This is brilliant on many levels. I
may ask my Computer Security students to create a similar letter
tailored to their industry. Could be a very educational project.
Why didn't I think of this? (You don't need to answer that, really)
For Data Privacy Day 2013 on January
28, I’ve tried to compile a list of questions parents should ask
their child’s school district about how their child’s personal
information is protected. Send your letter to your district’s
Superintendent with a cc: to your district’s Board of Education:
Dear ________:
As a parent of a
student in this district, I have a number of questions about the
protection and security of students’ personal, private, and
sensitive information. For purposes of this letter, by “personally
identifiable information,” I mean name, contact details, parents’
contact information, Social Security numbers, Medicaid numbers,
and/or any other personally identifiable information (PII),
regardless of whether the District considers any of the above
“directory information” under FERPA. By “private, personal and
sensitive information” (PPSI), I mean any health-related
information, behavior or discipline records, religion, any financial
information such as credit card or debit card numbers or parents’
financial information, and any information or records pertaining to
sexual orientation, political views, etc.:
1. Are school
district personnel permitted to take paper records containing
students’ PII or PPSI off school district premises? If so, I would
like to see any and all policies concerning the security and
protection of information taken off premises, including, but not
limited to, how records are to be secured in personnel’s homes, and
whether records may ever be left in unattended vehicles, etc.
2. Are school
district personnel permitted to store – either temporarily or
long-term – students’ PII or PPSI on their personal devices such
as laptops, smart phones, iPads, USB drives, etc.? If they are
permitted to do so, I would like to see copies of the policies that
inform personnel how they are required to secure the information on
their personal devices and how they are to securely delete
information or destroy devices. I am also requesting to see any
policies as to how the District tracks and monitors students’ PII
and PPSI that may be on employees’ personal devices.
3. Does the
District provide employees with USB drives or mobile devices to
perform their work-related duties? If so, are those USB drives or
devices encrypted? I would also like to see all policies concerning
the use and security of District-provided drives and mobile devices
that may hold students’ PII and/or PPSI. And if the District does
provide staff with portable devices, when was the last time the
District conducted an audit to determine the location of all District
mobile devices? If they were not all accounted for, how many were
missing and what types of student information were on them?
4. I would like to
see any District policy or policies concerning the use of employees’
personal e-mail accounts for the transmission or storage of students’
PII and/or PPSI.
5. Is there any
District policy concerning personnel’s obligations to timely report
any breach or potential breach involving students’ PII or PPSI (for
both paper and electronic records)? If so, I would like to see the
policy or policies.
6. Are students’
Social Security numbers, Medicaid numbers, and/or health insurance
policy numbers stored in any electronic databases? If so: (a) are
those databases connected directly or indirectly to the Internet, (b)
are those databases encrypted, and (c) do any non-District personnel
have access to those databases, and if so, who?
7. What is the
District’s written policy as to how often the District’s IT
personnel audit access logs to determine if electronic databases
containing students’ PII and/or PPSI have been compromised or
improperly accessed?
8. Under our
state’s Freedom of Information law, I am also requesting inspection
of any records relating to any privacy breaches or data security
breaches the District may have experienced since January 1, 2008,
including, but not limited to, hacks of databases containing
students’ PII and/or PPSI, employees exceeding authorized access
and accessing others’ PII or PPSI improperly, students’ using
personnel’s login credentials to access databases containing
students’ PII and/or PPSI, loss of USB drives or other devices
containing students’ PII or PPSI (regardless of whether they are
district-owned or the individual’s personal property), loss or
theft of paper records containing students’ PII and/or PPSI,
inadvertent web exposure or e-mail exposure of students’ PII and/or
PPSI, etc.
9. If the District
uses a third party web host or cloud provider, does the District have
written contracts in place that cover responsibility for the security
of students’ PII and/or PPSI? Who can access that information? If
such vendors or contractors are involved in storing or processing
students’ PII and/or PPSI, how does the District ensure that the
data are not being improperly accessed or compromised?
10. If there are
other District policies that I haven’t requested but that relate to
data security and protection of students’ PII and/or PPSI, please
tell me what they are or provide me with copies of them.
I know that some parents hesitate to do
anything that might be perceived as “making waves.” Asking
questions about how well your child’s district protects their
privacy and the security of their information is not “making
waves.” It’s being an informed parent. I would encourage parents
to ask that their District devote an entire information meeting for
all parents to go over the questions raised above.
It’s quite possible your child’s
district may not have written policies for some of the questions
raised above. If that’s the case, then your next step may be to
ask them why there are no written policies and to ask them to
formulate formal policies (not guidelines, but enforceable policies)
to address security and protection of students’ PII and PPSI.
Happy Data Privacy Day 2013!
Note: This post may be reproduced
for non-commercial use under Creative
Commons License.
How fast did other branches of the
military grow?
Mamas,
don't let your babies grow up to be hackers
Don't let 'em click on computers and jiggle their mouse
Make 'em be doctors and lawyers and such
Pentagon
to boost Cyber Command fivefold, report says
Cyberattacks and data breaches are
becoming a common occurrence worldwide.
When it takes little more than a script
kiddie or a downloadable toolkit to cause havoc in corporate systems
-- or even transform a governmental Web site into
a game of Asteroids as part of a protest, governments
are in serious trouble unless they begin to invest more in the future
of their digital defense.
… The Pentagon currently only has
900 members within its cybersecurity force, but that is about to
change.
According to the
Washington Post, although the move is yet to be formally
announced, the U.S. government will be increasing this number to
4,900 within several years.
Said to be at the request of Gen.
Keith B. Alexander, the Defense Department's head of Cyber
Command, more staff will be assigned positions in the
new-and-improved cybersecurity force to try to counter not only
homegrown attacks against governmental systems, but also to "conduct
offensive operations against foreign foes," according to an
unnamed U.S. defense official.
Just because you don't hear much about
Japan's military does not mean they don't exist.
According to the Daily Yomiuri, "Japan
launched
two satellites on Jan. 27 to strengthen its surveillance
capabilities, including keeping a closer eye on North Korea which has
vowed to stage another nuclear test. One of them was a
radar-equipped unit to complete a system of surveillance satellites
that will allow Tokyo to monitor any place in the world at least once
a day. The other was a demonstration satellite to collect data for
research and development." The Defense
News version of the story says "Japan developed a plan to
use several satellites as one group to gather intelligence in the
late 1990s as a response to a long-range missile launch by Pyongyang
in 1998. The space agency has said the radar satellite would be used
for information-gathering, including data following Japan’s 2011
quake and tsunami, but did not mention North Korea by name."
More details leak. Always assume the
true capabilities are at least an order of magnitude better than
those you read about... Short video is worth watching. (At roughly
2:25, they mention storing a million terabytes each day.)
Watch
the World’s Highest Resolution Drone-Mounted Camera in Action
… At 1.8 gigapixels, the
DARPA-developed ARGUS-IS is the highest resolution surveillance platform
in the world, and, when mounted to a drone, can single-handedly do
the work of an army of 100 predator drones watching the area of one
medium-sized city.
ARGUS's view is both wide and precise.
It can cover areas of up to 15 square miles at a glance while still
spotting objects as small as six inches
around from heights of 17,500 feet.
… You can find out more about the
ARGUS-IS and other drones in PBS's Nova special "Rise
of the Drones," which this clip is taken from.
- To settle, or not to settle--that is the question:
- Whether 'tis nobler in the mind to suffer
- The slings and arrows of outrageous lawsuits
- Or to take arms against a sea of troubles
- And by opposing end them.
How
Newegg crushed the “shopping cart” patent and saved online retail
… The company's plan to extract a
patent tax of about one percent of revenue from a huge swath of
online retailers was snuffed out last week by Newegg and its lawyers,
who won an appeal ruling [PDF]
that invalidates the three patents Soverain used to spark a vast
patent war.
Still
amusing...
Kim
Dotcom Wants To Encrypt Half Of Internet To End Government
Surveillance
In an in-depth interview, Megaupload
founder Kim Dotcom discusses the investigation against his
now-defunct file-storage site, his possible extradition to the US,
the future of Internet freedoms and his latest project Mega with RT’s
Andrew Blake.
… the timing is very interesting,
you know? Election time. The fundraisers in Hollywood set for
February, March [and] April. There had to have some sort of Plan B,
an alternative for SOPA
… And Hollywood is a very important
contributor to Obama’s campaign. Not just with money, but also
with media support. They control a lot of media: celebrity
endorsements and all that.
So I’m sure the election plays an
important role.
RT: The US Justice Department wants to
extradite you, a German citizen living in New Zealand operating a
business in Hong Kong. They want to extradite you to the US. Is
that even possible?
KD: That is a very interesting question
because the extradition law, the extradition treaty in New Zealand,
doesn’t really allow extradition for copyright. So what they did,
they threw some extra charges on top and one of them is racketeering,
where they basically say we are a mafia organization and we set up
our Internet business to basically be an organized crime network that
was set up and structured the way it was just to do criminal
copyright infringement.
(Related) Is the encryption working?
The Numerama article (French) suggests they asked for links (not
files) to be taken down. Perhaps no encryption was involved?
Mega
Passed Its First Copyright Takedown Test
In addition to protecting itself from
your pirated content with its see-no-evil encryption, Kim Dotcom’s
Mega service aims to stay on the law’s good side by playing nicely
with copyright takedown requests and keeping that super important
DMCA safe harbor status.
… So far, at least one anti-piracy
group has been able to see through the encryption
haze and spot some stuff that shouldn’t be on there.
LeakID, a content managing
service, submitted five DMCA-like takedown requests to Mega last
week, pertaining to copyright infringing episodes of Naruto
that were floating around. And according to Numerama,
all five came down in 48 hours.
Because
you never know when you might need a little knowledge...
January 27, 2013
New
on LLRX - Knowledge Discovery Resources 2013
Via LLRX.com
- Knowledge
Discovery Resources 2013 - An Internet Annotated Link Dataset
Compilation - Marcus P.
Zillman's current annotated link compilation encompasses top
value-added resources for knowledge discovery available through the
Internet. The selected resources and sites provide a wide range of
actionable knowledge and avenues for information discovery to
leverage as part of your overall research project strategy.