Friday, February 22, 2013

An (over)abundance of caution? Why tell users it's because of an error? How vulnerable is Facebook?
Facebook blocks NBC site after reported hack
It seems Facebook is blocking links to NBC.com after the TV network's site was compromised earlier today.
… Reports about NBC's brief security breach surfaced earlier today. The network confirmed the hack, adding that no user information was compromised. Other companies, like Bitly and Google, are taking precautions after the breach by warning users before they enter NBC.com that there might be a problem with security.


Reacting to a true invasion of privacy.
As I mentioned in previous posts, Johns Hopkins’ first breach statement about OB/GYN patients who may have been secretly photographed or videotaped by a physician included a reference to “counseling” for patients. Since this was the first time I’ve ever seen a reference to “counseling” in a breach notification statement and it struck me as a potentially meaningful way to help mitigate harm from the breach, I contacted Johns Hopkins to inquire as to the scope of the counseling and whether it might include face-to-face counseling for patients who were distraught over having been secretly taped.
Today I received a statement from Johns Hopkins:
We are offering his patients free, face-to-face, professional counseling services that focus on crisis response, stabilization, and referrals for longer term treatment if/when needed. The counselors providing this service are masters and doctorate level clinicians with a minimum of 5 years general practice experience, though most have more than that. We are committed to working with people through stabilization; if conditions are assessed that indicate longer term treatment is appropriate, we will assist in making an appropriate referral. This means if the client has health insurance, we will work with that plan to find a therapist; if not, we will refer to a community mental health resource.
As I have seen them do in the past, Johns Hopkins is once again rising to the challenge of a breach, and while I realize some will not find their response satisfactory, I am impressed with their offer.
This breach is a nightmare for many patients who still don’t know whether they were among those who were photographed or videotaped, for those who worry that the doctor may have uploaded videos to gynecology fetish web sites, for the doctor’s family, and for the hospital. Seldom do I see breaches with such potential for psychological harm and/or for making patients afraid to trust doctors. Whatever Johns Hopkins can do to mitigate the harm caused by the doctor’s actions, I sincerely hope it helps.


Attention IT Departments! Did you get one for your CEO? (The benefits of good Lobbyists)
"Some two million people have bought cell-phone wireless signal boosters and have been using them to get better communication between their phones and distant cell towers. But now, the FCC says they all have to turn their boosters off and ask permission from their providers, and register their devices with those providers, before they can turn them back on."
[From the article:]
Major carriers haven't said how the registration process will work, but one conceivable outcome is that they could charge customers an extra fee to use boosters, like they do with other devices that improve signals.
Wireless boosters are "saving the carriers money by not making them build more towers, but now they can charge you for improving the holes in their own network," Feld said.


Better than a tin foil hat? Perhaps we could adapt them to an urban environment?
"Ever wonder how al-Qaeda operates under the watchful eye of the U.S. Army? Well, the Associated Press found a list of 22 of their tips and tricks on avoiding drone strikes. Most of it consists of the obvious: stay in the shadows or under thick trees, don't use wireless communications. However, there are also some less obvious solutions, like the $2,595 Russian 'sky grabber,' which can track the drones. Their document (PDF) also suggests covering your roof and car with broken glass. They also claim good snipers can take out the reconnaissance drones, which fly at a lower level. Now the question is: will all of this still be relevant during the robo-apocalypse?"


The Privacy of Mobile Apps...
February 22, 2013
MEF Global Privacy Survey - challenges and opportunities
"Mobile apps offer consumers fun and functionality via the one device that stays with them throughout the day. The explosion of the apps ecosystem is driven by new business models where many apps are free or heavily discounted which of course consumers love, but where developers monetize the information they collect on their users. The report, supported by AVG Technologies, was carried out in partnership with mobile specialists On Device Research to understand global consumer understanding and perceptions of apps that gather and use personal data such as address book information and location. The ten country study of 9,500 respondents reveals consumer attitudes towards the use of their personal information by mobile app providers, scrutinizing four key factors of privacy, Transparency, Comfort, Security and Control."


There are good reasons to share medical data as long as it is done within the rules. What do you mean, “There are no rules?”
Some collaboration or sharing of patient information seems potentially useful, even if it is money motivating the sharing. Julie Bird reports:
Hospitals are looking to large drugstore chains, their vast databases and patient-outreach resources to help reduce hospital readmission rates.
With medication discrepancies doubling the risk of hospital readmissions, contracting with drugstores to monitor for prescription conflicts and follow up with patients is well worth the expense, healthcare researcher Jane Brock tells Colorado Public Radio.
Now that Medicare payments are at risk if too many patients come back within 30 days of discharge, hospitals have even more incentive to pursue drugstore partnerships.
Read more on FierceHealthcare. Of course, I’d feel a bit better if we didn’t read of so many cases where pharmacies improperly dispose of patient prescription records, but the concept of follow-up to discharge is a good one. I just wonder if patients are informed of this program and that their data will be shared while they are in-patient.


The question is, can anyone create truly anonymous data? If I know you are a Professor of Business Law at a certain Wyoming University, drive a Ferrari and have an extensive wine cellar, that sort of makes identification simple. (Okay, I lied about the Ferrari – but only because I can't spell Maseratti.)
Organisations should be able to process pseudonymised data without the consent of individuals, a European Parliament committee has proposed.
The Industry, Research and Energy Committee (IREC) has outlined changes it would like to see made to the European Commission’s draft Data Protection Regulation which was originally published last year. One of those changes should be to list the processing of pseudonymised data as a “legitimate interest” of data controllers, it said.
Read more on Out-Law.com
So could a business take two already self-pseudonymized databases (i.e., databases that use user-generated pseudonyms) and aggregate them and process the larger database without user consent? How exactly would this work?

(Related) What databases are available to help de-anonymize data? (Another government “Trust us!” fails...)
The Government Accountability Office released a report this week with a scary conclusion: The Census Bureau, tasked with collecting personal information on every single American, has not adequately protected this data. Specifically, the GAO found, the Census Bureau is not fully prepared in cybersecurity, making Americans’ information vulnerable to hackers.
Read more on TownHall.com.
[From the article:]
Many security protocols have been left "partially implemented" or "not implemented." This includes inadequate password protection and leaving some databases completely unencrypted.

(Related) Sharing when anonymity is not an issue?
Human Services - Sustained and Coordinated Efforts Could Facilitate Data Sharing While Protecting Privacy, GAO-13-106, Feb 8, 2013


We can learn from bad legislation. (We should learn to elect people who stay within their areas of expertise.)
State lawmakers all across the country busy at work crafting ridiculous, head-spinning laws can take the day off. There is no way they can top this.
A new bill proposed in the Illinois State Senate looks to completely wipe out any form of anonymity on the internet by requiring that the operators of basically any website on the entire internet take down any comment that isn’t attached to an IP, address, and real name-verified poster.
It’s called the Internet Posting Removal Act and was introduced on February 13th by Illinois General Assembly veteran Ira I. Silverstein [D].
Read more on WebProNews. And yes, the bill’s language is really as bad as you might expect.


Worse legislation: “We're mad and we want to shoot someone... Anyone.”
New amendment that would make internet service providers disclose the identity of users who commit crimes online. If providers refuse they will become suspects in criminal cases instead of the users.
Read more on RT.com.


Why did this take so long?
"Three independent bookstores are taking Amazon and the so-called Big Six publishers (Random House, Penguin, Hachette, HarperCollins, Simon & Schuster and Macmillan) to court in an attempt to level the playing field for book retailers. If successful, the lawsuit could completely change how ebooks are sold. The class-action complaint, filed in New York on Feb. 15, claims that by entering into confidential agreements with the Big Six publishers, who control approximately 60 percent of print book revenue in the U.S., Amazon has created a monopoly in the marketplace that is designed to control prices and destroy independent booksellers."


“Hey! We're smarter than those guys!” A big win for Google?
A Wisconsin appeals court has ruled in favor of a Milwaukee area law firm that paid to use the names of a competing firm in Internet search engines to promote its own link.
The 1st District Court of Appeals ruled Thursday Cannon & Dunphy did not violate Habush, Habush & Rottier’s right of privacy.
Read more on PostCrescent.com


Not just for the inordinately curious...
February 21, 2013
Open States: Legislative Data Across All 50 States
Amy Ngai, Sunlight Foundation: "Do you ever find yourself looking up state legislative information? Instead of hopping from one legislative website to the next, Open States allows you to search and explore legislative data from all 50 states, D.C. and Puerto Rico -- from a single site. The free tool also lets you identify your state legislator, review their votes, track bills and discover upcoming events at your state house."


Eight will get you 10 that eventually every state with casinos will follow suit.
Nevada governor signs online gambling bill law after measure fast-tracked through Legislature
… Nevada wanted to beat New Jersey, its East Coast casino rival, to the online gambling punch. New Jersey Gov. Chris Christie previously vetoed an online wagering bill but has indicated he may sign an amended version next week.


Perspective
Is Republic's $19 cell phone service too good to be true?
Republic Wireless's $19 a month plan, which includes unlimited voice, text messaging, and data, is a hard deal to beat. In fact, I don't know of any other cell service that can compete at that price. But your instincts about a "catch" are justified.
… Republic is able to offer its service so cheaply because it uses Wi-Fi to handle most of the calls, text messages, and data sessions instead of a cellular network.
Because Republic believes that its customers will be in Wi-Fi hotspots more often than they won't be, it's able to eat the cost of connecting via Sprint's network and thus keep the cost of its service lower than its competitors' prices.
The phone used on Republic's network is configured to make calls and send text messages over either Wi-Fi or a cellular network. This means that users don't have to launch a separate app to make calls over Wi-Fi. The phone is able to detect which network is available and which one is best for the call. If no Wi-Fi is available or the signal is too weak, the phone automatically dials the number over Sprint's cellular network. Users can also manually turn off the Wi-Fi calling feature to use Sprint's network.
… The other potential drawback is that in order to use Republic's service, you must buy a Republic device.


An interesting KickStarter project with some real interest...
myIDkey is a voice-activated, fingerprint secure Bluetooth / USB Drive that displays passwords and personal info online and on the go.
