Tuesday, April 08, 2008

My nominee for a Privacy Guardian Award! (No, they don't exist. I just made that up. No one has ever qualified before...)

http://www.pogowasright.org/article.php?story=20080407163357198

Redbox Shows Businesses How To Properly Handle A Data Breach

Monday, April 07 2008 @ 04:33 PM EDT Contributed by: PrivacyNews News Section: Breaches

Redbox rents DVD movies via vending machine in drugstores and supermarkets throughout the country, and on Friday they announced that they'd found credit card skimmers attached to three of their kiosks. What's surprising is that they 'fessed up so quickly, and in a highly public manner—they've got the text "SECURITY ALERT" at the top and bottom of their website, and the email they sent to their members is detailed, forthright, and helpful, and reposted in its entirety—along with photos of sample card skimmers—on their site. Attempts at identity theft no longer surprise us, but a competent handling of the issue by a company is pretty amazing. [Amen! Bob]

Source - The Consumerist blog



Isn't this similar to putting your trash out for collection? (Wouldn't this put an end to all those CSI TV shows?)

http://www.phiprivacy.net/?p=214

Apr-7-2008

Do People Have a Reasonable Expectation of Privacy in Abandoned DNA?

Information privacy lawyer Dan Solove has a commentary on the recent news article in the New York Times, “Lawyers Fight DNA Samples Gained on Sly,” in which he writes:

[…]

DNA is sensitive information in many people’s books, but it is also very hard to keep contained. We leave traces of DNA everywhere we go — in hair and skin we shed, in saliva, etc. It is quite easy for law enforcement officials to obtain our DNA.

DNA is one illustration of where the current Fourth Amendment regime doesn’t work very well with information privacy. It works well with papers and things — we can hide papers away in our homes or in bags, and we can have protection in our homes. But information in today’s Information Age often is hard to contain. It is hard to tuck away. The result is that our personal information is increasingly in places where the police no longer need warrants and probable cause.

Read the full commentary at Concurring Opinions


Related? The Gov-inator is not someone to make angry...

http://www.phiprivacy.net/?p=218

Apr-8-2008

Schwarzenegger Calls For Stronger Privacy Of Medical Records

Catharine Paddock, PhD has an article in Medical News Today about the recent revelations of privacy breaches at UCLA and how Governor Arnold Schwarzenegger is calling for stronger protections. Schwarzenegger himself has been in the situation of celebrity patient and reports that his privacy was invaded, too. What he describes, however, is more than just employee “snooping.” Paddock writes:

The Governor told the Times that every time he left the operating room he was told that people were going through his file. They “had white coats on”, he said, and they had snuck into the hospital, “They had nothing to do with the hospital staff at all,” he told the paper. [Did the hospital have a duty to protect those records? Bob]

Source: Medical News Today



If your organization received an email that claimed your security wasn't working, would you A) Ignore it. (Who do these people think they are?) B) Ask someone to look into it. C) Have your legal department send a letter threatening to sue?

http://www.pogowasright.org/article.php?story=20080407090404471

EXCLUSIVE: WellPoint exposed members' personal info, Rx records on the web

Monday, April 07 2008 @ 09:04 AM EDT Contributed by: PrivacyNews News Section: Breaches

Thousands of files on wellpoint.com containing what appear to be well over a million records -- many with members’ personal information or prescription information -- were indexed and cached by Google last year. WellPoint disallowed indexing of files and got them removed from Google's cache, but the data remained unencrypted and connected to the internet, where they could be accessed without any login or password for over a year.

In February 2007, just a few months after WellPoint, Inc. learned that a backup tape with unencrypted personal information on 196,000 Anthem Blue Cross and Blue Shield members had been stolen from Concentra Preferred Systems, they learned that a CD with unencrypted records on 75,000 of its Empire Blue Cross and Blue Shield members had been lost in transit. While in the midst of responding to this second data loss, WellPoint (WLP) was contacted by a customer who alerted them that thousands of files containing unencrypted and sensitive members’ records on the wellpoint.com domain had been indexed and cached by Google.

Based on screenshots of Google’s cached results provided to PogoWasRight.org, it took more than a month and a half before all of the files were removed from Google’s cache. But WellPoint’s members’ data were still vulnerable long after WellPoint was notified of security issues in February 2007. A year later, the company still maintained what appear to be at least three domains with all of the previously exposed files accessible to the world via your nearest web browser – no login or password required.

Following up on a tip from www.answerability.org, PogoWasRight.org learned that many of the files contained records that included members’ names, dates of birth, their member IDs (which appeared to be Social Security numbers in some of the earlier files), doctors’ names and the doctors’ DEA numbers, and the name and dosage of their prescriptions. Some files contained a few hundred records, while other files contained tens of thousands of records.

Other files labeled as being from WellPoint Pharmacy Management UniCare HMO contained pharmacy records sorted by diagnosis and name of provider’s group, with the member’s full name, age, the name of the doctor, the name of their pharmacy, the name of the medication, the date that the prescription was filled, and the cost. Files containing UniCare HMO records for members with diabetes, asthma, organ transplant patients, patients on narcotics/stadol, and prenatal patients were all there online for easy viewing by anyone.

All told, and as crude estimates, there may have been over 2,000,000 unique records exposed on the web, affecting over 100,000 unique individuals or what may total even hundreds of thousands of individuals. WellPoint did not respond to several inquiries about the total number of records or the total number of individuals whose records were cached in Google.....

Full story here
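The sequence above (files disallowed in robots.txt and purged from Google's cache, yet still served to anyone with a browser) is worth turning into a routine check, because a Disallow line only asks polite crawlers to stay away and does nothing to the files themselves. The script below is an added example, not code from WellPoint, PogoWasRight.org or Google: it parses a robots.txt, requests each Disallow path as an anonymous client, and reports the ones that come back 200 with no login. The hostname, paths, robots.txt text and HTTP responses are all constructed for the demonstration, and the `fake_fetch` stub stands in for the real `http_fetch` so it runs offline.

```python
"""Check whether paths a site's robots.txt asks crawlers to avoid are
actually protected, or merely unindexed.

Added example; not code from WellPoint, PogoWasRight.org or Google.
A Disallow line only asks well-behaved crawlers to stay away. The files
stay reachable by anyone who knows or guesses the URL, and the Disallow
list itself advertises which paths the operator considered sensitive.
"""
import urllib.error
import urllib.parse
import urllib.request


def parse_disallows(robots_txt, agent="*"):
    """Return Disallow paths from groups that name `agent` or the wildcard.

    Deliberately broad: for an audit we want every path any group hides,
    so a specific-agent group and the '*' group are both collected.
    """
    paths = []
    in_group = False
    prev_was_ua = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            match = value == "*" or value.lower() == agent.lower()
            # Consecutive User-agent lines all belong to the same group.
            in_group = (in_group or match) if prev_was_ua else match
            prev_was_ua = True
            continue
        prev_was_ua = False
        if field == "disallow" and in_group and value:
            paths.append(value)
    return paths


def http_fetch(url):
    """Anonymous GET with no cookies or credentials: (status, first 4 KiB)."""
    req = urllib.request.Request(url, headers={"User-Agent": "robots-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as exc:
        return exc.code, b""


def audit(base_url, robots_txt, fetch=http_fetch, agent="*"):
    """Return [(url, status)] for disallowed paths served to an anonymous client.

    A 200 whose body looks like a login form is treated as protected; this is
    a heuristic, so review the results by hand.
    """
    exposed = []
    for path in parse_disallows(robots_txt, agent):
        url = urllib.parse.urljoin(base_url, path.rstrip("*"))
        status, body = fetch(url)
        looks_like_login = b"<form" in body.lower() and b"password" in body.lower()
        if status == 200 and not looks_like_login:
            exposed.append((url, status))
    return exposed


# Constructed sample data (not WellPoint's robots.txt, hostnames or paths).
SAMPLE_ROBOTS = """\
# hide the report exports from search engines
User-agent: Googlebot
User-agent: *
Disallow: /reports/rx/
Disallow: /pharmacy/exports/
Disallow: /admin/
"""

FAKE_SITE = {
    "https://example.test/reports/rx/": (200, b"<html>Index of /reports/rx/ claims_2007q1.csv"),
    "https://example.test/pharmacy/exports/": (403, b"Forbidden"),
    "https://example.test/admin/": (200, b"<form><input type=password></form>"),
}


def fake_fetch(url):
    """Stand-in for http_fetch so the audit runs offline."""
    return FAKE_SITE.get(url, (404, b""))


if __name__ == "__main__":
    for url, status in audit("https://example.test", SAMPLE_ROBOTS, fetch=fake_fetch):
        print("EXPOSED", status, url)
```

Point `audit` at a host you are authorised to test by passing `fetch=http_fetch`. Two caveats: the Disallow list is a ready-made map of sensitive paths for anyone who reads it, so hiding files from crawlers without access control makes them easier to find, not harder; and the login-form heuristic is crude, so confirm each hit by hand.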


Related. (A bit of editorializing)

http://www.pogowasright.org/article.php?story=200804071031308

WellPoint breach highlights gaps in federal health privacy laws (commentary)

Monday, April 07 2008 @ 10:31 AM EDT Contributed by: PrivacyNews News Section: Breaches

A previously undisclosed breach involving WellPoint, Inc. reported on PogoWasRight.org today describes a web exposure incident involving unencrypted prescription records on the wellpoint.com domain. But that unintentional exposure was just part of a bigger story, because members’ information that was cached in Google remained unencrypted and accessible via the web without any password or login required for over a year.

When the largest commercial health insurer in the country exposes or leaves our personal health information vulnerable, it undermines the public's confidence in e-health databases connected to the internet. But our trust and confidence are also undermined if it turns out to be the case that we were never told that our health data were exposed because disclosure and notification were not mandated by any federal law.

Source - Chronicles of Dissent blog

[From the article:

As I understand it, the federal law known as HIPAA does not require those in possession of protected health information and who are covered by HIPAA to inform federal regulators of breaches. Nor does HIPAA require them to notify patients, members, or customers of breaches involving their health information. HIPAA requires covered entities — which generally includes health insurers — to “mitigate harm” in the event of a breach, but if there are no Social Security numbers, credit card numbers, or financial account numbers involved, then some might ask, “Where is the harm?”


Related (Slow reactions are common.)

http://www.pogowasright.org/article.php?story=20080407164728820

Army Shuts Down Site for Scrubbing

Monday, April 07 2008 @ 04:47 PM EDT Contributed by: PrivacyNews News Section: Breaches

A spreadsheet containing a "hidden" column of Social Security numbers belonging to about two dozen officers and civilian employees of one Army agency was left on the agency's website for five months after being notified of the presence of the personal information. (emphasis added by Dissent)

The Army's Acquisition Support Center has temporarily shut down its website to scrub the information from the spreadsheet, following FederalNewsRadio's request for an interview.

Source - Federal News Radio
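Hiding a column changes how a spreadsheet program draws the sheet, not what is in the file, so a reviewer who opens the workbook and looks for visible Social Security numbers will miss exactly this case. The scanner below is an added example, not the Army's or Federal News Radio's code: it reads an .xlsx as the zip of XML parts it is, flags SSN-like values in every cell, and reports whether each hit sits in a column marked hidden. The workbook it scans is constructed inline, and the names and numbers in it are invented.

```python
"""Find SSN-like values in an .xlsx workbook, including cells in hidden columns.

Added example; not code from the Army or Federal News Radio. An .xlsx file is
a zip archive: cell values live in xl/worksheets/sheetN.xml, shared text in
xl/sharedStrings.xml, and a hidden column is only a <col hidden="1"> hint to
the spreadsheet program. Anyone who downloads the file gets the data.
Only the standard library is used.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_ssn(text):
    """Nine digits with optional dashes, excluding never-issued ranges."""
    m = SSN_RE.match(text.strip())
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":   # same-length strings compare numerically
        return False
    return group != "00" and serial != "0000"


def col_index(ref):
    """Cell reference to 1-based column number: 'C2' -> 3, 'AA7' -> 27."""
    n = 0
    for ch in ref:
        if not ch.isalpha():
            break
        n = n * 26 + ord(ch.upper()) - ord("A") + 1
    return n


def hidden_columns(sheet_root):
    """Set of 1-based column numbers the sheet marks hidden."""
    hidden = set()
    for col in sheet_root.iterfind("m:cols/m:col", NS):
        if col.get("hidden") == "1":
            hidden.update(range(int(col.get("min")), int(col.get("max")) + 1))
    return hidden


def scan_xlsx(data):
    """Return [(sheet_part, cell_ref, value, in_hidden_column)] for SSN-like cells."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        shared = []
        if "xl/sharedStrings.xml" in zf.namelist():
            sst = ET.fromstring(zf.read("xl/sharedStrings.xml"))
            for si in sst.iterfind("m:si", NS):
                shared.append("".join(t.text or "" for t in si.iter("{%s}t" % NS["m"])))
        for part in zf.namelist():
            if not (part.startswith("xl/worksheets/sheet") and part.endswith(".xml")):
                continue
            sheet = ET.fromstring(zf.read(part))
            hidden = hidden_columns(sheet)
            for c in sheet.iterfind("m:sheetData/m:row/m:c", NS):
                v = c.find("m:v", NS)
                if v is None or v.text is None:
                    continue
                # t="s" means the value is an index into the shared string table
                value = shared[int(v.text)] if c.get("t") == "s" else v.text
                if looks_like_ssn(value):
                    ref = c.get("r")
                    findings.append((part, ref, value, col_index(ref) in hidden))
    return findings


def build_sample_xlsx():
    """Constructed minimal workbook: Name, Rank, and an SSN column C marked hidden."""
    strings = ["Name", "Rank", "SSN", "J. Doe", "MAJ", "123-45-6789", "R. Roe", "GS-13"]
    sst = '<sst xmlns="%s">%s</sst>' % (
        NS["m"], "".join("<si><t>%s</t></si>" % s for s in strings))
    sheet = (
        '<worksheet xmlns="%s">'
        '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
        '<sheetData>'
        '<row r="1"><c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c>'
        '<c r="C1" t="s"><v>2</v></c></row>'
        '<row r="2"><c r="A2" t="s"><v>3</v></c><c r="B2" t="s"><v>4</v></c>'
        '<c r="C2" t="s"><v>5</v></c></row>'
        '<row r="3"><c r="A3" t="s"><v>6</v></c><c r="B3" t="s"><v>7</v></c>'
        '<c r="C3"><v>223456789</v></c></row>'
        '</sheetData></worksheet>'
    ) % NS["m"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", sst)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()
```

The same approach applies to anything posted for download: scan the bytes of the file, not the rendered view. The SSN filter drops ranges that were never issued (area 000, 666 and 900 upward, group 00, serial 0000) to cut false positives on nine-digit IDs; tighten or loosen it to the data you expect.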



“It is a waste of my valuable time to steal credit card data. I can buy all I want – cheap and fast.”

http://www.pogowasright.org/article.php?story=20080408061510170

Stolen identities going cheap

Tuesday, April 08 2008 @ 06:15 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

Fierce competition among identity thieves has driven the prices for stolen data down to bargain-basement levels, which has forced crooks to adopt mainstream business tactics to lure customers, according to a new report on Internet security threats.

Credit card numbers were selling for as little as 40 US cents each and access to a bank account was going for US$10 in the second half of 2007, according to the latest twice-yearly Internet Security Threat Report from Symantec, released Tuesday.

Source - The Age

Related - Dark Reading: New Crimeware-as-a-Service Market Thriving



This is very interesting – from several perspectives.

http://www.bespacific.com/mt/archives/018043.html

April 07, 2008

Intelligence Community Information Sharing Strategy

News release: "The Office of the Director of National Intelligence is announcing the first-ever strategy to improve the ability of intelligence professionals to share information, ultimately strengthening national security. The document, titled the U.S. Intelligence Community Information Sharing Strategy, complements a related national strategy that President Bush released last year. The document responds to needs identified in the 9/11 and WMD Commission reports, as well as mandates in executive orders and the 2004 Intelligence Reform and Terrorism Prevention Act."

[Of particular interest to me is the switch from “Need to Know” to “Responsibility to Provide” Bob]



Oh lookie there, the Emperor has no clothes! (The difference between “We can't” and “We don't want to”)

http://www.pogowasright.org/article.php?story=2008040712213391

Ca: Letter to the Commissioner of the RCMP

Monday, April 07 2008 @ 12:21 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Commissioner of the RCMP, regarding provisions of the Privacy Act for public interest disclosures.

William J.S. Elliott
Commissioner of the RCMP
Headquarters Bldg
1200 Vanier Parkway
Ottawa, ON K1A 0R2

Dear Mr. Elliott:

My Office has noted with interest the statements made to the media on March 24 and 25, 2008 that the RCMP refuses to disclose, for operational and privacy reasons, statistics regarding the use of taser guns by their members. For your information, Canada’s privacy laws take into account that there are occasions when it is appropriate and reasonable to disclose personal information without consent. The Privacy Act, which protects personal information of individuals held by government institutions and agencies, does contain a provision for public interest disclosures.

Source - Office of the Privacy Commissioner of Canada

[From the article:

A Fact Sheet prepared by this Office and entitled The Privacy Act: Not an excuse to promote secrecy sets out the specific circumstances in which government institutions may disclose personal information without the individual’s consent. We have attached this Fact Sheet for your perusal.

[Get the fact sheet at: http://www.privcom.gc.ca/fs-fi/02_05_d_29_e.asp


Related?

http://www.pogowasright.org/article.php?story=20080407162233435

Article: Data Mining and the Security-Liberty Debate

Monday, April 07 2008 @ 04:22 PM EDT Contributed by: PrivacyNews News Section: Other Privacy News

Abstract:

In this essay, written for a symposium on surveillance for the University of Chicago Law Review, I examine some common difficulties in the way that liberty is balanced against security in the context of data mining. Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government's assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining's security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale.

Citation:

Solove, Daniel J., "Data Mining and the Security-Liberty Debate". University of Chicago Law Review, Vol. 74, p. 343, 2008. Available at SSRN: http://ssrn.com/abstract=990030 (free full-text article)



Is this the result of the “We gotta do something!” syndrome?

http://techdirt.com/articles/20080407/170226779.shtml

It's Time To Play The Game: What's Comcast Blocking Now?

from the answer:-everything? dept

Broadband Reports highlights a new research report out of the University of Colorado suggesting that Comcast has changed its traffic shaping system such that it's sending RST packets for any kind of TCP traffic at times, [“As user volume goes up, customer service goes down.” Bob] rather than just for BitTorrent traffic. Comcast has responded saying that this is not the planned change it had announced a couple weeks ago. In fact, the company itself seems confused about the report -- but given the company's own unwillingness to admit to what it was doing in the past, it's hard to know how honest the company is being. Of course, it could just be a technical error. Considering that Comcast's earlier efforts included an accidental jamming of Lotus Notes, a technical mistake might make the most sense.
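Whether or not the resets are deliberate, the subscriber-side question is how to tell a forged RST from a real one. One telltale is the IP TTL: a reset injected by a device in the path has travelled a different number of hops than packets from the real peer, so its TTL on arrival usually differs from the TTLs seen on that peer's genuine packets. The detector below is an added example, not code from the University of Colorado report, Broadband Reports or Comcast. The packet records are constructed (203.0.113.7 is a documentation address), and `tolerance` is a parameter introduced here to absorb ordinary route changes.

```python
"""Flag TCP RST segments whose IP TTL does not match the TTL their supposed
sender has been using on the same flow.

Added example; not code from the University of Colorado report, Broadband
Reports or Comcast. A RST forged by an in-path device is emitted from a
different hop count than the real endpoint, so its TTL on arrival usually
differs from the TTLs seen on genuine packets of that flow. The packet
records below are constructed, not captured.
"""


def sender_key(pkt):
    """One direction of a flow: who claims to be sending, and to whom."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def find_suspicious_rsts(packets, tolerance=0):
    """Return indices of RST packets whose TTL deviates from the baseline TTL
    seen on non-RST packets from the same sender by more than `tolerance`.

    The baseline is the TTL of the first non-RST packet in that direction;
    tolerance > 0 absorbs ordinary route flaps. A RST with no baseline is
    skipped rather than flagged, since there is nothing to compare against.
    """
    baseline = {}
    suspicious = []
    for i, pkt in enumerate(packets):
        key = sender_key(pkt)
        if "R" in pkt["flags"]:
            if key in baseline and abs(pkt["ttl"] - baseline[key]) > tolerance:
                suspicious.append(i)
        else:
            baseline.setdefault(key, pkt["ttl"])
    return suspicious


def _pkt(src, sport, dst, dport, flags, ttl):
    """Minimal packet record; the same fields can be pulled from a pcap."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "ttl": ttl}


# Constructed sample: a subscriber (10.0.0.5) talking to a remote peer
# (203.0.113.7, a documentation address). Packet 4 is a RST claiming to be
# from the peer but with TTL 58 instead of the peer's usual 49; packet 5 is
# the peer's own RST, whose TTL matches.
SAMPLE = [
    _pkt("10.0.0.5", 51000, "203.0.113.7", 6881, "S", 64),
    _pkt("203.0.113.7", 6881, "10.0.0.5", 51000, "SA", 49),
    _pkt("10.0.0.5", 51000, "203.0.113.7", 6881, "A", 64),
    _pkt("203.0.113.7", 6881, "10.0.0.5", 51000, "PA", 49),
    _pkt("203.0.113.7", 6881, "10.0.0.5", 51000, "R", 58),
    _pkt("203.0.113.7", 6881, "10.0.0.5", 51000, "RA", 49),
]

if __name__ == "__main__":
    for i in find_suspicious_rsts(SAMPLE):
        p = SAMPLE[i]
        print("suspicious RST #%d from %s:%d ttl=%d" % (i, p["src"], p["sport"], p["ttl"]))
```

Feed it records decoded from a capture (Scapy or dpkt can supply the same fields). A TTL mismatch on its own is evidence, not proof: a route change in the middle of a connection shifts the TTL as well, which is what `tolerance` is for, so corroborate hits with timing (a reset arriving mid-transfer with no FIN from either side) before concluding that something in the path is forging packets.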



Oxymoron alert: Legal Ethics. I am torn. This may be simple extortion, but if it works as desired, isn't it a good business strategy? Perhaps if the letters came from a non-lawyer?

http://techdirt.com/articles/20080407/002030770.shtml

File Sharing Pre-Settlement Letters In Europe Get Lawyer Banned For Six Months

from the extortion-not-appreciated dept

Earlier this year, we wrote about how common it was becoming for companies to send out "pre-settlement" letters to people they haven't yet accused of a crime. While these are well-known for groups like the RIAA, they're also used by big retailers and were famously used by DirecTV against anyone it thought might have been stealing satellite TV. The letter basically demands an upfront payment to get the company not to sue. And, of course, the letter includes all sorts of threatening legalese about how going to court will be expensive and time consuming, suggesting that it's much easier to just pay up. While these "extortion-lite" letters in the US grow in popularity, it looks like folks in Europe aren't so willing to let them pass. A lawyer representing Logistep, a company that has recently run into trouble in both Italy and Switzerland for its tactics in trying to sniff out file sharers, has been banned from practicing law for six months by the Paris Bar Council. The lawyer had been sending out these types of letters demanding 400 euros not to sue, and the Paris Bar apparently felt this was rather problematic. Somehow I doubt we'll see the same sort of thing happen in the US any time soon.



Are we missing a great scientific research opportunity here? Unlike driving while chatting/texting, here we could (in only a generation or two) determine if Darwin was right! If these people have a higher than normal mortality rate, they should be gone from the gene pool rather quickly (and because we start them so young, perhaps before they can reproduce.) Think about it – and look for Christian Fundamentalists to oppose the legislation.

http://techdirt.com/articles/20080403/144230741.shtml

Next Thing To Ban: Walking While Talking On A Mobile Phone

from the no-chatting-for-you dept

Last month we pointed to some recent studies about how people walking while talking on mobile phones tend to do things that are riskier than those not talking on mobile phones and jokingly asked when politicians would start proposing bans on walking-while-talking, to go along with the popular bans on driving while talking. It didn't take long at all, actually. Parker Mason writes in to let us know that an Illinois lawmaker has proposed a ban on talking on a mobile phone while in a crosswalk. Combine that with jaywalking and you could really piss off a person who wasn't actually doing something dangerous. Actually, this isn't the first time such a thing has been proposed. Last year a similar law was proposed in New York, though I don't believe it went anywhere. It's nice that politicians want to protect people, but at some point you really have to ask why people can't take responsibility for their own actions.


Another people-are-too-stupid-to-live-without-our-guidance law?

http://www.wdbj7.com/Global/story.asp?S=8127995

April 7, 2008

Virginia 1st state to require Internet safety lessons

RICHMOND, Va. (AP) -- Virginia is the first state to mandate that public schools offer Internet safety classes for all grade levels -- and it's one of many measures being taken nationally to protect young Web users.



I suspect this will become a favorite target of hackers. Politicians would do well to avoid those aroma-therapy devices. Perhaps we should make them mandatory?

http://www.infoworld.com/article/08/04/08/When-roses-wont-do-e-mail-a-frangrance_1.html?source=rss&url=http://www.infoworld.com/article/08/04/08/When-roses-wont-do-e-mail-a-frangrance_1.html

When roses won't do, e-mail a fragrance

NTT Communications will test a service that allows users to send fragrances from their cell phones

By Martyn Williams and Chiara Castañeda, IDG News Service April 08, 2008



Resource? I can see this expanding to become useful...

http://google-latlong.blogspot.com/2008/04/all-news-thats-fit-to-print-on-map-new.html

All the news that’s fit to print on a map: The New York Times in Google Earth

Monday, April 7, 2008 at 8:14 AM Posted by Wei Luo, Tech Lead Manager, Google Earth

I read a lot of news by surfing the Internet, as do many of my colleagues and friends, and I've always dreamed of a way to browse news based on geography. What's happening in Paris today? What are the top headlines in Japan?

... To experience this new way of getting your daily dose of news, launch the latest version of Google Earth and make sure the "Geographic Web" folder is turned on. Click on a New York Times placemark and you will see the latest news and features pertaining to that geographic region. Want to see more than just headlines? Click on the "Show this layer" button at the top of the preview bubble and you'll get a list of news articles dating back one month.



Alert Homeland Security! Drive an Ice Cream truck, go directly to Guantanamo!

http://www.thelocal.se/10952/20080407/

Swedish ice cream trucks 'a form of torture'

Published: 7 Apr 08 12:30 CET

Selling ice cream and candy with enticing melodies ought to be outlawed because it is connected to child obesity.

The suggestion comes from Bo Sjöberg, a professor at the Sahlgrenska Academy in Gothenburg, who compares the repetition of ice cream trucks’ jingle with modern torture methods.
