Monday, January 28, 2013

This is brilliant on many levels. I may ask my Computer Security students to create a similar letter tailored to their industry. Could be a very educational project. Why didn't I think of this? (You don't need to answer that, really)
For Data Privacy Day 2013 on January 28, I’ve tried to compile a list of questions parents should ask their child’s school district about how their child’s personal information is protected. Send your letter to your district’s Superintendent with a cc: to your district’s Board of Education:
Dear ________:
As a parent of a student in this district, I have a number of questions about the protection and security of students’ personal, private, and sensitive information. For purposes of this letter, by “personally identifiable information,” I mean name, contact details, parents’ contact information, Social Security numbers, Medicaid numbers, and/or any other personally identifiable information (PII), regardless of whether the District considers any of the above “directory information” under FERPA. By “private, personal and sensitive information” (PPSI), I mean any health-related information, behavior or discipline records, religion, any financial information such as credit card or debit card numbers or parents’ financial information, and any information or records pertaining to sexual orientation, political views, etc.:
1. Are school district personnel permitted to take paper records containing students’ PII or PPSI off school district premises? If so, I would like to see any and all policies concerning the security and protection of information taken off premises, including, but not limited to, how records are to be secured in personnel’s homes, and whether records may ever be left in unattended vehicles, etc.
2. Are school district personnel permitted to store – either temporarily or long-term – students’ PII or PPSI on their personal devices such as laptops, smart phones, iPads, USB drives, etc.? If they are permitted to do so, I would like to see copies of the policies that inform personnel how they are required to secure the information on their personal devices and how they are to securely delete information or destroy devices. I am also requesting to see any policies as to how the District tracks and monitors students’ PII and PPSI that may be on employees’ personal devices.
3. Does the District provide employees with USB drives or mobile devices to perform their work-related duties? If so, are those USB drives or devices encrypted? I would also like to see all policies concerning the use and security of District-provided drives and mobile devices that may hold students’ PII and/or PPSI. And if the District does provide staff with portable devices, when was the last time the District conducted an audit to determine the location of all District mobile devices? If they were not all accounted for, how many were missing and what types of student information were on them?
4. I would like to see any District policy or policies concerning the use of employees’ personal e-mail accounts for the transmission or storage of students’ PII and/or PPSI.
5. Is there any District policy concerning personnel’s obligations to timely report any breach or potential breach involving students’ PII or PPSI (for both paper and electronic records)? If so, I would like to see the policy or policies.
6. Are students’ Social Security numbers, Medicaid numbers, and/or health insurance policy numbers stored in any electronic databases? If so: (a) are those databases connected directly or indirectly to the Internet, (b) are those databases encrypted, and (c) do any non-District personnel have access to those databases, and if so, who?
7. What is the District’s written policy as to how often the District’s IT personnel audit access logs to determine if electronic databases containing students’ PII and/or PPSI have been compromised or improperly accessed?
8. Under our state’s Freedom of Information law, I am also requesting inspection of any records relating to any privacy breaches or data security breaches the District may have experienced since January 1, 2008, including, but not limited to, hacks of databases containing students’ PII and/or PPSI, employees exceeding authorized access and accessing others’ PII or PPSI improperly, students using personnel’s login credentials to access databases containing students’ PII and/or PPSI, loss of USB drives or other devices containing students’ PII or PPSI (regardless of whether they are district-owned or the individual’s personal property), loss or theft of paper records containing students’ PII and/or PPSI, inadvertent web exposure or e-mail exposure of students’ PII and/or PPSI, etc.
9. If the District uses a third party web host or cloud provider, does the District have written contracts in place that cover responsibility for the security of students’ PII and/or PPSI? Who can access that information? If such vendors or contractors are involved in storing or processing students’ PII and/or PPSI, how does the District ensure that the data are not being improperly accessed or compromised?
10. If there are other District policies that I haven’t requested but that relate to data security and protection of students’ PII and/or PPSI, please tell me what they are or provide me with copies of them.
I know that some parents hesitate to do anything that might be perceived as “making waves.” Asking questions about how well your child’s district protects their privacy and the security of their information is not “making waves.” It’s being an informed parent. I would encourage parents to ask that their District devote an entire information meeting for all parents to go over the questions raised above.
It’s quite possible your child’s district may not have written policies for some of the questions raised above. If that’s the case, then your next step may be to ask them why there are no written policies and to ask them to formulate formal policies (not guidelines, but enforceable policies) to address security and protection of students’ PII and PPSI.
Happy Data Privacy Day 2013!
Note: This post may be reproduced for non-commercial use under Creative Commons License.


How fast did other branches of the military grow?
Mamas, don't let your babies grow up to be hackers
Don't let 'em click on computers and jiggle their mouse
Make 'em be doctors and lawyers and such
Pentagon to boost Cyber Command fivefold, report says
Cyberattacks and data breaches are becoming a common occurrence worldwide.
When it takes little more than a script kiddie or a downloadable toolkit to cause havoc in corporate systems -- or even transform a governmental Web site into a game of Asteroids as part of a protest -- governments are in serious trouble unless they begin to invest more in the future of their digital defense.
… The Pentagon currently only has 900 members within its cybersecurity force, but that is about to change.
According to the Washington Post, although the move is yet to be formally announced, the U.S. government will be increasing this number to 4,900 within several years.
Said to be at the request of Gen. Keith B. Alexander, the Defense Department's head of Cyber Command, more staff will be assigned positions in the new-and-improved cybersecurity force to try to counter not only homegrown attacks against governmental systems, but also to "conduct offensive operations against foreign foes," according to an unnamed U.S. defense official.


Just because you don't hear much about Japan's military does not mean they don't exist.
According to the Daily Yomiuri, "Japan launched two satellites on Jan. 27 to strengthen its surveillance capabilities, including keeping a closer eye on North Korea which has vowed to stage another nuclear test. One of them was a radar-equipped unit to complete a system of surveillance satellites that will allow Tokyo to monitor any place in the world at least once a day. The other was a demonstration satellite to collect data for research and development." The Defense News version of the story says "Japan developed a plan to use several satellites as one group to gather intelligence in the late 1990s as a response to a long-range missile launch by Pyongyang in 1998. The space agency has said the radar satellite would be used for information-gathering, including data following Japan’s 2011 quake and tsunami, but did not mention North Korea by name."


More details leak. Always assume the true capabilities are at least an order of magnitude better than those you read about... Short video is worth watching. (At roughly 2:25, they mention storing a million terabytes each day.)
Watch the World’s Highest Resolution Drone-Mounted Camera in Action
… At 1.8 gigapixels, the DARPA-developed ARGUS-IS is the highest resolution surveillance platform in the world, and, when mounted to a drone, can single-handedly do the work of an army of 100 predator drones watching the area of one medium-sized city.
ARGUS's view is both wide and precise. It can cover areas of up to 15 square miles at a glance while still spotting objects as small as six inches around from heights of 17,500 feet.
… You can find out more about the ARGUS-IS and other drones in PBS's Nova special "Rise of the Drones," which this clip is taken from.


To settle, or not to settle--that is the question:
Whether 'tis nobler in the mind to suffer
The slings and arrows of outrageous lawsuits
Or to take arms against a sea of troubles
And by opposing end them.
How Newegg crushed the “shopping cart” patent and saved online retail
… The company's plan to extract a patent tax of about one percent of revenue from a huge swath of online retailers was snuffed out last week by Newegg and its lawyers, who won an appeal ruling [PDF] that invalidates the three patents Soverain used to spark a vast patent war.


Still amusing...
Kim Dotcom Wants To Encrypt Half Of Internet To End Government Surveillance
In an in-depth interview, Megaupload founder Kim Dotcom discusses the investigation against his now-defunct file-storage site, his possible extradition to the US, the future of Internet freedoms and his latest project Mega with RT’s Andrew Blake.
… the timing is very interesting, you know? Election time. The fundraisers in Hollywood set for February, March [and] April. There had to have some sort of Plan B, an alternative for SOPA
… And Hollywood is a very important contributor to Obama’s campaign. Not just with money, but also with media support. They control a lot of media: celebrity endorsements and all that.
So I’m sure the election plays an important role.
RT: The US Justice Department wants to extradite you, a German citizen living in New Zealand operating a business in Hong Kong. They want to extradite you to the US. Is that even possible?
KD: That is a very interesting question because the extradition law, the extradition treaty in New Zealand, doesn’t really allow extradition for copyright. So what they did, they threw some extra charges on top and one of them is racketeering, where they basically say we are a mafia organization and we set up our Internet business to basically be an organized crime network that was set up and structured the way it was just to do criminal copyright infringement.

(Related) Is the encryption working? The Numerama article (French) suggests they asked for links (not files) to be taken down. Perhaps no encryption was involved?
Mega Passed Its First Copyright Takedown Test
In addition to protecting itself from your pirated content with its see-no-evil encryption, Kim Dotcom’s Mega service aims to stay on the law’s good side by playing nicely with copyright takedown requests and keeping that super important DMCA safe harbor status.
… So far, at least one anti-piracy group has been able to see through the encryption haze and spot some stuff that shouldn’t be on there. LeakID, a content managing service, submitted five DMCA-like takedown requests to Mega last week, pertaining to copyright infringing episodes of Naruto that were floating around. And according to Numerama, all five came down in 48 hours.


Because you never know when you might need a little knowledge...
January 27, 2013
New on LLRX - Knowledge Discovery Resources 2013
Via LLRX.com - Knowledge Discovery Resources 2013 - An Internet Annotated Link Dataset Compilation - Marcus P. Zillman's current annotated link compilation encompasses top value-added resources for knowledge discovery available through the Internet. The selected resources and sites provide a wide range of actionable knowledge and avenues for information discovery to leverage as part of your overall research project strategy.
