Aargh! “Yes we encrypted the data,
but then we put the key ON THE SAME SERVER so we wouldn't need to
remember it.” Clearly, this one is going in my collection of
“Worst Practices.”
HealthITSecurity.com has obtained more details on the breach affecting almost 10,000 patients of Presbyterian Anesthesia Associates. Apparently the data were encrypted, but the encryption key was acquired by whoever attacked the E-Dreamz server hosting the practice’s database.
The dynamic of a security breach
changes a bit when the 'victims' are corporations with deep pockets
and a good legal team.
Ryan Nakashima reports:
Lawyers for JPMorgan Chase & Co. are asking financial news and data company Bloomberg LP to turn over any records it has of reporters looking up the log-in and usage data of JPMorgan employees.
A formal letter was sent this week, a person familiar with the matter said. The person wasn’t authorized to speak publicly and spoke on condition of anonymity.
[From the article:
The letter seeks data going back to
2008 as the bank examines whether the seller of ubiquitous
trading-data terminals was in breach of contract, the person said.
It comes after the revelation Friday
that, until recently, Bloomberg reporters had special access to
client usage data and sought to use it to break stories. On
Monday, Bloomberg News Editor-in-Chief Matthew Winkler apologized for
the practice, which he said had been going on since the 1990s.
He said the special access for reporters had been cut off last month
after Goldman Sachs complained.
… The Federal Reserve is also
looking into whether Bloomberg journalists tracked data about
terminal usage by top Fed officials.
So anyone (newspaper, school, police
department, individual) could do this.
Today The New Yorker unveiled a project called Strongbox, which aims to let sources share tips and leaks with the news organization in a secure manner. It makes use of the Tor network and encrypts file uploads with PGP. Once the files are uploaded, they're transferred via thumb-drive to a laptop that isn't connected to the internet, which is erased every time it is powered on and booted with a live CD. The publication won't record any details about your visit, so even a government request to look at their records will fail to find any useful information.
"There’s a growing technology gap: phone records, e-mail, computer forensics, and outright hacking are valuable weapons for anyone looking to identify a journalist’s source. With some exceptions, the press has done little to keep pace: our information-security efforts tend to gravitate toward the parts of our infrastructure that accept credit cards." Strongbox is actually just The New Yorker's version of a secure information-sharing platform called DeadDrop, built by Aaron Swartz shortly before his death. DeadDrop is free software.
“We designed it so we could and we
saw no reason to turn this function off for the App vendors.”
Jaikumar Vijayan reports:
Several users of
devices running Google’s Android operating system have filed an
amended version of an earlier lawsuit accusing the company of
illegally collecting, and allowing others to collect, extensive
amounts of mobile user data without proper notice or consent.
The lawsuit, filed
last week in the U.S. District Court for the Northern District of
California, is an updated version of a consolidated lawsuit from
January 2012. It alleged that Google’s actions had harmed the
privacy, security and financial interests of the six named plaintiffs
in the case.
An interesting argument.
Long-time readers may remember the case
of Nina Yoder, a nursing student who was expelled from the University
of Louisville School of Nursing [SON] in 2009 for allegedly breaching
the honor code and confidentiality agreements she had signed by her
posts on MySpace. A district judge had
ordered her reinstatement in August 2009, and Yoder eventually
graduated from the program, but it seems the part of her lawsuit
dealing with damages and constitutional issues of free speech and due
process had not been addressed and remained in the courts.
The question of what nursing or medical
students or staff can say online that might be subject to
disciplinary action is an important one, as it may pit notions of
protected speech against an entity’s or employer’s legitimate
concerns about disclosures. The issue also raises questions about
whether online speech during off-duty hours on one’s own computer
can be subject to disciplinary action. Since the time this case
first arose, a number of schools have attempted to regulate
off-campus online speech in attempts to deal with cyber-bullying.
But what about adults disclosing information learned on the job or in
their internships or rotations if they’ve signed a confidentiality
agreement?
In an opinion issued by the Sixth
Circuit Court of Appeals on the free speech claim, the court notes
the absence of relevant precedent:
In addition, both
parties rely heavily on Supreme Court cases that govern student
speech standards, none of which considers the unique circumstances
posed here. Yoder has not identified any case—nor are we aware of
any—that undermines a university’s ability to take action against
a nursing (or medical) student for making comments off campus that
implicate patient privacy concerns. Defendants have legal and
ethical obligations to ensure that patient confidentiality is
protected, and that nursing students are trained with regard to their
ethical obligations. See, e.g., Ky. Rev. Stat. § 314.031(4)(d),
(k); id. § 314.111. Yoder gained access to the Patient through the
SON’s clinical program, and patients allow SON students to observe
their medical treatment in reliance on the students’ agreement not
to share information about their medical treatment and personal
background. Under such circumstances, Defendants could not “fairly
be said to ‘know’ that the law forb[ids] [discharging a student
under these circumstances].” Harlow, 457 U.S. at 818.
You can read the full opinion here (pdf). They do not seem to reach the issue of whether Yoder’s speech was protected speech, but analyze whether the university officials had reasonable grounds to believe that Yoder had waived any First Amendment rights because she had signed the confidentiality agreement and other documents.
We just had a decision that continuous monitoring of location data (from cell phones) eventually constituted a search under the 4th Amendment. Purchasing data from a vendor does not. Even if you supplied the initial information (DMV records).
sosadmin writes:
Did you know that
a private company which hoards detailed information about your
driving habits also has plans to create the largest private sector
law enforcement database in the world, by combining
plate reads with commercial databases, face recognition technology
and more?
Vigilant Video is
a private corporation. It maintains a database called the National
Vehicle Location Service (NVLS), containing hundreds of millions of
data points showing the travel patterns of millions of people in the
United States. The data in the system comes from a
variety of sources including government
agencies, other companies like tow
truck and repo firms, and a fleet of company cars that drives around
sucking up license plate information on our streets and in our
neighborhoods.
(Related) “Our business is based on
extracting information about you for our customers, but extracting
information about you for you is something else entirely. We don't
know how to do that.”
"Contrary to recent reports,
data broker Acxiom is not planning to give consumers access to all
the information they've collected on us. That
would be too great a challenge for the giant company,
says spokesperson Alexandra Levy. Privacy blogger Dan Tynan recently
spoke with Jennifer Barrett Glasgow, Chief Privacy Officer at Acxiom
(she claims to be the very first CPO) about how
the company collects information and what they do with it. This
should give you some small measure of comfort: 'We don't know that
you bought a blue shirt from Lands End. We just know the kinds of
products you are interested in. We're trying
to get a reasonably complete picture of your household and what the
individuals who live there like to do,' says
Glasgow."
(Related) Cops Should Get Warrants to Read Your E-Mail, Attorney General Says
Attorney General Eric Holder became the
White House’s highest ranking official to support sweeping privacy
protections requiring the government, for the first time, to get a
probable-cause warrant to obtain e-mail and other content stored in
the cloud.
“It is something that I think the Department will support,” Holder testified before the House Judiciary Committee, when questioned about the Justice Department’s position.
Last month, the Senate Judiciary Committee approved a package that nullifies a provision of federal law allowing the authorities to acquire a suspect’s e-mail or other stored content from an internet service provider without showing probable cause that a crime was committed if the content is 180 days or older.
Under the current law, the 1986 Electronic Communications Privacy Act, the government can obtain e-mail without a warrant as long as the data has been stored on a third-party server — the cloud — for 180 days or more. The government only needs to show, often via an administrative subpoena, that it has “reasonable grounds to believe” the information would be useful to an investigation.
Holder, who was speaking at a Justice
Department oversight hearing, said that warrants are
unnecessary for non-criminal investigations. [Should I read that as:
“We don't need a warrant if we're going to sue you?” OR “We
can't tie you to a crime yet, but we want to look at all your emails
to see if we can find a crime.” Bob]
Perhaps being elected Governor makes you stupid or willing to go to ridiculous lengths to posture for re-election? If one of the Service Academies asked for a high school transcript, would they be denied?
WRCB reports:
Governor Nathan
Deal signed an executive order Wednesday which prohibits the state
from collecting or sharing with the federal government any personally
identifiable data on students or their families.
The order focuses
on multiple areas of education and points out that intrusive data
tracking is an invasion of privacy and the federal government has no
constitutional right to determine how children in the State of
Georgia should be educated.
The text of the Executive Order reads
as follows:
WHEREAS:
The federal government has no constitutional right to
determine how children in the State of Georgia will be educated; and
[ … ]
NOW, THEREFORE, PURSUANT TO THE AUTHORITY VESTED IN ME AS GOVERNOR OF THE STATE OF GEORGIA, IT IS HEREBY ORDERED: That no educational standards shall be imposed on Georgia by the federal government.
[ ... ]
IT IS FURTHER ORDERED: That no personally identifiable data on students and/or their families’ religion, political party affiliation, biometric information, psychometric data and/or voting history shall be collected, tracked, housed, reported or shared with the federal government.
IT IS FURTHER ORDERED: That no student data shall be collected for the purpose of the development of commercial products or services.
This 15th day of May, 2013.
While the student privacy aspect is
certainly attractive, keeping the federal government out of
educational issues totally has some drawbacks, particularly if you,
like me, follow cases pursued by the Department of Justice Office of
Civil Rights, which has investigated Georgia districts over
segregation and discrimination claims. Barring districts from sharing data with the federal government may result in students in special education and minority students having fewer protections and fewer services than they currently have. The Executive Order would also seemingly permit local districts to decide to teach the Bible and not evolution, and to teach that homosexuality is bad, etc.
So privacy interests notwithstanding, I
think this Executive Order is very problematic.
What could possibly go wrong?
"In their ongoing battle
against websites said to infringe music copyrights, record
labels have initiated a fresh wave of actions aimed at forcing UK
ISPs to carry out domain blocking. This third wave is set to be the
biggest so far, affecting as many as 25 domains and including some of
the world's largest torrent sites and file-hosting search engines.
Furthermore, the BPI – the entity coordinating the action – will
ask courts to block U.S.-based music streaming operation,
Grooveshark."
(Related)
cluedweasel writes
"A Federal
judge in Medford, OR has dismissed a piracy case lodged against 34
Oregonians. Judge Ann Aiken ruled that Voltage Pictures LLC unfairly
lumped the defendants into what she called a
'reverse class action suit' to save on legal expenses
and possibly to intimidate
them into paying thousands of dollars for viewing a movie that
could be bought or rented for less than $10."
The judge was not enthused that they
offered to settle for $7500 while noting that potential
penalties could be as much as $150,000.
Eventually we may be able to take an
idea from regulation “A” and a concept from law “B” and come
up with some decent guidance.
I’ve been looking for an English
language report on the new breach guidelines in Belgium and finally
found one. Cédrine Morlière and Ludo Deklerck of Bird & Bird
write:
When the data
breach results in a “public incident” (when a data breach results
in a public leakage of private data), according to the guidance, the
Data Protection Commission is to be informed of the causes and
consequences of the incident within 48 hours. In addition, a public
information campaign should be rolled out within 24-48 hours after
notifying the Data Protection Commission.
The Belgian Data Protection Commission also announced its intention to reinforce the present legal framework. There is already a legal obligation for data controllers to put adequate security measures in place pursuant to the Belgian Data Protection Act; however, this obligation is not being implemented seriously enough, according to the Commission. The Commission will now lobby the Belgian legislator in order to be entitled to make its recommendations on security measures legally binding.
Read more about the new guidelines on Bird & Bird. As always, I’m skeptical of the value of certain reporting demands such as notification to the public within 48 hours. Rushing to notify often leads to errors and necessitates revised notifications with more cost and more frustration or anger for those affected by a breach.
Something for the “How that legal
stuff works” bookshelf.
May 15, 2013
Updated Edition of Benchbook Now Available
US Courts: "The 6th edition of the Benchbook for U.S. District Court Judges, a publication of the Federal Judicial Center, is now available online. The book, last updated in 2007, is a concise and practical guide to situations federal judges are likely to encounter on the bench. The Benchbook covers procedures that are required by statute, rule or case law, with detailed guidance from experienced trial judges. And although new judges may benefit the most from the Benchbook, even experienced judges may find useful reminders about how to deal with routine matters, suggestions for handling more complex issues, and helpful starting points in new situations. The 6th Edition includes a primer on a prosecutor's duty to disclose favorable information to defendants under Brady v. Maryland. There's a new section on civil pretrial case management focusing on the judge's role as an active case manager, and a completely revised section on sentencing, which contains an extensive colloquy for the sentencing hearing. There also are subsections on handling disruptive or dangerous defendants, and expanded jury instructions on the use of social media. Due to budgetary constraints, this edition of the Benchbook is published in electronic format only."
Something new for the terrorist toolkit? “Computer Assisted Sniping” – Take your shot while sipping a latte at your local Starbucks, immediately post the video to YouTube.
"A story on NPR reports that
the TrackingPoint
rifle went on sale today, and can
enable a 'novice' to hit a target 500 yards away on the first try.
The rifle's scope features a sophisticated color
graphics display (video). The shooter locks a laser on the
target by pushing a small button by the trigger... But here's where
it's different: You pull the trigger but the gun decides when to
shoot. It fires only when the weapon has been pointed in exactly the
right place, taking into account dozens of variables, including wind,
shake and distance to the target. The rifle has a built-in laser
range finder, a ballistics computer and a Wi-Fi transmitter
to stream live video and audio to a nearby iPad. Every
shot is recorded so it can be replayed, or posted to YouTube or
Facebook."
Global Warming! Global Warming!
Another article that I apparently don't understand.
"Global warming is changing
the location of Earth's geographic poles, according to a study
published this week. Researchers at the University of Texas, Austin,
report that increased melting of the Greenland ice sheet — and to a
lesser degree, ice loss in other parts of the globe — helped to
shift the North Pole several centimeters east
[...and
here I was taught that the only direction you could go from the North
Pole was South. Bob] each
year since 2005. From 1982 to 2005, the pole drifted southeast
towards northern Labrador, Canada, at a rate of about 2
milliarcseconds — or roughly 6 centimetres — per year. But in
2005, the pole changed course [So
Global Warming began to melt the ice in 2005? Bob] and
began galloping east towards Greenland at a rate of more than 7
milliarcseconds per year (abstract).
The results suggest that tracking polar shifts can serve as a check
on current estimates of ice loss. Scientists can locate the north
and south poles to within 0.03 milliarcseconds by using Global
Positioning System measurements to determine the angle of Earth's
spin. When mass is lost in one part of a
spinning sphere, its spin axis will tilt directly towards the
position of the loss [Clearly
a pound of ice weighs more than a pound of melted ice... Bob]
— exactly as the team observed for Greenland."
(Related) Global Cooling! Global Cooling! (Next lecture will feature Al Gore in a parka and mukluks.)
May 15, 2013
NOAA - April temperatures were coolest since 1997
"The April average temperature for the contiguous U.S. was 49.7°F, which was 1.4°F below the 20th century average. April 2013 ranked as the 23rd coolest such month on record and marked the coolest April since 1997 when the monthly average temperature for the contiguous U.S. was 48.0°F."
Purely for Academic purposes, I will
seek a grant to carefully and completely find and measure all the
porn on the Internet. Contributions gratefully accepted...
The Internet’s Dirty Secret: Nobody Knows How Much Porn There Is
For my Math students (It can't hurt)
Mad 4 Maths is an addictive and
interactive game for kids (and adults) that enhances mental
arithmetic abilities of the player. While this game is aimed at kids
to get them familiar with basic arithmetic operations (addition,
subtraction, multiplication and division) it also can be enjoyable
for adults to practice their basic math skills. It is available for
free download for Android and Blackberry platforms.