Friday, January 18, 2013

Does “finding malware” set the bar for notification higher? This is really “an abundance of caution.” Where would you draw the line?
St. Mark’s Medical Center in LaGrange, Texas notified 2,988 patients of a breach. From their notice of December 31, 2012:
On November 15, 2012, we learned that on May 21, 2012, one of our employee’s computers had become infected with malware that appears to have been designed to look for personal information stored on the computer. We immediately began an investigation and engaged a computer forensic investigation firm to examine the computer. Although the firm could not rule out the possibility, they did not find any evidence to confirm that any unauthorized person removed the personal information stored on the computer. If an unauthorized person did gain access to files stored on the computer, they would have been able to view billing files that contained patient names, account numbers, medical record numbers, dates of birth, gender, Social Security numbers, treatment dates, insurance provider names, and account balances. No medical records were accessed in the incident.


How do you secure your computers?
"For the second time in a row, Microsoft's Security Essentials failed to earn certification from AV-Test, the independent German testing lab best known for evaluating the effectiveness of antivirus software. Out of 25 different security programs tested by AV-Test, including software from McAfee, Norman, Kaspersky, and others, Microsoft's Security Essentials was just one out of three that failed to gain certification. These results are noteworthy because Microsoft Security Essentials is currently (as of December) the most popular security suite in North America and the world."


Facebook, the phone company?
The Washington Post (among many others) reports on a development from Facebook that may excite many more users than does the much-hyped announcement about richer search capabilities: after launching a Canadian trial balloon not long ago, Facebook is expanding the reach of its free in-app VoIP communications with free voice comms via the company's smartphone app.

(Related)
Frequent contributor Bennett Haselton writes with some strong cautions on a Facebook "feature" that lets you search for random phone numbers and find the accounts of users who have registered that number on their Facebook profile. This has privacy implications that are more serious than searching by email address.


Anonymous ain't?
By Dissent, January 18, 2013 8:38 am
Gina Kolata reports:
The genetic data posted online seemed perfectly anonymous — strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had no part in the study — identifying nearly 50 people.
Read more on The New York Times.


Hummm. Translating from the Queen's English is confusing.
On January 9, I had some concerns about a U.K. injunction that blocked The Sun from publishing pictures of actress Kate Winslet’s husband. Now Mr. Justice Briggs’ written judgement is available online. The ruling provides a nice recap of the multi-prong test being applied by the court in trying to determine, and balance, an individual’s Article 8 rights against the press’s Article 10 rights.
One of the points that I thought Justice Briggs made well concerned what should happen when material has already been disclosed on Facebook. In this case, he held that even though the material had been viewed by people, it was not so widely available as to make it comparable to a situation in which commercial trade secrets, once widely disclosed, have lost their confidential nature. Additional reproduction or dissemination of photos to new groups would provide new opportunities for harm or embarrassment to the individual and so preventing such future publication is appropriate when publication of the pictures is only to titillate the public or give them a chance to snigger at someone’s immature behavior.
See what you think of the ruling.


Mobile Apps are caught in their “We can, therefore we must” logic.
Bob Sullivan reports:
The element of surprise causes hard feelings when it comes to privacy violations, and mobile phone apps are ambushing consumers far too often, according to researchers at Carnegie Mellon University.
Researchers at the school’s Human-Computer Interaction Institute studied both the data gathered by the 100 most popular programs in Google’s Android app store, and how surprised users were when told what the apps were doing. On Tuesday they released a list of the 10 worst offenders in terms of transparency.
[The 10 worst offenders:
Brightest Flashlight (device ID, location)
Toss It game (device ID, location)
Angry Birds game (device ID, location)
Talking Tom virtual pet (device ID)
Backgrounds HD Wallpapers (device ID, contacts)
Dictionary.com (device ID, location)
Mouse Trap game (device ID)
Horoscope (device ID, location)
Shazam music (device ID, location)
Pandora Internet Radio (device ID, contacts)

(Related) How come my congressman never introduces privacy bills? How many technology generations behind is Congress?
A new draft bill published today aims to increase privacy for mobile app users.
Led by U.S. Rep. Hank Johnson (D-Ga.), the bill aims to legally require app developers to publicize how they gather information and also let users request deletion of their stored data.
Read more on CNET.


412 pages should cover it (if not we can use the report to crush it)
The IRISS (Increasing Resilience in Surveillance Societies) project, funded by the EC under the 7th Framework Programme, has just published a major 412-page report entitled Surveillance, Fighting Crime and Violence. The report analyses the factors underpinning the development and use of surveillance systems and technologies by both public authorities and private actors, their implications in fighting crime and terrorism, social and economic costs, protection and infringement of civil liberties, fundamental rights and ethical aspects.
The IRISS consortium has identified the following trends: (1) a substantial growth of public sector demand for surveillance bolstered by the adoption of identity schemes and terrorist detection technologies and markets, (2) an increase in the demand for civil and commercial surveillance, (3) the development of a global industry in surveillance, (4) an increase in integrated surveillance solutions, and (5) a rise in the government use of cross-border surveillance solutions.
Read more on IRISS Project.

(Related) This complicates their assurance that “everything is safe and private” doesn't it?
"The Transportation Security Administration (TSA) has ended a contract with Rapiscan, a unit of OSI Systems Inc., manufacturer of about half of all of the controversial full-body scanners used on air passengers. TSA officials claim that Rapiscan failed to deliver software that would protect the privacy of passengers, but the contract termination happened immediately after the TSA finally got around to studying the health effects of the scanners, and Congress had a hearing on TSA's 'Scanner Shuffle'."

(Related) Just so we're clear...
TSA to Remove Naked-Image Scanners From US Airports
The Transportation Security Administration has announced that it will remove the controversial "naked image" body scanners from US airports because developers can't write software to make the images less revealing.


Excerpts from a very long post...
From their press release:
The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
… “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.
The rule is currently available only in .pdf format, and it’s a staggering 563 pp: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules
… Entities will need to perform a risk assessment that incorporates four factors:
(1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made; (3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated.
… In skimming, I also noticed that HHS estimates that, based on their experience, approximately 6.71 million individuals will be affected by the 19,000 breaches reported to HHS each year, which is, on average, roughly 353 affected individuals per breach.


I suppose it fits the “Safeguard and secure cyberspace” part of their mission.
"The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."


Does this reduce the possibility of abuse?
"Congresswoman Zoe Lofgren proposes a change to the Computer Fraud and Abuse Act (CFAA) which would remove the felony criminal penalty for violating the terms of service of a website and return it to the realm of contract law where it belongs. This would eliminate the potential for prosecutors to abuse the CFAA in pursuit of criminal convictions for simple violations of a website's terms of service."


Is this another indication that the case is bogus or just that DoJ is too heavy handed? “Gimme everything and I'll tell you what I think you should know.”
Timothy B. Lee reports:
An Ontario judge has refused a US request for unfettered access to the data on Megaupload servers hosted in Canada. The ruling is another sign that overseas courts are not giving US officials the degree of deference they’ve grown accustomed to in this case under US law.
Read more on Ars Technica.
Now if U.S. judges would just stop being so deferential to DOJ, too…
[From Ars Technica:
Instead, she ordered the United States and Megaupload to negotiate about which information the government should get access to under court supervision. If the parties are unable to reach an agreement, Justice Pardu herself will make the decision.

(Related)
"Kim Dotcom on Thursday used Twitter to reveal some interesting new tidbits in regards to his upcoming Mega service, which will be hosted at the New Zealand-based domain Mega.co.nz. Two days before the service is to go live, Dotcom says he plans to offer 50GB of free storage to all members and is also working on bringing over users' Megaupload files and data, but has so far run into legal issues."
To say that Kim Dotcom has "run into legal issues" is like saying that Julian Assange is having a sleepover at the Ecuadorian embassy.


In one swell foop, Dilbert explains things for my Statistics, Business and Discrete Math students!


I have some students who should take this.
Take Mensa’s Free Test and Find Out If You’re a Genius
Mensa—the club for people who know they're smarter than you—is offering its home test for free during the month of January. It's an IQ test that takes 32 minutes to complete and at the end it'll tell you whether you're Mensa material.

