Companies

Verizon plays fast and loose with the wrong 1,200 e-mail addresses

Verizon plays fast and loose with the wrong 1,200 e-mail addresses - Via NetworkWorld.com Community:

This should be a vendor's first rule when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you're trying to impress.

How did Verizon do in that regard on Tuesday? They failed miserably ... and not just once.

David Williams, technology coordinator for a Texas school district, alerted me to the situation because he had read my recent post -- "Run-amok Verizon robo-caller torments 1,400 customers" -- which recounted the nine phone calls in 24 hours that were received at my house last month.

"I had something similar occur today," Williams writes. "In a period of three hours I received 14 e-mails promoting Verizon's 'Secure the Information. Secure the Infrastructure' webinar series, and three e-mails promoting their '2008 Data Breach Investigations Report Road Show.' "

The excessive volume of e-mail wasn't the half of it, though.  read more »

Wink Wink: RealNetworks Says Don't Copy Rented DVDs

Wink Wink: RealNetworks Says Don't Copy Rented DVDs - Via Threat Level:

While urging a federal judge not to pull the plug on its DVD-copying software, RealNetworks told a federal judge there's no harm to the movie studios because consumers are only supposed to reproduce their personal movies, not rented ones.

The argument was taking a page right out of head shops that warn consumers that the colorful glass bongs and pipes on display are for tobacco use, not "illegal substances." 

RealNetworks made the statement at the tail end of a three-hour federal court hearing Tuesday to U.S. District Judge Marilyn Hall Patel. She was hearing last-ditch arguments on why she should not bar the sale of RealNetworks' $30 DVD copying software.  read more »

World Bank Under Cyber Siege in 'Unprecedented Crisis'

World Bank Under Cyber Siege in 'Unprecedented Crisis' - Via FOXNews.com:

The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.  read more »

Piracy Statistics and the Importance of Journalistic Skepticism

Piracy Statistics and the Importance of Journalistic Skepticism - Via Freedom to Tinker:

If you've paid attention to copyright debates in recent years, you've probably seen advocates for more restrictive copyright laws claim that "counterfeiting and piracy" cost the US economy as much as $250 billion. When pressed, those who make these kinds of claims are inevitably vague about exactly where these figures come from. For example, I contacted Thomas Sydnor, the author of the paper I linked above, and he was able to point me to a 2002 press release from the FBI, which claims that "losses to counterfeiting are estimated at $200-250 billion a year in U.S. business losses."

There are a couple of things that are notable about this. In the first place, notice that the press release says counterfeiting, which is an entirely different issue from copyright infringement. Passing stronger copyright legislation in order to stop counterfeiting is a non-sequitur.

But the more serious issue is that the FBI can't actually explain how it arrived at these figures. And indeed, it appears that nobody knows who came up with these figures and how they were computed. Julian Sanchez has done some sleuthing and found that these figures have literally been floating around inside the beltway for decades. Julian contacted the FBI, which wasn't able to point to any specific source. Further investigation led him to a 1993 Forbes article:  read more »

Lessons from the Fall of NebuAd

Lessons from the Fall of NebuAd - Via Freedom to Tinker:

With three Congressional hearings held within the past four months, U.S. legislators have expressed increased concern about the handling of private online information. As Paul Ohm mentioned yesterday, the recent scrutiny has focused mainly on the ability of ISPs to intercept and analyze the online traffic of their users -- in a word, surveillance. One of the goals of surveillance for ISPs is to yield new sources of revenue; so when a Silicon Valley startup called NebuAd approached ISPs last spring with its behavioral advertising technology, many were quick to sign on. But by summer's end, the company had lost all of its ISP partners, their CEO had resigned, and they announced their intention to pursue "more traditional" advertising channels.

How did this happen and what can we learn from this episode?  read more »

Freedom Not Fear 2008

Freedom Not Fear 2008 - Via EFF.org Updates:

Freedom Not Fear is the world's ongoing demonstration against the encroachment of civil liberties by anti-terrorist laws -- particularly in the online world. This year the protests take place this Saturday, October 11th in nearly thirty countries, including the very first events in the Americas.

The origin of the campaign comes from Europeans' anger at the EU's 2006 data retention directive, a pan-European law that requires ISPs to log email and web traffic data for a minimum of six months, and often more. Terabytes of personal data on millions of innocent Europeans are now being collated, paid for by customers and taxpayers, and open for access by any criminal or civil investigation, no matter how trivial.

Freedom Not Fear has since evolved into a more general warning: showing how fundamental freedoms like privacy, freedom of expression, and democratic participation lose when reactionary surveillance systems penetrate our open networks, justified by a hyperbolic rhetoric of fear.  read more »

Government Painfully Fuzzy on the Effects of Infringement

Government Painfully Fuzzy on the Effects of Infringement - Via EFF.org Updates:

Last week, the U.S. Chamber of Commerce urged President Bush to sign the PRO-IP Act, claiming that "counterfeiting and piracy of [intellectual property] is a growing problem that costs U.S. businesses nearly $250 billion in revenue each year [and] has already caused the loss of an estimated 750,000 American jobs..." Both figures, $250 billion and 750,000 jobs, are cartoonishly large and have activated the investigatory instincts of some smart reporters. What have they found?  read more »

Average privacy policy takes 10 minutes to read, research finds

Average privacy policy takes 10 minutes to read, research finds - Via OUT-LAW.COM:

Website privacy policies take on average 10 minutes to read and sometimes run into thousands of words, researchers have found. While some are short, others would take over half an hour to read, researchers said.

Researchers Aleecia McDonald and Lorrie Faith Cranor of Carnegie Mellon University looked at online privacy policies and how long it would take to read them. While one policy they looked at was just 144 words long, they found one policy on a popular site that ran to 7,669 words, around 15 pages of text.

The average length of privacy policies used by the 75 most popular US websites is 2,500 words, the research found. Using the reading speed of 250 words per minute which is typical for those who have completed secondary education, the average policy would take 10 minutes to read.

The length of privacy policies is often cited as one reason they are so commonly ignored. "Studies show privacy policies are hard to read, read infrequently, and do not support rational decision making," said the researchers, acknowledging the fact that the policies are rarely read.  read more »

Opting In (or Out) is Hard to Do - Thoughts on implementing DPI

Opting In (or Out) is Hard to Do - Via Freedom to Tinker:

Thanks to Ed and his fellow bloggers for welcoming me to the blog. I'm thrilled to have this opportunity, because as a law professor who writes about software as a regulator of behavior (most often through the substantive lenses of information privacy, computer crime, and criminal procedure), I often need to vet my theories and test my technical understanding with computer scientists and other techies, and this will be a great place to do it.

This past summer, I wrote an article (available for download online) about ISP surveillance, arguing that recent moves by NebuAd/Charter, Phorm, AT&T, and Comcast augur a coming wave of unprecedented, invasive deep-packet inspection. I won't reargue the entire paper here (the thesis is no doubt much less surprising to the average Freedom to Tinker reader than to the average lawyer) but you can read two bloggy summaries I wrote here and here or listen to a summary I gave in a radio interview. (For summaries by others, see [1] [2] [3] [4]).

Two weeks ago, Verizon and AT&T told Congress that they would monitor for marketing purposes only users who had opted in. According to Verizon VP Tom Tauke, "[B]efore a company captures certain Internet-usage data for targeted or customized advertising purposes, it should obtain meaningful, affirmative consent from consumers."

I applaud this announcement, but I'm curious how the ISPs will implement this promise.  read more »

Judge's Top Secret Decision Blocks Sale of DVD-Copying Software

Judge's Top Secret Decision Blocks Sale of DVD-Copying Software - Via Threat Level:

A federal judge has issued a secret, interim order blocking the sale of RealNetworks' DVD-copying software, RealDVD, two sources said Monday.

In an unusual move, the judge presiding over the MPAA's federal copyright lawsuit against RealNetworks also instructed both parties not to disclose the existence of the restraining order to the public.

U.S. District Judge Marilyn Hall Patel, who previously presided over the original Napster litigation, issued the tentative decision late Friday, the sources said. As of this writing, the electronic court docket does not reflect a sealed decision in the case, although RealNetworks informed consumers on its website that, "Due to recent legal action taken by the Hollywood movie studios against us, RealDVD is temporarily unavailable."  read more »

Beyond the Bailout: Congress Passes a Flurry of 'Child Safety' Bills

Beyond the Bailout: Congress Passes a Flurry of ‘Child Safety’ Bills - Via CDT - PolicyBeta:

While the public’s attention was focused on the drama unfolding around the economic bailout, it was actually a busy time for other bills to get pushed – sometimes under the cover of the bailout darkness. Just before recess, Congress considered parts of four “child safety” bills, acted on three, and sent two to the White House. While not all the provisions in these bills raise red flags, some language gives free expression advocates plenty to worry about.

One bill awaiting a Presidential signature that confronts child pornography head on in a constructive way is S. 1738, the “PROTECT Our Children Act of 2008.” Among the important and positive steps taken in this new law are (a) a dramatic increase in funding for fighting child pornography, (b) a mandate to the Department of Justice that it develop a real strategy to fight such material, and (c) the provision of new forensic and other resources to help state law enforcement protect kids. These provisions should – if the bailout leaves any money to actually spend on law enforcement – really help in the fight against child pornography.

Congress should have stopped there; it didn’t. Some in Congress insisted that the core parts of S. 519 – the “SAFE Act” – be added to S. 1738 before passage. Among the most problematic provisions in S. 519 – which was never publicly debated by any committee – is the outsourcing of significant law enforcement investigative functions to the National Center for Missing & Exploited Children (NCMEC), which as a non-governmental entity operates outside of the core constitutional and legal protections that govern (or should govern) our criminal justice system (such as the 4th Amendment, the Privacy Act, the Freedom of Information Act, etc.). Although NCMEC makes valuable contributions in the child safety arena, the growing trend in Congress to outsource law enforcement functions to a nominally private group—without any serious oversight or procedural protections—takes us down a dangerous path.  read more »

Facial Recognition Technology Is Here, But Privacy Lags

Facial Recognition Technology Is Here, But Privacy Lags - Via CDT - PolicyBeta:

The San Francisco Chronicle recently reported on the rapid development of facial recognition technology. While the increased availability of these robust features is something to celebrate, the privacy implications loom especially large. Combined with online photo storage services and a lack of meaningful limits on government or corporate access to data, facial recognition technology raises serious privacy concerns.

Last month, Google incorporated facial recognition technology in its online photo sharing service, Picasa. The new feature spares us the tedium of hand-tagging personal photos one by one. By analyzing the facial features of the people in your photos, Picasa identifies all the people in your photos for you. No one can deny the positive social benefits of these kinds of services—dozens of digital images filling our pictures folders are begging to be organized and shared. However, policymakers need to address the power of facial recognition technology in the hands of government or corporate snoopers.

What’s to stop a zealous prosecutor from searching the state’s digital database of driver’s license photos for people under 21 whose online Flickr photos show them engaged in underage drinking? What’s to stop an employer from doing the same with a photo taken by a video camera in the lobby of the building where you went for your job interview?  read more »

Satellite Piracy, Mod Chips, and the Freedom to Tinker

Satellite Piracy, Mod Chips, and the Freedom to Tinker - Via Freedom to Tinker:

Tom Lee makes an interesting point about the satellite case I wrote about on Saturday: the problem facing EchoStar and other satellite manufacturers is strikingly similar to the challenges that have been faced for many years by video game console manufacturers. There's a grey market in "mod chips" for video game consoles. Typically, they're sold in a form that only allows them to be used for legitimate purposes. But many users purchase the mod chips and then immediately download new software that allows them to play illicit copies of copyrighted video games. It's unclear exactly how the DMCA applies in this kind of case.  read more »

China to make foreign firms reveal secret info

China to make foreign firms reveal secret info - Via DAILY YOMIURI ONLINE (The Daily Yomiuri):

The Chinese government plans to introduce a new system requiring foreign firms to disclose secret information about digital household appliances and other products starting from May, sources said Thursday.

The envisaged system is likely to target products such as IC cards, digital copiers and possibly flat-panel TVs.

If a company refuses to disclose such information, the Chinese government plans to ban the firm from exporting the product to the Chinese market, as well as bar production and sales in the country, according to the sources.

Critics worry that such a system risks seeing the intellectual property of foreign firms passed onto their Chinese competitors.  read more »

Oregon Judge Says RIAA Made 'Honest Mistake,' Allows Subpoena

Oregon Judge Says RIAA Made 'Honest Mistake,' Allows Subpoena - Via Slashdot:

NewYorkCountryLawyer writes "In Arista v. Does 1-17, the RIAA's case targeting students at the University of Oregon, the Oregon Attorney General's motion to quash the RIAA's subpoena — pending for about a year — has reached a perplexing conclusion. The Court agreed with the University that the subpoena, as worded, imposed an undue burden on the University by requiring it to produce 'sufficient information to identify alleged infringers,' which would have required the University to 'conduct an investigation,' but then allowed the RIAA to subpoena the identities of 'persons associated by dorm room occupancy or username with the 17 IP addresses listed' even though those people may be completely innocent. In his 8-page decision (PDF), the Judge also 'presumed' the RIAA lawyers' misrepresentations were an 'honest mistake,' made no reference at all to the fact, pointed out by the Attorney General, that the RIAA investigators (Safenet, formerly MediaSentry) were not licensed, rejected all of the AG's privacy arguments under both state and federal law, and rejected the AG's request for discovery into the RIAA's investigative tactics."
