Sunday, July 31, 2005

A new way to authenticate your identity?

What is the root cause of the identity theft "crisis"? That depends upon what you consider "identity theft". The term is often used to refer to simple credit card or debit card fraud, but the definition that I use involves impersonating another person to fraudulently obtain a benefit, such as credit facilities. The root cause of this sort of fraud is that it is very easy to impersonate someone, at least to the extent that banks and credit grantors would extend credit on the basis of the faked identity.

Though conventional identification methods, such as driver's licenses, can be faked or can be fraudulently obtained, credit grantors often do not even use such methods to confirm that the applicant is who s/he says s/he is. In most online applications, it seems the credit grantors assume your identity if the information you provide matches what's retrieved from your credit file.

MSNBC is today running an article on two responses to this challenge. The first would be mandatory "fraud alerts" on credit files, so that the credit bureaus are required to confirm that the owner of a credit file consented to its disclosure before handing it over to a lender. The second is a technological method to displace the social security number as the universal identifier.

A new way to authenticate your identity? - Consumer Security - MSNBC.com

"...Several identity theft watchdogs say the bills would neglect the deeper reason why financial fraud is relatively easy: Speed, not identity assurance, is the main priority of U.S. financial institutions that issue credit.

To be sure, the fact that many companies use Social Security numbers essentially as a password — not only are they the key to getting credit, they can also unlock access to an account over the phone — magnifies the problem. That's why Congress hopes to hide the numbers better — by reducing the ways they can be sold, for example, or by prohibiting them from being printed on benefit checks.

Even so, keeping the numbers and other personal data out of the wrong hands likely will remain tricky.

"It's too easy to get to data no matter what the key is, from insiders or hackers or mistakes," said Jody Westby, head of the security and privacy practice at PricewaterhouseCoopers LLP. "What we have to do is make it harder to use the data."

Westby's solution would be quite simple: universal use of the fraud alert, which identity theft victims are allowed to put on their credit reports for seven years. Before any new credit is granted, a card issuer or loan provider is supposed to call them and doublecheck that they, rather than an impostor, really made the application.

Putting everyone on fraud alert status would be a simple way of bringing more personal control to the system, Westby argues, just as do-not-call lists let people decide for themselves whether to talk to telemarketers.

In contrast, the data bills pending in Congress would make a lot of changes at once. Consumer advocates like many of the provisions, such as allowing people to refuse to give businesses their Social Security numbers, requiring more encryption of financial records and demanding widespread disclosure of data breaches....

Australian transit authority flunks Data Security 101

Geoffrey Huntley, an Australian Unix engineer, bought a bunch of used servers from a government auction. When he got back to his office, he fired 'em up. He found that the earlier owners had not even deleted any of the contents of the drives, let alone wiped 'em. Transit administration stuff may be boring, but payroll and e-mail info is much more interesting. Being a blogger, he has written about his find: Geoffrey Huntley - Archive - Data Security 101. Slashdot is dissecting the incident at Slashdot | Govermental Servers Wiped? Never!.

Saturday, July 30, 2005

Hacking in-room hotel systems

In many hotels these days, you can use the room's television to check your bill, check your e-mail and check out of your room. Will miracles never cease? I, for one, never gave any thought to how secure these systems are. That's pretty naive.

If it moves, whirs, clicks, plugs in or connects anything to anything else, someone will try to figure out how it works and what mischief can be accomplished with it. Wired News has interviewed a hacker who, in a fit of boredom and a desire to watch pay movies for free, has figured out the system. What he has found is more than a bit troubling:

Wired News: A Hacker Games the Hotel

"... But one of the most serious vulnerabilities he found was in the billing system. Hotel guests can use their TV to check their account balance. The bill is tied to the room number, which in turn has a unique address that's assigned to the TV.

Laurie could view the bills of other guests and see their room numbers simply by going to a menu that displayed the address of the TV in his room and changing a number in the address to make the TV think it was in a different room.

"If I change that address -- it was A161 and I've now changed it to A162 -- I'm now looking at the bill of the guy next door," he said.

If he wanted to know the names and room numbers of all the guests in a hotel, he could automate the process by writing a simple script to call up sequential TV addresses, then set a video camera on a tripod in front of the TV to capture the bills as they came up.

"That tells me who's in there, who's sharing (the room) with who and what they've been doing," he said. This sort of hack would be useful to any number of people, including paparazzi stalking celebrities and private detectives hired by spouses.

"Why would they connect (the TV) to a billing system?" Laurie asked. "Because they don't think. As far as the hotel is concerned, you're the only person who can see (your bill). But they're sending you confidential data over the air through a broadcast system. It's the equivalent of running an open wireless access point. If I tune my TV to your channel, then I get to see what you're doing."

Laurie could view certain activities of other guests by tuning to other channels or by scanning through all possible channels in the system. That's because when a guest purchases premium content or TV internet access, the hotel system assigns a channel to the guest's room through which to deliver the service. All Laurie had to do was surf the channels.

He produced a slide of his TV screen showing another hotel guest sifting through business proposals in his e-mail.

"He's happily typing away in his room thinking he's privately viewing his e-mail," Laurie said. "But I could be anywhere else in the building watching what's going on (from) the TV. If I was a business rival staying in the same hotel at a conference, I could do a little corporate espionage. I see the (bid) proposal he's putting in and I could go in and put one in that's 10 bucks cheaper." ..."
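The billing flaw Laurie describes is a classic case of trusting a client-editable identifier (the TV address) as proof of who is asking. The following is an added example, written for this post and not code from Wired, Laurie or any hotel vendor: a toy billing service that shows the lookup as described, the same lookup done against a server-side session binding instead, and a small check over the refusal log that flags the sequential-address scanning the article mentions. All room numbers, addresses, guest names, balances and session ids are constructed.

```python
"""Toy model of the hotel TV billing lookup: address-trusting vs. session-bound.

Added example for illustration; not the hotel system's code. All data is constructed.
"""
from collections import defaultdict

# Constructed sample data: bill records keyed by the TV's unique address.
BILLS = {
    "A161": {"room": 161, "guest": "Guest One", "balance": 212.50},
    "A162": {"room": 162, "guest": "Guest Two", "balance": 48.00},
    "A163": {"room": 163, "guest": "Guest Three", "balance": 0.00},
}

# Server-side binding made when the set-top box came up on its physical port:
# session id -> the TV address the hotel itself assigned. The viewer never
# gets to edit this mapping. (Constructed; session ids are placeholders.)
SESSIONS = {"sess-room161": "A161", "sess-room162": "A162"}


class AuthorizationError(Exception):
    """Raised when a request does not match the session's own room."""


class BillingService:
    def __init__(self, bills, sessions):
        self.bills = bills
        self.sessions = sessions
        self.audit = []  # (session_id, requested_address) for every refusal

    def vulnerable_lookup(self, tv_address):
        """The flaw as described: whatever address the TV menu sends back is
        accepted as the viewer's identity, so changing A161 to A162 on the
        client returns the neighbour's bill."""
        return self.bills.get(tv_address)

    def lookup(self, session_id, requested_address=None):
        """Identity comes from the server-side session binding only. A
        client-supplied address is allowed purely as a consistency check; a
        mismatch is refused and recorded rather than honoured."""
        bound = self.sessions.get(session_id)
        if bound is None:
            raise AuthorizationError("unknown session")
        if requested_address is not None and requested_address != bound:
            self.audit.append((session_id, requested_address))
            raise AuthorizationError("requested address does not match session")
        return self.bills[bound]

    def is_denied(self, session_id, requested_address):
        """True if the hardened lookup refuses this request."""
        try:
            self.lookup(session_id, requested_address)
        except AuthorizationError:
            return True
        return False

    def probing_sessions(self, threshold=2):
        """Sessions that were refused for `threshold` or more distinct foreign
        addresses: the sequential-scan pattern worth paging someone about."""
        seen = defaultdict(set)
        for sid, addr in self.audit:
            seen[sid].add(addr)
        return sorted(sid for sid, addrs in seen.items() if len(addrs) >= threshold)


if __name__ == "__main__":
    svc = BillingService(BILLS, SESSIONS)
    print("vulnerable, asked for A162:", svc.vulnerable_lookup("A162"))
    print("hardened, own session:", svc.lookup("sess-room161"))
    print("hardened, asked for A162:", svc.is_denied("sess-room161", "A162"))
    svc.is_denied("sess-room161", "A163")
    print("probing sessions:", svc.probing_sessions())
```

Note that this only addresses the authorization half of Laurie's complaint. His second point, that the bill and the guest's browsing are delivered over a broadcast channel anyone can tune into, is a confidentiality problem that no server-side check fixes; that needs the content to be encrypted per session rather than sent in the clear.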

Don't worry, your data is password protected. Yeah? How?

Many security and privacy incidents are caused by stolen computers, both laptops and desktops. Often you hear the phrase "Don't worry, the information is password protected." The next question has to be "What kind of password protection?"

Many people think that requiring login passwords in Windows provides an effective level of security for the data on the computer.

Not true.

Ok, maybe it'll take a determined hacker a month to get through?

Not true.

Maybe you need the kind of James Bond tools that the CIA and computer forensics folks have access to?

Not true.

This may be old news to those in the security business, but anybody with an internet connection and physical access to the computer in question can use a free online system to "recover" those pesky passwords that you've "lost". Thanks to Inter-Alia for pointing to Windows XP Login Recovery, which is a free online service that'll crack the password file that you can get off any XP computer with a simple boot disk. I assume that once you have the password, you can have access to all the stuff on the drive that has been encrypted using Windows' native encryption, too.

Scary stuff.

Incident: Detroit Doctor's Office Faxes Woman's Records To Stranger

Rescue 4 from Detroit got a call from someone who had received a stranger's medical records via fax machine. The documents were meant for the woman's lawyer, but the doctor misdialed: Doctor's Office Faxes Woman's Records To Stranger - Yahoo! News.

Incident: Austin Peay State Has Security Breach On Website

Yet another security/privacy incident at a US university:

Austin Peay State Has Security Breach On Website

"There's been a security breach at Austin Peay State University. Social Security numbers, grades and other personal information of nearly 1,500 students were accessible to anyone visiting the school's Web page...."

Incident: Computer breach leaves San Diego county personnel vulnerable

System administrators at the San Diego County Employees Retirement Association have discovered that someone has illicitly gained access to the Association's database that contains sensitive personal information about members, including current law enforcement officers:

Computer breach leaves county personnel vulnerable - North County Times - North San Diego and Southwest Riverside County News

"SAN DIEGO ---- A computer breach may have exposed more than 32,000 current and former San Diego County employees to financial danger and may have revealed the closely guarded home addresses of some 5,000 law enforcement personnel, officials said Friday.

Two computers containing names, Social Security numbers, dates of birth and addresses of current and retired San Diego County employees and their assigned departments were apparently hacked last week, San Diego County Employees Retirement Association leaders said.

...

Brian White, executive director of the association, the independent agency that manages the county's $6.3 billion pension fund, said Friday that the association was busily mailing warnings to its members about the breach.

...

However, a number of officials on Friday said they were even more troubled by the fact the information ---- if it was downloaded ---- contained the home addresses of all current and retired members of the San Diego County Sheriff's Department and district attorney's office.

Friday, July 29, 2005

CardSystems made its choices clear

The chorus in favour of stronger privacy protections is getting louder. Daniel Hanson, at SecurityFocus, has written an opinion piece at that website, calling for greater laws to deal with incidents like the CardSystems breach:

CardSystems made its choices clear

"... The latest news in this escapade is that CardSystems has now lost the contracts it had, and also faces corporate extinction. Now some reading this may be cheering a little, or perhaps a lot, at the karmic balance of CardSystems potentially paying the ultimate price for their cavalier attitude. However other people are suggesting that this corporate extinction might come as a result of misguided notification laws implemented in California, and that without the mandated public disclosure and the resulting firestorm of controversy, the company could have fixed its problems quietly and kept on serving its shareholders and customers. I think that both of these views are misguided and miss the truth.

CardSystems violated a contractual agreement that was put in place by the companies it served. It's that simple. CardSystems kept data in an insecure fashion, with no concern given to the minimum security and encryption standards that it was required to implement. I fail to see why legislation on data protection would change this situation. CardSystems was already required to maintain a certain level of security and failed to do that. In one report, Bruce Schneier mentioned that this was a common problem with contractual obligations: the fact that auditing is hard. Therefore I cannot see why changing a contractual agreement into a legislated law will make auditing any easier. To draw another comparison, did the fact that they were violating laws affect the behavior of the people at Enron?

Many companies have a long way to go in the security world, and yet the one sector of our civilian society that tends to get information security is the banking and financial industry. Sure they aren’t perfect, but in my experience they are heads and tails better than almost anyone else that I deal with at understanding data privacy. In the case of CardSystems, however, the industry insisted that minimum standards be maintained, outlined what those minimum standards were, and yet much of that was ignored. CardSystems, if it does go bankrupt, will have done so because they willfully violated a contractual obligation, not because of disclosure laws, or public pressure. Would you use a company that had willfully violated previous contracts? Would you want your credit card company to supply your data to that company? I cannot see why repealing disclosure laws and helping to mitigate the lynch mob mentality that can follow a mistake changes the fact that CardSystems violated a contract, and that contract violation is what has brought about this imminent death. I await the forthcoming laws that attempt to prevent something like this from ever happening again. Meanwhile, I continue to check my credit-card statement, bank statements and never give out my Social Insurance Number (or SSN) unless I absolutely have to. I wonder if any of the legislators who are outraged by this would give me their mother’s maiden name, birth-date and the name of their first pet? ..."

The language of privacy

Timothy Grayson at recursiveProgress has been mulling over the recent decision of the federal Privacy Commissioner about secondary marketing (see The Canadian Privacy Law Blog: PIPEDA and non-personalized secondary marketing). He's also been thinking about what Professor Michael Geist has had to say about it (see: Michael Geist - Building a Privacy Culture from the Ground Up). All of this has left him a little confused about what this has to do with "privacy" as the term is understood by most people:

recursiveProgress: I guess I just don't understand Privacy.

"...What makes less sense is what comes of that foundational premise. First, the Commissioner and Geist take the position that these "secondary marketing" materials are an unauthorized use of customers' personal information. Interesting. With reference to the online practice of ensuring opt-out from mailings of "other interesting and valuable information from associated companies," I see the consistency. I, a customer, did not specifically allow you, the business, to send me any information beyond that which relates directly to the service you are providing. OK. But what does that have to do with privacy?

The bank under scrutiny notes that it bulk mails such enclosures to all its customers with their regular statements. The mailings are apparently not individuated and personalized by customer. Moreover, the envelope is a means to convey an essential element in the provision of the service: the statement. That it also affords a fabulous, paid channel to the individual for added messaging is a bonus not especially different than having sponsor's signs painted on hockey rink boards, commercials on television, ads in magazines, or . . . Yes, no doubt, the paper that is received inside the envelope, inside my house, is much more insidiously annoying and difficult to block out like those other ads. Yes, they are inside my house and therefore have breached my territory (without my desire or approval). All true. So what? ..."

In a further posting (recursiveProgress: I still don't understand privacy, but maybe it's a language barrier), he muses that perhaps there is a problem with the language and terminology of this particular discussion.

"...The point of this entire pedantic diatribe is that I think the language -- the vocabulary --we're using to create and discuss digital identity is a holdover from a different time and place. While it is valid and necessary to some degree during this transitional period because it creates a shorthand for getting to ideas and provides essential continuity with the past, the baggage that this vocabulary brings with it is weighing down and impeding effective discussion about what is and where it's going. In this case, we're applying 17th or 18th-century definitions of private and privacy in a 21st-century world.

Some people like the old vocabularies: they're comfortable and easy. New vocabularies are hard work and cause tremors of their own accord. Some would suggest it is more important to focus on the practical issue at hand than with the pissy notion of the vocabulary by which we discuss these issues. Others -- like the Cluetrainers and Kim Cameron, even Dick Hardt -- are busy dealing with changing the language. Is "identity meta-system" an appropriate word or description? Maybe, maybe not. Doesn't really matter. What matters is that the word is (sort of) new and the opportunities for it are endless. ..."

Thanks to Rob Hyndman for pointing me to Grayson's postings.

Survey: ID theft takes time to wipe clean

A nationwide survey of 1,097 ID theft victims in the US shows that it takes quite some time and effort for victims to clear their names. One third of the victims blame the internet for disclosing their information. Other info:

USATODAY.com - Survey: ID theft takes time to wipe clean

"...The typical ID-theft victim is in his or her 40s, white, married, college-educated and with annual income of $50,000 to $75,000, the Nationwide survey says.

Someone such as Scott Cummins, 45, who works at an insurance company in Ohio. He did not take part in Nationwide's survey, but his case is indicative of what happens to many ID-theft victims.

In early 2003, a crook who swiped Cummins' name and Social Security number opened two credit card accounts under the name C. Scott Cummins.

More than $4,000 was charged to the cards. Cummins discovered the fraud when a collection-agency rep called him, demanding payment, in October. Cummins requested a credit report, contacted the card issuer and, 45 days later, the mess was cleaned up, he says. "The biggest hassle I've ever been a part of in my life." Cummins isn't taking any chances. "I'm on my second shredder," he says."

Thursday, July 28, 2005

Automatic Surveillance Via Cell Phone

Bruce Schneier always has interesting things to say about privacy and security. Today, he points to a research project carried out at MIT in which volunteers allowed their cell phones to report back tracking data. The aggregated data was mined to reveal interesting insights into the individual phone users.

Schneier on Security: Automatic Surveillance Via Cell Phone:

"...This is worrisome from a number of angles: government surveillance, corporate surveillance for marketing purposes, criminal surveillance. I am not mollified by this comment:

People should not be too concerned about the data trails left by their phone, according to Chris Hoofnagle, associate director of the Electronic Privacy Information Center.

'The location data and billing records is protected by statute, and carriers are under a duty of confidentiality to protect it,' Hoofnagle said.

We're building an infrastructure of surveillance as a side effect of the convenience of carrying our cell phones everywhere."

There's some interesting discussion in the post's comments, too.

EU Data Retention Directive

Thanks to beSpacific for pointing to a draft European Union directive for the retention of communications data.

"The European Commission has finally produced its draft directive on data retention. According to the Commission, all fixed and mobile telephony traffic and location data from all private and legal persons should be stored for 1 year. Data about communications 'using solely the internet protocol' should be stored for 6 months."

Summary of US federal legislative privacy initiatives

Declan McCullagh and Anne Broache of CNET News.com have a handy summary of the legislative initiatives to deal with ID theft that are currently stewing in various congressional committees over the summer: Senate moves toward new data security rules | CNET News.com.

Congress Urged to Get Tough on Identity Theft; Consumers Union Outlines Needed Reforms as Senate Committees Take Up ID Theft Protection Bills

Consumers Union is wading into the debate on law reform around ID theft and privacy incidents. The group has issued a press release that calls for the following protections:
Congress Urged to Get Tough on Identity Theft; Consumers Union Outlines Needed Reforms as Senate Committees Take Up ID Theft Protection Bills - Yahoo! News

"Meaningful notice about data security breaches: Consumers need to be notified whenever sensitive information about them has been compromised so they can take steps to protect themselves against identity theft. Congress shouldn't allow the company that has experienced the breach to decide on its own when the breach may cause harm to consumers. Consumers cannot count on companies to do a good job evaluating whether they are at risk of identity theft when so many of them have demonstrated such a poor track record keeping information safe.

Strict new data security rules: Congress must impose strong requirements on information brokers to protect the information they hold and to screen and monitor the persons to whom they make that information available.

Protect Social Security numbers: In this information age, Social Security numbers have become widely accessible and are the key used by crooks to steal identities and unlock credit files. Restrict the sale, collection, use, sharing, posting, display and secondary use of Social Security numbers.

Give all consumers the right to freeze credit files: A security freeze enables consumers to prevent anyone from looking at his or her own credit files for purposes of granting credit unless the consumer chooses to let that particular business look at the information. This gives the consumer control over who has access to the information needed to process a credit application and prevents crooks from opening up new accounts using stolen information. When the consumer is applying for credit, the freeze can be lifted temporarily so the application can be processed. Ten states have adopted some form of security freeze for consumers.

Limit preemption of state safeguards: States have been innovators in the field of identity theft and Congress should preserve the ability of states to develop new ways of protecting consumers. Congress should set a minimum standard of consumer protection for everyone, allowing states to give their residents additional safeguards."

Wednesday, July 27, 2005

Are Subway Searches Legal? - The rules for searching bags

Since cops in New York have started searching subway passengers' bags, I'm sure that there are a number of people asking the question answered in today's Slate: Are Subway Searches Legal? - The rules for searching bags. By Daniel Engber.

Tuesday, July 26, 2005

Bill Gates will be frisking you with a simple point and click

Users who visit the Microsoft website looking for patches and upgrades will find their computers and software being probed as part of an attempt to crack down on pirated software. To be eligible for patches (other than security fixes), your software will be audited to see if "U R Legit". No surprise, but there are some concerns about privacy when Microsoft rummages through your PC, particularly after other companies have covertly collected personal information through similar means.

The Globe and Mail: Bill Gates will be frisking you with a simple point and click

"It sets an extremely negative precedent," Pam Dixon, executive director of World Privacy Forum, a non-profit public-interest research centre in San Diego, said of the company's initiative. "Microsoft is saying, 'Before I let you do anything at all, you have to open your computer to us.' I really object to this."

The company will scan machines for a variety of information, including product keys or software authorization codes, operating-system version and details on the flow of data between the operating system and other hardware, such as printers.

It is access to this information that particularly upsets the privacy advocates. Ms. Dixon says the only information Microsoft needs to fight piracy is the product key and the operating-system version, and she says that Microsoft will be able to identify users uniquely based on some of the information the company collects.

"They are grabbing more information than they need to deter piracy," she said.

...

Microsoft said no personal data will be collected during the validation process, and information will remain completely anonymous. The company said it commissioned TÜV-ITÖ, an independent German security auditor, to test how well its Windows Genuine Advantage program protects customers' data, and the firm concluded that Microsoft does not collect any personal information that would allow it to identify or contact a user.

Main Street in the Cross Hairs

The New York Times is reporting on how small retailers without the security or IT expertise of their larger competitors are becoming easy pickings for data thieves who use basic wireless technology to take personal and credit card data from the airwaves: Main Street in the Cross Hairs - New York Times.

Who's minding the store (of private data you gave up)?

Today's USA Today has an op-ed on privacy and the little bits of data that consumers are willing to give up in exchange for a bit of convenience or a discount. There aren't any great revelations in the article, but it is an example of how the call for greater regulation is moving front and centre in the mainstream media:

USATODAY.com - Who's minding the store (of private data you gave up)?

"Several recent developments have chipped away at privacy:

• Invisible surveillance. Information is increasingly collected without the knowledge, much less permission, of those giving it up. "Black boxes" the size of cigarette packs have been installed in 40 million vehicles to monitor speed, seat-belt use and more. Only five states require that car buyers be informed of its presence. From Philadelphia to Chicago to Los Angeles, surveillance cameras are on silent watch in public spaces. London's recent success in capturing photos of terrorists has fed the calls for more.

• Collection mania. Data mining is big business. Companies vacuum up data from public and private sources, aggregate it, analyze it and sell it to buyers ranging from private companies to the CIA. Any one item is not very invasive, but when birth certificates, credit histories, real estate deeds, military records and insurance claims are pulled together, they paint intimate pictures. If errors exist, the public has no way to know or demand fixes.

• Data thefts. In recent months, breaches involving banks, credit card processors, colleges and the biggest of the data brokers, ChoicePoint, have left millions of people vulnerable to identity theft. Legislators and the companies themselves have done little to correct the problem.

• Government mischief. Collection of information by the government is often fraught with errors and overreaching. The Transportation Security Administration's "no-fly" list has repeatedly ensnared innocent travelers. The agency was rapped again Friday for violating privacy while trying to create another program to screen fliers.

It's easy to sympathize with the goals of much of this data collection, whether safer driving or terrorism prevention. But it might be possible to reach those goals less invasively.

Congress and state lawmakers need to establish basic protections for all information. Businesses need to realize they can profit more by viewing consumers as partners, not as pesky subjects for dossiers. Individuals will need ways to monitor data about themselves.

Fighting technology is no answer. It won't work. Nor is surrendering to Big Brother. A palatable compromise should involve an active government, private ingenuity and an involved public. Perhaps that's what's finally taking off in Orlando."

Monday, July 25, 2005

N.Y. Diabetes-Tracking Plan Draws Concern

I blogged a little while ago about a plan by the City of New York to collect personal information about diabetics in that city without the consent of the individual patients (see The Canadian Privacy Law Blog: City Officials Aim to Track How Diabetics Manage Illness). The plan is starting to attract more criticism, according to an article from the Associated Press, via Yahoo!:

N.Y. Diabetes-Tracking Plan Draws Concern - Yahoo! News

"... Diabetes is different, threatening no one but the people who have it.

"This isn't smallpox," said James Pyles, an attorney who represents health care groups concerned with medical privacy. "The state, or the city in this case, does not have a compelling interest in the health of an individual that overrides that individual's right to privacy."

Pyles praised the intent of the program, but said unless diabetics are asked for their consent, it would be "an outright violation of the constitutional right to privacy" for the government to obtain their identities.

The city's program wouldn't initially get consent to collect data, but would allow patients to opt out later. The database would also be tightly controlled, off limits to anyone but department staff, the patients and their doctors, health officials say.

Over time, doctors could receive letters, telling them whether their patients have been getting adequate care. People who skip checkups might get a note from their doctors, reminding them of the dangers of untreated diabetes.

The plan is akin to the surveillance system put in place in 1897 to fight tuberculosis. At first, doctors were outraged they had to report TB cases to the government, but it became a model after deaths plummeted...."

UPDATE: You may not be surprised by the Wired News headline on this one: Wired News: Big Brother Wants to Be Diet Cop

LaForest Named as Special Advisor to Review Information and Privacy Mandates

There has been some buzz in the privacy law community about the possibility of merging the Office of the Privacy Commissioner with that of the Access to Information Commissioner. The PMO today announced that Gerard V. LaForest, the retired Supreme Court Justice, has been appointed to be a special advisor to the Minister of Justice to make recommendations on whether this merger is advisable: Prime Minister of Canada: Prime Minister Announces Special Advisor to Review Information and Privacy Mandates.

Alberta offers online service for student loan applicants

Alberta is introducing an online system for applying for student loans and other financial assistance:

Camrose Canadian, Camrose, AB

"Students can apply on-line
Application procedure streamlined

Amanda Kuttnick-Dyer, Staff Reporter
Sunday July 24, 2005

Camrose Canadian — Post-secondary students will be able to access a wealth of financial assistance and resources this fall.

Alberta students will be able to complete an on-line application for student loans, grants and bursaries giving them access to a greater range of faster, more flexible and user friendly, electronic services through a new electronic application system.

The new system allows post-secondary students to apply on-line for financial assistance, have their application processed instantaneously and know immediately how much they will be receiving. Full-time students attending private vocational institutions can also use this new system.

Electronic

The system will also provide post-secondary institutions with the ability to electronically notify the finance departments of student registration. The idea is to reduce lineups, as the institutions will no longer have to approve student federal or provincial loan certificates.

It’s expected that this new process will assist in the processing of 45,000 full time applications. In a single day between 2,000 and 3,000 students will be assessed.

To access the system, all students will be required to input an Alberta Student Number, a Social Insurance Number and some standard personal information. Additional input requirements differ for first time students and returning students. For more information on access and requirements, visit www.alis.gov.ab.ca/studentsfinance/eap/main.asp or call 1-800-222-6485."

Sounds like a good idea, but it reminds me too much of various incidents I've read about in the last little while, such as this one: The Canadian Privacy Law Blog: Incident: hacker may have read applicant files at University of Southern California.

It's not just about the stuffers

Last week, I wrote about a new finding from the office of the Privacy Commissioner that faulted a bank for not allowing people to opt out of receiving marketing materials with their credit card bills. (See: The Canadian Privacy Law Blog: PIPEDA and non-personalized secondary marketing.)

In his regular Law Bytes column, Michael Geist has some interesting comments on the decision itself and where it fits into the bigger picture. See his column on his website here.

Lawsuits broach data-security breaches

The Fort Wayne Journal Gazette is carrying an informative article originally from the Wall Street Journal on class action lawsuits stemming from the recent rash of security/privacy incidents.
Journal Gazette | 07/25/2005 | Lawsuits broach data-security breaches

"... The Marin County, Calif., salesman, along with two other plaintiffs, has filed a class-action lawsuit in California Superior Court in San Francisco against CardSystems Solutions Inc., which last month acknowledged that hackers had obtained information on approximately 200,000 credit- and debit-card accounts. The payment-processing concern might have put the personal information of as many as 40 million consumers at risk, including Schultz’s Visa debit-card account.

Schultz, 52, hasn’t discovered fraudulent activity in connection with his Visa account; and even if he wins, he isn’t likely to recoup much money for the time and trouble of monitoring his account and changing his automatic-payment arrangements.

But his suit against CardSystems, of Tucson, Ariz., might help answer one of the biggest questions arising from the recent rash of data-security breaches: Who should pay for damages?

In an earlier era, when little was known about particular hackings, accountability was difficult and data losses were deemed an unavoidable annoyance. Now, merchants, banks, payment processors, credit-card associations and even security auditors and software makers face the prospect of liability for lax practices.

“There is going to be a flood of lawsuits by both consumers and businesses,” said Mark Rasch, a former Justice Department prosecutor and now senior vice president for Solutionary Inc., a security-audit firm in Bethesda, Md. ..."

Politics and privacy: New Brunswick MLA resigns from cabinet over alleged violation of NB's privacy laws

After being found to have broken the province's privacy laws by an investigation by the New Brunswick Ombudsman's Office, Brenda Fowlie has resigned from her cabinet post as Minister of Environment and Local Government. The investigation stemmed from statements in and out of the legislature that an opposition MLA had violated zoning laws. See: CBC New Brunswick - Fowlie resigns from cabinet.

Saturday, July 23, 2005

Italian privacy authority says no to transparent garbage bags

The overseer of privacy in Italy has advised municipalities in that country that requiring the use of transparent garbage bags is a violation of privacy, as it could unduly expose personal information. The municipalities had required see-through bags to make sure citizens are following sorting guidelines:

WATCHDOG FOR PRIVACY: TRANSPARENT BIN BAGS 'OUTLAWED' :

"(AGI) - Rome, Italy, Jul 22 - The obligation set by some municipalities for citizens to use transparent or labelled bin bags for 'door-to-door' garbage collection involves a breach of privacy. Instead, bags with bar codes, microchips or 'intelligent labels' (RFID) are allowed. No indiscriminate controls: bags can be inspected only in cases in which the citizen who did not respect the sorting of household waste cannot be identified in any other way. With a general measure, proposed by Giuseppe Fortunato, the Watchdog for Privacy replied to questions from local authorities and to many complaints and warnings from citizens who lamented a possible violation of privacy, deriving especially from the method of garbage collection and administrative controls, regarding personal data observed through the bags themselves or by inspecting their contents. There are, in fact, many personal belongings (mail, phone bills, bank statements) that end up in rubbish, sometimes also regarding health (medicine, prescriptions, etc.) or political, religious or union memberships. This information, if not treated fairly, or if abused, can cause serious inconvenience to people. The Watchdog observed that the sorting of household waste, required by specific norms, is in the public interest, but did not consider fair the obligation placed by some local authorities to use transparent bags for 'door-to-door' collection, as anyone can easily see the contents. The norm involving labels with the name and address of the owner of the garbage, especially if left on the street, also involves a violation of privacy. (AGI)"

Changing credit card numbers won't help

Over at Schneier on Security, there's been a bit of a discussion in the comments about how to deal with the increasingly reported security incidents involving credit card processors. One commentator suggested a novel approach to protecting his own accounts:

Schneier on Security: Visa and Amex Drop CardSystems:

"Me? I request replacement credit and debit card numbers every six months, and watch my account activity carefully."

Interestingly, Dr. Don at Bankrate.com just fielded a question on the practice:

Changing credit card numbers won't help:

"Dear Kim,

Your idea about rotating credit card numbers is inventive but it could actually wind up increasing the odds that you find yourself a victim of identity theft or credit card theft. Getting a new credit card number every quarter would mean that you will have credit cards in your mailbox four times a year vs. once every three to four years, and fraud programs that recognize when your spending patterns don't jibe with past purchases aren't going to be effective, because the account won't have a transaction history for comparison.

It's also likely to hurt your credit rating because your credit history will show a series of accounts closed at your request every three months -- unless the series of account numbers is treated as a single account relationship by the credit card provider. For this to happen it would have to be a practice established by the credit card provider in reporting your history to the credit bureaus. It isn't something that you can do on your own...."
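Dr. Don's point about fraud programs is a cold-start problem, and it is worth seeing concretely. What follows is an added example, not code from Bankrate, Dr. Don or any card issuer: a toy issuer-side pattern check that scores a purchase against the account's own history and refuses to score at all when that history is too short. The MIN_HISTORY and Z_THRESHOLD values, the scoring rule and the transaction history are all assumptions made for the example.

```python
"""Spending-pattern check with a cold-start rule.

Added example for this entry; it is not code from Bankrate, Dr. Don or any
card issuer. It assumes a simple issuer-side model in which each account's
baseline is the mean and standard deviation of its past purchase amounts
plus the set of merchant categories seen so far. The account history below
is constructed for the example.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple

# Assumed policy knobs: below MIN_HISTORY purchases there is no baseline to
# compare against, so the model abstains rather than guessing.
MIN_HISTORY = 10
Z_THRESHOLD = 3.0


@dataclass(frozen=True)
class Txn:
    amount: float
    category: str   # merchant category, e.g. "grocery"


def score(history: List[Txn], txn: Txn) -> Tuple[str, float]:
    """Return (verdict, z) where verdict is one of
    'insufficient_history', 'ok' or 'review'.

    z is how many standard deviations txn.amount sits above the account's
    historical mean; a never-seen merchant category lowers the bar."""
    if len(history) < MIN_HISTORY:
        # Cold start: a freshly issued card number has no history, so the
        # pattern check cannot say anything either way.
        return "insufficient_history", 0.0
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0.0:
        z = 0.0 if txn.amount == mu else float("inf")
    else:
        z = (txn.amount - mu) / sigma
    new_category = txn.category not in {t.category for t in history}
    if z > Z_THRESHOLD or (new_category and z > 1.0):
        return "review", z
    return "ok", z


# Constructed history for one account: a run of ordinary purchases.
HISTORY = [
    Txn(24.50, "grocery"), Txn(31.00, "fuel"), Txn(18.75, "grocery"),
    Txn(42.00, "restaurant"), Txn(27.30, "grocery"), Txn(55.00, "fuel"),
    Txn(33.20, "grocery"), Txn(21.00, "restaurant"), Txn(29.90, "grocery"),
    Txn(38.40, "fuel"), Txn(26.10, "grocery"), Txn(45.00, "restaurant"),
]


if __name__ == "__main__":
    purchase = Txn(850.00, "electronics")
    # On the seasoned account the purchase stands out; on a replacement
    # card number with no linked history the model has nothing to compare.
    print(score(HISTORY, purchase))
    print(score([], purchase))
```

The second call is the rotation scenario: unless the issuer links the replacement number to the old account's history, every new number starts at "insufficient_history" and the pattern-based check is switched off for exactly the period the cardholder was trying to protect.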

Friday, July 22, 2005

Latest fashion/political statement in New York: "I do not consent to being searched"

In the aftermath of the second London bombing, New York authorities have announced they will be doing random searches of passengers in that city's transit system. This has spawned a reaction, including T-shirts that read "I do not consent to being searched." (From the village voice > NYers to NYPD: 'I Do Not Consent to Being Searched'.) If you want a T-shirt of your own, go to No Consent : CafePress.com.

CardSystems threatened with extinction due to Visa and AMEX termination

The CEO of CardSystems testified before the US House Financial Services Subcommittee that his company is likely to shut down because Visa and Amex are ending their relationship with the company, which was faulted for allowing a breach of the personal information of 40M people.

Credit Data Firm Might Close - Yahoo! News:

"As a result of coming forward, we are being driven out of business," John M. Perry, chief executive of CardSystems Solutions Inc., told a House Financial Services Committee subcommittee considering data-protection legislation. He said that if his firm is forced to shut down, other financial companies will think twice about disclosing such attacks. ...

Perry called the decisions by Visa and American Express draconian and said that unless Visa reconsiders, CardSystems would close and put 115 people out of work. CardSystems handles only a small percentage of American Express transactions, while Visa accounts for a large part of its business.

Perry said closing his company could disrupt the ability of merchants to complete transactions, since it might take time for them to arrange for alternate payment processors. For that reason, Visa said it is not cutting off the company until Oct. 31.

While Perry said his company is doing everything it can to ensure that such a breach never occurs again, Visa said it could not overlook that CardSystems knowingly violated contractual requirements for how long credit card data were supposed to be stored and how they were secured...."

Yet another university incident: Personal Info For 43,000 Colorado University Students, Staff Breached

Yet another university incident, this time at Colorado University:

TheDenverChannel.com - Technology - Personal Info For 43,000 CU Students, Staff Breached:

"...The school said Thursday that someone gained unauthorized access to a computer server in the College of Architecture, which has personal information for 900 students and faculty members, and a computer server in the health center, which holds information for 42,000 students and staff.

Both computers contain names, Social Security numbers, addresses and dates of birth. Although no credit card information was on either computer, the school is warning students, staff and faculty to be on the lookout for signs of identity theft...."

Privacy concerns prompt meth ordinance revision

I blogged a little while ago about privacy issues and the response of Clovis, New Mexico, to concerns about people buying over the counter cold remedies which are precursors to methamphetamines (The Canadian Privacy Law Blog: Privacy and the regulation of the sale of OTC cold remedies). In response to some privacy concerns, the proposed ordinance has been amended:

Privacy concerns prompt meth ordinance revision

"....The ordinance states that anyone wishing to purchase a pseudoephedrine product must write their name and address on a log. In response to privacy concerns, the ordinance now states that retailers must conceal the log in a folder or in some other manner to prevent observation by other customers. The purchaser still must present photo identification.

Another added provision dictates the log must be picked up from retailers by law enforcement on “about a weekly basis,” according to Van Soelen. The logs must be destroyed by law enforcement after 3 to 6 months, Van Soelen said. ..."

Thursday, July 21, 2005

Tipper database "outs" skinflints online, using names lifted from credit cards

When you go to a restaurant, you probably expect that your credit card number is used to process your payment and, perhaps, so your server can buy cool stuff online. But what about your name? Well, if your server thinks you are cheap, your name may end up in the [BEEP] Tipper Database ("beep" is what my son would say, with a sly grin), along with editorial comments about how unpleasant a customer you are. Kottke.org has a bit of discussion about this site, which provides disgruntled foodservice employees an opportunity to vent about customers using the names lifted from credit cards:

The [BEEP] [BEEP] Tipper database (kottke.org)

Does the [BEEP] Tipper Database seem wrong to anyone else? I'm all for underpaid service staff venting and attempting to raise public awareness about bad tipping (which, in the absence of poor service, amounts to an unjust pay-cut determined completely by some random idiot customer). But since when is anything under 17% considered shitty? $0 on a $125 bill, that's shitty. 15% (on the pre-tax amount, I might add) is still the industry standard, no matter how much it sucks to get exactly the minimum for adequate service.

More importantly, what gives these people the right to take someone's full name off of a credit card (procured on the job, BTW) and put it up on the web because of some completely subjective gauge of service provided? If I'm eating somewhere, my expectation is that my credit card is being used only for payment and not for any personal use by the employees of the restaurant. If I don't leave someone what they think was deserved, they should catch me on the way out and ask me about it. Perhaps I forgot or miscalculated. Or maybe the service was a bit off in my mind. If I left no tip, I probably talked to the manager about why I did so and they'll be hearing about it from them. But to be all passive aggressive and get my name from my CC and post it on some internet message board...that suggests to me that maybe they didn't deserve a good tip in the first place."

So if you are going to tip less than fifteen percent and want to remain anonymous, use cash like the "bunch of soccer moms" from Halifax:

Tipper's Name: Some Pub Crawl for Soccer Mom's

Where it happened: Halifax NS

Total bill / Tip amount / Percentage: $110.00 / $0.17 / 0%

What happened:

This bitter old hag bought many rounds of shooters for her washed up friends who were in their late forties and trying to look like britney spears. She didn't tip all night, but I was still all (fake) smiles and joy, until I brought around their last round for last call. When I gave her change, she proceeded to hold up one of the loonies (a dollar coin) and asked me to make change for it so she could finally tip me. I told her I didn't have small change, that's the smallest I have, so instead of just giving up that pathetic dollar she proceeded to open up her wallet and dropped a dime, nickel and two pennies on my serving tray. SEVENTEEN CENTS! After slaving for them all night! ..."

Alberta Commissioner releases report concerning disclosure and security of personal information by a collection agency

On the privacy front, Alberta is apparently where it's at:

Commissioner releases report concerning disclosure and security of personal information by a collection agency

Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act") after receiving a complaint alleging that CBV Collection Services Ltd. ("CBV") contravened the Act.

The complainant reported that CBV faxed a form to the complainant's place of employment, and specifically to a non-confidential fax machine. In so doing, the complainant alleged, CBV failed to adequately protect her personal information from possible disclosure to other colleagues and employees in her workplace.

The investigator found that although CBV did have some policies and procedures in place to address information privacy and confidentiality requirements, a CBV employee acted to the contrary. As a result:

  • CBV disclosed the complainant's personal information when it faxed the form to the complainant's place of employment.
  • CBV contravened section 19 of the Act as the disclosure in this case was not for a reasonable purpose.
  • CBV contravened section 34 of PIPA by failing to make reasonable arrangements to mitigate the risks associated with sending personal information by fax.
  • In response to the incident and this Office's investigation, CBV revised its process and internal policy documents with respect to requesting verification of employment (VOE), particularly when doing so by fax, and developed a plan to communicate the new process to all offices across Canada. Among other things, the new process requires that:

    • A Collection Supervisor verify that a VOE is authorized in the circumstances.
    • The collector pre-arrange sending the VOE with the appropriate receiving party.
    • Fax transmissions must be sent to a confidential fax machine and must include a confidential cover sheet that does not state the name of the debtor.
    • The collector must confirm receipt of a fax or email within 30 minutes of sending it.

The circumstances in this case illustrate that organizations need to be diligent in reviewing information privacy and confidentiality policies and procedures with their staff on an ongoing basis, and in following-up any failure to comply.

With respect to transmitting personal information by fax, organizations must ensure their employees are aware of the potential risks involved, and implement appropriate measures to mitigate that risk."

Click here to download Investigation Report P2005-IR-006.

The Globe and Mail: Firms get wrists slapped over privacy breach

The legal page in the Globe and Mail Report on Business section has picked up the story about the finding of the Alberta Information and Privacy Commissioner that faulted two law firms for their handling of personal information in the course of a business acquisition (background: The Canadian Privacy Law Blog: Alberta Privacy Commissioner faults two companies and their law firms for handling of employee information). The article is informative, but the real lesson is that it was reported nationally, it names the law firms, and that page is read by the colleagues, contemporaries and competitors of the lawyers in question. Privacy law is not just the domain of geeky privacy lawyers. Even corporate and securities lawyers need to know about it to keep their clients and their firms on the right side of the law and out of the newspapers. See The Globe and Mail: Firms get wrists slapped over privacy breach.

Bank Lawyer's Blog: The High Price of Privacy Breaches

The Bank Lawyer's Blog has some things to say about the latest CardSystems news, not surprisingly from the perspective of a bank's lawyer:

Bank Lawyer's Blog: The High Price of Privacy Breaches:

"...A couple of obvious points: (1) make certain that the bank's contracts with payment processors contain provisions that meet not only the privacy and security requirements of the law (for example, those imposed by Gramm-Leach-Bliley and its implementing regulations), but the privacy and security requirements of other interested parties that might be imposed upon the bank and its contractors, such as VISA and Amex, and that permit the bank to terminate in a timely manner the processing agreement for a breach of those obligations; and (2) that even though a bank builds obligations into the contract, ongoing monitoring by the bank and/or a third party (such as an annual SAS 70 audit), is an essential part of a vendor management program.

This incident also demonstrates that 'reputational risk' is real. The processor retained and used 'for research purposes' personal data that it had agreed not to retain and use. Existing and future customers will have to consider carefully whether such an organization is to be trusted not to renege on its obligations in the future. That's an ugly fact of life...."

Break-in costs ChoicePoint millions

The financials are in for ChoicePoint's second quarter, and CNet is reporting that the data aggregator has taken a total charge of $11.4M related to the privacy incident that took place some months ago. That's real money and has a direct impact on shareholder value:

Break-in costs ChoicePoint millions | CNET News.com:

"Data broker ChoicePoint took a $6 million charge in its second quarter to cover costs related to the leak of information on about 145,000 Americans, it said Wednesday.

The charge is in addition to the $5.4 million in costs the company recorded in the first quarter. Of the total $11.4 million, about $2 million in charges through June 30 were for communications to individuals whose data has been exposed as well as credit reports and monitoring services for those people, the company said in a statement.

The remaining $9.4 million was for legal and other professional fees, ChoicePoint said...."

Chief of Card Processor Fires Back at Visa

The CEO of CardSystems has fired back at Visa after the credit card company announced that it was instructing its member banks not to use CardSystems to process Visa transactions. John M. Perry said that the decision effectively puts the company out of business and that the penalty has not been invoked before: Chief of Card Processor Fires Back at Visa - New York Times.

Due Diligence: Pondering Privacy

Tim Oren at Due Diligence is pondering privacy and has some interesting observations, particularly his "hierarchy of unease":

Due Diligence: Pondering Privacy:

"... I haven't seen a domain with more zealots since the early crypto market. There are zealous marketers sure they can make their customers more loyal and profitable if only they can pool all the known data about them. There are privacy zealots, who often don't seem to believe in marketing at all - or maybe even markets. And there are zealous computer scientists and security experts, sure the whole matter can be resolved with the right algorithms. And now that the press and politicians are coming to the party, we can expect the discourse to become even more informative...."

The "hierarchy of unease", which he discusses in his blog posting, is a categorization of the sorts of privacy issues that individuals fear, in order of severity:

  1. Direct Financial Loss, or Threat of Same
  2. Intrusion
  3. Compartment Breach
  4. Loss of Information Asymmetry
  5. Everything Else

Wednesday, July 20, 2005

Incident: Theft of banking information from Arizona county clerk and state agency

A group of accused fraudsters have been arrested in Arizona for allegedly taking bank account information from, among other places, the court clerk's office, making fake cheques and cashing them all over town. Police found drugs and a Gila monster in houses searched as part of the investigation. We've heard before about the fraud/methamphetamine connection, but this is the first fraud/large lizard link I've seen:

Officials break up ID-theft racket 6 held in scheme that took bank data from 2 agencies - Yahoo! News:

"... The group stole bank-account information from the Clerk of Pima County Superior Court, the Arizona Department of Economic Security and five people, created counterfeit checks using a computer and cashed at least $20,000 at Sahuarita-area stores, said Detective Pat Willson of the Sheriff's Department fraud division.

She wouldn't say how they stole the account numbers or how they spent the money.

Willson said the investigation into 'extensive fraud activity' turned up methamphetamine and marijuana in three houses authorities searched, in the 700 block of East Linden Street north of Downtown; in the 200 block of West Duval Road in Green Valley; and in the 1300 block of West Calle Del Ensayador in Sahuarita. Officers also found a Gila monster in the house on Linden.

The investigation began with three or four suspects and a victim, but the detectives noticed similarities in other cases and broadened the scope of the case, said John Cotsonas, a special investigator with the Sahuarita Police Department...."

Though the term "ID theft" is used, this looks like basic fraud since there isn't a suggestion that the alleged fraudsters impersonated anybody or obtained credit using someone else's identity.

Tuesday, July 19, 2005

CIPPIC files complaint against info-broker

From the CIPPIC website:

CIPPIC files complaint against info-broker:

"CIPPIC has filed a complaint under the federal Personal Information Protection and Electronic Documents Act against a Canadian data-broker. In its complaint, CIPPIC alleges that InfoCanada combines publicly available data from telephone books with geographically aggregated demographic data from Statistics Canada, to compile lists of individuals by demographic feature, for sale to marketers. CIPPIC argues that this act of data-matching invokes PIPEDA, and that InfoCanada fails to obtain the consent of individuals to its use and sale of their personal information, however inaccurate, contrary to PIPEDA."

New technology sure to upset some privacy advocates

I'm a regular reader of Engadget to satisfy my inner nerd. Today, there are two goodies to satisfy my inner privacy nerd. Well, goodie may not be the right word. In any event, check out the new surveillance technology to make sure that only the appropriate minimum number of warm bodies are in the high occupancy lane of your local highway: U.K. tests infrared HOV-compliance cam. While you're there, take a look at the new time card system that uses fingerprint recognition to make sure you aren't punching your buddies on- and off-shift: No more "buddy punching" with the Kronos 4500 Touch ID.

Visa to cut ties with card processor at center of massive breach

The Associated Press is reporting that VISA is ordering all of its card-issuing banks to cut all ties with CardSystems after VISA concluded that the company was not compliant with security requirements and could not get its stuff together.

This is the equivalent of the "death penalty" and I expect that it will be a loud wake-up call for all third-party processors of personal information. I am sure that other card issuers will be soon to follow.

Via KVOA TV in Tucson: Visa to cut ties with card processor at center of massive breach.

UPDATE: AMEX is following suit according to AP via Forbes: Update 2: Visa to Cut Ties With Card Processor - Forbes.com.

Better include an assignment clause in your agreements

In a new finding under PIPEDA, the Assistant Commissioner was satisfied that a bank had discharged its obligations under PIPEDA when it sold its credit card portfolio to another bank. The original and new cardholder agreements contained a clause that said the bank reserved the right to assign its rights under the cardholder agreement and to transfer personal information to a purchaser. See: Commissioner's Findings - PIPEDA Case Summary #307: Customer alleges that sale of his personal information by one bank to another occurred without his knowledge and consent - July 14, 2005.

PIPEDA and non-personalized secondary marketing

It has always been clear that using a list of customers to send marketing information is a "secondary use" of personal information for which PIPEDA demands consent. It has, however, been the opinion of many that "envelope stuffers" or "invoice stuffers" that do not differentiate among customers are not really a "use" of personal information.

The Assistant Privacy Commissioner of Canada has today weighed in on the question, in PIPEDA Case Summary #308: Opting-out of marketing inserts in account statements, and has concluded that it does amount to a use of personal information. Furthermore, banks and others are required to allow customers to opt-out of this form of marketing.

The finding includes:

  • The bank in this case contended that the inserts were not addressed personally to the client but rather were placed, without distinction, in the account statement addressed to the client. The Assistant Commissioner, however, noted that the customer’s personal information was still being used, and the goal of placing such inserts was nevertheless one of marketing and was secondary to the reasons for which the complainant initially gave his personal information, namely to receive a credit card.
  • The bank informed the complainant through its agreement and disclosure statements that clients might receive marketing information with their account statements. While the bank believed it reasonable for customers to opt-out of secondary telephone or direct marketing, and offers customers the option to refuse such marketing, it did not believe it reasonable for customers to opt-out of statement inserts, many of which concern products or services that have nothing to do with the service for which the customer provided his or her personal information. As the Assistant Commissioner noted, marketing is marketing, whether it arrives in a bank statement or in the form of a telephone call. The bottom line is that, under the Personal Information Protection and Electronic Documents Act, individuals have the right to opt-out of secondary marketing.
  • The Assistant Commissioner therefore determined that by not providing a means of withdrawing consent to secondary marketing, the bank was requiring the complainant to consent to a use of his personal information beyond that required to fulfil the purpose of servicing his credit card account, in contravention of Principles 4.3.3 and 4.3.8 of Schedule 1.

Crunch Time For Payment Processors

New rules for payment processors have recently come into effect, to prevent another CardSystems-type incident. Bank Systems & Technology is running an article on efforts that processors are making to bring themselves into line with the new rules:

Bank Systems & Technology: Crunch Time For Payment Processors:

"...As of June 30, any entity that stores, processes, or transmits cardholder data had to comply with the Payment Card Industry Data Security standards, which require access-control measures, regular network monitoring and testing, and an information-security policy. Annual security audits and quarterly network scans also are required.

Just how many transaction-processing companies are compliant with the Payment Card Industry requirements isn't clear. Visa has published a list of about 150 compliant services providers, which it says represent most major payment processors. But Ordonez says there are hundreds of smaller processors for whom compliance costs could cause many to fold.

Companies that experience breaches and are found not to be in compliance face stiff penalties. Banks are responsible for ensuring compliance of the service providers they use and their merchant's service providers. Visa can fine banks up to $500,000 per incident for any merchant or service provider that's compromised and not compliant..."
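The storage and masking rules referred to above, and in the CardSystems items earlier on this page, are the practical core of what a processor has to get right. As an added example (not code from the article, CardSystems, Visa or the PCI Security Standards Council), here is a minimal Python sketch of that data minimisation: validate the PAN with the Luhn check, keep only a masked form after authorisation, and scrub anything PAN-shaped out of log lines before they are written. The masking rule (first six and last four digits in clear) and the retention policy are my assumptions about what the standard is generally understood to require; the PANs and log lines are constructed test values, not real accounts.

```python
"""Card-data minimisation helpers: Luhn check, PAN masking, log redaction.

Added example for this entry; it is not code from CardSystems, Visa or the
PCI Security Standards Council. It assumes the handling rules that PCI DSS
is generally understood to impose on cardholder data: the primary account
number (PAN) is masked wherever it is displayed or persisted (at most the
first six and last four digits in clear), and card-verification values and
magnetic-stripe data are never retained after authorisation. The PANs and
log lines used below are constructed test values, not real accounts.
"""
import re
from dataclasses import dataclass

# A run of 13 to 19 digits, optionally separated by spaces or dashes, not
# embedded in a longer number. Luhn is checked before anything is masked so
# that order numbers and phone numbers are left alone.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits in clear."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_log(line: str) -> str:
    """Mask any Luhn-valid PAN that has leaked into a log line."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_mask, line)


@dataclass(frozen=True)
class StoredTransaction:
    """The only card details kept after authorisation. Note what is absent:
    the full PAN, the expiry date, the CVV and any track data."""
    masked_pan: str
    last4: str
    amount_cents: int


def record_for_storage(pan: str, amount_cents: int) -> StoredTransaction:
    """Build the record that may be persisted. The caller never passes the
    CVV or track data in, so there is nothing to forget to delete later."""
    masked = mask_pan(pan)
    return StoredTransaction(masked_pan=masked, last4=masked[-4:],
                             amount_cents=amount_cents)


if __name__ == "__main__":
    print(redact_log("auth ok pan=4111-1111-1111-1111 amount=12.50"))
    print(record_for_storage("5500000000000004", 1250))
```

The log scrubber is the piece most often missing in practice: a processor can keep its database clean and still have months of full PANs sitting in debug logs and crash dumps, which is exactly the kind of "research" copy that the CardSystems items above describe.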

Monday, July 18, 2005

Kids are easy prey for ID theft

The Associated Press is distributing an eye-opening article on the plight of a toddler in Indiana whose identity has been stolen more than once. On one occasion, someone used her SSN to claim her unlawfully as a dependent on a tax return. On another occasion, her info was used to set up a phone number in her name. See the Indy Star: Identity thief picks on toddler.

Apparently, it is not "fraud" according to the Deputy Chief of Police, since there was no financial loss to the young girl. I guess they don't count a damaged credit history even before she can crayon a signature on a credit card slip.

"Dr. Busybody's" diabetic database

The New York Post isn't too keen on the proposed New York registry of diabetics (see The Canadian Privacy Law Blog: City Officials Aim to Track How Diabetics Manage Illness):

DR. BUSYBODY'S DATABASE - Yahoo! News:

"... Name-specific registries for certain communicable diseases - such as HIV/AIDS and hepatitis - make sense.

The early-20th century Typhoid Mary demonstrated the need for public-health authorities to prevent individuals from spreading highly contagious diseases.

Diabetes doesn't fall into that category.

This would be the first time that a complete record would be assembled for a non-communicable, chronic affliction.

As far as privacy goes, Frieden notes that the confidentiality of the department's registries haven't been compromised in more than 140 years.

That anybody knows about, of course.

Indeed, the potential of large private databases being compromised by hackers and criminals is sharper than it's ever been - as demonstrated by the recent cases involving MasterCard and the ChoicePoint identification-and-verification service. And health-insurance companies and potential employers would have no interest in Frieden's database? Yeah, right.

It's time for New Yorkers to say enough is enough.

And if all this information depresses you, and drives you to drink? Well, expect a visit from Dr. Frieden presently.

He'll be there to help."

Sunday, July 17, 2005

Privacy and the regulation of the sale of OTC cold remedies

The community of Clovis, New Mexico, is considering passing an ordinance to regulate the sale of over-the-counter cold and allergy remedies because they are essential ingredients for making methamphetamines. The ordinance would require that the drugs be kept behind the counter, that purchasers provide photo ID (the details of which would be logged) and that purchases be limited to three packages at a time. Some are questioning the ordinance, both from a privacy perspective and on whether it will be effective. One person is quoted saying that she and her husband live in the country and have allergies. Their weekly consumption of the drugs may give the police probable cause to search their house. Since the police usually use SWAT team tactics in executing meth-related warrants, I can just imagine how unpleasant a "false positive" could be. See the story online: Detractors question effectiveness of meth strategy.

Saturday, July 16, 2005

A Pass on Privacy?

Recently, the writers of the Sunday New York Times have consistently had interesting things to say about privacy-related topics. This week, Christopher Caldwell writes about the creeping spread of tracking technologies into daily life and how easily their uses can be expanded:

A Pass on Privacy? - New York Times

"Anyone making long drives this summer will notice a new dimension to contemporary inequality: a widening gap between the users of automatic toll-paying devices and those who pay cash. The E-ZPass system, as it is called on the East Coast, seemed like idle gadgetry when it was introduced a decade ago. Drivers who acquired the passes had to nose their way across traffic to reach specially equipped tollbooths -- and slow to a crawl while the machinery worked its magic. But now the sensors are sophisticated enough for you to whiz past them. As more lanes are dedicated to E-ZPass, lines lengthen for the saps paying cash.

E-ZPass is one of many innovations that give you the option of trading a bit of privacy for a load of convenience. You can get deep discounts by ordering your books from Amazon.com or joining a supermarket ''club.'' In return, you surrender information about your purchasing habits. Some people see a bait-and-switch here. Over time, the data you are required to hand over become more and more personal, and such handovers cease to be optional. Neato data gathering is making society less free and less human. The people who issue such warnings -- whether you call them paranoids or libertarians -- are among those you see stuck in the rippling heat, 73 cars away from the ''Cash Only'' sign at the Tappan Zee Bridge.

Paying your tolls electronically raises two worries. The first is that personal information will be used illegitimately. The computer system to which you have surrendered your payment information also records data about your movements and habits. It can be hacked into. Earlier this year, as many as half a million customers had their identities ''compromised'' by cyber-break-ins at Seisint and ChoicePoint, two companies that gather consumer records.

The second worry is that personal information will be used legitimately -- that the government will expand its reach into your life without passing any law, and without even meaning you any harm. Recent debate in Britain over a proposed ''national road-charging scheme'' -- which was a national preoccupation until the London Tube bombings -- shows how this might work. Alistair Darling, the transport secretary, wants to ease traffic and substitute user fees for excise and gas taxes. Excellent goals, all. But Darling plans to achieve them by tracking, to the last meter, every journey made by every car in the country. It seems that this can readily be done by marrying global positioning systems (with which many new cars are fitted) with tollbooth scanners. The potential applications multiply: what if state policemen in the United States rigged E-ZPass machines to calculate average highway speeds between toll plazas -- something easily doable with today's machinery -- and to automatically ticket cars that exceed 65 m.p.h.?..."

What to Do After Your Data Is Stolen

A writer at the New York Times had the unpleasant experience of someone going on a two-day shopping spree (if $1772 is a spree) with her debit card and thought it would be of interest to let her readers know about her experience with fraud alerts, credit freezes and the like: What to Do After Your Data Is Stolen - New York Times.

Commentary: Verizon puts your privacy in precarious position

It is interesting how sensitive some are becoming to privacy issues. I don't think we would have seen a commentary like this one a year ago:

Connected: Verizon puts your privacy in precarious position

"Would you give your credit card number to a company if you knew it was to be used for anything else besides taking your payment? That is exactly what is happening for thousands of people nationwide who have signed up for Verizon's VoiceWing Voice over IP telephone service.

VoiceWing is different from Verizon's traditional telephone service in several ways, one of which is that the company only accepts credit cards as payment. It will not direct bill you. So you must provide your card to get the service. Once you have the service, Verizon debits your card monthly -- and also uses the last four digits of your card number to verify who you are when you call for support.

According to Margo Hammar, chief privacy officer at Verizon, using your credit card digits this way is just like paying for your gas at the pump, then crumpling the receipt and throwing it away.

But it's not the same. At the pump, the credit card is inserted for a one-time transaction and not saved by the gas station. It is you who makes the decision on the spot to provide the card data; and it is you who decides whether to print the receipt and crumple it (or keep it). In the VoiceWing scenario, your credit card information is placed into a database at Verizon -- and then the last four digits are shown to any customer support rep who pulls up your record -- even if no transaction is taking place.

Hammar told me that "Verizon takes the safeguarding of client information very seriously" and that the company has created a method and procedure to be used by employees with a need to know. As the key privacy person, she has pushed the company to move away from using Social Security numbers for customer authentication, but has not yet provoked the company to stop using this credit card data for the same task.

According to Dean Ocampo, product marketing manager for security software developer Check Point Software Technologies, using only the last four digits minimizes risk compared to using the entire number, "but ideally you don't want to use any of it." He says the issue goes deeper than whether the company is using the digits. It involves the processes they employ and the depth of security.

In the Verizon situation, your credit card digits are displayed to first-tier customer support reps -- people who are not in a "need to know" position regarding your credit card. In one call that I made to VoiceWing support, I refused to give the CSR my digits, which made him exclaim that the digits are right in front of him already; it's not like I'm revealing anything new to him.

That, in fact, is the problem. The digits should not be in front of him. He has no reason to see a customer's credit card data, no matter how ethical he is. Check Point's Ocampo agrees: "The more you put private data through the company, the more likely it can be hacked and stolen." He cites instances in which companies have not properly secured the data at every juncture, even though they think they have. Recent news items about security problems at Citibank, ChoicePoint and CVS provide examples. Ocampo's examples include points of attack within the company, including PCs living around the perimeter of the network that have not been completely secured.

Since businesses make decisions over time, other factors may later create security risks. For instance, a move to outsourcing customer support offshore would put your credit card data in a rep's hands in another country -- perhaps a country that doesn't have the same protection laws that are in force in the United States. Securing customer privacy is not a science. What's good for the business is not always good for privacy, and vice versa. Companies are always dealing with the trade-offs when making business decisions.

Verizon's published privacy policy promises that the company will use SSL (a security mechanism) whenever it transmits your credit card, but it doesn't promise to use your card number only for your transactions. As long as Verizon continues to use customer credit card numbers as authentication, in whole or in part, it is putting the customer at risk, no matter how slight."

Former Alleghany County, Virginia, employee indicted for perusing info of fellow employees

In Alleghany County, Virginia, a former county employee has been charged under various hacking provisions for gaining access to and perusing sensitive personal information of other county employees:

News from The Roanoke Times -Former Alleghany County employee indicted on 36 computer charges

"... Alleghany County grand jury that met Tuesday handed down the indictments, charging Jackson with one felony computer fraud charge and 35 misdemeanor charges that include altering computer data, computer trespassing, copying data and invasion of privacy.

Jackson is accused of examining employment, salary, credit and other personal records of county employees, including County Administrator Tammy Stephenson, Deputy County Administrator Rick Hall and Safety Coordinator Ryan Muterspaugh...."

Friday, July 15, 2005

Thinking About Technology: Papers on Privacy and Vehicle Safety Communication Technologies

Michael Zimmer has posted two privacy-related conference papers on his website:

Thinking About Technology: Papers on Privacy and Vehicle Safety Communication Technologies:

"I am on my way to The Netherlands to participate in two exciting conferences. I will be presenting my paper 'Surveillance, Privacy and the Ethics of Vehicle Safety Communication Technologies' [PDF] at the International Conference of Computer Ethics: Philosophical Enquiry. And I will be presenting my paper 'Privacy and the Design of Vehicle Safety Communication Technologies' [PDF] at the International Conference of the Society for Philosophy and Technology."

Go directly to his site for the links to the papers and more info on the conferences.

Privacy, national security and the Karl Rove affair

My friends and family are probably getting pretty tired of hearing that just about everything has a privacy angle. Sorry, it's everywhere.

The latest political story out of Washington, DC has a privacy angle with a national security twist, according to David Lazarus of the San Francisco Chronicle:

Privacy is easy to breach

"The fracas over whether Karl Rove, one of President Bush's most trusted advisers, publicly outed an undercover CIA operative highlights the ease with which personal information on virtually anyone can be obtained.

It also points to the need for privacy laws -- and, in this case, national-security laws -- recognizing the harm that can be done with only a few computer keystrokes.

That harm, as a slew of recent security breaches makes clear, can include identity theft, credit card fraud and other invasions of one's personal-data space.

It can also represent a graver danger if the work you do is of interest to terrorists and other enemies of this country.

I found out how significant this threat can be when I attempted to identify the CIA agent in question for myself, based solely on what Rove is known to have told a journalist.

The results were troubling, to say the least.

...

It's not my place to say whether Rove crossed that line in his discussion with Cooper. But I can say what I was able to do with the information Rove reportedly supplied.

First of all, I knew from published reports that the full name of the author of the critical op-ed piece was Joseph C. Wilson IV. A Google search quickly told me that he was born in 1949.

So I went to ZabaSearch.com, which readers of this space know is a powerful online people-search tool that rapidly combs through public records -- for free.

My first nationwide search for a Joseph C. Wilson born in 1949 turned up too many matches, so I narrowed the search by guessing that he likely lives in Washington, D.C.

Bingo. Now I had his home address. But I didn't know his wife's name.

So I went to the Web site of LexisNexis, a prominent data broker, and did a public-records search for Joseph Wilson in Washington, D.C., subsequently narrowing the search with Wilson's street address. Bingo again.

"Spouse name: Wilson, Valerie E."

For non-subscribers, LexisNexis is available online on a pay-per-search basis. It's also accessible via acquaintances at universities, law schools and a wide variety of private companies.

I did another LexisNexis search for Valerie E. Wilson in Washington, D.C. This confirmed she lives at the same address as Joseph C. Wilson. It also took me the next step.

"Former name: Plame, Valerie E."

I now had the identity of a covert CIA agent (who was using her maiden name as part of her cover as an energy-industry analyst working for a firm called Brewster Jennings & Associates, now known to be a CIA front company).

It took me less than a half-hour to identify her.

I then went back to Google and got a map of Plame's neighborhood and directions to her home. Google also allowed me to study a high-resolution satellite photo of Plame's house.

I could see that the property appears to be in a quiet residential community and looks approachable from all sides. It also offers ready access by car to major thoroughfares.

And I now possess all this information simply because I know (from Karl Rove, via Matt Cooper) that Joseph Wilson's wife "apparently works at the agency on WMD issues."

Little effort required

Rove's questionable judgment aside, this episode underlines how little effort is required in this info-rich age to identify and locate virtually anyone. You don't even need that person's name.

This should alarm anyone who relies on a measure of secrecy for his or her well being, as well as all others who value their privacy.

It also should serve as a wake-up call for legislators that existing privacy and national-security laws haven't kept pace with dazzling improvements in information technology.

The intent of current laws might be to keep certain info under wraps. The reality is that nearly all data are exposed and accessible, there for the taking by anyone with a computer and a small measure of resourcefulness.

With little effort, I pinpointed a working CIA agent. I did so only to make a point.

Can we be sure that the intentions of the next person to commence such a search will be as benign?"

Thursday, July 14, 2005

Google balances privacy, reach

"You are what you google" is a good quote from this CNet News article, which discusses the privacy implications of what Google knows about consumers and what the company can do with that information: Google balances privacy, reach | CNET News.com.

Commissioner says posting info on website violated PIPEDA

A second finding from the Privacy Commissioner's Office was released today. This one found that a dog breeder violated PIPEDA by posting personal information about a former customer on the breeder's website as part of a dispute between the parties. Because the website was for the purpose of promoting a business, the posting was deemed to be a collection, use or disclosure of personal information in the course of commercial activities. See: Commissioner's Findings - PIPEDA Case Summary #305: Internet posting violates PIPEDA - February 4, 2005

Privacy Commissioner considers access request to physician's notes of an independent medical exam

A new finding from the Office of the Privacy Commissioner deals with an individual's request for access to the examination notes from a physician who conducted an independent medical examination of an insured under an insurance policy. The physician refused the request, first stating that the notes were not "personal information" because they did not form a part of the individual's medical record. Not surprisingly, the Assistant Commissioner didn't buy that argument.

The physician argued that even if the notes were personal information, they were protected by two exceptions to the access principle: (i) that they were subject to solicitor-client privilege, and (ii) that they were generated in the course of a formal dispute resolution process. The Assistant Commissioner did not agree with either argument, principally because the medical exam was conducted in order to determine whether benefits under the policy should be continued, before any dispute resolution process had been initiated.

See the Assistant Commissioner's findings at: Commissioner's Findings - PIPEDA Case Summary #306: Physician refuses to provide access to individual's personal information - March 17, 2005

Patients sue doctor over discarded computer

According to the Kansas City Star (registration required), a plastic surgeon is at the centre of a class action lawsuit because he is alleged to have taken home an office computer and to have left it at the curb with his garbage without securely removing patient information. The claim is for negligence, invasion of privacy and breach of fiduciary duty: Kansas City Star | 07/14/2005 | Patients sue doctor over old computer.

I just googled the name of the surgeon and came upon the following:

Medical Newswire - Healthcare, Biotechnology News Release Service

Erase PHI Before You Discard Old Hard Drives

"KANSAS CITY, KS (HIPAA Wire) You must strip all data from your computer's hard drive before you throw it in the scrap pile -- or risk exposing patients' PHI.

That's the lesson Daniel Bortnick, a Kansas City plastic surgeon, learned after patients' before-and-after photos and other PHI were found on a computer the surgeon had deposited in his curbside trash.

Robert Dickerson discovered the information and voluntarily gave the computer and its contents to KCTV. The news station then began contacting patients -- who turned to the surgeon's employer, Monarch Plastic Surgery Group, for answers.

Monarch requested and was granted a restraining order that forbids KCTV from "using, publishing, disseminating, broadcasting, distributing, or disclosing" the PHI found on the computer. But KCTV isn't giving up its fight to expose the surgeon's lax privacy and security policies.

"We either have to violate the order, we've got to [edit] the story in a way that doesn't violate it, or we have to say, 'We've got an important story to tell you that the courts won't let us yet. Stay tuned,'" the station's lawyer Bernard Rhodes told the Kansas City Star. Rhodes is taking the case to the Kansas Supreme Court for resolution.

Bottom Line: Protect both your organization's reputation and your patients' PHI by double checking that all data stored on your computer is destroyed -- before you send your hard drives to the trash pile."

Social Security has 'no tolerance' for worker fraud

An employee of the US Social Security Administration has been indicted for using information obtained on the job to commit fraud, including taking out loans in the name of someone else: Social Security has 'no tolerance' for worker fraud.

Wednesday, July 13, 2005

The Potter Injunction - It Could Have Been Worse

If you are a regular reader of Michael Geist's blog or any other form of media known to humanity, you have heard about the injunction obtained by Raincoast Books following the accidental sale of a few copies of the latest Harry Potter novel. Some, including Michael, have been very critical of the order obtained by the Canadian publisher. While I won't comment on that, Michael has posted a summary of what the publisher asked for but didn't get. The judge declined to order that anyone who got their hands on the book hand over information about anyone who may have been privy to any discussion of the embargoed book:

Michael Geist - The Potter Injunction - It Could Have Been Worse

"...There are two things to take from this additional level of detail. First, Raincoast Books sought an order that not only would curtail basic freedoms but it also targeted individual privacy by literally seeking legal authority to compel disclosure about anyone who may have learned of the contents of the book. Second, the judge that issued this order did indeed consider the consequences of the order and amazingly felt that it was appropriate to limit the freedom to read, freedom of speech, and the freedom of personal property."

Incident: Backup tapes containing sensitive health information on 57,000 stolen from Arizona HMO

From AZCentral.com:

Medical firm's files stolen

"The personal information of 57,000 Blue Cross Blue Shield of Arizona customers was stolen from a Phoenix-based managed care company.

Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, began last Friday notifying customers and providers whose information was lost in the latest theft in which financial, personal or medical records were taken.

The stolen information included policyholders' addresses, phone numbers, Social Security numbers and dates of birth. They also contained partial treatment histories for some patients and certain information about the doctors who provided that care, Biodyne spokeswoman Erin Somers said.

...

Biodyne reported to police on June 29 that a safe containing computer backup tapes was stolen from its office at 8900 N. 22nd Ave., Suite 206...."

Tuesday, July 12, 2005

Alberta Privacy Commissioner faults two companies and their law firms for handling of employee information

Hot off the presses ...

The Information and Privacy Commissioner of Alberta has just released a decision that should make business, securities and labour lawyers look more closely at the information that is made available in the course of business acquisitions and that is filed electronically in compliance with securities regulations.

In this particular decision, the Commissioner was responding to a complaint brought by an employee of the vendor company whose personal information was provided to the purchaser and was subsequently posted on SEDAR, the online repository for information about public companies. The vendor apparently provided, as a schedule to the purchase agreement, a list of employees that included home addresses and social insurance numbers. This schedule was provided to the purchaser by the vendor's counsel. The purchaser's counsel subsequently posted the agreement, including the complete schedule, on SEDAR.

Provincially regulated organizations in Alberta are subject to the Personal Information Protection Act (PIPA), which has been deemed to be "substantially similar" to PIPEDA by the federal cabinet. PIPA covers employee information, but also contains what is often called the "business transaction exception", meaning that employee consent is not required for certain disclosures of personal information that are necessary and connected to a business transaction, such as a sale of a business. In this case, the Commissioner's investigator found that the exception did not apply because employee home addresses and social insurance numbers were not necessary for the purposes of the transaction.

While the Commissioner concluded that counsel were acting as agents for their clients, both the clients and their law firms were found to be at fault. The decision contains two particularly strong statements with respect to the law firms:

"[47] We suggest generally that [vendor's counsel] and other law firms have shown a lack of attention to the impact of privacy laws on the myriad legal processes involving the collection, use and disclosure of personal information, including client information and third party information that are common in the type of work they perform on behalf of their clients. Privacy laws are complex, and have implications for their clients on many different types of transactions, including mergers and acquisitions such as in the present case. We believe that lawyers and law firms require heightened awareness and knowledge of privacy laws in order to properly recognize these implications."

The Commissioner also made strong recommendations to the firms. To the purchaser's counsel:

  • enact a privacy policy and appoint a Calgary-based Privacy Officer [though the national firm already had a Toronto-based privacy officer];
  • conduct comprehensive in-house privacy training with all lawyers and staff;
  • ensure that lawyers develop professional awareness and knowledge of privacy law by supporting participation in privacy law seminars and courses and encouraging ongoing education in this regard;
  • communicate these findings to all lawyers and staff;
  • review its processes when representing clients on business transactions where personal information may be collected, used or disclosed and address any gaps that are identified;
  • review the processes and controls employed by Stikemans when material contracts or other filings are posted on SEDAR and address any gaps that are identified.

From the Commissioner's website:

Investigation Report P2005-IR-005

Commissioner releases investigation report into improper disclosure of home addresses and SINs onto the Internet by two organizations and their law firms.


Incident: Car thief drives away with personal data

What can possibly go wrong when you get out of your car, leave the door open, leave the engine running and leave personal information about job applicants in the car while you use the bank machine? Not too hard to guess what happened next in Bellevue, Washington:

kingcountyjournal.com - Car thief drives away with personal data:

"The woman was also a Bellevue Parks Department employee, and in her car were records of Washington State Patrol background checks on some 20 people who had recently applied for jobs.

Those files, said Bellevue Police Officer Michael Chiu, contained "Social Security numbers, addresses, dates of birth, names -- you name it. Definitely a lot of sensitive personal information."..."

How much do security breaches cost?

Mark Rasch, in Security Focus, talks about the cost of security breaches and also discusses the recent class action lawsuit brought against CardSystems as a result of their breach: The Price is Right.

Monday, July 11, 2005

Feds seek authority to tap airborne broadband

Federal law enforcement in the US is seeking to extend the current Communications Assistance for Law Enforcement Act (CALEA) regime to cover broadband systems being implemented in airliners. This would require those systems to include a wiretap capability that can be activated within minutes of receiving a court order. See: Wired News: Feds Fear Air Broadband Terror.

184 Japanese financial institutions lose customer data

Japan's financial services watchdog has announced at a press conference that 184 financial institutions in that country have reported "losing" customer data. The report doesn't define "lost", but it can't be good PR: 184 financial institutions lose customer data: FSA.

Federal/provincial/territorial consultation on ID theft

Michael Geist is reporting that a federal/provincial/territorial consultation on identity theft has been launched, beginning with a background paper:

Michael Geist - Canadian Consultation Launched on Identity Theft:

"The Consumers Measures Committee, a committee comprised of federal, provincial, and territorial consumer protection representatives, has launched a public consultation on identity theft. The background paper identifies several potential legislative solutions including a requirement for organizations to notify consumers affected by a security breach; the placement of a fraud alert on a consumer's credit file; the ability for consumers to put a freeze on the sharing of their credit reports without prior notice; and a requirement for credit bureaus to take reasonable steps to authenticate persons accessing credit reports. Comments on the paper are due by September 15, 2005."

Sunday, July 10, 2005

Spy in the bank

The Guardian Unlimited's Observer is carrying a story about how a UK bank has "found a way round" the UK's privacy law so that its insurance division can use customers' banking and credit information to determine insurability. The article isn't clear about the "way round", but does give an overview of how insurers use credit information to assess whether an individual is likely to present an insurance risk:

The Observer | Cash | Spy in the bank

"The general insurance division of one of Britain's biggest banks believes it has 'found a way round' the Data Protection Act, enabling it to use customers' banking details to underwrite insurance policies.

Barclays Insurance intends to 'score' potential customers according to their banking records. The insurer says those with poor scores - perhaps because they have missed bill payments or are constantly in the red - are more likely to make claims than richer customers with good banking records. Clients with very poor scores may be charged more or not be offered cover at all, enabling the insurer to offer cheaper premiums to richer clients with better scores.

Adrian Grace, the managing director, told Cash he thinks the company will be able to start using the customers' banking information as soon as September or October.

'Affluence underwriting', as insurance credit scoring is often called, is common in the US. One American insurer, Progressive Direct, says it has found credit history 'to be predictive of future accidents, which is why we, and most insurers, use this information to help develop more accurate rates'...."