Data Mining

CASCADES project: Cost-effective Outbreak Detection in Networks (Hello readers of the CMU Blog report)

CASCADES project: Cost-effective Outbreak Detection in Networks (a study by School of Computer Science, Carnegie Mellon University): "Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere?

Budget=100 blogs: If I can read 100 blogs, which should I read to be most up to date? Unit cost (each blog costs 1 unit), optimizing the information captured -- population affected (we want to be the first to know about something with many people blogging about the story after us)

Report: Data Mining Ineffective Anti-Terrorist Tool

Report: Data Mining Ineffective Anti-Terrorist Tool - Via CDT - PolicyBeta:

A new National Research Council report cautions that government data mining programs cannot effectively identify patterns of terrorist activity. Pattern-based or predictive data mining was singled out as likely to generate huge numbers of useless leads. Because of this, the authors warned, pattern-based data mining should not be used to deny a person rights and liberties. This mirrors past conclusions that CDT and others have drawn about data mining efficacy.

The Committee that drafted the October 7th report, entitled “Protecting Individual Privacy in the Struggle Against Terrorists,” recommended that all U.S. data mining programs be re-evaluated according to criteria set forth in the 376-page document. The authors – which included former Secretary of Defense William Perry – made the case that even well-managed data mining efforts are of only limited usefulness and can infringe on Americans’ privacy.

World Bank Under Cyber Siege in 'Unprecedented Crisis' ??

World Bank Under Cyber Siege in 'Unprecedented Crisis' - Via FOXNews.com:

The World Bank Group's computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.

It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.

Inside Account of U.S. Eavesdropping on Americans - Tonight on Nightline

Exclusive: Inside Account of U.S. Eavesdropping on Americans - Tonight on Nightline - Via ABC News: Nightline:

U.S. Officers' "Phone Sex" Intercepted; Senate Demanding Answers

Despite pledges by President George W. Bush and American intelligence officials to the contrary, hundreds of US citizens overseas have been eavesdropped on as they called friends and family back home, according to two former military intercept operators who worked at the giant National Security Agency (NSA) center in Fort Gordon, Georgia.

Lessons from the Fall of NebuAd

Lessons from the Fall of NebuAd - Via Freedom to Tinker:

With three Congressional hearings held within the past four months, U.S. legislators have expressed increased concern about the handling of private online information. As Paul Ohm mentioned yesterday, the recent scrutiny has focused mainly on the ability of ISPs to intercept and analyze the online traffic of their users -- in a word, surveillance. One of the goals of surveillance for ISPs is to yield new sources of revenue; so when a Silicon Valley startup called NebuAd approached ISPs last spring with its behavioral advertising technology, many were quick to sign on. But by summer's end, the company had lost all of its ISP partners, their CEO had resigned, and they announced their intention to pursue "more traditional" advertising channels.

How did this happen and what can we learn from this episode?

Freedom Not Fear 2008

Freedom Not Fear 2008 - Via EFF.org Updates:

Freedom Not Fear is the world's ongoing demonstration against the encroachment of civil liberties by anti-terrorist laws -- particularly in the online world. This year the protests take place this Saturday, October 11th in nearly thirty countries, including the very first events in the Americas.

The origin of the campaign comes from Europeans' anger at the EU's 2006 data retention directive, a pan-European law that requires ISPs to log email and web traffic data for a minimum of six months, and often more. Terabytes of personal data on millions of innocent Europeans are now being collated, paid for by customers and taxpayers, and open for access by any criminal or civil investigation, no matter how trivial.

Freedom Not Fear has since evolved into a more general warning: showing how fundamental freedoms like privacy, freedom of expression, and democratic participation lose when reactionary surveillance systems penetrate our open networks, justified by a hyperbolic rhetoric of fear.

Opting In (or Out) is Hard to Do - Thoughts on implementing DPI

Opting In (or Out) is Hard to Do - Via Freedom to Tinker:

Thanks to Ed and his fellow bloggers for welcoming me to the blog. I'm thrilled to have this opportunity, because as a law professor who writes about software as a regulator of behavior (most often through the substantive lenses of information privacy, computer crime, and criminal procedure), I often need to vet my theories and test my technical understanding with computer scientists and other techies, and this will be a great place to do it.

This past summer, I wrote an article (available for download online) about ISP surveillance, arguing that recent moves by NebuAd/Charter, Phorm, AT&T, and Comcast augur a coming wave of unprecedented, invasive deep-packet inspection. I won't reargue the entire paper here (the thesis is no doubt much less surprising to the average Freedom to Tinker reader than to the average lawyer) but you can read two bloggy summaries I wrote here and here or listen to a summary I gave in a radio interview. (For summaries by others, see [1] [2] [3] [4]).

Two weeks ago, Verizon and AT&T told Congress that they would monitor for marketing purposes only users who had opted in. According to Verizon VP Tom Tauke, "[B]efore a company captures certain Internet-usage data for targeted or customized advertising purposes, it should obtain meaningful, affirmative consent from consumers."

I applaud this announcement, but I'm curious how the ISPs will implement this promise.

Beyond the Bailout: Congress Passes a Flurry of 'Child Safety' Bills

Beyond the Bailout: Congress Passes a Flurry of ‘Child Safety’ Bills - Via CDT - PolicyBeta:

While the public’s attention was focused on the drama unfolding around the economic bailout, it was actually a busy time for other bills to get pushed – sometimes under the cover of the bailout darkness. Just before recess, Congress considered parts of four “child safety” bills, acted on three, and sent two to the White House. While not all the provisions in these bills raise red flags, some language gives free expression advocates plenty to worry about.

One bill that is awaiting a Presidential signature and confronts child pornography head on in a constructive way is S. 1738, the “PROTECT Our Children Act of 2008.” Among the important and positive steps taken in this new law are (a) a dramatic increase in funding for fighting child pornography, (b) a mandate to the Department of Justice that it develop a real strategy to fight such material, and (c) the provision of new forensic and other resources to help state law enforcement protect kids. These provisions should – if the bailout leaves any money to actually spend on law enforcement – really help in the fight against child pornography.

Congress should have stopped there; it didn’t. Some in Congress insisted that the core parts of S. 519 – the “SAFE Act” – be added to S. 1738 before passage. Among the most problematic provisions in S. 519 – which was never publicly debated by any committee – is the outsourcing of significant law enforcement investigative functions to the National Center for Missing & Exploited Children (NCMEC), which as a non-governmental entity operates outside of the core constitutional and legal protections that govern (or should govern) our criminal justice system (such as the 4th Amendment, the Privacy Act, the Freedom of Information Act, etc.). Although NCMEC makes valuable contributions in the child safety arena, the growing trend in Congress to outsource law enforcement functions to a nominally private group—without any serious oversight or procedural protections—takes us down a dangerous path.

Facial Recognition Technology Is Here, But Privacy Lags

Facial Recognition Technology Is Here, But Privacy Lags - Via CDT - PolicyBeta:

The San Francisco Chronicle recently reported on the rapid development of facial recognition technology. While the increased availability of these robust features is something to celebrate, the privacy implications loom especially large. Combined with online photo storage services and a lack of meaningful limits on government or corporate access to data, facial recognition technology raises serious privacy concerns.

Last month, Google incorporated facial recognition technology in its online photo sharing service, Picasa. The new feature spares us the tedium of hand-tagging personal photos one by one. By analyzing the facial features of the people in your photos, Picasa identifies all the people in your photos for you. No one can deny the positive social benefits of these kinds of services— dozens of digital images filling our pictures folders are begging to be organized and shared. However, policymakers need to address the power of facial recognition technology in the hands of government or corporate snoopers.

What’s to stop a zealous prosecutor from searching the state’s digital database of driver’s license photos for people under 21 whose online Flickr photos show them engaged in underage drinking? What’s to stop an employer from doing the same with a photo taken by a video camera in the lobby of the building where you went for your job interview?

Supremes Mull Whether Bad Databases Make for Illegal Searches

Supremes Mull Whether Bad Databases Make for Illegal Searches - Via Threat Level:

If a false entry in a database leads to an unconstitutional police search that reveals illegal drugs, does the government get to hold it against you?

That's the question the Supreme Court will tackle on Tuesday in a case civil liberties groups such as the Electronic Privacy Information Center argue will have broad implications in a world where we are constantly being evaluated against databases and watch lists that are riddled with frustratingly persistent errors.

"In these interlinked databases, one error can spread like a disease, infecting every system it touches and condemning the individual to whom this error refers to suffer substantial delay, harassment, and improper arrest," EPIC director Marc Rotenberg argued in a friend of the court brief (.pdf).

Not surprisingly, the government disagrees.

RFID Anti-Skimming Laws Approved

RFID Anti-Skimming Laws Approved - Via Threat Level:

California followed Washington State's footsteps this week to become the second U.S. state outlawing so-called Radio Frequency Identification Device skimming.

Skimmers can easily pilfer information from non-encrypted RFID tags that are growing commonplace. California's bill was adopted and signed by Gov. Arnold Schwarzenegger this week after a demonstration showed that personal information skimmed from entry-card badges from statehouse workers allowed hackers access to secured areas of government offices.

The legislation came a year after the hacking of the RFID-enabled Dutch passport, and the successful hacks of the Exxon Mobil key fob and the exposed VeriChip human RFID implant.

Still, California's measure (.pdf) and the one Washington State adopted in March don't mandate any RFID encryption. So the vulnerabilities of the Golden State statehouse's entry system remain.

(Read Original Article - Via Threat Level.)

On the "Anonymity" of the Facebook Dataset

On the “Anonymity” of the Facebook Dataset - Via michaelzimmer.org:

A group of researchers have released a dataset of Facebook profile information from a group of college students for research purposes, which I know a lot of people will find quite valuable. (Thanks to Fred Stutzman for bringing it to my attention.)

Here is the description from the Berkman Center’s announcement:

The dataset comprises machine-readable files of virtually all the information posted on approximately 1,700 FB profiles by an entire cohort of students at an anonymous, northeastern American university. Profiles were sampled at one-year intervals, beginning in 2006. This first wave covers first-year profiles, and three additional waves of data will be added over time, one for each year of the cohort’s college career.

No Funding for a National "REAL ID" Database?

No Funding for a National “REAL ID” Database? - Via CDT - PolicyBeta:

Congress couldn’t get its act together in time to pass a proper appropriations bill for the 2009 fiscal year. Instead, last weekend it passed a continuing resolution (CR) to fund the federal government – for homeland security purposes at least – until March.

Perhaps not surprisingly, there was an allocation of $100 million to fund REAL ID, the federal effort that puts us closer to a national ID card by standardizing driver’s licenses. CDT hopes Congress will repeal the exceedingly bad law, especially in light of the 21 states that have come out against REAL ID.

But what was surprising in the CR was the limitation placed on spending for REAL ID. The Act provides that individuals can only be licensed in one state at a time, thus states are required to share information with every other state to ensure that a driver’s license (or state ID card) applicant doesn’t already have a REAL ID card from somewhere else. Referencing this requirement, Section 547 of the CR states that [emphasis added]:

Huge System for Web Surveillance Discovered in China

Huge System for Web Surveillance Discovered in China - Via NYTimes.com:

SAN FRANCISCO — A group of Canadian human-rights activists and computer security researchers has discovered a huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words.

The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service.

The discovery draws more attention to the Chinese government’s Internet monitoring and filtering efforts, which created controversy this summer during the Beijing Olympics. Researchers in China have estimated that 30,000 or more “Internet police” monitor online traffic, Web sites and blogs for political and other offending content in what is called the Golden Shield Project or the Great Firewall of China.

The activists, who are based at Citizen Lab, a research group that focuses on politics and the Internet at the University of Toronto, discovered the surveillance operation last month. They said a cluster of eight message-logging computers in China contained more than a million censored messages. They examined the text messages and reconstructed a list of restricted words.

Chinese Skype Software Secretly Logs Political Chat Messages

Chinese Skype Software Secretly Logs Political Chat Messages - Via Threat Level:

Editor: Interesting graphic removed. Go to original site for that [...]

A Chinese-language version of Skype scans users' chat messages for keywords such as "democracy," and sends a copy of the offending message to the company's servers, according to a report released Thursday by a Canadian online human rights group.

That's despite adamant claims by the eBay-owned company that its software offers encrypted, safe communication.

Nart Villeneuve of the University of Toronto's Citizen Lab found that a Chinese version of the popular chat and internet phone-call software sent the full text of millions of messages with 'sensitive' keywords to servers controlled by Skype's Chinese partner TOM Online.

Captured messages discuss sensitive topics such as Taiwanese independence, tainted milk and the banned Falun Gong group.