Thursday, March 31, 2005

List of Schiavo Donors To Be Sold to Marketing Company

This is a little weird. The parents of Terri Schiavo are going to sell the list of their supporters to a direct marketing firm, according to WKMG:

Yahoo! News - List of Schiavo Donors To Be Sold:

"If you expressed your support to Terri Schiavo and her parents fight to keep her alive, you may begin to receive a steady stream of solicitations, according to a Local 6 News report.

Terri Schiavo's parents have agreed to sell their list of supporters to a direct-mailing firm, Local 6 News reported...."

See also The New York Times > Washington > List of Schiavo Donors Will Be Sold by Direct-Marketing Firm. Thanks to Boing Boing for the links.

ChoicePoint to allow people access to personal records

According to the Associated Press, ChoicePoint is planning to open up its records, allowing individuals to have access to information about them:

AP Wire | 03/31/2005 | ChoicePoint to allow people access to personal records:

"LOS ANGELES - An executive of embattled data broker ChoicePoint Inc. said the company is developing a system that would allow people to review their personal information that is sold to law enforcement agencies, employers, landlords and businesses.

'You will receive the reports that we have on you,' Don McGuffey, the firm's vice president for data acquisition, told the state's Senate's Banking, Finance and Insurance Committee on Wednesday.

ChoicePoint's announcement comes a month after it disclosed that thieves used previously stolen identities to create what appeared to be legitimate businesses seeking personal records. The bandits, who operated undetected for more than a year, opened up 50 accounts and received vast amounts of data on consumers, including their credit reports..."

The only thing I have to add is that they had better make sure that people are who they say they are before handing over records ....

Japan privacy law comes into force this week

Japan's new privacy law is coming into force this week. PC World has a nice summary of the new law:

PCWorld.com - Japan Tightens Personal Data Protection:

"TOKYO -- Starting April 1, businesses throughout Japan, including foreign companies, must comply with legislation that sets out new rules for handling personal data.

The Personal Information Protection Law, effective April 1, applies to any company with offices in Japan that holds personal data on 5000 or more individuals, according to Kazuhito Masui, an attorney at Shiba International Law Offices, a major international law firm based in Tokyo.

Personal data as defined by the law includes a person's name, address, date of birth, sex, home and mobile phone numbers, and also a person's e-mail address if that address is recognizably the person's name. The 5000 minimum includes company employees, Masui said in an interview last week...."

Wednesday, March 30, 2005

Yes Virginia, there is a free-standing non-statutory right to employee privacy in Ontario. Maybe. This month.

In December of '04, I blogged about a case in which an arbitrator ruled that employees in the provincially regulated private sector in Ontario have no right to privacy. (See PIPEDA and Canadian Privacy Law: Employees in Ontario (and perhaps other Canadian provinces) have no right to privacy.) Since this area is consistently inconsistent, here is a rececent decision of an Ontario arbitrator who has decided, yes Virginia, there is a free-standing non-statutory right to employee privacy in Ontario, at least under "arbitral law": LIUNA, Loc. 625 v. Prestressed Systems Inc.

Employees expect their privacy to be protected. Sometimes a tribunal will side with the employee. Sometimes it will side with the employer. The easiest thing to do is assume that there is a right to privacy, adopt the reasonableness standards adopted by the pro-privacy adjudicators and privacy commissioners, and fight it out only if you need to.

Incident: Encrypted tapes containing health information on hundreds of thousands of Albertans missing or tampered with

It appears a bit coincidental that I posted this morning that organizations should encrypt data to prevent privacy breaches (PIPEDA and Canadian Privacy Law: Managing privacy risks using basic technology) and I've just discovered the Calgary Herald is reporting that encrypted mainframe tapes containing health records of "hunreds of thousands" of Albertans have gone missing. I hope this is a "non-incident", but in any event the Information and Privacy Commissioner of Alberta is on the case:

Alberta health records go astray: 'Hundreds of thousands' of files feared breached:

"Confidential health records of 'hundreds of thousands' of Albertans disappeared or were tampered with while in the hands of a courier earlier this month, prompting an investigation by the province's Information and Privacy Commissioner.

Details were scarce, but government sources told the legislature bureau on Tuesday that Privacy Commissioner Frank Work has been called in to investigate after data -- digitized, encrypted, and stored on large reel-to-reel tapes -- went missing or was otherwise tampered with while in transit between two government facilities.

It appears the tapes were backups, mainly for archival purposes. The information is considered confidential and could include medical records, prescriptions and billing history.

Sources would not confirm if the tapes were recovered or the police were investigating.

The sources said Health and Wellness Minister Iris Evans was assured by an expert with IBM Canada that a mainframe computer system and the proper encryption code would be needed to read the data.

Nonetheless, there is some concern that organized criminal gangs could have the ability to crack the code and use the highly private information...."

Update:

CBC Calgary - Privacy commissioner looking into missing health info:

"...'There are names, health care and payroll numbers, payroll rates and the family status of the names on it,' Deere said. 'So there's no real personal health information on it, per se.

'But we take any potential breach of privacy quite seriously, and that's what this is, a potential breach. So we've reported it to the privacy commissioner and he's investigating.'

Deere said birth dates weren't part of the information on the tapes...."

ATM Fraud and Security Whitepaper

Thanks to Cryptome for linking to a very interesting whitepaper produced by Diebold, one of the leading makers of banking machines. Entitled ATM Fraud and Security, the whitepaper provides an overview of the state of the art in ATM Fraud, including skimming, shoulder surfing, overlays, and PIN interception. Scary stuff, but good to know about.

Managing privacy risks using basic technology

Over the last year and a bit, I've noticed dozens of privacy incidents (PIPEDA and Canadian Privacy Law: Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law). So often, the incidents are too similar. When I read about a new incident, I often think that nobody must have been paying attention to any of the earlier ones, since the same mistakes are repeated over and over again.

One thing that is painfully obvious is that too few organizations are encrypting their data. Encryption is easy and you have probably already paid for the function (if you run Windows XP). If any of the organizations involved in the following incidents had encrypted their data, they likely would have avoided much of the damage chronicled below:

Computers, even servers, are highly portable and very easily stolen. Encryption of data on the hard drive (or backup tape) is the last line of defence. It is amazing to see that too few organizations do it. To state what should be obvious: encrypt your data.

Privacy fears over UK medical database

A number of folks, including physicians, are concerned about the possible privacy impact of a central electronic health records system being implemented in the UK: BBC NEWS | Health | Privacy fears over NHS database

It sounds a lot like the system being rolled out in Nova Scotia, which has encountered some privacy-related turbulence. Physicians, who are responsible for patient information under PIPEDA are not keen to trust the government with this information. The provincial government, on the other hand, isn't subject to PIPEDA and doesn't really see it as its problem. It is the province's problem if it wants a provincial electronic medical record....

PEI Privacy commissioner resigns

According to the CBC - Charlottetown, Karen Rose has resigned as the island's Information and Privacy Commissioner: CBC Prince Edward Island - Privacy commissioner resigns. I saw her speak a few times and she was always impressive. No news or speculation on who her replacement will be.

Tuesday, March 29, 2005

Putting together the pieces

I teach Internet and Media Law at Dalhousie Law School. Last night we had a guest speaker, Lisa Taylor, a CBC journalist and law school grad. One of the topics discussed was publication bans and how they are inadvertently compromised when different media outlets choose to disclose limited -- but different -- information. This got me thinking about other ways of piecing together information.

A while ago, I blogged about an article in the Halifax paper related to stores leaving card numbers unobscured on receipts (PIPEDA and Canadian Privacy Law: Article: Who has your number?). I've noticed that more and more stores are omitting many of the digits on debit card and credit card receipts.

While emptying the loads of junk from my pockets at the end of the day, I glanced at the pile of papers I had accumulated in the previous twenty four hours. I was happy to see that all of the stores I had visited had blocked out digits of my card numbers, presumably to protect their customers. When I took a closer look, I noticed that they are completely inconsistent in how they do it. Some leave only the first four and last four digits. Some omit the last digits. So if you took my little pile of papers, you could completely recreate my debit card number. Hm... Perhaps we need a little consistency in how we protect identities. If I had emptied my pockets into the garbage, anybody trolling through my trash for personal information would be able to get the card numbers. And expiry dates for credit cards. Perhaps the debit terminal manufacturers and distributors could get together and figure this out.

DHS spins RFID ... presto! Contactless integrated circuits!

The Department of Homeland Security is learning that RFID has negative connotations. According to Wired News, they're trying to rename them, at least in their cards:

Wired News: RFID Cards Get Spin Treatment:

"... The distinction is part of an effort by the Department of Homeland Security and one of its RFID suppliers, Philips Semiconductors, to brand RFID tags in identification documents as 'proximity chips,' 'contactless chips' or 'contactless integrated circuits' -- anything but 'RFID.' ..."

I suppose they didn't want to call them "auto id chips" or "spy chips".

Incident: Stolen Berkeley Laptop Exposes Data of 100,000

Yet another university to add to the incident file. Someone walked off with a University of California Berkeley laptop containing personal information related to almost 100K students, alumni, applicants, etc. Thanks to the California privacy law, the University is required to inform each affected individual.

Stolen Laptop Exposes Data of 100,000:

"A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society's vulnerability to identity theft.

University officials waited until Monday to announce the March 11 crime, hoping that police would be able to catch the thief and reclaim the computer. When that didn't happen, the school publicized the theft to comply with a state law requiring consumers be notified whenever their Social Security numbers or other sensitive information have been breached...."

See also Yahoo! News - Stolen Laptop Exposes Data of 100,000, ABC News: Stolen Laptop Exposes Data of 100,000 and The New York Times > National > Thief Takes Laptop With Berkeley Data.

Monday, March 28, 2005

Your data, for all the world to see

The Daily Pennsylvanian has an article/opinion pience about Abika.com, an internet-based data aggregator and background check service. (See previous mentions: PIPEDA and Canadian Privacy Law: CIPPIC complaint raises a number of novel and interesting issues, PIPEDA and Canadian Privacy Law: Jurisdictional limits on Canadian privacy law, and PIPEDA and Canadian Privacy Law: CIPPIC v Abika.com: Part deux.)

I am sure the author is not alone in his opinions:

dailypennsylvanian.com - Your data, for all the world to see:

"Tucked away in the rodeo-ridden town of Cheyenne, Wyo., is a small, seven-person company that is quietly blurring the conventional boundaries between public and private life. Founded by India-born Jay Patel, Abika.com is a self-proclaimed "worldwide leader in people information, verifications and profiling" in the emerging field of person-to-person search technology. The firm utilizes proprietary person-based data query/extraction systems (akin to old-fashioned intelligence gathering) in addition to online algorithmic searches to deliver "All Best Information Known Accurately."

The company has its roots in the most precarious of human endeavors -- dating (coincidentally, Abika was also the name of the man responsible for compiling the ancient knowledge found in the Kamasutra). In a recent interview with The Times of India, Patel described meeting an intriguing woman at a local Sam's Club and thereafter rushing home to his computer to dredge up every piece of her personal history he could find on the Internet. On the next date he surprised her with intimate details of her life and, fortunately for Patel, wasn't immediately branded as a stalker. Three weeks later, they were married.

...

Abika's overwhelming success -- the company processed more than three million personal information requests just last year -- combined with its relative ease of use has slowly attracted the attention of both domestic and foreign privacy watchdogs. The Electronic Privacy Information Center in Washington, for example, has warned of the perils of unregulated data mining, lax enforcement of the Fair Credit Reporting Act (a federal law enacted to prevent improper disclosure of personal financial history) and the overarching potential for identity theft.

...

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has expressed similar concerns, particularly over the inaccuracies of Abika's psychological profiling methods and their potential for unfair discrimination and commercial abuse, and has filed complaints against Abika with the privacy commissioner of Canada and the U.S. Federal Trade Commission. To date, however, neither EPIC nor CIPPIC has made any progress toward curtailing this nascent industry.

Critics of these privacy groups note that most of the information in question is technically "public," albeit fragmented, and hence companies like Abika cannot be faulted for the mere acts of aggregation and inference. In an increasingly connected world, the rise of Abika and its brethren seem almost inevitable -- natural by-products of globalization and the growing culture of communication. Early warnings by parents and grade-school teachers ("don't say or do anything you might later regret") come to mind, with substantially more bite.

A potential error in this line of reasoning, however, lies in equating "public" with "equally publicly accessible." As EPIC has often noted, much of the information gleaned by data-mining companies comes from the expensive purchase of consumer records from other companies, an endeavor far from the reach of the average citizen. Accordingly, an immediate institutional and monetary bias in access is realized, forging an intrinsic difference in the meaning of "publicly accessible" for the individual and "publicly accessible" for the corporation, the latter being more comprehensive and inclusive.

As a result, individuals are inherently disadvantaged not only in knowing what information is known about them but also, importantly, who knows such information and whether it is indeed correct. This becomes acutely germane when faulty conclusions are drawn upon incorrect information (say, when a firm rejects a job applicant based upon erroneous data concerning past criminal/social history) or when extrapolated statistical conclusions are used to predict future behaviors (say, when law enforcement personnel, who are becoming quite fond of Abika's services, are identifying suspects)...."

Sunday, March 27, 2005

US Privacy Law: Not 'if' but 'when'

Today's Toledo Blade has a lengthy article on the current privacy/security incidents and the push toward new legislation:

toledoblade.com:

"ID theft: Not 'if,' but 'when'
Computer breaches spur calls for new laws

Many people learned a lesson the hard way recently: Big Brother barely has his eyes open when it comes to the data brokers that gather personal information on millions of Americans.

Which means, security and consumer experts warn, that unless states and Congress institute tough laws, all the paper-shredding in the world will not protect an increasing number of people from falling victim to identity theft...."

Saturday, March 26, 2005

Did TSA mislead the public on passengers' private data? DHS thinks so.

According to an investigation by the Department of Homeland Security, and reported on by Yahoo news (Report: TSA Misled Public on Personal Data), the Transportation Security Administration misled the public about its role in getting passenger information from airlines while testing its passenger profiling software.

CBS News has a strongly-worded headline for its coverage of the story: CBS News | Airline Passenger Privacy Betrayed

Friday, March 25, 2005

Incident: Purdue warns hackers hit some computers

Once again, a university computer system containing personal information has been compromised by hackers. There is no confirmation that sensitive personal information has been compromised, but Purdue University officials are notifying students and employees that their information may have been disclosed:

Purdue warns hackers hit some computers:

"WEST LAFAYETTE, Ind. -- Purdue University officials have sent letters to more than 1,200 employees, students, graduates and business affiliates, alerting them that their personal information might have been illegally obtained through computers on campus.

Officials discovered Jan. 27 that someone hacked into the computers in the College of Liberal Arts' Theatre Division.

The hacking probably started in November when someone used special software to access the theater computers and two other campus systems, school officials said. 'While this information was vulnerable, we cannot say with certainty whether it actually was accessed,' Joseph Bennett, vice president for university relations, said Thursday. 'We take this very seriously because files on these computers contained information that could be used to commit identity theft.'"

Incident: NWU's Kellog School of Management systems hacked

Another one for the incident file (Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law). The Kellog School of Management is reporting that their computer systems have been hacked. All that is suspected to have been lost are userids and passwords, but other personal information may have been compromised. From WBBM 780:

WBBM780:

" - EVANSTON, IL -- Computer hackers apparently went to work at Northwestern University's Kellogg School of Management. WBBM's Bob Conway reports...

A security breach has been detected in the computer server system at Northwestern University's Kellogg School of Management.

...

Thus far, no one at Kellogg has reported any unauthorized use of their information.

When the server problem was discovered on March 20, the affected systems were immediately taken off-line and rebuilt. On Wednesday, Kellogg Information Systems determined that Kellogg user IDs and passwords, which provide access to various information sources on the Northwestern system, were potentially obtained by the hackers.

While the university said it has no evidence that personal identification was accessed, Northwestern has taken the precautionary measure of disabling all passwords and user IDs for Kellogg School faculty and staff (approximately 500) and students (approximately 3,000) affected. Kellogg Information Systems is also working to create new passwords for approximately 18,000 of the school's alumni whose passwords were also potentially obtained.

An investigation is ongoing and it appears that the servers were not targeted to obtain personal information. Stay tuned to WBBM Newsradio 780 for the latest developments "

Who is dumber, the phisher or the phished?

Getting personal information by "phishing" isn't new, but I've only recently received my first phising e-mail. It actually is a bit funny since whoever wrote it is pretty stupid. It's also a bit scary because I'm sure it has snagged more than a few folks. Here's the message, with some of my favorite bits highlighted:

[Graphic]

Dear Bank of Oklahoma customer. Please read this message and follow it's [sic] instructions.

Unauthorized Account Access

We recently reviewed your account, and we suspect an unauthorized ATM based transaction on your account. Therefore as a preventive measure we have temporary limited your access to sensitive Bank of Oklahoma features.

To ensure that your account is not compromised please login to Bank of Oklahoma Internet Banking and Investing by clicking this link, verify your identify and your online accounts will be reactivated by our system.

To get started, please click the link below:

[link removed]

Important information from Bank of Oklahoma.

This e-mail contains information directly related to your account with us, other services to witch you have subscribed, and/or any application you may have submitted. Bank of Oklahoma and its service providers are committed to protecting your privacy and ask you to send sensitive account information through e-mail.

If your bank demonstrates its "commitment to protecting your privacy" by asking you to send sensitive account information via e-mail, you are being scammed or you are with the wrong bank.

While looking into this particular scam, I happened upon the Anti-phishing Workgoup, which has more info on the Bank of Oklahoma e-mail and many, many more.

Survey Reveals That People Will Give Away Their Identity For A Chance To Win Theatre Tickets

Infosecurity Europe did a little research on the streets of London, showing that most people will trade away sensitive personal information for a chance to win something. I'd like to see some followup research to find out how people actually felt about giving up that information. I bet more than a few felt a little squeamish, but gave it up anyway:

HNS - Survey Reveals That People Will Give Away Their Identity For A Chance To Win Theatre Tickets:

"... The first question researchers asked was, "What is your name?", which seems reasonable enough if someone is potentially going to send you some vouchers, 100% of those surveyed gave their names. They were then asked a series of questions about their views on the theatre in London. People were then asked if they knew how actors came up with their stage name. They were then told it was a combination of their pets name and mothers maiden name and were asked what they thought their stage name would be. Ninety four percent (94%) of respondees then went on to give their mothers maiden name and pet's name. To obtain the address and post code, researchers asked for their address details in order to post them the vouchers if they won, 98% gave their address and post code. To find out the name of their first school the question was asked, "Did you get involved in acting in plays at school?" and then "What was the name of your first school?". Ninety six percent (96%) gave the name of their first school, this answer along with mother's maiden name are key pieces of identity information used by banks.

In order to find out date of birth researchers said that in order to prove they had carried out the survey they needed their date of birth, 92% gave their date of birth and 92% also gave their home phone number in case there was a problem delivering the vouchers. At the end of a 3 minute survey, the researchers were armed with sufficient information to open bank accounts, credit cards, or even to start stealing their victim's identity. The researchers did not give any verification of their identity, their only tool was a clipboard and the offer of the chance to win a voucher for theatre tickets...."

Their techniques were sneaky and misleading, but someone trying to steal identities will be sneaky and misleading.

The Fed now requires customer notificatioin of security breaches under GLBA

The Office of the Comptroller of the Currency, Board of Governors of the Federal Reservem, the Federal Deposit Insurance Corporation, Office of Thrift Supervision, yesterday released a guidance document under the Gramm-Leach-Bliley Act requiring banks to notify customers of security breaches involving their sensitive personal information:
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

"III. Overview of Final Guidance

The final Guidance states that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider. The final Guidance provides each financial institution with greater flexibility to design a risk-based response program tailored to the size, complexity and nature of its operations. The final Guidance continues to highlight customer notice as a key feature of an institution’s response program. However, in response to the comments received, the final Guidance modifies the standard describing when notice should be given and provides for a delay at the request of law enforcement. It also modifies which customers should be given notice, what a notice should contain, and how it should be delivered. A more detailed discussion of the final Guidance and the manner..."

Thursday, March 24, 2005

And the month isn't even over yet ...

The Register ran a story yesterday (that I would have otherwise missed - Thanks, PrivacySpot) about the litany of privacy stories that have appeared in the spotlight this March. The title is "ID theft is inescapable", but the story also has other lessons...

ID-theft and privacy are real issues for consumers. The media now much more likely to run with the stories. Though I have no hard facts to back this up, I do not think this March madness is a symptom of increased hacking and criminality. Rather, it is a reflection of how ordinary consumers are concerned, how the media report on the issue and how legislators are stepping in to address this concern. Much of this activity would have been unreported had it not been for the California law that requires notification for security lapses. But that law was a response to consumer fears.

The lesson is that how organizations manage and protect consumer information is under the spotlight and bright light is pretty unforgiving. I have seen, first hand, that a growing group of consumers are making decisions based on how companies respect their privacy. You can call them "privacy concerned." A large portion can be called neutral, and they'll walk if a company doesn't respect their privacy. This is now a simple reality for companies that deal with personal information.

ID theft is inescapable The Register:

"March 2005 might make history as the apex of identity theft disclosures. Privacy invasion outfit ChoicePoint, payroll handler PayMaxx, Bank of America, Lexis Nexis, several universities, and a large shoe retailer called DSW all lost control of sensitive data concerning millions of people.

Credit card and other banking details, names, addresses, phone numbers, Social Security numbers, and dates of birth have fallen into the hands of potential identity thieves. The news could not be worse...."

It's ten o'clock in Alberta. Do you know where your medical records are?

The Red Deer Advocate is reporting that a sudden medical clinic closure has left the town's residents wondering where their medical records are:

Medical records being sought:

"Mar 22 2005

By andrea miller

A women's health clinic that suddenly closed last week is being questioned about missing medical records.

The Alberta College of Physicians and Surgeons is trying to find out what happened to the medical files of hundreds of patients of the clinic, said spokeswoman Kelly Eby.

The province's privacy commissioner is also looking for answers to ensure compliance with the Freedom of Information and Protection of Privacy Act.

The Healthporte Medical Clinic in Red Deer closed last week after struggling to find enough doctors since opening last July.

Patients and the clinic's two doctors arrived last Tuesday to find a closure notice on the building in Cronquist Business Park...."

ChoicePoint still under fire, from all sides

(Sorry for the light blogging in the last day or so. I was in Newfoundland for a commercialization seminar.)

ChoicePoint is continuing to come under fire for a number of reasons ...

Wired news is running a story on alleged problems with their background checks:

Wired News: ChoicePoint's Checks Under Fire:

"As data broker ChoicePoint wrestles with the fallout from the sale of personal data to identity thieves and an investigation into two executives' sale of company stock, it faces questions on another front: its background-checking services.

Several lawsuits and consumer complaints in the last few years have accused ChoicePoint of providing inaccurate and out-of-date information in its criminal background reports, resulting in unfair job losses for applicants...."

Thanks to Privacy Digest for the link.

I expect there'll be some fuss about the company raising the CEO's bonus from $1.5M to $1.8M:

News from The Associated Press:

"WASHINGTON (AP) -- ChoicePoint Inc., which sells consumer data and recently acknowledged a major security breach, raised its top executive's 2004 bonus to $1.8 million from $1.5 million a year before, according to a regulatory filing Wednesday...."

And execs are being investigated for stock sales before the privacy incident was made public:

SEC investigating ChoicePoint stock sales:

"MAR. 4 8:13 A.M. ET Data collector ChoicePoint Inc. announced the Securities and Exchange Commission is investigating stock sales by its top two executives. The company also said it will also stop selling personal information about consumers to small businesses...."

Tuesday, March 22, 2005

How RSS can reduce privacy risks

Here's an interesting comment on The Information Security News blog from Clearwater Associates on using RSS instead of mailing lists to reduce your privacy risks. In short, if you don't have a mailing list that can be compromised, you effectively reduce the risk of having your mailing list compromised. And it gives complete control to your readers. Check it out here:

The Information Security News - Blog Archive - Editorial: How RSS can reduce privacy risks:

"Offering web site content updates via an RSS feed rather than by opt-in email can reduce the risk of privacy exposures. Because subscribing to an RSS feed is a 'pull' technology, it avoids the collection of personal information (email address, name, etc.) that would normally get collected in order to maintain a subscription to a site update alert, newsletter or digest..."

Media coverage of UC-Chico hacker incident.

A few days ago, I blogged about a hacking incident at the University of California, Chico (see PIPEDA and Canadian Privacy Law: Incident: Hacker Accesses Thousands of Personal Data Files at CSU Chico). In the meantime, the mainstream media have really picked up on the story, as evidenced by Google News. This is just one in a series of university hacking incidents, but in this post-ChoicePoint age, the media is taking notice in a serious way. Just google it here.

beSpacific: Another Antispyware Bill Introduced Today

Sabrina I. Pacifici's fantastic blog, beSpacific, is reporting that yet another anti-spyware bill has been introduced in the US Congress:

beSpacific: Another Antispyware Bill Introduced Today

Press release: "U.S. Senator Ron Wyden (D-Ore.) today announced the introduction of legislation to prohibit a variety of surreptitious practices that result in spyware, adware and other unwanted software being placed on consumers’ computers. The bipartisan SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) Act, introduced with Senator Conrad Burns (R-Mont.), would prohibit the installation of software on a computer without the owner’s notice and consent. The legislation also requires reasonable “uninstall” procedures for all downloadable software. Spyware, adware and other hidden programs often secretly piggyback on downloaded Internet software without the user’s knowledge, transmitting information about computer usage and generating pop-up advertisements. Frequently such software is designed to be virtually impossible to uninstall."

  • Related legislation: H.R. 29, the Spy Act.

  • Taking "googling yourself" to the next level

    Rob Hyndman sent me a link yesterday to an article in the Globe and Mail about a service called Zoominfo:
    Globetechnology: Startup helps control personal info on Web:

    "...The practice of typing your name into an Internet search engine and seeing what pops up is now common, but the results can be unpredictable. The Internet holds surprising amounts of personal information between its ever-expanding corners, and some of it may be outdated, inaccurate or embarrassing.

    ZoomInfo's computers have compiled individual Web profiles of 25 million people, summarizing what the Web publicly says about each person. The service, launched Monday, allows Web surfers to search for their profile, then change it for free...."

    It looks like it scrapes the internet for information about people and compiles it into one handy-dandy place. I put in my name and was surprised about what it had to say about me. Thankfully, most of it was positive, but it was also a bit scary. I put my wife's name and it knew all about her too, based on media interview she had done at the beginning of the year. It says you can control what is in it, but I doubt too many people will use that feature. I also wonder how they authenticate people. Can they tell the two hundred David Frasers apart?

    You can even look up by "company". The Central Intelligence Agency may have some concerns about this ... ZoomInfo Search: central intelligence agency. Or the National Security Agency ... ZoomInfo Search: national security agency.

    Debate over Solove and Hoofnagle's privacy proposal

    I blogged a little while ago about a new proposed privacy regime put forward by Daniel Solove and Chris Hoofnagle (see PIPEDA and Canadian Privacy Law: Daniel Solove, Chris Hoofnagle propose a new model privacy regime for the United States) and I've been waiting for Denis Bailey of the Open Society Paradox to comment on it. He's posted a summary of his thoughts on his blog, which provide food for thought: The Open Society Paradox: The Whole Kit and Caboodle - Solove and Hoofnagle Go For Regime Change.

    Monday, March 21, 2005

    Tune in today ... ROB TV at 5:00 eastern

    I've been invited to be on Squeeze Play on Report on Business TV this afternoon. They are looking for a discussion on PIPEDA's first full year of implementation, commentary on the most recent privacy fiascoes in the United States and where we are headed in Canada. I'll be on ROBTv this afternoon around 5:15 (EST), or you can catch it on their internet archive available at http://www.robtv.com/shows/past_archive.tv?day=mon. I think ROBTV's on basic cable from coast to coast.

    Update: The direct link to the video is here.

    Addressing privacy when moving medical records online

    From today's Contra Costa Times (registration required), an article on the promise and perils of online medical records:

    ContraCostaTimes.com | 03/21/2005 | Online health records arrive, with privacy concerns:

    ".... Recently, feeling curious about whether she needed more tests several years after a benign biopsy for breast cancer, she reread her detailed biopsy report online and felt reassured.

    'It was very comforting,' said Perlman, a 51-year-old former CEO who lives in Menlo Park and now consults for high-tech companies. 'I feel like I've been able to be much more proactive with things like figuring out for myself what's the right schedule for a physical.'

    Perlman's online ventures in medical care are just the beginning. Not far in the future, your entire medical record could be online, available to your doctors, the local emergency room, even the Lake Tahoe hospital that treats you when you break your leg skiing.

    The idea is to move those bulging paper patient charts into the digital age, creating a record that travels with you rather than gathering dust in your doctor's office or a hospital's storage warehouse.

    Electronic medical records, say health experts, can help cut health care costs and improve patient safety. For example, they can help doctors avoid prescribing a drug that might interact badly with one you're already taking or eliminate duplicative -- and expensive -- lab tests...."

    How-to: Erase Old Hard Disks

    Engadget - a must-bookmark for the gadget obsessed - ran a piece last week on how to completely erase the contents of a hard-drive: How-to: Erase Old Hard Disks - Engadget - www.engadget.com.

    Scrutinizing online privacy statements for transparency and disclosure

    Rusty Weston and Keith Dawson, in Optimize Magazine (a part of the TechWeb Business Technology Network), scrutnize online privacy statements of a number of companies to look at how transaparent they really are. The article focuses on whether the companies disclose offshore processing of customer information, but the article is a usefull lesson on how to be transparent to gain customer trust.

    Optimize Magazine > Global Issues << Shining Light On Privacy Policies >> March 2005:

    "If you read a few dozen corporate privacy policies, you may be excused for believing that the same guy who drafts the fine print in rental-car contracts wrote these while moonlighting. There is some truth to that notion: It's easy to find boilerplate privacy forms on the BBB OnLine site. These policies generally are so vague--and cookie-cutter in style--it appears that they exist to give attorneys wiggle room if the disclosure is ever challenged in court.

    The premise of our review of privacy statements by companies engaged in outsourcing of various kinds (they don't in all cases offshore customer data to third parties) is to determine how these firms handle the concept of customer disclosure. What policy language is the state of the art? Which statements need a serious policy review?...."

    Investigators Argue for Access to Private Data

    The New York Times, which has had great coverage of the latest privacy debate, is running an article in today's edition giving the private investigator's perspective on data aggregators:

    The New York Times > Technology > Investigators Argue for Access to Private Data:

    "Diany Castillo, a 54-year-old home health care aide who lives in Brooklyn, says she is grateful that the fragmented bits of her past - her moves from one state to another, her marriages and her name changes - can be found in the vast commercial databases that contain personal information on tens of millions of Americans.

    Last October, a private investigator in Los Angeles used those digital bread crumbs to track down Ms. Castillo and send her a letter. Her estranged daughter, Diani Ramos, adrift for nearly a decade on the streets of southern California, was looking for her, the letter said.

    The two were reunited in November.

    In the heated debate over privacy rights and the sale of personal information by the data-mining industry, the story of Ms. Castillo and Ms. Ramos may represent a contrarian's view. "

    Sunday, March 20, 2005

    What your photocopier knows about you ...

    The Alberta Information and Privacy Commissioner's office is raising the alert about security and privacy issues related to newer photocopiers and fax machines. Their hard-drives may store information without the user's knowledge:

    Yahoo! News - Alta privacy office says hi-tech fax machines an overlooked security risk:

    "CALGARY (CP) - In the realm of high-tech dangers, few would consider the lowly fax machine or photocopier a security risk.

    That would be naive, says Tim Chander, research manager of Alberta's Office of Information and Privacy.

    'It's not your grandfather's printer anymore - these things are computers with hard drives that can be connected to the Internet,' said Chander.

    'Anything you're photocopying (is) copied and stored on the hard drives unless they are overwritten.'

    Chander said most businesses, government offices and health authorities lease their office equipment without considering the security ramifications.

    'We haven't had a complaint come to our office. We just want organizations to be aware that anyone photocopying personal, business or health information to realize that when your lease is up, your information is going out the door,' he said...."

    Surveillance cameras coming to Halifax's public places

    In the wake of a number of "swarmings" on Spring Garden Road, Halifax's main shopping street, the local merchants' association is proposing to subsidise video surveillance of the entire area:

    The Daily News

    Crime watch

    By Richard Dooley

    EYES ON THE ROAD: Spring Garden Road Area Business Association manager Bernard Smith says the group has offered to subsidize outdoor night-vision surveillance cameras for merchants, to scan the streets for trouble, after a series of downtown swarmings. (Photo: DARRELL OAKE)

    A series of swarming-style robberies in downtown Halifax over the last two weeks — the latest early yesterday — has convinced businesses in the area to ask for more police feet in the street and eyes in the sky. The Spring Garden Road Area Business Association is quietly telling downtown businesses it will subsidize exterior night vision surveillance cameras set up to scan the street for potential trouble.

    The association is also asking for the return of beat cops to Spring Garden Road...."

    So far, I haven't heard of a privacy backlash, but I expect there may be one forthcoming.

    Saturday, March 19, 2005

    InternetCases.com: Time Warner Ordered to Identify Sender of Offensive Email

    InternetCases is running a summary of a recent Maine decision in which the Court ordered cable provider Time Warner to disclose the identity of an individual who allegedly impersonated the plaintiff in the case, sending an offensive cartoon. The US legislation requires that the cable company give the John Doe notice of the request; in this case, the unnamed individual was represented at the hearing:

    InternetCases.com: Time Warner Ordered to Identify Sender of Offensive Email:

    "In the case of Fitch v. Doe, the Supreme Court of Maine has held that while the Cable Communications Policy Act of 1984 generally prohibits a cable operator's disclosure of subscriber information, an exception provided in the Act allows disclosure to nongovernmental entities pursuant to court order, so long as the subscriber has received notification thereof.

    On Christmas Eve 2003, an anonymous person sent an email under Plaintiff Fitch's name with a derogatory cartoon attached. Fitch filed suit in Maine state court against the unknown sender of the email (John or Jane Doe). Fitch then sought an order directing Time Warner (the ISP of the account from which the message was sent) to disclose Doe's identity. Doe's counsel objected to the disclosure, arguing that the disclosure was forbidden by the Cable Communications Policy Act of 1984, 47 U.S.C.A. s 551 (the 'Act'), and that Doe did not consent to allow Time Warner to disclose his identity. The trial court ordered disclosure, finding that Doe's agreement with Time Warner provided such consent.

    Doe appealed to the Maine Supreme Court, but the lower court's decision to order disclosure was affirmed. Although the court concluded that the lower court erred in determining Doe had consented to disclosure, such disclosure was authorized under an exception found in the Act...."

    Canton: Non-secure ID database scary prospect

    David Canton's regular column in the London Free Press is about the insecurity of databases that are used to establish identity and government initiatives to make ID more secure:

    London Free Press: Business Section - Non-secure ID database scary prospect:

    "After the terrorist attacks of Sept. 11, 2001, governments began looking for solutions to identification problems that had plagued them for decades. The United Kingdom and the United States suggested introducing national identification cards and driver's licences respectively with 'smart card' radio frequency identification (RFID) technologies. Canada has also considered the idea...."

    LexisNexis Tightens Data Security

    LexisNexis is following Westlaw's lead in restricting access to social security numbers and drivers license numbers:

    Yahoo! News - LexisNexis Tightens Data Security:

    "NEW YORK - LexisNexis, which last week said intruders had accessed dossiers on about 32,000 people in one of its database products, has restricted access to individuals' Social Security (news - web sites) and drivers license numbers...."

    Friday, March 18, 2005

    BC outsourcing fight not over yet

    The BC union that kicked off the Canadian debate over privacy, outsourcing and the USA Patriot Act has taken their arguments to court, according to ITBusiness. The article doesn't really say what the legal basis of their attempt to derail the government's ousourcing plans are, particularly after the government amended the public sector privacy law:

    ITBusiness.ca:

    "The British Columbia Government and Service Employees' Union on Wednesday ended the third and final day of a Supreme Court case to block the outsourcing of its Medical Services Plan database management to a U.S. firm.

    Union lawyers told the court that privatization of the Medical Services Plan (MSP) would violate the Canada Health Act and potentially jeopardize the privacy of patient data. The province has already signed a $324-million with Reston, Virginia-based Maximus Inc., which will deliver its services through two new Canadian subsidiaries, Maximus BC Health Inc. and Maximus BC Health Benefit Operations Inc. The BCGEU has asked for an injunction that would prevent the partnership from moving ahead until the broader issues in the case can be resolved. The Supreme Court had not made a decision at press time...."

    AOL's EULA: Fear, confusion and a fanatical devotion to legalese ...

    The editorial staff of the Harvard Crimson have produced an opinion piece related to the AOL Instant Messenger privacy fuss. Though the focus is on jargon-laden EULAs (end-user license agreements), privacy notices have may of the same characteristics:

    The Harvard Crimson Online :: Opinion:

    "You've Got Jargon: AOL’s two main weapons are fear, confusion, and a fanatical devotion to legalese

    By THE CRIMSON STAFF

    We do it without a moment’s thought. We click the box and accept the “terms” without pause. What are the actual terms? No one really knows—and, more often than not, no one really cares. But perhaps we should pay more attention to the content of these curious provisos—these End-User License Agreements (EULAs) that accompany most any piece of software. If the new changes to the terms of service of one of America Online (AOL) Inc.’s most popular applications are any indication, it’s easy to pull a fast one on unassuming customers without any real accountability. In their current, indecipherable form, however, it’s safe to assume that people will continue to “agree” to these terms without thinking. It is essential that EULAs be more up-front and comprehensible; they should be written in “plain English” to avoid any underhanded policies that might require signing away one’s soul—inadvertently.

    The changes in question affect something very dear to almost any Harvard student, and increasingly almost any person who owns a personal computer, cell phone, or other trendy technological device that allows for epistolary e-interaction. And it stirs paranoia in anyone who generally enjoys the world of impersonal, anti-social online banter. That is, it affects the users of the ubiquitous AOL Instant Messenger (AIM).

    AOL’s new terms, affecting anyone who downloaded AIM after Feb. 4, 2004 as well as anyone planning to update the program in the future, explain that, “by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium. You waive any right to privacy.” Frightening words, indeed....."

    Daniel Solove, Chris Hoofnagle propose a new model privacy regime for the United States

    Danile Solove of GWU Law School and Chris Hoofnagle of EPIC have jointly produced a model of privacy regulation as a basis for discussion for privacy law reform in the United States. Reading it from a Canadian perspective, it looks a lot like the Canadian Standards Association Model Code for the Protection of Personal Information that is now the law, via the Personal Information Protection and Electronic Documents Act.

    SSRN-A Model Regime of Privacy Protection by Daniel Solove, Chris Hoofnagle:

    "Abstract:
    VERSION 1.1

    Privacy protection in the United States has often been criticized, but critics have too infrequently suggested specific proposals for reform. Recently, there has been significant legislative interest at both the federal and state levels in addressing the privacy of personal information. This was sparked when ChoicePoint, one of the largest data brokers in the United States with records on almost every adult American citizen, sold data on about 145,000 people to fraudulent businesses set up by identity thieves.

    In the aftermath of the ChoicePoint debacle, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems.

    What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as Choicepoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We welcome input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We invite criticisms and constructive suggestions, and we will update this Model Regime to incorporate the comments we find most helpful and illuminating. We also aim to discuss some of the comments we receive in a commentary section. To the extent to which we incorporate suggestions and commentary, and if those making suggestions want to be identified, we will graciously acknowledge those assisting in our endeavor.

    Notice, Consent, Control, and Access
    1. Universal Notice
    2. Meaningful Informed Consent
    3. One-Step Exercise of Rights
    4. Individual Credit Management
    5. Access to and Accuracy of Personal Information

    Security of Personal Information
    6. Secure Identification
    7. Disclosure of Security Breaches

    Business Access to and Use of Personal Information
    8. Social Security Number Use Limitation
    9. Access and Use Restrictions for Public Records
    10. Curbing Excessive Uses of Background Checks
    11. Private Investigators

    Government Access to and Use of Personal Data
    12. Limiting Government Access to Business and Financial Records
    13. Government Data Mining
    14. Control of Government Maintenance of Personal Information

    Privacy Innovation and Enforcement
    15. Preserving the Innovative Role of the States
    16. Effective Enforcement of Privacy Rights "

    Thanks to PrivacvSpot for the pointer: Draft of a Model Privacy Regime (Part One) | PrivacySpot.com - Privacy Law and Data Protection.

    Incident: Hacker Accesses Thousands of Personal Data Files at CSU Chico

    Yet another university security incident involving personal information, this time from CSU Chico:

    Hacker Accesses Thousands of Personal Data Files at CSU Chico:

    "Officials at CSU Chico are notifying thousands of current, former and prospective students, faculty and staff that a computer hacker accessed their names and Social Security numbers.

    The letters detailing the personal information breach are going out now. The university's computer monitoring system caught some unauthorized software on the network in early February and determined that someone had broken into a computer server at the university's housing and food service center last July. The hacker had installed software to store files on the server. The individual also attempted to break into other computers.

    In the eight months since the breach, university officials said it doesn't appear the hacker actually accessed personal data. 'Even though we didn't find proof that the data had been compromised, because the person had access to the system we wanted to send out the notification as a precaution,' said CSUC Information Security Officer Brooke Banks...."

    Thursday, March 17, 2005

    Westlaw Agrees to Stop Selling Social Security Numbers, Schumer Urges Other Companies to Follow Suit

    Thanks to Sabrina at beSpacific (beSpacific: Westlaw Announces Restricted Access to Personal Data) for pointing me to the following press release by Senator Schurmer, who is announcing that Westlaw has agreed to limit access to social security numbers in its databases:

    Westlaw Agrees to Stop Selling Social Security Numbers, Schumer Urges Other Companies to Follow Suit:

    "FOR IMMEDIATE RELEASE: March 17, 2005

    Westlaw Ends SSN Sales to Private Companies, Greatly Limits Sale to Law Enforcement, Other Public Agencies

    Senator Introducing Comprehensive Privacy Legislation Soon, Westlaw Supports Provisions in Schumer ID Theft Prevention Bill

    After meeting with top executives last night, Sen. Charles Schumer (NY) announced today that Westlaw would be taking major steps to close large loopholes in its data search systems which previously allowed access to millions of Social Security numbers and other personal information. Peter Warwick, the head of Westlaw, thanked Sen. Schumer for raising important questions about privacy, and he has directed his company to take decisive action to close the privacy loopholes Schumer highlighted in letters and conversations. Westlaw undertook a complete review of its systems and made significant changes in its dealings with its clients.

    Schumer said, “The steps that Westlaw has taken to close privacy loopholes and protect consumers from identity theft are a model for the rest of the data broker industry. This is a victory for consumers and big loss for criminals who want to steal your Social Security number and your identity. Identity theft costs consumers and businesses an estimated $5 billion per year and I’m happy that we’re making progress reduce that financial burden on American families.”

    In their meeting on Wednesday night, Westlaw informed Sen. Schumer that:

    • 85% of those who had access to Social Security numbers on Westlaw’s database do not anymore.
    • No corporate clients have access to Social Security numbers anymore.
    • Eliminated government clients’ access for full Soc. Sec. numbers, including the U.S. Senate, and are working to restrict access to non-law enforcement personnel at other government agencies.
    • Will not sign new contracts that would allow full access to Soc. Sec. numbers.
    • Individuals who still have access will be screened by Westlaw, and are working towards individualized password access for those who have been screened.

    Westlaw also expressed its support for Schumer’s efforts to enact legislation addressing ID theft, including the distribution and sale of Social Security numbers except to law enforcement; support regulation of data brokering."

    Incident: Boston College alumni database breached

    Not only another one to add to the incident list (PIPEDA and Canadian Privacy Law: Summaries of incidents cataloged on PIPEDA and Canadian Privacy Law), but yet another university incident:

    Boston College reveals alumni data breach | Tech News on ZDNet: "Boston College is fighting against an attack on its fund-raising databases, which may have exposed the personal data of more than 100,000 alumni.

    College representatives said Thursday that the school was the target of a virus attack on a computer housed in a campus calling center used by students to solicit donations from alumni. According to Boston College spokesman Jack Dunn, the machine in question is managed by a third-party IT service, which the school has chosen not to publicly identify.

    Dunn said the company noticed a spike in the computer's activity during a routine maintenance operation and discovered a virus on the device that was attempting to use the database to launch attacks on other systems. The machine was then taken offline and examined in order to determine the extent of the attack.

    No other computers were found to be affected by the virus, he said...."

    Wednesday, March 16, 2005

    Letters to HIV positive Palm Beach County residents come as a surprise following e-mail gaffe

    A little while ago, I blogged about the accidental e-mailing of a list of HIV positive residents of Palm Beach County in Florida (see PIPEDA and Canadian Privacy Law: E-mail gaffe reveals HIV, AIDS names). Now, a number of HIV patients in the same county have received anonymous letters indicating their names had appeared on a list of HIV/AIDS patients in the county. County officials say the incidents are unrelated, but the coincidence is puzzling:

    Letters a shock to HIV positive:

    "Palm Beach County's health chief says an anonymous mailing is separate from the e-mail leak.

    By Jane Daugherty
    Palm Beach Post Staff Writer

    Wednesday, March 16, 2005

    WEST PALM BEACH — Three law enforcement agencies have launched a criminal investigation to find out who is sending letters threatening the privacy of the 4,500 AIDS patients and 2,000 people who are HIV-positive in Palm Beach County.

    One of the recipients of a letter postmarked March 8 told The Palm Beach Post Tuesday, "I'm very upset about this. I've been HIV-positive for a long time and, thankfully, I'm OK, but I'm looking for a job. Who is going to hire me if someone reveals my HIV status? This is a terrible thing."

    He gave his name and phone number but asked that he not be identified in print because of the stigma associated with AIDS.

    The otherwise innocuous letter with no return address that he and others received at their homes last week said, "Your name appeared on a list of HIV/AIDS patients for Palm Beach County."

    A list of patients was inadvertently e-mailed last month to 800 Palm Beach County Health Department employees, but health officials do not believe the recent mailing used the same list because it did not include addresses.

    "This is a separate incident, and I regard this as terrorism," department Director Dr. Jean Malecki said Tuesday. She confirmed that she turned two of the letters over to law enforcement investigators Tuesday and asked for a criminal investigation...."

    NYT: How Billions of Pieces of Information Are Bought and Sold

    The New York Times is continuing their coverage of the Senate hearings on the ChoicePoint/BofA/Lexis incidents with an article on what information is bought and sold, and where it comes from:

    The New York Times > Business > How Billions of Pieces of Information Are Bought and Sold (reg'n req'd):

    "How much data on how many Americans are they dealing with?' Sen. Richard C. Shelby, the Alabama Republican, asked the head of the Federal Trade Commission last Thursday, during a hearing on identity theft and the data broker industry.

    The F.T.C.'s chairwoman, Deborah Platt Majoras, explained that the industry's scope was difficult to gauge. But individual data brokers 'can have billions of pieces of data regarding consumers,' she said.

    'A treasure trove of all the financial privacy information, in a sense, isn't it?' Mr. Shelby asked.

    'Yes, indeed,' said Ms. Platt Majoras, who delivered similar testimony before a House subcommittee on Tuesday of this week..."

    Conference: The PIPEDA Project

    On Friday, the University of Toronto is hosting a conference entitled Implementing PIPEDA: A review of Internet privacy statements and on-line practices. It looks like a good program. I'm particularly looking forward to the session about the meaning of the Englander v Telus decision, which includes Mathew Englander himself and Telus' privacy officer.

    I am also informed that it will be available the the world at large via webcast. Go to Conference Webcast Information for info on how to hook up via Real Player and how to post questions for the panelists via the public forum.

    The root causes of identity theft

    Dennis Bailey in the Open Society Paradox raises a very interesting question about the root causes of identity theft. In his view, it is not the fault of the organization that leaks personal information to identity thieves. Rather, he says, it is the credit grantors who provide credit facilities to the impostors.

    The Open Society Paradox: Tonight's Reflection on ChoicePoint:

    "ChoicePoint is being crucified for not having done due diligence to verify the identity of the individuals who stole data. Why aren't financial institutions being held to the same standard when it is their giving of accounts to identity thieves which is at the core of the problem. Don't they also have a responsibility to verify the identity of their customers? Fix that part of the equation with improved identification and biometrics and ChoicePoint's data becomes a non-issue. Can't anyone see the waterfall for the river that Congress is heading down? If I've said it once, I've said it a million times, you can't lock down data in the information age. You can only prevent its misuse."

    It does take two to tango ...

    What's the root of identity theft

    Dennis Bailey in the Open Society Paradox raises a very interesting question about the root causes of identity theft. In his view, it is not the fault of the organization that leaks personal information to identity thieves. Rather, he says, it is the credit grantors who provide credit facilities to the impostors.

    The Open Society Paradox: Tonight's Reflection on ChoicePoint:

    "ChoicePoint is being crucified for not having done due diligence to verify the identity of the individuals who stole data. Why aren't financial institutions being held to the same standard when it is their giving of accounts to identity thieves which is at the core of the problem. Don't they also have a responsibility to verify the identity of their customers? Fix that part of the equation with improved identification and biometrics and ChoicePoint's data becomes a non-issue. Can't anyone see the waterfall for the river that Congress is heading down? If I've said it once, I've said it a million times, you can't lock down data in the information age. You can only prevent its misuse."

    It does take two to tango ...

    Tuesday, March 15, 2005

    ChoicePoint CEO on the hot seat in Senate Committee Hearings

    As reported last week, the US Senate Banking Committee is holding hearings to investigate the recent rash of incidents involving personal information (See: PIPEDA and Canadian Privacy Law: Senate Banking Committee to hold hearings on security of sensitive consumer information and PIPEDA and Canadian Privacy Law: Senate Banking Committee hearings on recent privacy incidents).

    The CEO of ChoicePoint was scheduled to appear last week, but the committee ran out of time. Well, he appeared today and, according to MSNBC, he was put on the hot seat by the members of the committee:

    MSNBC - ChoicePoint CEO grilled by Congress:

    "Members of Congress grilled ChoicePoint CEO Derek Smith on Tuesday, demanding the company do more to protect customers in the wake of the massive information leak at the database giant.

    'The incident has caused us to go through some serious soul searching,' Smith said, testifying at a hearing held by the House Subcommittee on Commerce, Trade, and Consumer Protection."

    I expect that the prepared statements and transcripts will soon be available from the Committee's website: U.S. Senate Committee on Banking, Housing, and Urban Affairs.

    Update: The New York Times has coverage of the hearing here: The New York Times > Business > Data Broker Executives Agree Security Laws May Be Needed

    New PIPEDA finding: Collection of health information by employer

    The first summary finding of 2005 has been released by the Canadian Privacy Commissioner. In it, the Commissioner concludes that the complainant's employer did not violate PIPEDA by seeking medical information about the employee who occupies a "safety sensitive" position. The complainant also alleged that the employer collected information directly from his/her physician without consent, a complaint that was well-founded.

    Commissioner's Findings - PIPEDA Case Summary #287: Request for medical information deemed reasonable, but consent procedures not properly followed - January 5, 2005 - Privacy Commissioner of Canada:

    "...An employee of a transportation company made two allegations against his employer: (1) that his employer was requiring him to provide more medical information than necessary and would not allow him to return to his position until he supplied the information; and (2) that the company obtained medical information about him from his doctor without his consent...."

    I am informed by a colleague who made an inquiry of the Office of the Privacy Commissioner that finding summaries are going to be published less frequently than in the past. This is unfortunate. Desipte their serious shortcomings, these findings provide the only insight into the Commissoner's thought process and also make good case studies to teach companies how to deal with PIPEDA.

    Monday, March 14, 2005

    AOL goes back to the drafting board on its AIM Privacy Policy

    CNET News is reporting that AOL is planning to redraft its "inartfully drafted" privacy statement to clarify that they do not require users to waive their rights to privacy. Or, depending upon whom you believe, to back off from their original plan to have users waive their rights to privacy.

    AOL clarifies IM privacy guarantee | CNET News.com:

    "America Online said late Monday that it plans to revise its user agreement in response to concerns that instant messages sent through the company's service could be monitored.

    The new policy for AOL Instant Messenger, or AIM, will stress that the company does not eavesdrop on customer's conversations except in unusual circumstances such as a court order, an AOL spokesman said..."

    I bet there's a room full of lawyers busily redrafting the policy while I write this.

    As a more than casual observer of privacy incidents and damage control, it will be interesting to see what the blogsphere will have to say about this. Many, I am sure, will be waiting for the final re-draft before cutting AOL any slack. My next prediction: The mainstream media will pick up on the original story for tomorrow's papers. To AOL's distress, I predict that many will not cover the proposed re-draft, resulting in more adverse publicity and greater damage control efforts.

    Rob Hyndman wades into the AOL debate

    Fellow Canadian blogger and technology lawyer, Rob Hyndman, is quoted in eWeek discussing the AOL Terms of Service that have caused such a stir recently. I have to say that I agree with his observations about how easy it is to draft something heavily in favour of your client which may not be entirely appropriate given the circumstances. Read his contributions here:

    AOL: AIM Conversations Are Safe:

    "....Rob Hyndman, a technology lawyer based in Ontario, pointed out that the terms of service covers the entire AIM product and does not explicitly exclude instant messaging.

    'I think the AOLs of the world don't take the impact their TOS [terms of service] have on users seriously enough, generally because they have market power and the customer doesn't,' Hyndman told eWEEK.com, arguing that the AIM terms of service appears all-encompassing."

    eLegal Canton: RFID in schools

    David Canton's most recent technology law column for the London Free Press focuses on RFID in schools and a controversial pilot project that took place in California: Program a privacy concern (subtitle: RFID - A New Type of Tag at School).

    Experiment: Tracking an anticipated privacy backlash

    This is just an experiment. I predicted in an earlier post that the mainstream media will likely pick up on the AOL Instant Messenger Terms of Use controversey that is ripping through the geek scene and the blogosphere (See: PIPEDA and Canadian Privacy Law: AOL makes users waive privacy and purports to own users' instant messages). I may be wrong, but I'm going to do an experiment. I'll try to stay on top of the story to see if the ordinary media pick up on it, if there is a backlash and to see how AOL handles it.

    At the moment, the story is mostly confined to the Slashdot, FARK and blog scene. Google News search is showing at least nine stories on the sites it regularly spiders:

    AOL Instant messenger users `waive right to privacy
    PC Pro, UK - 25 minutes ago
    AOL has raised some eyebrows - to say the least - over licence changes to its AIM instant messaging service. Under the revised terms ...

    AOL's Terms of Service Update for AIM Raises Eyebrows
    eWeek - Mar 12, 2005
    America Online, Inc. has quietly updated the terms of service for its AIM instant messaging application, making several changes ...

    N0 privacy 4 u, LOL!!!!!
    Houston Chronicle - Mar 12, 2005

    By DWIGHT SILVERMAN. . . . .by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents ...

    America Online updated TOS raises Privacy Issues
    TechWhack, India - 9 hours ago
    America Online quietly updated their terms of usage of the AOL Instant Messenger which included many changes big enough to upset privacy advocates. ...

    AOL's TOS Change Sparks PR Crisis
    WebProNews, KY - 21 hours ago
    The blogosphere is buzzing this morning over a major privacy change to AOL Instant Messenger's ... The change is sparking outrage because of this quote... ...

    No More Privacy For AOL Instant Messenger Users
    Gear Live, WA - Mar 12, 2005
    At a time when privacy on the Internet is of the utmost importance to many people, AOL has added a new provision to their AIM Terms of Service contract. ...

    AIM's New Terms Of Service
    Slashdot - Mar 11, 2005
    acaben writes "AOL has posted new terms of service for AIM, that include the right for AOL to use anything and everything you send through AIM in any way they ...

    AOL kills AIM privacy
    p2pnet.net, Canada - 12 hours ago
    p2pnet.net News:- You no longer have any right to privacy if you use America Online's AIM software downloaded on or after February 5 last year. ...

    AOL's TOS Update for AIM hackles privacy advocates
    GameSHOUT - Mar 12, 2005
    The revamped terms of service, which apply only to users who downloaded the free AIM software on or after Feb. 5, 2004, gives AOL ...


    AOL is already feeling the heat. The author of the Houston Chronicle Techblog, Dwight Silverman, had a bit of a back and forth with AOL over the topic:

    HoustonChronicle.com - AOL explains its privacy policy:

    "America Online spokesman Andrew Weinstein responded to a request for more information about AOL Instant Messenger's terms of service, which I wrote about Saturday after spotting it on Slashdot.

    The terms would appear to indicate that anything generated using AIM is fair game for AOL to use, which would mean private IM communications are not so private.

    But Weinstein said that's not the case.

    The clause in question specifically refers to something an AIM user might post in a public forum, Weinstein says. He writes:

    The related section of the Terms of Service is called "Content You Post" and, as such, logically and legally it relates only to content a user posts in a public area of the service.

    If a user posts content in a public area of the service, like a chat room, message board, or other public forum, that information may be used by AOL for other purposes. One example of this might be a user who posts a "Rate a Buddy" photo and thus allows AIM to post it for other AIM users to vote on it. Another might be AOL taking an excerpt from a message board posting on a current news issue and highlighting it in a different area of the service.

    ....

    Update: Looks like Weinstein spent his Sunday afternoon hittin' the phones & e-mail, trying to put out this fire. His comments have shown up in several other places, including Steve Rubel's MicroPersuasion blog. Note that a Rubel reader responds there, and remains dubious:

    Andrew I'm glad you posted here but what you are saying makes no sense. By using AIM it is implied I agree to the TOS. The TOS specifically state:
    1) I waive my rights to privacy.
    2) AOL can make money off of the content.

    Content is defined as: Content - Information, software, games, communications, photos, video, graphics, music, sound and other materials provided by or through the AOL Services.

    Communications includes email, does it not?"

    This issue is already causing some problems for AOL. I'll keep you posted on where it goes next ...

    Sunday, March 13, 2005

    Communities Adjust to Medical Privacy Laws

    The Associated Press, via Yahoo! news, is running a story about how health privacy laws mark the end of an era in small town America:

    Yahoo! News - Communities Adjust to Medical Privacy Laws:

    "NELIGH, Neb. - Practices which helped neighbors stay connected in this community of 1,200 and others like it across the country are largely gone - partly because of the nation's new medical privacy laws under the Health Insurance and Portability and Accountability Act.

    It used to be easy for Hope Weaver to comfort friends when they were in the hospital. If she didn't hear that someone needed a visit by word-of-mouth, she'd simply pick up the newspaper, tune in her radio or look at the patient list posted in the hospital's front lobby. 'You like to send people a card or keep in touch with them,' the 79-year-old resident notes...."

    If the communities are so keen on broadcasting the names of those in hospital, why don't they just ask everyone, upon admission, if they want their information spread "the old fashioned way"?

    Debate about MATRIX and its creator

    I've started following The Open Society Paradox, a blog by Dennis Bailey, which offers an alternative to much of the debate on privacy that one sees around the 'net. In one of his latest postings, Dennis discusses an article in Vanity Fair profiling Hank Asher and the very controvertial MATRIX system. MATRIX stands for "Multi-State Anti-Terrorism Information Exchange" designed to mine vast databases to pick out potential terrorists.

    In The Open Society Paradox: A Balanced Article on Privacy, Bailey praises the article for its balance and engages in some blog-to-blog combat with Adam Shostack of Emergent Chaos. I'm not going to wade into the debate but suggest you check out the Vanity Fair article, Dennis' post and Adam's post.

    Saturday, March 12, 2005

    AOL makes users waive privacy and purports to own users' instant messages

    It pays to read the fine print. AOL's Instant Messenger software (AIM) is one of the more popoular IM platforms. Privacy Digest just pointed a reference to AIM's new Terms of Service, which purport to give AOL a blanket right to do whatever they want with users' private messages and require the user to waive all rights to privacy with respect to those messages.

    AIM Terms of Service:

    "...Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such uses...."

    This is exactly the sort of thing that will backfire on a company. It was posted to Slashdot early yesterday (Slashdot | AIM's New Terms Of Service) and it is getting pretty wide coverage. The above terms will make people think that AOL is a proxy for "big brother" or that it is heavy handed or both. I don't think it'll be long before it gets to the conventional media (it's already referred to in the Houston Chronicle Techblog: HoustonChronicle.com - N0 privacy 4 u, LOL!!!!!), which will threaten AOL's proposed move into VOIP services. "If they eavesdrop on my instant messages, can I trust them with my phone calls?."

    It'll be interesting to see how this plays out.

    What's in a name? When it's "Spamalot" perhaps you should expect alottaspam

    Today's New York Times has an interesting and slightly amusing article about a computer glitch on the Spamalot (the Broadway musical) website that may have exposed more than 31,000 to alottaspam.

    The New York Times > Theater > News & Features > What to Expect of 'Spamalot'? A Lot of Spam:

    "'Spamalot' fans who signed up for a newsletter on the Broadway musical's official Web site may end up getting, well, spammed a lot. 'Movin' Out' devotees may have the same problem. A security glitch - now fixed - exposed the names and postal and e-mail addresses of more than 31,000 people to savvy computer users.

    Up until Thursday evening, when a reporter from The New York Times pointed out the problem to the Web sites' developer, visiting a specific address on the shows' sites produced a long page with mailing-list data. The security hole was not obvious to casual Web surfers because the address was buried in the site's code. But it could have been discovered by someone deliberately seeking the list data, or by a kind of program used by spammers to scour the Web for new e-mail addresses to bombard.

    Both montypythonsspamalot.com, where 19,000 people had signed up for a newsletter, and movinoutonbroadway.com, where 14,000 had, were built by Mark Stevenson, a designer in Croton-on-Hudson, N.Y...."

    I'm not sure if this qualifies as an incident as the article only refers to the glitch's potential to expose addresses. I suppose the site maintainer would be able to look at their logs to find out if the page with all the names was ever viewed.

    So many privacy incidents are caused by simple human error, whcih I expect is the cause of this one. I'm on the board of an industry association that recenly allowed the local economic development agency to send an e-mail to its members announcing a very specific event. Unfortunately, someone thought that using a "distribution list" in Outlook would shield all the addresses. Not quite. Every single address was in the "To:" field. So far nobody has complained, but I expect we'll hear more of it. One minor misunderstanding of the technology and it had the potential to upset quite a few people.

    Thanks to Rob Hyndman for reminding me about the article. I saw it very early this morning but forgot to bookmark it for later blogging.

    MSN implements shortened, layered privacy notices on its sites

    According to CNet News, Microsoft has just moved to a shortened privacy statement on all the MSN sites. These provide a high-level overview of the information collected from a specific site and allow you to click for more detail. The window below contains the general MSN Summary Privacy Statement:

    MSN sites get easy-to-read privacy label | CNET News.com:

    "... A standard notice contains six sections covering the scope, information collected, use of the information, consumer choices and company contact information. It also includes a section for important notices to the consumer.

    While their appearance is much simpler, the notices are difficult to write in plain language, McDade said.

    'It was a very hard challenge to summarize (our practices) into a short snapshot and to write it in such a way that people thought it was a fair representation,' she said.

    Microsoft has not yet implemented the shorter form on its main Web site. "

    I usually recommend that my clients use privacy notices that are as reader-friendly as possible. One of the key elements is to make sure the reader does not have to wade through a bunch of stuff to get their questions answered. Once you figure out what most customers who read the notices want to know, put it in a summary at the beginning or somehow highlight those sections in the text. Customers read privacy notices because they are suspicious or have a question. You want to answer the question and alleviate their suspicions. Notices like those implemented by MSN look like they'll do a good job at communicating their policies and practices.

    Incident: Personal information taken in Nevada DMV office break-in

    Thieves made off with a computer from a Nevada DMV office that contained sensitive personal information of 8,900 individuals who had applied for drivers' licenses between November 25 and March 4. The DMV originally said that the drives were encrypted (which would render the information inaccessible to the thieves), but this was not the case. From the Las Vegas Sun:

    Las Vegas SUN: Personal information taken in Nevada DMV office break-in:

    "NORTH LAS VEGAS, Nev. (AP) - Personal information from more than 8,900 people was stolen when thieves broke into a Nevada Department of Motor Vehicles office, officials said Friday.

    A computer taken during the break-in contained names, ages, dates of birth, Social Security numbers, photographs and signatures of southern Nevada residents who obtained driver's licenses between Nov. 25 and March 4 at the North Las Vegas office, state DMV chief Ginny Lewis said...."

    Thanks to PrivacySpot for the pointer: Nevada DMV Thieves Get Personal Information | PrivacySpot.com - Privacy Law and Data Protection.

    Friday, March 11, 2005

    What to do if patient information is stolen

    Doctors Nova Scotia (formerly the Medical Society of Nova Scotia) this week asked me to write a brief article for their website and magazine about what physicians should do if the security of patient information is compromised. The question arises most often in the form of "what if my computer [or PDA] is stolen?"

    I was happy to help since DoctorsNS has been extremely proactive in helping its members to address PIPEDA. In fact, it was for DoctorsNS that I originally wrote the Physician's Privacy Manual (e-mail me - david.fraser at mcinnescooper.com - if you are interested in purchasing a copy).

    Q. With the new privacy law now in force, what measures do physicians have to take to prevent the theft of computers and the like containing confidential patient information and what should physicians do if something like this were to happen?

    A. Since January 1, 2004, the collection, use and disclosure of personal information by private practice physicians in Nova Scotia has been regulated by the Personal Information Protection and Electronic Documents Act, commonly know by its acronym “PIPEDA”. The law covers all aspects of physicians’ responsibilities with respect to patient information and specifically includes an obligation to safeguard personal information against a wide range of risks. Among those risks are loss, theft and inappropriate access. The law does not dictate what specific technological or security measures must employ but it does provide say that the safeguards must be proportional to the sensitivity of the information in question. Because medical records are among the most sensitive, a physician’s responsibilities in this area are proportionately high.

    While PIPEDA is a new law, it does not replace the obligations that physicians have always had to exercise due care to protect their patients from harm caused by the physician’s actions or omissions. The inappropriate disclosure of personal information can undoubtedly cause harm, particularly in this age of identify theft. In addition, individuals entrust their physicians with very sensitive information that may have significant consequences if it is disclosed to others. For example, a patient’s record may contain information about a particular condition that, if disclosed to the individual’s employer, could result in the individual being fired. The inappropriate disclosure of information about a battered spouse may have severe safety repercussions for that patient.

    These rules apply to all patient information, regardless of whether it is written on paper or stored in a computer. Use of electronic systems pose additional risks, simply because large amounts of information may be stored in an easily stolen form. Also, external hackers might access an under-protected system, leaving very little sign that the information has been compromised. Physicians should take all reasonable measures to protect this information against the sorts of threats that may exist, depending upon the circumstances. Locks on doors, virus scanners and computer firewalls immediately come to mind. The encryption of electronic data may also be the last line of defence, meaning that data stored on a stolen hard drive still cannot be accessed by a thief who does not have the password.

    So what should a physician do if he or she believes that patient information may have been compromised? PIPEDA does not specifically say, unlike Ontario’s new Personal Health Information Protection Act which requires all health information custodians to inform an individual at the first reasonable opportunity if that individual’s personal information is stolen, lost, or accessed by unauthorized persons. While physicians likely should contact all affected patients to inform them of a breach or possible breach, whether they are under a legal obligation to do so is unclear. Because the unauthorized access to personal information may put individual patients at risk, the only way that this risk may be mitigated is to inform the patients so that steps can be taken to minimize the harm. The following checklist may be helpful to assist with a physician who believes that patient information may have been lost, stolen or inappropriately accessed:

    • If the incident relates to a theft or malicious intrusion attempt, the police should be notified as soon as possible.
    • The College of Physicians and Surgeons should be notified.
    • Your liability insurer and/or the Canadian Medical Protective Association should be notified.
    • Immediate steps should be taken to prevent the recurrence of the loss; for example, computer servers should be immediately disconnected from potential avenues for intrusion, such as external networks and modems; locks should be changed on the doors if the incident relates to a physical break-in.
    • Carefully consider whether patients should be contacted to allow them to mitigate the effects of the incident.

    Physicians should not attempt to cover up or gloss over any of these incidents, as such actions tend to compound the problem and undermine patient confidence in physicians generally.

    If you have any concerns about the way that personal information is safeguarded in your practice, Doctors Nova Scotia is able to help by referring you to information and specialists that can help minimize the risk to the security of your patient information.

    I note that this article is not legal advice and only pertains to provinces where private practice physicians are governed solely by the Personal Information Protection and Electronic Documents Act (NS, NL, PE, NB and not BC, AB, SK, MB, QC, ON).