Monday, April 12, 2010

Is there a philosophical (if not legal) description of what privacy laws (or privacy ethics) should achieve?

http://www.databreaches.net/?p=11165

(follow-up) Data theft puts LPL clients at risk

April 11, 2010 by admin

Bruce Kelly of Investment News has more on the recent LPL Financial breach reported previously here. Kelly reports that LPL’s chief risk officer, John McDermott, says that LPL advisers guilty of mishandling or losing client data face an escalating series of punitive measures — “starting with a formal reprimand, then fines and ultimately termination.”

McDermott disagrees with any suggestion that the firm has had more problems with data security with other firms:

“We don’t feel our instances of these are high, compared to the rest of the industry — we have a very large and widely distributed adviser force,” Mr. McDermott said.

That’s possible, of course, as we don’t get to see all breach notices from all states and LPL is reportedly the nation’s largest independent-contractor broker-dealer. That said, having PII stolen because a device is left in a car is somewhat unacceptable in this day and age, isn’t it?

Kelly also reminds us of what the federal laws do not require:

Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC’s Regulation S-P would add this.

That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending. It is unclear when it will be finalized.

Both bodies recommend — but don’t mandate — the use of encryption to protect client personal data.

In a companion piece on Investment News, Brandon Tavelli of Proskauer Rose provides an overview of the patchwork of privacy laws that apply to investment advisors.


(Related) Is this a political ad or something more sinister? (Can politicians tell the difference?) Want to bet we see something similar in the US?

http://www.phiprivacy.net/?p=2422

UK: Labour attacked over mailshot to cancer patients

By Dissent, April 12, 2010 7:09 am

Chris Hastings, Maurice Chittenden and Nyta Mann report:

The Conservatives and the Liberal Democrats have attacked the Labour Party for sending “alarmist” literature to cancer patients, and called for an inquiry into whether NHS databases had been used to identify recipients.

The row erupted after Labour sent cancer patients mailshots saying that their lives may be at risk under a Conservative government.

[...]

Labour sources deny that the party has used any confidential information. However, the sources admit that, in line with other political parties, it uses socio-demographic research that is commercially and publicly available. [Should we conclude that your medical information is “commercially and publicly available?” Bob]

[...]

The cards are being distributed by Ravensworth, part of Tangent Communications, which has won accounts sending out mail for the Department of Health and Cancer Research UK.

Tangent claims that it specialises in “highly targeted marketing”.

[...]

Experian, the data management company, confirmed that both Labour and the Conservatives use its Mosaic database, which divides voters into 67 groups. The databases can use anonymised hospital statistics, including postcodes and the diagnoses of patients, to identify the likely addresses of those with particular illnesses.

Conservative former shadow home secretary David Davis called on Labour to ensure the company responsible for the mailshot made the sources of its address lists available for independent review. If it turned out that they had used private medical data, it would be “a scandal of enormous magnitude”, said Mr Davis.

A Labour spokesman said: “The Labour Party would never specifically target any material at people suffering from a medical condition. To suggest otherwise is categorically untrue. [So they didn't target cancer patients, it was just a coincidence that everyone who got this literature had cancer? Bob]

Read more on TimesOnline.

If commercial databases can be used to identify the likely addresses of those with particular diagnoses so that they can be addressed by name in a mailing, such databases should be barred for commercial and political use. The NHS has already been criticized repeatedly over data breaches and over the fact that too many people have access to sensitive information. This situation, assuming that the NHS databases weren’t directly used for the mailing, makes it clear how much sensitive health information may also be in the hands of commercial data brokers. Did NHS patients ever consent to have their diagnoses become part of an “anonymized” database that could eventually be linked back to them by data mining? How many demonstrations do we need to see that “anonymized” databases can be de-anonymized?

Receiving a postcard with your name and revelation that you suffer from a particular illness or diagnosis is a horrifying disregard for patient privacy. Even if Labour obtained the list via legal means, shame on them for not considering that their mailing may have revealed health information about people that should be treated as confidential.



Should this information be made public before they have had time to fix the problems? Of course, hackers would assume some percentage of organizations would fail to follow Best Practices (or use common sense)

http://www.databreaches.net/?p=11167

B.C. Ferries’ data security system flawed, audit finds

April 11, 2010 by admin

Gary Mason reports:

B.C. Ferries customers who pay with a credit card are being put at risk by flaws in the company’s data security system.

Recent internal audits conducted by the ferry corporation have identified glaring deficiencies in the way in which the company is protecting sensitive customer credit card information.

[...]

In order to be compliant with industry standards, there needs to be zero gaps identified in any audit. However, one audit the company conducted last fall revealed as many as 45 deficiencies in its data security system.

[...]

According to an internal company document, PCIDSS sets out requirements that any organization processing credit or debit cards must follow in order to be compliant. For instance, all personnel authorized to access credit card information should have unique identification to ensure users are traceable. The Ferries audit found that the same user ID was being used by multiple people.

PCIDSS insists all access passwords be stored in an unreadable format. The audit uncovered instances of passwords stored in plain text formats. Also, all database access should be monitored. The report found that “auditing was not enabled on the database.”

Perhaps most concerning of all, security standards insist that an archiving policy must be in place and data should only be stored as long as required. But B.C. Ferries has several years worth of unnecessary credit card data remaining in various databases. The report says that data are being duplicated across a half dozen databases.

Read more in The Globe and Mail.



First, you have to have a functioning system in place, THEN you can require registration.

http://yro.slashdot.org/story/10/04/11/1930249/Mexico-Will-Shut-Down-259-Million-Cell-Phones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Mexico Will Shut Down 25.9 Million Cell Phones

Posted by timothy on Sunday April 11, @03:33PM

Several months ago, as a way to prevent the use of cellular phones in criminal activities, the government of Mexico started a program to require all phone owners to register cell phones in their own names. The registry associates each phone with the listed owner's Clave Unica de Registro de Poblacion (CURP) [CURP, in English], which is supposed to be a unique ID for every Mexican citizen. Now, as nanahuatzin writes,

Yesterday the timeline to register the cell phones expired, and there are [approx 26] million cell phones yet unregistered (English translation of the Spanish original). While the procedure is simple, sending a text message with the CURP to a special number, most people do not want to register: some are wary of the uses to which the government will put the data; others did not understand or did not know the procedure. So far, only 69% have registered, most of them in the last few days, while the system to register has been oversaturated. So in an unprecedented move for any country, the Mexican government is announcing the shutdown of 25.9 million cell phone lines. Meanwhile, as a measure of protest, hundreds of people have registered their cell phones in the name of the president of Mexico, Felipe Calderon Hinojosa, to show how pointless is the registry."



Transparently silly? Would it have been better to use a phoney name or an anonymous re-mailer?

http://politics.slashdot.org/story/10/04/11/2352245/Ex-Googler-Obama-Appointee-Gets-Buzzed?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Ex-Googler Obama Appointee Gets Buzz'ed

Posted by timothy on Sunday April 11, @08:07PM

theodp writes

"Hillicon Valley reports that Rep. Darrell Issa of the House Oversight Committee is pressing White House Deputy CTO Andrew McLaughlin to explain his relationship with Google, where McLaughlin was employed as Google's chief lobbyist. 'The American people have a right to expect that White House employees are working to advance the public interest and not the interests of the lobby shops who formerly employed them,' Issa noted in the letter. 'The use of a Gmail account to communicate with lobbyists and evade transparency laws is at odds with President Obama's promises to limit the influence of lobbyists.' Concerns emerged after screenshots of McLaughlin's Google Buzz account emerged showing that a number of the search giant's top employees subscribed to the deputy Web chief's updates."



Tools & Techniques

http://www.makeuseof.com/dir/infosniper-find-the-geographic-location-of-an-ip-address/

InfoSniper: Find The Geographic Origin Of Any IP address

Your IP address isn’t just a random series of numbers: it can be used to identify where you are geographically. In fact, almost all IP addresses can be traced to a geographic location somewhere on earth. InfoSniper can not only find out where the computer identified by any IP address is geographically, but it also goes one step further by showing you where this location is on a Google Map (Windows Live and Yahoo Maps are both offered as alternatives.)

www.infosniper.net

Similar tools: FindMeByIP, WhatIsMyIPAddress, ServerCheck, You Get Signal and MyIPNeighbors.



Another use: Listen to what you write! Does it sound silly?

http://www.makeuseof.com/dir/text-voice-firefox-extension-vocalizes-highlighted-words/

Text To Voice: Firefox Extension Vocalizes Highlighted Words

… Simply highlight the text you want read out loud, click a single button and a new tab will open. In this new tab will be a simple media player playing back a voice version of the text you highlighted.

… The voice in the new tab is provided courtesy of Vozme, a free online text to voice service. The main benefit of using this extension instead of simply using Vozme directly is that you don’t need to copy or paste the text: you only need to highlight the text you want spoken out loud.

Best of all, you can download an MP3 of the reading. You could highlight an entire newspaper article and put it on your iPod to listen to later!

Check out Text to Voice @ mozilla.org (via nirmaltv)

Similar tools: Howjsay and Odiogo.



Better Googling...

http://www.nytimes.com/external/gigaom/2010/04/02/02gigaom-10-simple-google-search-tricks-58674.html?src=1

10 Simple Google Search Tricks



For my students

http://howto.wired.com/wiki/Make_Your_Facebook_Account_Private?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Make Your Facebook Account Private

From Wired How-To Wiki

Facebook recently (in December, 2009) unveiled a radically revamped set of privacy controls. They are better and more forward-thinking than its previous efforts, but Facebook made one very important change in late 2009: almost all user data is now made public by default.

… For more details on these privacy changes, see the Electronic Frontier Foundation's overview.

No comments: