecting fiber-optic lines. Yes, it seems those fishermen are digging up whatever cables they can find and, shockingly, aren't bothering to make sure that it's the copper lines they're taking rather than the vastly more important fiber ones. 27 miles of fiber optics have gone missing, [Doesn't this suggest the response from the government wasn't “instantaneous?” Bob] and it's going to cost many millions to replace. While the allowance to fish up copper lines has now been rescinded, did anyone actually believe that local fishermen would either know the difference or care enough to make sure they were only digging up the proper cable lines?



Why didn't I think of this?

http://yro.slashdot.org/article.pl?sid=07/06/08/1211203&from=rss

Company Aims To Patent Security Patches

Posted by kdawson on Friday June 08, @08:15AM from the winner-of-the-race-to-the-bottom dept. Patents Security The Almighty Buck IT

Jonas Maebe writes "Someone thought up another way to profiteer from the software patent system: when a security hole is discovered, they'll try to patent the fix in order to collect money when the affected vendors close the hole in their product. The company in question is not shy about its intentions: Intellectual Weapons will only consider vulnerabilities in high-profile products from vendors with deep pockets. Let's be thankful for yet another way software patents are used to promote science and the useful arts."



Looking for someplace to invest those idle Billions? (I'm going to share this with my Business Plan class...)

http://www.webware.com/8301-1_109-9726877-2.html

Vator.tv launching tonight: YouTube for start-ups

By Rafe Needleman – June 6, 2007, 6:00 PM PDT

Bambi Francisco, formerly of MarketWatch, is taking the wraps off her own business tonight: Vator.tv. It's a YouTube for entrepreneurs, a place where people looking for funding or partners for their business ideas can display their "elevator pitch," and connect with those who can help them out. Other people in the entrepreneurial ecosystem can also post pitches. There are venture capitalists explaining what they want to invest in, for example, as well as service providers pitching their services.

[A couple examples... http://canyonwinelogistics.com/ http://quizlet.com/ http://www.geni.com/tree/start Bob]


It never rains but it pours...

http://www.techcrunch.com/2007/06/06/incuby-social-networking-for-inventions/

Incuby: Social Networking For Inventions

Duncan Riley June 6 2007

San Antonio, Texas based Incuby is aiming to build a community where inventors can display their inventions to the general public, entrepreneurs and investors.

Thursday, June 07, 2007

Don't ya just love it!

http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9023778&taxonomyId=17&intsrc=kc_top

Mass. credit union bills TJX $590k for breach-related costs

Jaikumar Vijayan

June 06, 2007 (Computerworld) HarborOne Credit Union in Brockton, Mass., has sent The TJX Companies Inc. an invoice for $590,000 for what the financial institution says it incurred in actual costs and reputational damage as a result of the data compromise disclosed by the retailer in January.

The bill was sent to TJX on April 30, [Will this show in financial statements? Bob] but the company so far has not responded or commented on it in any fashion, said James Blake, the president and CEO of the 100,000-member, $1.4 billion credit union.

"The bill was for both direct operational costs that we incurred reissuing new debit cards to our customers, as well as the costs to us from a reputational standpoint," he said. According to Blake, the TJX breach resulted in HarborOne having to block and reissue about 9,000 cards at a cost of around $90,000. The remaining $500,000 is what Blake believes the breach cost the credit union in terms of brand damage.

"We had to notify customers of the fact that their account was breached. There were some questions on their part whether or not we were responsible [for the breach] when in fact it was TJX's responsibility," Blake said.

Rather than pursue a formal lawsuit against TJX for the amount, HarborOne has decided to give TJX a chance to do the "morally" right thing, he said. [Not a snowball's chance... Bob] "Whether they will is another issue. They have chosen not to respond to any of our communications. They have run from the problem from the very beginning." [Sure looks that way to me! Bob]

According to Blake, in the last year alone, HarborOne has had to reissue debit cards more than 30 times to customers as a result of data breaches at various retailers. "You can understand why we are a little upset about this," he said.

[Another version: http://www.todaystmj4.com/news/local/7876507.html Bob]



Another case where no one seems to be certain of anything. Good luck prosecuting...

http://www.jsonline.com/watch/?watch=1&date=6/6/2007&id=24626

UPDATE: Students access personnel data

WEDNESDAY, June 6, 2007, 4:37 p.m. By Tom Kertscher

Cedarburg - School officials confirmed today that students gained access to confidential information of current and former School District employees, including names, addresses, Social Security numbers and, possibly, bank account numbers.

An undetermined number of Cedarburg High School students obtained the information from one or more school computers, Superintendent Daryl Herrick said.

Students are not allowed in the area on the computer network where the data was stored, Herrick said. However, the data should not have been stored in that particular area, because the area is accessible to school employees, he said.

Herrick said the improper storage of the data appeared inadvertent and that no actions have been taken against any School District employees.

... The breach was discovered about 11 a.m. Tuesday after a student told a teacher that students had accessed the data, Herrick said. There was evidence that students had obtained names, addresses and Social Security numbers of current and former School District employees, he said.

Bank account information also would have been available, but it was not clear whether students had accessed that information, he said.

... Herrick said "there is no correlation" between the security breach and a case involving former Cedarburg High School teacher Robert Zellner, who was fired for viewing pornography on his school computer.

Zellner's attorney has raised questions about whether others might have gained access to Zellner's computer. [Not exactly the facts in the next article, but you gotta ask yourself “Can the school prove anything?” Bob]



Technology to the rescue? Why wasn't the computer properly examined in the first place? More to learn here, I think...

http://arstechnica.com/news.ars/post/20070606-substitute-teacher-spared-sentencing-for-porn-pop-ups-gets-new-trial.html

Substitute teacher spared sentencing for porn pop-ups, gets new trial

By Nate Anderson | Published: June 06, 2007 - 01:39PM CT

Julie Amero, the substitute teacher who could have received 40 years in jail after porn appeared on classroom PCs, was spared that fate—for now. Instead, Amero will get a new trial after revelations that the original computer analysis was flawed.

The backstory in a nutshell: Amero was substituting for an English class. She went to the restroom, and when she returned, students were gathered around a computer that was displaying porn pop-ups. Amero, who describes herself as a total computer novice, couldn't make them stop, and she eventually ran to the teacher's lounge to get help. In court, school officials admitted that the antivirus software installed on the PC was out of date and antispyware programs were not installed. A school official did tell parents, however, that the school district had comprehensive filtering and firewall software in place at the time.

Although it's hard to conjure up a simple explanation for why a substitute teacher would show middle-school students porn pop-ups on purpose, Amero was prosecuted on the ground that she had done this intentionally. She was eventually found guilty and faced the prospect of 40 years in jail because of the incident. A defense witness, who analyzed the computer but was unable to present all of his findings in court, called the case "one of the most frustrating experiences of my career, knowing full well that the person is innocent and not being allowed to provide logical proof." Her sentencing was scheduled for today, but the hearing instead turned into a motion for a new trial, according to the AP.

The computer in question was sent to a Connecticut state laboratory after the original trial finished, and the judge announced today that the lab findings may contradict those presented by the prosecution's computer expert at trial. Amero's lawyers asked for and received a new trial, and the request was not opposed by the prosecution. A date has yet to be set.



Gosh! Who'd a thunk it! (Attention MBA Students!)

http://news.bbc.co.uk/2/hi/technology/6729565.stm

Good privacy pays for web stores

People will pay more for goods if a website does a good job of protecting their privacy, a study shows.

The Carnegie Mellon study looked at what shoppers do when they are told what sites do with personal data.

It suggests that shoppers will pay a premium equal to about $0.60 (30p) on goods worth $15 (£7) [roughly 4%. That's huge! Bob] if they are reassured about privacy.

The study was used to evaluate a tool that aims to give web users clearer information about privacy policies.

Poor choices

Before now, many studies have shown that many web users fear that the information they must surrender to buy goods and services online will be abused by some shops.

At the least, users fear their contact details will be passed on to marketing firms without their permission.

Many also worry about what is being done with credit card or bank details they hand over to make purchases.

Despite these fears many shoppers often made poor choices by surrendering valuable personal information if they thought they were getting low prices, said Lorrie Cranor, director of the Usable Privacy and Security Lab at Carnegie Mellon and lead author on the study.

"Our suspicion was that people care about their privacy, but that it's often difficult for them to get information about a website's privacy policies," Ms Cranor said.

The small study of 72 shoppers looked at how their behaviour changed if they were armed with a tool which showed how good a site's privacy policy was.

The study used a tool called the Platform for Privacy Preferences (P3P) developed by the World Wide Web Consortium to make it easier for the average net user to assess privacy policies.

The P3P tool tries to give consistent information about privacy policies across sites. However, it is currently only used by about 20% of e-commerce sites.

The results of the study suggest that people will turn toward sites with "high privacy" ratings and that they would pay slightly extra for that reassurance.
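P3P's compact form is a single HTTP response header (P3P: CP="..."), which is why a browser-side tool can rate a store before the shopper has typed anything. What follows is an added example, not code from the BBC article, the Carnegie Mellon study or the tool it evaluated: it splits the CP token list using the W3C P3P 1.0 compact-policy vocabulary and flags the practices that a privacy-conscious shopper would want surfaced. The flagging rules in privacy_concerns() and the two sample header values are my own constructions, not the study's rating method.

```python
import re

# W3C P3P 1.0 compact-policy vocabulary, grouped by what each token describes.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}       # can you see your own data?
REMEDIES = {"COR", "MON", "LAW"}                            # recourse if the site breaks its policy
PURPOSES = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
            "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}       # why data is collected
RECIPIENTS = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}    # who receives it
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}             # how long it is kept
CATEGORIES = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
              "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}  # what kind of data
# Purpose and recipient tokens may carry a suffix: a = always, i = opt-in, o = opt-out.
SUFFIX = {"": "always", "a": "always", "i": "opt-in", "o": "opt-out"}

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def parse_compact_policy(header_value):
    """Split the CP="..." part of a P3P header value into token groups."""
    m = _CP_RE.search(header_value)
    if not m:
        raise ValueError('no CP="..." in P3P header value')
    policy = {"access": set(), "disputes": False, "remedies": set(),
              "non_identifiable": False, "purposes": {}, "recipients": {},
              "retention": set(), "categories": set(), "test": False, "unknown": []}
    for tok in m.group(1).split():
        base, suffix = tok[:3].upper(), tok[3:].lower()
        if base in PURPOSES or base in RECIPIENTS:
            if suffix not in SUFFIX:
                policy["unknown"].append(tok)
                continue
            group = "purposes" if base in PURPOSES else "recipients"
            policy[group][base] = SUFFIX[suffix]
        elif suffix:                         # only purposes/recipients take a suffix
            policy["unknown"].append(tok)
        elif base == "DSP":
            policy["disputes"] = True
        elif base == "NID":
            policy["non_identifiable"] = True
        elif base == "TST":
            policy["test"] = True
        elif base in ACCESS:
            policy["access"].add(base)
        elif base in REMEDIES:
            policy["remedies"].add(base)
        elif base in RETENTION:
            policy["retention"].add(base)
        elif base in CATEGORIES:
            policy["categories"].add(base)
        else:
            policy["unknown"].append(tok)
    return policy


def privacy_concerns(policy):
    """Practices that would keep a site out of a 'high privacy' bucket.
    Hypothetical heuristic of my own, not the study's rating method."""
    def without_opt_in(group, tok):
        return policy[group].get(tok) in ("always", "opt-out")

    concerns = []
    if "NON" in policy["access"]:
        concerns.append("no access to your own data")
    if not policy["disputes"]:
        concerns.append("no dispute-resolution procedure")
    if without_opt_in("purposes", "TEL"):
        concerns.append("telemarketing without opt-in")
    if without_opt_in("purposes", "OTP"):
        concerns.append("undisclosed 'other' purposes")
    if without_opt_in("recipients", "UNR") or without_opt_in("recipients", "PUB"):
        concerns.append("shared with unrelated third parties or made public")
    if "IND" in policy["retention"]:
        concerns.append("retained indefinitely")
    leaves_site = set(policy["recipients"]) - {"OUR", "DEL"}   # anyone beyond the site and its delivery agents
    if leaves_site and ({"FIN", "HEA"} & policy["categories"]):
        concerns.append("financial or health data leaves the site")
    return concerns


def rate(header_value):
    """'high privacy' when nothing is flagged, otherwise 'low privacy'."""
    flagged = privacy_concerns(parse_compact_policy(header_value))
    return "high privacy" if not flagged else "low privacy"


# Constructed sample header values, not taken from real sites.
GOOD_HEADER = 'policyref="/w3c/p3p.xml", CP="ALL DSP COR CUR ADM OUR STP UNI PUR"'
BAD_HEADER = 'CP="NON CUR ADM TAI TELo PSAo UNR IND FIN PHY"'

if __name__ == "__main__":
    for h in (GOOD_HEADER, BAD_HEADER):
        print(rate(h), privacy_concerns(parse_compact_policy(h)))
```

The header is only a claim the site makes about itself; nothing in the protocol verifies that the server behaves as the tokens say, which is the same gap the Amnesty and TorrentSpy items above turn on. Treat a missing or malformed P3P header (the 80% of sites the article mentions) as "unknown", not as "good".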



The more you censor, the more “inconsistent” search results become. How can that benefit anyone?

http://news.bbc.co.uk/2/hi/technology/6724531.stm

Censorship 'changes face of net'

Amnesty International has warned that the internet "could change beyond all recognition" unless action is taken against the erosion of online freedoms.

... Amnesty accused companies such as Google, Microsoft and Yahoo of being complicit in the problem.

... "The Chinese model of an internet that allows economic growth but not free speech or privacy is growing in popularity, from a handful of countries five years ago to dozens of governments today who block sites and arrest bloggers," said Tim Hancock, Amnesty's campaign director.

... According to the latest Open Net Initiative report on internet filtering, at least 25 countries now apply state-mandated net filtering including Azerbaijan, Bahrain, Burma, Ethiopia, India, Iran, Morocco and Saudi Arabia.

... Filtering was only one aspect of internet repression, the group said. It added that increasingly it was seeing "politically motivated" closures of websites and net cafes, as well as threats and imprisonments.

... It marks the first anniversary of Amnesty's website irrepressible.info, which is being relaunched to become an information hub for anyone interested in the future of internet freedom.



I fear this is common – because it is so easily done. More reason to have a forensic investigator look over your e-Discovery “take” (Can't be too good for the old reputation, either.)

http://techdirt.com/articles/20070606/005628.shtml

Best Buy Lawyer Altered Documents In Suit Over Illegal MSN Subscriptions

from the whoops dept

You may have heard recently about the racketeering case against Microsoft and Best Buy, where Best Buy would sign up customers for an MSN subscription without letting the subscriber know. A former Best Buy employee has explained how the whole scam worked. However, the case just got a lot more interesting, as a lawyer for Best Buy has admitted that he altered a few of the documents he handed over in the case, which certainly could end up costing the company millions more in fines. Combined with their other recent lawsuit over different versions of their website inside stores, and you have to wonder why anyone shops at Best Buy at all any more.



In theory, any student could read (podcast) their papers and we'd all be wiser...

http://research.bizreport.com/detail/RES/1179941253_704.html

Email Archiving and the Law - Expert Podcast

by MessageOne, Inc. Posted: June 6, 2007

Premieres: 12 Jun 2007, 09:00 EDT (13:00 GMT) Format: Audio Type: Podcast

ABSTRACT: An effective email archiving initiative starts with effective management decisions. CIOs need to determine what regulations to focus on, how to ensure compliance and what technology requirements need to be addressed up front. Attend this expert Podcast to learn ten essential decisions CIOs need to consider to ensure efficient email data backup and storage. Then download its companion Podcast to learn why CIOs considering email archiving need to look past compliance issues and focus on the impact electronic discovery and litigation have on email archiving.



Here's a trend we should watch carefully... Just because they pay the ISP does not mean I won't think they are SPAM. Now I have two targets for my lawsuit! Note: Today the ability to let mail through based on the sender's URL is built into all filters...

http://hosted.ap.org/dynamic/stories/T/TECHBIT_E_MAIL_FEE?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

E-Mail Senders Can Pay to Bypass Filters

By ANICK JESDANUN AP Internet Writer Jun 6, 10:11 AM EDT

NEW YORK (AP) -- Four more Internet service providers will start charging banks, e-commerce sites and other large e-mail senders for guaranteed delivery.

In deals expected to be announced Thursday, Goodmail Systems Inc. is expanding its CertifiedEmail program to Comcast Corp., Cox Communications Inc., Time Warner Cable Inc.'s Road Runner and Verizon Communications Inc. Yahoo Inc. and Time Warner Inc.'s AOL became inaugural participants last year.

Individuals, businesses and organizations will be able to continue sending messages for free, but they risk finding those missives caught in increasingly aggressive spam filters. [“Let's filter anyone who can afford to pay us!” Bob]

With Goodmail, a company can pay a quarter of a penny per message to bypass those filters and reach inboxes directly. Recipients see a blue seal verifying that the message is legitimate; [Legitimate = they pay us Bob] senders get confirmations and can resend messages lost in transit.



Technology to the rescue! No doubt teens will learn to snort (and otherwise abuse) the powder...

http://www.reuters.com/article/oddlyEnoughNews/idUSPAR64994620070606

Just add water - students invent alcohol powder

Wed Jun 6, 2007 10:13AM EDT

AMSTERDAM (Reuters) - Dutch students have developed powdered alcohol which they say can be sold legally to minors.

The latest innovation in inebriation, called Booz2Go, is available in 20-gramme packets that cost 1-1.5 euros ($1.35-$2).

Top it up with water and you have a bubbly, lime-colored and -flavored drink with just 3 percent alcohol content.

"We are aiming for the youth market. They are really more into it because you can compare it with Bacardi-mixed drinks," 20-year-old Harm van Elderen told Reuters.

Van Elderen and four classmates at Helicon Vocational Institute, about an hour's drive from Amsterdam, came up with the idea as part of their final-year project.

"Because the alcohol is not in liquid form, we can sell it to people below 16," said project member Martyn van Nierop.

The legal age for drinking alcohol and smoking is 16 in the Netherlands.

In Germany, alcopops -- sweet drinks containing alcohol and in powder form -- caused quite a stir when launched on to the market. Alcohol powder, classified as a flavoring, was sold in the United States three years ago.

The students said companies interested in making the product commercially could avoid taxes because the alcohol was in powder form. A number of companies are interested, they said.


Wednesday, June 06, 2007

Isn't this obvious?

http://www.insidebayarea.com/ci_6062226

Lawyers dig into FasTrak data

By John Simerman, MEDIANEWS STAFF Article Last Updated: 06/05/2007 08:27:01 AM PDT

A car approaches the Bay Bridge toll plaza in Oakland on Monday. The FasTrak program, meant to be a private holder of account information, is now receiving info requests by law officials for legal defense. (JOANNA JHANDA - MediaNews staff)

George Orwell warned about Big Brother, but some who glide through Bay Area toll booths to the "beepbeep" of FasTrak risk an even more haunting specter: Big Angry Soon-to-be-Ex Spouse.

As the number of cash-free bridge commuters rises, so do the ranks of divorce lawyers and other civil attorneys who have subpoenaed, and received, personal driving records from the agency that oversees the regional e-toll system.



Perhaps a portable “Frisking tent” in the trunk of each police car?

http://www.pogowasright.org/article.php?story=20070605063836895

Md. court puts privacy limits on warrantless body searches

Tuesday, June 05 2007 @ 06:46 AM CDT - Contributed by: PrivacyNews - In the Courts

The state's highest court has invalidated the body search of a drug offender, effectively wiping out his conviction by ruling yesterday that police had not given him enough privacy when they checked a common drug-stashing location: between his buttocks.

Source - Baltimore Sun



The longer the contract the screwer the deal...

http://www.bespacific.com/mt/archives/015022.html

June 05, 2007

EU/US Passenger Name Record (PNR) Agreement

European Union Committee, Home Affairs (Sub-Committee F), The EU/US Passenger Name Record (PNR) Agreement, HL Paper 108 is published today Tuesday 5th June, 2007 (139 pages, PDF). [see also HTML version (browsable)]



e-Shylock?

http://news.com.com/Internet+conduct+that+crosses+the+state+line/2010-1030_3-6188929.html?part=rss&tag=2547-1_3-0-5&subj=news

Internet conduct that crosses the state line?

By Eric J. Sinrod Story last modified Wed Jun 06 04:00:04 PDT 2007

Illinois has just ordered Global Payday Loan to stop issuing loans to state residents. It also has fined the company $234,000 for charging excessive interest rates. But the decision raises the broader question of whether states should regulate Internet conduct that crosses state lines.

The investigation began after a complaint from someone who borrowed $300. The loan in question fell under an Illinois provision that capped annual finance charges at 36 percent.

State investigators found serious problems with the transaction. For one thing, the loan was written with a six-day term, which did not give the borrower sufficient time to repay the loan. Furthermore, the fees on the loan exceeded the $15.50 per $100 allowed under Illinois law.

In addition, the annual percentage rate on the loan interest rate came to 2,190 percent, as the borrower was required to repay the $300 loan plus a $90 finance charge just six days after the loan had been originated. According to the Illinois agency charged with loan oversight, Global Payday then continued to violate the borrower's rights by sending her e-mail warnings and making phone calls asserting that her account was delinquent and demanding payment.



They can, therefore they must!

http://www.eweek.com/article2/0,1759,2141371,00.asp?kc=EWRSS03129TX1K0000614

Should Police Hack?

June 5, 2007 By Larry Seltzer

We know from court decisions in the last few years in Virginia and California that it's OK for third parties (anywhere in the world) to hack into your computer to hunt for kiddie porn. The police encourage them and the courts look the other way. But what about the police?

A recent F-Secure blog by the inquisitive Mikko Hypponen explores the question of whether police should hack into suspects' computers. He starts by citing recent surveys in Europe that show a deep antipathy to the idea, although he also implies that the opposition is less fierce if police get a proper warrant.

I take that as a given: Of course the police shouldn't be hacking into people's computers without a warrant. But what about with a warrant?



Would this have been enforceable? By whom?

http://news.com.com/Police+Blotter+Judge+bans+man+from+Net+for+life/2100-1030_3-6188973.html?part=rss&tag=2547-1_3-0-5&subj=news

Police Blotter: Judge bans man from Net for life

By Declan McCullagh Story last modified Wed Jun 06 04:48:09 PDT 2007

What: Pennsylvania man appeals a lifelong ban on using any computer network at "any location, including employment or education."

When: Three-judge panel of 3rd Circuit Court of Appeals in Philadelphia unanimously rules on June 5.

Outcome: Permanent ban on Internet use thrown out.

What happened, according to court documents: An FBI investigation of a man named Wyndell Williams led agents to one of his online correspondents: a 35-year-old Pennsylvania resident named Daniel Voelker who briefly exposed the naked rear end of his 3-year-old daughter over a Webcam.

During a subsequent search of Voelker's home, the FBI claims to have found computer files containing child pornography. Voelker pleaded guilty to receiving material depicting the sexual exploitation of a minor and was sentenced to 5 years and 11 months in prison.

What makes this case unique are two special conditions that the judge imposed on him after his release that would remain in effect until his death.

Specifically, one of the permanent conditions of supervised release is: "The defendant is prohibited from accessing any computer equipment or any 'online' computer service at any location, including employment or education. This includes, but is not limited to, any Internet service provider, bulletin board system, or any other public or private computer network." A second permanent condition bars him from possessing "sexually explicit" books, movies or video games.

Read literally, this would prohibit Voelker from owning many books including the Bible, medical textbooks, and classics of modern fiction. Also prohibited would be owning a modern mobile phone or setting up a private home network to stream iTunes music between two computers.

Voelker appealed, saying the conditions were too broad.

For the most part, judges have wide discretion in imposing sentences. But it is not unchecked: conditions for supervised release have to be related to something like the actual offense, the defendant's criminal history or the need for general deterrence.

In this case, the 3rd Circuit agreed with the defendant. It threw out the conditions of supervised release and sent the case back to U.S. District Judge Alan Bloch for a second try.

Excerpts from the 3rd Circuit's opinion, written by Judge Theodore McKee:

Voelker contends that an absolute lifetime ban on using computers and computer equipment as well as accessing the Internet, with no exception for employment or education, involves a greater deprivation of liberty than is reasonably necessary...

The District Court did not explain its reasons for imposing such an unprecedented and sweeping lifetime restriction. We therefore have no way of determining if the court undertook the "careful and sensitive individualized assessment (that) is always required before such a ban is imposed."



Expect the verdict to be used in ads by the winner?

http://www.businessweek.com/ap/financialnews/D8PINH080.htm

Comcast sues Qwest over Internet ad

DENVER

Qwest's claim in television, online, and newspaper advertisements that its Internet service is as fast or faster than Comcast Corp. is being challenged in court by the cable and broadband provider.



Yeah! Why not?

http://www.technewsworld.com/rsstory/57692.html

Why Not Web Analytics?

By John Lovett E-Commerce Times Part of the ECT News Network 06/06/07 4:00 AM PT

Whether you're just starting to implement an analytics strategy within your organization or a seasoned pro, the true value of analytics is in the planning. A carefully designed strategy will allow companies to track performance and gauge effectiveness of business initiatives, while providing a benchmark for success.

Has your company defined a Web analytics strategy yet? If your answer is no, then ask yourself: Why not? Companies with defined analytics programs are realizing double-digit growth in new Web site visitors, returning visitor traffic and conversion rates. The barriers to entry for adopting analytics technologies that can dramatically improve online businesses have never been lower.

Web analytics evangelism is rampant and vendors like Google are making the tools available for free to businesses adopting Web analytics. These tools -- although lacking much of the functionality, sophistication and integration capabilities of the commercial products available -- are a great place to start.

Free tools -- what's the catch? The catch lies in the need to build a strategy around analytics so that the metrics measured are meaningful to your business.

Tuesday, June 05, 2007

No surprise, but should be a concern for the Board of Directors

http://www.eweek.com/article2/0,1759,2141544,00.asp?kc=EWRSS03119TX1K0000594

Businesses Struggle to Secure Data

June 4, 2007 By Brian Prince

Business leaders rank the importance of securing their own data above securing their customers' data, according to a recent survey of IT executives.

Customer data ranks third on the list of items business leaders worry about protecting from data breaches, according to a poll of 649 IT executives for a study by the Ponemon Institute. Intellectual property and confidential business information took top billing.

The report, a survey of IT executives from businesses and governmental organizations in the United States, Europe, the Middle East and Africa, included further unsettling results. Only 45 percent of IT staffers surveyed felt they were adequately protected against data loss; 40 percent of the respondents said their organizations don't monitor suspicious database activity or they didn't know whether such monitoring occurs; and 68 percent said they felt their databases were well protected against hackers, but only 43 percent expressed confidence that they were safe from malicious insiders.

... Some of the key problems facing respondents are the sheer number of databases being used and the difficulty of knowing where those databases are and what is in them. Thirty percent of respondents said their organizations had between 101 and 500 databases, while 23 percent reported having in excess of 1,000. Another 16 percent could not determine how many databases they had.



Another take on Security

http://www.net-security.org/secworld.php?id=5217

Global computer security study reveals employees take unnecessary risks

Posted on 05 June 2007.

SurfControl released an international Trust & Risk in the Workplace Study, conducted by Dr. Monica Whitty of Queen’s University Belfast. The study surveyed 1000 mobile and desktop employees across five countries – Australia, the Netherlands, Singapore, the United Kingdom and the United States – on the risks taken over company networks. The study demonstrates that employees in all regions take security risks, and mobile users take more risks than desktop users.

The study also found that across all activities surveyed, laptop users took more risks than their deskbound colleagues and some laptop users access the Internet through potentially insecure networks. According to the study, two thirds use wireless hotspots.

... Please visit the following link for access to the complete study: http://www.surfcontrol.com/default.aspx?id=491&mid=32



Another Security Survey...

http://www.sourcewire.com/releases/rel_display.php?relid=31770&hilite=

Security survey shows uncontrolled network access causing CTOs' sleepless nights

London, UK, 5 June 2007

A survey of more than 200 CTOs has revealed that internal security – protection within the Local Area Network (LAN) – is currently UK organisations’ Achilles heel, leaving them open to dangers such as loss or theft of sensitive information, fraud and litigation.

‘Employees with unrestricted access to all LAN assets’ was the number one concern for CTOs. [Can you think of any reason why an employee would have unrestricted access? Bob] Rounding out the top concerns were controlling contractors, protecting against malware, and documenting user activity. Together, these issues represented almost 70% of near-term investment plans to improve internal security.

This focus isn’t surprising, given that nearly half (47%) of respondents had either very basic or no network access restrictions in place. Meanwhile, almost half (44%) admitted to having little or no LAN auditing capability, leaving themselves with no formal records should litigation take place. In addition, they have no way to verify what suspect users, such as those announcing they’re leaving a company, have done on the LAN with regard to accessing inappropriate materials.

ConSentry Networks... surveyed the CTOs in April

... Additional findings that illustrate many organisations’ current vulnerabilities include:

· License to Look – when asked where respondents felt they had to invest more heavily, ‘Controlling access to the network’ was the top priority. ‘Restricting access for guests and contractors’ and ‘Controlling what information employees can reach’ each generated 18% of responses – this shows an awareness of the need to protect the LAN. However…

· Enemy at the Gates – when asked about their level of confidence in perimeter security that would protect against external threats, nearly one fifth (19%) said they had ‘little’ or ‘no confidence’

· The Devil Inside – there was even less confidence around internal security, as nearly a third of respondents (30%) had ‘little’ or ‘no confidence’

· Communication Breakdown - nearly one fifth (17%) of respondents admitted to only meeting heads of strategic functions such as Sales, HR and Finance on either a six-monthly or annual basis, leaving them out of touch with the business’ evolving technology needs



Well, it's a start... (Includes a short tour of the Bill of Rights...)

http://www.pogowasright.org/article.php?story=2007060413004918

Data Mining and the Security-Liberty Debate

Monday, June 04 2007 @ 01:00 PM CDT - Contributed by: PrivacyNews - Surveillance

Dan Solove has written an essay, "Data Mining and the Security-Liberty Debate," for an upcoming symposium on surveillance for the U. Chicago Law Review.

The essay's abstract:

In this essay, written for a symposium on surveillance for the University of Chicago Law Review, I examine some common difficulties in the way that liberty is balanced against security in the context of data mining. Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government's assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining's security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale.

Source - Concurring Opinions (blog)

Download full article: "Data Mining and the Security-Liberty Debate" [pdf]
Info on Symposium



E-surveillance

http://yro.slashdot.org/article.pl?sid=07/06/04/144243&from=rss

Concerns Over Microsoft's Internet User Profiling

Posted by CmdrTaco on Monday June 04, @10:42AM from the like-they-don't-already-know dept. Microsoft Privacy

jcatcw writes "Microsoft research on Internet user profiling could lead to tools that help repressive regimes identify anonymous dissidents, the Reporters Without Borders advocacy group warned last Friday. Microsoft's new algorithms correctly guessed the gender of a Web surfer 80% of the time, and his or her age 60% of the time. "In China, it is conceivable that this type of technology would be used to spot Internet users who regularly access such 'subversive' content as news and information websites critical of the regime," the group said."



To Google or not to Google... Shouldn't it be mandatory?

http://www.bespacific.com/mt/archives/014999.html

June 03, 2007

Harvard Business Review Case Study on Googling Job Candidates

  • We Googled You (Harvard Business Review Case Commentary), Diane L. Coutu, John G. Palfrey Jr., Danah M. Boyd, Jeffrey A. Joerres, Michael Fertik, June 1, 2007: "This case depicts an executive who, through an online search, discovers information about a job candidate that causes him concern about her qualifications. The reader considers issues such as the legal implications of Internet searching practices, the veracity of information found online, and the wisdom of expecting job candidates to have spotless online reputations."



Is this overly “picky” or a simple expectation that the lawyers control what happens?

http://ralphlosey.wordpress.com/2007/06/03/litigation-hold-is-not-enough-sanctions-imposed-under-rule-26g-for-negligent-search-and-preservaton/

Litigation Hold Is Not Enough: Sanctions Imposed Under Rule 26(g) for Negligent Collection and Preservation

Sanctions were recently imposed under Rule 26(g) for errors in the collection and preservation of computer files. Cache La Poudre Feeds, LLC v. Land O’Lakes Farmland Feed, LLC, 2007 WL 684001 (D.Colo. March 2, 2007). Rule 26(g) requires an attorney to sign all discovery requests, responses and objections.

... Even though the sanctions imposed were relatively minor, the case is still important, not only because Rule 26(g) was applied, but also because of the facts found to be sanctionable. These facts make clear that it is not enough to simply issue a litigation hold to key employees, and then assume they will properly locate, preserve and produce the relevant computer files and other ESI. Counsel have a duty under the rules to follow-up on the hold notice, and make reasonable efforts to independently verify that the hold directive has been followed, and the relevant ESI has been preserved and produced. This is part of the so called “Zubulake duties” discussed at length in the “Duties” blog page above. See Zubulake v. UBS Warburg LLC, 229 F.R.D. 422 (S.D.N.Y.2004) (“Zubulake V”).

The defendant in this case, Land O’Lakes, sent out a litigation hold notice to key employees within days after the trademark violation suit was filed. The court found the timing was acceptable, but faulted Land O’Lakes’ in-house and outside counsel for the procedure chosen to preserve and collect the ESI, and for the poor follow-up to the hold notice.

After the written hold notice was sent, there were interviews with key witnesses, but the Land O’Lakes employees were essentially on their own to locate and preserve the emails and other files that they considered to be related to the trademark dispute. The employees looked through their files, and although they located 50,000 pages of documents related to the mark “Profile”, they only found 415 emails. Counsel simply accepted all of this as correct. No attempt was made by either in-house counsel, or by outside counsel who signed the discovery responses under Rule 26, to independently verify their efforts. Counsel simply took the files they produced and assumed that the production was complete and the search was thorough. Further, no system-wide key word search was ever run on defendant’s systems, or the key employees, as plaintiff argued strenuously should have been done.
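An added example, not from this post or the Techdirt item on the Best Buy lawyer above, of the two checks both stories call for: a system-wide keyword search that shows what a self-collection by employees missed, and a hash manifest taken at preservation time that flags any document altered before production. The corpus, the hold term “Profile”, the employees' self-collection and the altered file are all constructed for the example.

```python
"""Added example: system-wide keyword search over an ESI collection plus a
preservation-time hash manifest, so counsel can verify a self-collection
and detect documents altered between collection and production."""
import hashlib
import re

# Constructed mini-corpus standing in for mailboxes and a file share.
CORPUS = {
    "mail/jsmith/2006-03-01.eml": "Subject: Profile launch\n\nThe PROFILE feed line ships in April.",
    "mail/jsmith/2006-03-09.eml": "Subject: Lunch\n\nPizza Friday?",
    "mail/akim/2006-04-02.eml": "Subject: re: Profile mark\n\nLegal says the Profile name may be contested.",
    "shared/sales/q2-plan.txt": "Q2 plan: push Profile dairy feeds to co-ops.",
    "shared/hr/handbook.txt": "Employee handbook, revision 7.",
}
HOLD_TERMS = ["profile"]

# What the employees handed over on their own (constructed): two of the
# three responsive files; the akim mailbox was never searched.
SELF_COLLECTED = ["mail/jsmith/2006-03-01.eml", "shared/sales/q2-plan.txt"]


def keyword_search(corpus, terms):
    """Sorted paths whose text contains any term as a whole word,
    case-insensitively: the system-wide search the court said was never run."""
    pattern = re.compile(r"\b(?:%s)\b" % "|".join(re.escape(t) for t in terms),
                         re.IGNORECASE)
    return sorted(path for path, text in corpus.items() if pattern.search(text))


def collection_gaps(corpus, terms, self_collected):
    """Responsive files the search finds that the custodians did not produce."""
    return sorted(set(keyword_search(corpus, terms)) - set(self_collected))


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(corpus, paths):
    """Hash each file at preservation time; keep this manifest outside the
    custodians' reach so a later comparison is independent of them."""
    return {p: sha256_text(corpus[p]) for p in paths}


def verify_production(manifest, produced):
    """Compare a production set {path: text} against the preservation manifest.
    'altered' is the case of a document changed after collection."""
    return {
        "missing": sorted(p for p in manifest if p not in produced),
        "altered": sorted(p for p, text in produced.items()
                          if p in manifest and sha256_text(text) != manifest[p]),
        "extra": sorted(p for p in produced if p not in manifest),
    }


# Constructed production: one responsive file dropped, one edited after hashing.
RESPONSIVE = keyword_search(CORPUS, HOLD_TERMS)
MANIFEST = build_manifest(CORPUS, RESPONSIVE)
PRODUCED = {
    "mail/jsmith/2006-03-01.eml": CORPUS["mail/jsmith/2006-03-01.eml"],
    "shared/sales/q2-plan.txt": CORPUS["shared/sales/q2-plan.txt"] + " [draft, not final]",
}

if __name__ == "__main__":
    print("responsive files:", RESPONSIVE)
    print("missed by self-collection:", collection_gaps(CORPUS, HOLD_TERMS, SELF_COLLECTED))
    print("production check:", verify_production(MANIFEST, PRODUCED))
```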



RIAA strategy unraveling...

http://arstechnica.com/news.ars/post/20070604-riaa-throws-in-the-towel-in-atlantic-v-andersen.html

RIAA throws in the towel in Atlantic v. Andersen

By Eric Bangeman | Published: June 04, 2007 - 04:04PM CT

One of the most notorious file-sharing cases is drawing to a close. Both parties in Atlantic v. Andersen have agreed to dismiss the case with prejudice, which means that Tanya Andersen is the prevailing party and can attempt to recover attorneys' fees.

... As we noted earlier today, counterclaims accusing the RIAA of all sorts of wrongdoing have become increasingly common. Late last month, Andersen filed a motion for summary judgment, saying that the plaintiffs have "failed to provide competent evidence sufficient to satisfy summary judgment standards" to show that she engaged in copyright infringement. Most notably, a forensic expert retained by the RIAA failed to locate "any evidence whatsoever" on Andersen's PC that she had engaged in file-sharing.


...resulting in:

http://arstechnica.com/news.ars/post/20070604-florida-defendant-goes-after-riaa-for-fraud-conspiracy-and-extortion.html

Florida defendant goes after RIAA for fraud, conspiracy, and extortion

By Eric Bangeman | Published: June 04, 2007 - 01:21PM CT

As the RIAA has continued its legal assault on file-sharing, defendants are responding with what amount to boilerplate defenses and counterclaims against the RIAA's allegations of copyright infringement. One recent RIAA target, Suzy Del Cid, is fighting back with a counterclaim that accuses the RIAA of all sorts of nefarious misdeeds.

UMG v. Del Cid is being heard in the US District Court for the Middle District of Florida, and in a counterclaim filed late last week, Del Cid accused the RIAA of computer trespass, conspiracy, extortion, and violations of the Fair Debt Collection Practices Act.



Dilbert introduces us to a new terror weapon!

http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert2061099070605.gif