Privacy Digest

Verizon plays fast and loose with the wrong 1,200 e-mail addresses - Via NetworkWorld.com Community:

This should be a vendor's first rule when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you're trying to impress.

How did Verizon do in that regard on Tuesday? They failed miserably ... and not just once.

David Williams, technology coordinator for a Texas school district, alerted me to the situation because he had read my recent post -- "Run-amok Verizon robo-caller torments 1,400 customers" -- which recounted the nine phone calls in 24 hours that were received at my house last month.

"I had something similar occur today," Williams writes. "In a period of three hours I received 14 e-mails promoting Verizon's 'Secure the Information. Secure the Infrastructure' webinar series, and three e-mails promoting their '2008 Data Breach Investigations Report Road Show.' "

The excessive volume of e-mail wasn't the half of it, though.  read more »

Lessons from the Fall of NebuAd - Via Freedom to Tinker:

With three Congressional hearings held within the past four months, U.S. legislators have expressed increased concern about the handling of private online information. As Paul Ohm mentioned yesterday, the recent scrutiny has focused mainly on the ability of ISPs to intercept and analyze the online traffic of its users-- in a word, surveillance. One of the goals of surveillance for ISPs is to yield new sources of revenue; so when a Silicon Valley startup called NebuAd approached ISPs last spring with its behavioral advertising technology, many were quick to sign on. But by summer's end, the company had lost all of its ISP partners, their CEO had resigned, and they announced their intention to pursue "more traditional" advertising channels.

How did this happen and what can we learn from this episode?  read more »

Opting In (or Out) is Hard to Do - Via Freedom to Tinker:

Thanks to Ed and his fellow bloggers for welcoming me to the blog. I'm thrilled to have this opportunity, because as a law professor who writes about software as a regulator of behavior (most often through the substantive lenses of information privacy, computer crime, and criminal procedure), I often need to vet my theories and test my technical understanding with computer scientists and other techies, and this will be a great place to do it.

This past summer, I wrote an article (available for download online) about ISP surveillance, arguing that recent moves by NebuAd/Charter, Phorm, AT&T, and Comcast augur a coming wave of unprecedented, invasive deep-packet inspection. I won't reargue the entire paper here (the thesis is no doubt much less surprising to the average Freedom to Tinker reader than to the average lawyer) but you can read two bloggy summaries I wrote here and here or listen to a summary I gave in a radio interview. (For summaries by others, see [1] [2] [3] [4]).

Two weeks ago, Verizon and AT&T told Congress that they would monitor for marketing purposes only users who had opted in. According to Verizon VP Tom Tauke, "[B]efore a company captures certain Internet-usage data for targeted or customized advertising purposes, it should obtain meaningful, affirmative consent from consumers."

I applaud this announcement, but I'm curious how the ISPs will implement this promise.  read more »

Oregon Judge Says RIAA Made 'Honest Mistake,' Allows Subpoena - Via Slashdot :

NewYorkCountryLawyer writes "In Arista v. Does 1-17, the RIAA's case targeting students at the University of Oregon, the Oregon Attorney General's motion to quash the RIAA's subpoena — pending for about a year — has reached a perplexing conclusion. The Court agreed with the University that the subpoena, as worded, imposed an undue burden on the University by requiring it to produce 'sufficient information to identify alleged infringers,' which would have required the University to 'conduct an investigation,' but then allowed the RIAA to subpoena the identities of 'persons associated by dorm room occupancy or username with the 17 IP addresses listed' even though those people may be completely innocent. In his 8-page decision (PDF), the Judge also 'presumed' the RIAA lawyers' misrepresentations were an 'honest mistake,' made no reference at all to the fact, pointed out by the Attorney General, that the RIAA investigators (Safenet, formerly MediaSentry) were not licensed, rejected all of the AG's privacy arguments under both state and federal law, and rejected the AG's request for discovery into the RIAA's investigative tactics."

(Read Original Article - Via Slashdot .)

RFID Anti-Skimming Laws Approved - Via Threat Level:

California followed Washington State's footsteps this week to become the second U.S. state outlawing so-called Radio Frequency Identification Device skimming.

Skimmers can easily pilfer information from non-encrypted RFID tags that are growing commonplace. California's bill was adopted and signed by Gov. Arnold Schwarzenegger this week after a demonstration showed that personal information skimmed from entry-card badges from statehouse workers allowed hackers access to secured areas of government offices.

The legislation came a year after the hacking of the  RFID-enabled Dutch passport, and the successful hacks of the Exxon Mobile key fob and the exposed VeriChip human RFID implant

Still, California's measure (.pdf) and the one Washington State adopted in March, don't mandate any RFID encryption. So the vulnerabilities of the Golden State statehouse's entry system remains.

(Read Original Article - Via Threat Level.)

California Governor Signs Off On New Protections for Free Speech - Via EFF.org Updates:

California Governor Arnold Schwarzenegger yesterday signed Assembly Bill 2433 and filled a significant gap in protection for anonymous speech online. Authored by Assemblymember Paul Krekorian and co-sponsored by EFF, the California Anti-SLAPP Project and the California Newspaper Publishers Association, the new law allows speakers who successfully oppose the use of bogus out-of-state litigation to obtain their identities to recover attorneys' fees. Assemblymembers Sally Lieber and Anthony Portantino co-authored the bill.

One of the most pernicious threats to anonymity is the filing of trumped-up lawsuits as an excuse to force ISPs to reveal speakers’ identities. Once such a lawsuit is filed, speakers who want to protect their anonymity must find a way to pay a lawyer to go to court and prevent disclosure of their personal information. That can be a real hardship—in fact, even the threat of having to go to court may discourage many people from speaking out in the first place.  read more »

On the “Anonymity” of the Facebook Dataset - Via michaelzimmer.org :

A group of researchers have released a dataset of Facebook profile information from a group of college students for research purposes, which I know a lot of people will find quite valuable. (Thanks to Fred Stutzman for bringing it to my attention.)

Here is the description from the Berkman Center’s announcement:

The dataset comprises machine-readable files of virtually all the information posted on approximately 1,700 FB profiles by an entire cohort of students at an anonymous, northeastern American university. Profiles were sampled at one-year intervals, beginning in 2006. This first wave covers first-year profiles, and three additional waves of data will be added over time, one for each year of the cohort’s college career.  read more »

Bookmark/Search this post with:

• Delicious
• Digg
• Reddit
• Google
• Yahoo
• Technorati

Court Protects Privacy of Satellite Receiver Owners - Via EFF.org Updates:

Last month, EFF filed an amicus brief in Echostar v. Freetech, where Echostar sought the identities of every consumer who purchased a Freetech "CoolSat" free-to-air (FTA) satellite receiver during the past five years. EFF argued that this demand, issued in discovery in a lawsuit between Echostar and Freetech, represented an unwarranted intrusion into the privacy of individual consumers. Today, the court agreed, issuing an order blocking Echostar's subpoenas.

The ruling potentially sets an important precedent, as it represents the first time a federal court has explicitly rejected a third-party subpoena on the basis of the privacy interests of nonparty consumers.  read more »

BT to kick off fresh Phorm trial - Via BBC NEWS | Technology :

Telecoms giant BT is about to start further trials of a controversial internet advertising technology.

Developed by Phorm, the Webwise system watches what people do online and shows adverts tuned to their interests.

From 30 September, a sample of BT's customers will be invited to "opt in" to a trial of the technology.

Early trials ran without the consent of customers which led to complaints from rights groups who said this broke laws governing the interception of data.  read more »

Privacy concerns on speed cameras - Via Australian IT:

CRIMTRAC's planned automatic number plate recognition (ANPR) system could become a mass surveillance system, taking as many as 70 million photos of cars and drivers every day across a vast network of roadside cameras.

State and federal police forces want full-frontal images of vehicles, including the driver and front passenger, that are clear enough for identification purposes and usable as evidence in court.

"All vehicles passing through a fixed or mobile ANPR camera will have the data recorded and available for interrogation," CrimTrac told the Queensland TravelSafe inquiry into the use of ANPR for road safety.

"Existing camera applications, such as Safe-T-Cam, red light and speed cameras could be upgraded where necessary to provide constant live streaming to a central database.  read more »

YouTube Anti-Scientology Takedowns: Good News, Bad News - Via EFF.org Updates:

Now that the dust has settled on the anti-Scientology video takedown controversy, it's time to take stock. For those of you who missed this one: on September 4th and 5th, hundreds and possibly thousands of videos critical of the Church of Scientology were taken down as a result of DMCA notices reportedly sent by by American Rights Counsel, Dr. Oliver Schaper, the Schaper Company, Media House Enterprises, and ContentFactory America. It rapidly became clear that these entities did not hold the copyrights to the materials they claimed to be infringed, including footage from a Clearwater City Commission meeting and a man-on-the-street interview. In addition, many of these videos were obvious fair uses, such as independent news reports.

Here’s the good news: YouTube quickly realized something was fishy, and began investigating. Within days, YouTube suspended the accounts that had sent out the allegedly fraudulent DMCA takedown notices, reinstated the accounts that had been suspended for multiple allegations of copyright infringement, and put most of the videos back up on YouTube, all without waiting to receive DMCA counter-notices from YouTube users who had had their videos taken down.  read more »

What to Keep an Ear Out For at the Next Behavioral Advertising Hearing - Via CDT - PolicyBeta:

The Senate Commerce Committee has a hearing scheduled on Thursday to hear from ISPs about their plans for implementing behavioral advertising. CDT has been in discussions with many of these companies and believe that some have begun to make a commitment to getting policies and practices right and push others in the online industries to do the same, as they make decisions whether or not to go forward with behavioral targeting plans. Decoding congressional testimony is something of an art form; here’s what we’ll be listening for: words and phrases like “meaningful and affirmative consent,” “transparency,” and “user control.” If you check the box next to each of those you’ll know that things are on the right track, which will be a welcome change from the rhetoric we heard from the CEO of NebuAd during the last Senate hearing on behavioral advertising.  read more »

Mukasey Denies 'Dragnet' Surveillance While Demanding Telecom Spying Immunity - Via Threat Level:

U.S. Attorney General Michael Mukasey on Saturday denied that the Bush administration -- in conjunction with the nation's telecommunication companies -- devised a "dragnet" electronic surveillance program that funneled Americans' communications to the National Security Agency without court warrants.

But the attorney general also insisted that telecom companies can not prove there was no dragnet without harming national security.

"Specific information demonstrating that the alleged dragnet has not occurred cannot be disclosed on the public record without causing exceptional harm to national security," Mukasey wrote in a federal court filing in San Francisco. "However, because there was no such alleged content-dragnet, no provider participated in that alleged activity."

It was the first time Mukasey, as the nation's top law enforcement official, or the government provided an emphatic and wholesale denial of allegations contained in lawsuits accusing the Bush administration of wholesale domestic spying in the years following the 2001 terror attacks.  read more »

CDT Policy Post: Closer Look at ISP-Ad Network Partnerships - Via Center for Democracy and Technology:

CDT issued a policy post today that takes a closer look at the privacy concerns raised by the ISP-ad network partnership model within the online behavioral advertising field. Behavioral advertising involves the compilation of detailed information about an Internet user’s online activities. That data, when collected, can be turned into detailed consumer profiles including articles read, web sites visited, and items purchased. Today's policy post says the ISP-ad network model may violate federal law if it deployed without express consent of subscribers. CDT notes that Congress is taking a closer look at the practice and that online consumer privacy law may be introduced to address concerns.

(Read Original Article - Via Center for Democracy and Technology.)

Photo Ticket Cameras to Track Drivers Nationwide - Via theNewspaper.com: A journal of the politics of driving :

Vendors plan to add spy technology to existing red light camera and speed camera installations.

Monitoring centerPrivate companies in the US are hoping to use red light cameras and speed cameras as the basis for a nationwide surveillance network similar to one that will be active next year in the UK. Redflex and American Traffic Solutions (ATS), the top two photo enforcement providers in the US, are quietly shopping new motorist tracking options to prospective state and local government clients. Redflex explained the company's latest developments in an August 7 meeting with Homestead, Florida officials.

"We are moving into areas such as homeland security on a national level and on a local level," Redflex regional director Cherif Elsadek said. "Optical character recognition is our next roll out which will be coming out in a few months -- probably about five months or so."

The technology would be integrated with the Australian company's existing red light camera and speed camera systems. It allows officials to keep full video records of passing motorists and their passengers, limited only by available hard drive space and the types of cameras installed. To gain public acceptance, the surveillance program is being initially sold as an aid for police looking to solve Amber Alert cases and locate stolen cars.  read more »