Something for all students (and parents). Trivial numbers, unless you happen to be included.

University of Arizona server exposes personal data on 7,700

Yes, right, sure we’ll let universities amass oodles of personal info on students…

Carol Ann Alaimo reports:

Thousands who received payments from the University of Arizona last school year are at risk of identity theft after their personal data was mistakenly put online for more than a month during an upgrade of UA’s financial systems.

About 7,700 vendors, consultants, guest speakers and UA students had their names and Social Security numbers compromised in the incident that occurred in February and early March, a school official said.

The problem came to light when a UA student Googled herself and her private information popped up on a UA computer server accessible to the public, said Cathy Bates, the university’s information security officer.

Read more on Arizona Daily Star. I cannot find any statement on the university’s web site at the time of this posting.
Wasn't this inevitable? After all, war is an economic event.

Flame and Stuxnet Cousin Targets Lebanese Bank Customers, Carries Mysterious Payload

A newly uncovered espionage tool, apparently designed by the same people behind the state-sponsored Flame malware that infiltrated machines in Iran, has been found infecting systems in other countries in the Middle East, according to researchers.

The malware, which steals system information but also has a mysterious payload that could be destructive, has been found infecting at least 2,500 machines, most of them in Lebanon, according to Russia-based security firm Kaspersky Lab, which discovered the malware in June and published an extensive analysis of it on Thursday.

The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.
Can this be significant if the vast majority of people (even victims) have never heard of it?

"Over the past three years, about 21 million patients have had their unencrypted medical records exposed in data security breaches that were big enough to require they be reported to the federal government. Each of the 477 breaches that were reported to the Office for Civil Rights (OCR) involved 500 or more patients, which the government posts on what the industry calls 'The Wall of Shame.' About 55,000 other breach reports involving fewer than 500 records were also reported to the OCR. Among the largest breaches reported was TRICARE Management Activity, the Department of Defense's health care program, which reported 4.9 million records lost when backup tapes went missing. Another five breaches involved 1 million or more records each. Yet, only two of the organizations involved in the breaches have been fined by the federal government."
What a concept!

ABA: Lawyers Must Implement Reasonable Data Security for Client Information

Back on August 2, in response to yet another breach involving a law firm’s records, I wrote to the American Bar Association to ask what the ABA advised members in terms of disposal of records. I got a pro forma response that was totally non-responsive to the question I had posed to them. I wrote back and tried again. This time I got no answer at all. Way to go, ABA.

Thankfully, Jim Brashear has blogged about this very issue. He writes, in part:

This week, the American Bar Association (ABA) House of Delegates adopted changes to Model Rule 1.6 of the ABA Model Rules of Professional Conduct. New subsection (c) adds the following sentence to the model rule:

“A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”

In comments to the revised model rule, the ABA provides a non-exclusive list of factors to be considered in determining the reasonableness of the lawyer’s data security efforts. They include:

the sensitivity of the information,
the likelihood of disclosure if additional safeguards are not employed,
the cost of employing additional safeguards,
the difficulty of implementing the safeguards, and
the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

So… if most of the records are part of court records that are publicly available, does the lawyer have a duty to shred/securely dispose of the records or not? It almost sounds like they wouldn’t, but I hope that’s not the case.

Update: I put the question to Jim Brashear, who answered me in a series of tweets:

@pogowasright Existing rules say client files belong to the client; lawyers must keep information related to the representation confidential.

@pogowasright New ABA rule clarifies existing ethics obligations. No lawyer should dispose of client files before making them unreadable.

@pogowasright Ethics rules and opinions are set by state bars, not the ABA, but dumping unshredded client files clearly is an ethics breach.

Well, I think they are an ethics breach, too, if not a violation of state law, but I wonder how often such breaches involving lawyers or law firms are brought to state bar associations.
Privacy or “automatic criminal?”

App for disposable phone numbers launches

Meghan Kelly reports on a disposable mobile phone number app that launched today:

Burner launched today, an app that gives you one-off numbers that go dark after you’re done using them. But what happens when those numbers are used by criminals? The privacy-focused company says it is ready to deal with illicit behavior, and will comply with U.S. court orders.

“Burner is a very focused product around anonymity and privacy,” said Burner chief executive Greg Cohn in an interview with VentureBeat. “Part of the reason we’re doing this company is because we’re privacy advocates.”

Burner lets you buy a number to use for a certain amount of time before it is “burned” or goes inactive. Think of Craigslist transactions. You don’t want that guy who tried to sell you a crappy TV to have your real number sitting around. A Burner number allows you to cut off ties from that person quickly, and keeps your identifying information out of their hands.

Our Deletion of Your Personal Data and other information:

One of the features of the Services allows you to “burn”, or delete, individual phone numbers from your phone at any time, as well as automatically upon the expiry of a number that you elect not to renew. If you delete a number via this feature, we delete all of its history and message content from the application on your phone and from our primary working server. Backup copies of this data are not immediately deleted, however, and some aspects of user history are maintained for longer periods of time so that we can reconcile our records and manage our business. Please be advised that we have no control over data that may be captured by third parties through your use of the Services, including but not limited to your carrier, internet service provider, Apple, and third-party vendors we may rely on to perform the services, except that we will not disclose Personal Data to third parties other than as permitted in this Privacy Policy.

If you would like to delete your entire account history, please contact us via email at privacy@adhoclabs.co.

It would be helpful if that statement were more specific about how long user data are retained following non-renewal or deletion, and what types of user data are retained for them to “reconcile their records” or manage their business.

Depending on your motives for using a disposable number, this might be a useful app, but if you’re doing anything illegal or worried about repressive regimes, it will probably not afford you the protection you might want.
Oh, that's what they meant...

Disclosing (unnecessary) personal info on parking ticket violates DPPA – Court

In September 2010, I blogged about a case in Palatine, Illinois after Jason Senne sued the village for the amount of personal information it needlessly exposed in a parking ticket left on his windshield. Some of the original court filings were linked from that blog entry. In August 2011, the district court ruled that the practice did not violate the Driver’s Privacy Protection Act. Mr. Senne appealed, but a panel of the appellate court affirmed.

Not giving up, Mr. Senne requested re-hearing en banc and the full court agreed with him:

Mr. Senne’s appeal requires that we examine the scope of the DPPA’s protection of personal information contained in motor vehicle records and the reach of its statutory exceptions. We now conclude that the parking ticket at issue here did constitute a disclosure regulated by the DPPA, and we further agree with Mr. Senne that, at this stage of the litigation, the facts as alleged are sufficient to state a claim that the disclosure on his parking ticket exceeded that permitted by the statute. Accordingly, we reverse the judgment of the district court and remand for further proceedings consistent with this opinion.

[...]

On appeal, the Village contends that the placement of the citation on Mr. Senne’s windshield was permitted under the statute either because the disclosure was “[f]or use by a[] . . . law enforcement agency[] in carrying out its functions,” id. § 2721(b)(1), or “[f]or use in connection with any civil[] . . . [or] administrative[] . . . proceeding . . ., including the service of process,” id. § 2721(b)(4). The Village does not describe in any length how all the information printed on the ticket served either purpose; instead, it maintains, in effect, that the statute does not require that analysis. In the Village’s view, as long as it can identify a subsection of the law under which some disclosure is permitted, any disclosure of information otherwise protected by the statute is exempt, whether it serves an identified purpose or not.

We cannot accept the Village’s position.

You can read the Seventh Circuit Court of Appeals opinion in full here. It’s a privacy-protecting interpretation of DPPA that affirms that unnecessary disclosures of personal information are not permitted by the statute.
Will the RIAA and MPAA find a way to nuke this?

An anonymous reader writes with news that The Internet Archive has started seeding about 1,400,000 torrents. In addition to over a million books, the Archive is seeding thousands and thousands of films, music tracks, and live concerts. John Gilmore of the EFF said, "The Archive is helping people to understand that BitTorrent isn't just for ephemeral or dodgy items that disappear from view in a short time. BitTorrent is a great way to get and share large files that are permanently available from libraries like the Internet Archive." Brewster Kahle, founder of the Archive, told TorrentFreak, "I hope this is greeted by the BitTorrent community, as we are loving what they have built and are very glad we can populate the BitTorrent universe with library and archive materials. There is a great opportunity for symbiosis between the Libraries and Archives world and the BitTorrent communities."
Another case of “We can, therefore we must” or maybe too much Homeland Security money? I too have trouble explaining the banking interest.

NYPD, Microsoft Launch All-Seeing “Domain Awareness System” With Real-Time CCTV, License Plate Monitoring

Neal Ungerleider reports:

The New York Police Department is embracing online surveillance in a wide-eyed way. Representatives from Microsoft and the NYPD announced the launch of their new Domain Awareness System (DAS) at a Lower Manhattan press conference today. Using DAS, police are able to monitor thousands of CCTV cameras around the five boroughs, scan license plates, find out the kind of radiation cars are emitting, and extrapolate info on criminal and terrorism suspects from dozens of criminal databases … all in near-real time.

[...]

According to publicly available documents, the system will collect and archive data from thousands of NYPD- and private-operated CCTV cameras in New York City, integrate license plate readers, and instantly compare data from multiple non-NYPD intelligence databases. Facial recognition technology is not utilized and only public areas will be monitored, officials say. Monitoring will take place 24 hours a day, seven days a week at a specialized location in Lower Manhattan. Video will be held for 30 days and then deleted unless the NYPD chooses to archive it. Metadata and license plate info collected by DAS will be retained for five years, and unspecified “environmental data” will be stored indefinitely.

Read more on FastCompany and then explain to me how/why Pfizer is involved. And why would banks or stock brokerage firms really want to spend their time sitting in the control center watching?

The DAS system is headquartered in a lower Manhattan office tower in a command-and-control center staffed around the clock by both New York police and “private stakeholders.” When this reporter visited, seats were clearly designated with signs for organizations such as the Federal Reserve, the Bank of New York, Goldman Sachs, Pfizer, and CitiGroup.
Legislation by implication – not worth the paper it's written on?

Article: The Life, Death, and Revival of Implied Confidentiality

Woodrow Hartzog has uploaded a new paper to SSRN. Here’s the abstract:

The concept of implied confidentiality has deep legal roots, but it has been largely ignored by the law in online-related disputes. A closer look reveals that implied confidentiality has not been developed enough to be consistently applied in environments that often lack obvious physical or contextual cues of confidence, such as the Internet. This absence is significant because implied confidentiality could be one of the missing pieces that help users, courts, and lawmakers meaningfully address the vexing privacy problems inherent in the use of the social web.

This article explores the curious diminishment of implied confidentiality and proposes a revitalization of the concept based on a thorough analysis of its former, offline life. This article demonstrates that courts regularly consider numerous factors in deciding claims for implied confidentiality; they have simply failed to organize or canonize them. To that end, this article proposes a unifying and technology-neutral decision-making framework to help courts ascertain the two most common and important traditional judicial considerations in implied obligations of confidentiality – party perception and party inequality. This framework is offered to demonstrate that the Internet need not spell the end of implied agreements and relationships of trust.

You can download the full article from SSRN.
Cooler heads prevail?

Justice Dept. won't appeal computer fraud dismissal

… The decision means the 9th U.S. Circuit Court of Appeals' rejection of the case against David Nosal, who was accused of illegally misappropriating trade secrets from his employer, will stand. In a 9-2 ruling, the court found in April that the 1984 federal Computer Fraud and Abuse Act was being interpreted too broadly and warned that millions of Americans could be subjected to prosecution for harmless Web surfing at work under the prosecutors' reading of the law.
Interesting video from local news. Apparently New Zealand sees this as a big story – why else a 10 minute news report?

New Zealand Police Try to Justify Paramilitary Raid on Kim Dotcom

A New Zealand court is looking into the paramilitary raid on filesharing kingpin Kim Dotcom’s mansion in January, having already found that the warrant justifying it was illegal.

Dotcom’s mansion was raided at dawn by helicopter, which dropped off four heavily armed agents to launch the assault. They were followed by even more agents and dog handlers. The raid on the founder of Megaupload was coordinated, the government admits, with help from the FBI.

… Agents said the concern was that Dotcom would delete evidence, though as Dotcom pointed out in court, speaking directly to the government, there was little chance of that.

“You knew the FBI was in the data center, prior to you arriving,” he said. “There was no chance for anyone to do anything with that evidence.”
(Related) At least there were no 'black helicopters' involved.

"LendInk, a community for people interested in using the lending features of the Kindle and Nook, has been shut down after some authors mistakenly thought the site was hosting pirated ebooks. The site brought together people who wanted to loan or borrow specific titles that are eligible for lending, and then sent them to Amazon or BarnesAndNoble.com to make the loans. Authors and publishers who were unaware of this feature of the Kindle and Nook, and/or mistakenly assumed the site was handing out pirated copies, were infuriated. LendInk's hosting company received hundreds of complaints and shut the site down. LendInk's owner says: 'The hosting company has offered to reinstate Lendink.com on the condition that I personally respond to all of the complaints individually. I have to say, I really do not know if it is worth the effort at this point. I have read the comments many of these people have posted and I don't think any form of communication will resolve the issues in their eyes. Most are only interested in getting money from me and others are only in it for the kill. They have no intentions of talking to me or working this out. So much for trying to start a business and live the American Dream.'"
I will be following to see which candidate proposes something like this for the US. A new currency for buying votes?

"The Indian government is finalizing a $1.2 billion plan to hand out free mobile phones to the poorest Indian families (around six million households, according to some estimates). The Times of India reports: 'Top government managers involved in formulating the scheme want to sell it as a major empowerment initiative... While the move will ensure contact with the beneficiaries of welfare programmes (sic) ..., there is also a view the scheme will provide an opportunity for the (government) to open a direct line of communication [Vote for ___TBD___ Bob] with a sizable population that plays an active role in polls.'"
For the non-iPhone crowd.

"Some time ago, Google admitted that the biggest threat was not other search engines but services like Siri. However, Google just bridged that gap with Google Voice Search, already available in Jelly Bean, but also available via downloadable app. [So I should be able to run it on my PC Bob] Google also submitted this app to the iOS App Store and is currently awaiting approval. However, Slashdotters are no doubt recalling to mind the 'Google Voice' fiasco, in which Apple refused to allow it to appear, saying that it replaces a native function. It wasn't until Apple was brought before Congress to answer questions on how it approves or rejects apps that Google Voice was brought in."
The running joke continues?

Linux Copyright Troll SCO Files for Double Secret Bankruptcy

SCO Group — the company behind a number of lawsuits relating to Linux — has filed for Chapter 7 bankruptcy, a step beyond the more common Chapter 11 bankruptcy status. It’s not the end of the road for the much-hated company, but it’s close.
For my geeks...

"Employment research firm Foote Partners says U.S. labor statistics from last month reveal an increase of some 18,200 jobs in IT, which represents the largest such monthly jump since 2008. 'The overall employment situation in the U.S. is lackluster, in fact this is the fifth consecutive month of subpar results,' says David Foote. 'But the fact that more than 18,000 new jobs were created last month for people with significant IT skills and experience — and nearly 57,000 new jobs added in the past three months — is incredibly good news.'"
Perspective: Think it's just a geek thing?

Viewers opted for the Web over TV to watch Curiosity's landing
The future is certification of skills, not classroom lectures...

"Back in the day, getting traction for a new programming language was next to impossible. First, one needed a textbook publishing deal. Then, one needed a critical mass of CS profs across the country to convince their departments that your language was worth teaching at the university level. And after that, one still needed a critical mass of students to agree it was worth spending their time and tuition to learn your language. Which probably meant that one needed a critical mass of corporations to agree they wanted their employees to use your language. It was a tall order that took years if one was lucky, and only some languages — FORTRAN, PL/I, C, Java, and Python come to mind — managed to succeed on all of these fronts. But that was then, this is now. Whip up some online materials, and you can kiss your textbook publishing worries goodbye. Manage to convince just one of the new Super Profs at Udacity or Coursera to teach your programming language, and they can reach 160,000 students with just one free, not-for-credit course. And even if the elite Profs turn up their nose at your creation, upstarts like Khan Academy or Code Academy can also deliver staggering numbers of students in a short time. In theory, widespread adoption of a new programming language could be achieved in weeks instead of years or decades, piquing employers' interest. So, could we be on the verge of a programming language renaissance? Or will the status quo somehow manage to triumph?"
About time...

Pinterest lets users sign up without an invite

One of the Internet's most popular social networks pushed its doors wide open today -- Pinterest has started open registration.
Still waiting for an 'Emily Post' article...

We Read the Stanford Encyclopedia of Philosophy's New Article on Social Media Ethics

As far as online encyclopedias go, the Stanford Encyclopedia of Philosophy may be the best. Created in 1995 by Stanford Professor Edward Zalta, it took one of the first stabs at creating a truthful, rigorous reference resource that could thrive on the web. Experts write and edit and update its articles. College professors use it in their syllabi throughout the world.

So when it publishes a new article, it's a signal: This thing is an increasingly big deal in the philosophical world.