CASCADES project: Cost-effective Outbreak Detection in Networks (Hello readers of the CMU Blog report)

CASCADES project: Cost-effective Outbreak Detection in Networks (a study by School of Computer Science, Carnegie Mellon University): "Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere?

Budget=100 blogs: If I can read 100 blogs, which should I read to be most up to date? Unit cost (each blog costs 1 unit), optimizing the information captured -- population affected (we want to be the first to know about something with many people blogging about the story after us)  read more »

Verizon plays fast and loose with the wrong 1,200 e-mail addresses

Verizon plays fast and loose with the wrong 1,200 e-mail addresses - Via NetworkWorld.com Community:

This should be a vendor's first rule when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you're trying to impress.

How did Verizon do in that regard on Tuesday? They failed miserably ... and not just once.

David Williams, technology coordinator for a Texas school district, alerted me to the situation because he had read my recent post -- "Run-amok Verizon robo-caller torments 1,400 customers" -- which recounted the nine phone calls in 24 hours that were received at my house last month.

"I had something similar occur today," Williams writes. "In a period of three hours I received 14 e-mails promoting Verizon's 'Secure the Information. Secure the Infrastructure' webinar series, and three e-mails promoting their '2008 Data Breach Investigations Report Road Show.' "

The excessive volume of e-mail wasn't the half of it, though.  read more »

Lessons from the Fall of NebuAd

Lessons from the Fall of NebuAd - Via Freedom to Tinker:

With three Congressional hearings held within the past four months, U.S. legislators have expressed increased concern about the handling of private online information. As Paul Ohm mentioned yesterday, the recent scrutiny has focused mainly on the ability of ISPs to intercept and analyze the online traffic of their users -- in a word, surveillance. One of the goals of surveillance for ISPs is to yield new sources of revenue; so when a Silicon Valley startup called NebuAd approached ISPs last spring with its behavioral advertising technology, many were quick to sign on. But by summer's end, the company had lost all of its ISP partners, their CEO had resigned, and they announced their intention to pursue "more traditional" advertising channels.

How did this happen and what can we learn from this episode?  read more »

Maryland Cops Put 53 Non-Violent Activists on Terrorist List

Maryland Cops Put 53 Non-Violent Activists on Terrorist List - Via Threat Level:

Maryland State police placed the names of 53 left-leaning political activists into federal and state databases, labeling them as terrorists, the state's police chief admitted Tuesday.

Evidence that the state police had been infiltrating anti-war and anti-death penalty groups first came to light in July following a government sunshine lawsuit filed by the ACLU on behalf of a prominent peace activist named Max Obuszewski.

Police added Obuszewski and others to a federal database called the Washington-Baltimore High Intensity Drug Trafficking Area database. The nation's main terrorist watch list is built from nominations from federal databases, but Maryland's current police superintendent told Maryland lawmakers that he didn't think the activists made their way onto that list, according to the Washington Post.

The Maryland spying on peace groups took place in 2005 and 2006, under the leadership of then-police superintendent Thomas Hutchins.

Hutchins defended the spying and the use of undercover informants in anti-war planning meetings, the Post reported.  read more »

Opting In (or Out) is Hard to Do - Thoughts on implementing DPI

Opting In (or Out) is Hard to Do - Via Freedom to Tinker:

Thanks to Ed and his fellow bloggers for welcoming me to the blog. I'm thrilled to have this opportunity, because as a law professor who writes about software as a regulator of behavior (most often through the substantive lenses of information privacy, computer crime, and criminal procedure), I often need to vet my theories and test my technical understanding with computer scientists and other techies, and this will be a great place to do it.

This past summer, I wrote an article (available for download online) about ISP surveillance, arguing that recent moves by NebuAd/Charter, Phorm, AT&T, and Comcast augur a coming wave of unprecedented, invasive deep-packet inspection. I won't reargue the entire paper here (the thesis is no doubt much less surprising to the average Freedom to Tinker reader than to the average lawyer) but you can read two bloggy summaries I wrote here and here or listen to a summary I gave in a radio interview. (For summaries by others, see [1] [2] [3] [4]).

Two weeks ago, Verizon and AT&T told Congress that they would monitor for marketing purposes only users who had opted in. According to Verizon VP Tom Tauke, "[B]efore a company captures certain Internet-usage data for targeted or customized advertising purposes, it should obtain meaningful, affirmative consent from consumers."

I applaud this announcement, but I'm curious how the ISPs will implement this promise.  read more »

Facial Recognition Technology Is Here, But Privacy Lags

Facial Recognition Technology Is Here, But Privacy Lags - Via CDT - PolicyBeta:

The San Francisco Chronicle recently reported on the rapid development of facial recognition technology. While the increased availability of these robust features is something to celebrate, the privacy implications loom especially large. Combined with online photo storage services and a lack of meaningful limits on government or corporate access to data, facial recognition technology raises serious privacy concerns.

Last month, Google incorporated facial recognition technology in its online photo sharing service, Picasa. The new feature spares us the tedium of hand-tagging personal photos one by one. By analyzing the facial features of the people in your photos, Picasa identifies all the people in your photos for you. No one can deny the positive social benefits of these kinds of services— dozens of digital images filling our pictures folders are begging to be organized and shared. However, policymakers need to address the power of facial recognition technology in the hands of government or corporate snoopers.

What’s to stop a zealous prosecutor from searching the state’s digital database of driver’s license photos for people under 21 whose online Flickr photos show them engaged in underage drinking? What’s to stop an employer from doing the same with a photo taken by a video camera in the lobby of the building where you went for your job interview?  read more »

Satellite Piracy, Mod Chips, and the Freedom to Tinker

Satellite Piracy, Mod Chips, and the Freedom to Tinker - Via Freedom to Tinker:

Tom Lee makes an interesting point about the satellite case I wrote about on Saturday: the problem facing EchoStar and other satellite manufacturers is strikingly similar to the challenges that have been faced for many years by video game console manufacturers. There's a grey market in "mod chips" for video game consoles. Typically, they're sold in a form that only allows them to be used for legitimate purposes. But many users purchase the mod chips and then immediately download new software that allows them to play illicit copies of copyrighted video games. It's unclear exactly how the DMCA applies in this kind of case.  read more »

Supremes Mull Whether Bad Databases Make for Illegal Searches

Supremes Mull Whether Bad Databases Make for Illegal Searches - Via Threat Level:

If a false entry in a database leads to an unconstitutional police search that reveals illegal drugs, does the government get to hold it against you?

That's the question the Supreme Court will tackle on Tuesday in a case civil liberties groups such as the Electronic Privacy Information Center argue will have broad implications in a world where we are constantly being evaluated against databases and watch lists that are riddled with frustratingly persistent errors.

"In these interlinked databases, one error can spread like a disease, infecting every system it touches and condemning the individual to whom this error refers to suffer substantial delay, harassment, and improper arrest," EPIC director Marc Rotenberg argued in a friend of the court brief (.pdf).

Not surprisingly, the government disagrees.  read more »

Gov't Database Errors Leading To Unconstitutional Searches?

Gov't Database Errors Leading To Unconstitutional Searches? - Via Slashdot:

Wired is running a story about a case the Supreme Court will be hearing on Tuesday that relates to searches based on erroneous information in government databases. In the case of Herring vs. US 07-513, the defendant was followed and pulled over based on records indicating he had a warrant out for his arrest. Upon further review, the local county clerk found the records were in error, and the warrant notification should have been removed months prior. Unfortunately for Herring, he had already been arrested and his car searched. Police found a small amount of drugs and a firearm, for which Herring was subsequently prosecuted. Several friend-of-the-court briefs have been filed to argue this case, some calling for "an accuracy obligation on law enforcement agents [PDF] who rely on criminal justice information systems," and others defending such searches as good-faith exceptions [PDF].

(Read Original Article - Via Slashdot.)

Oregon Judge Says RIAA Made 'Honest Mistake,' Allows Subpoena

Oregon Judge Says RIAA Made 'Honest Mistake,' Allows Subpoena - Via Slashdot:

NewYorkCountryLawyer writes "In Arista v. Does 1-17, the RIAA's case targeting students at the University of Oregon, the Oregon Attorney General's motion to quash the RIAA's subpoena — pending for about a year — has reached a perplexing conclusion. The Court agreed with the University that the subpoena, as worded, imposed an undue burden on the University by requiring it to produce 'sufficient information to identify alleged infringers,' which would have required the University to 'conduct an investigation,' but then allowed the RIAA to subpoena the identities of 'persons associated by dorm room occupancy or username with the 17 IP addresses listed' even though those people may be completely innocent. In his 8-page decision (PDF), the Judge also 'presumed' the RIAA lawyers' misrepresentations were an 'honest mistake,' made no reference at all to the fact, pointed out by the Attorney General, that the RIAA investigators (Safenet, formerly MediaSentry) were not licensed, rejected all of the AG's privacy arguments under both state and federal law, and rejected the AG's request for discovery into the RIAA's investigative tactics."

(Read Original Article - Via Slashdot.)

RFID Anti-Skimming Laws Approved

RFID Anti-Skimming Laws Approved - Via Threat Level:

California followed Washington State's footsteps this week to become the second U.S. state outlawing so-called Radio Frequency Identification Device skimming.

Skimmers can easily pilfer information from non-encrypted RFID tags that are growing commonplace. California's bill was adopted and signed by Gov. Arnold Schwarzenegger this week after a demonstration showed that personal information skimmed from entry-card badges from statehouse workers allowed hackers access to secured areas of government offices.

The legislation came a year after the hacking of the RFID-enabled Dutch passport, and the successful hacks of the Exxon Mobil key fob and the exposed VeriChip human RFID implant.

Still, California's measure (.pdf) and the one Washington State adopted in March don't mandate any RFID encryption. So the vulnerabilities of the Golden State statehouse's entry system remain.

(Read Original Article - Via Threat Level.)

California Governor Signs Off On New Protections for Free Speech

California Governor Signs Off On New Protections for Free Speech - Via EFF.org Updates:

California Governor Arnold Schwarzenegger yesterday signed Assembly Bill 2433 and filled a significant gap in protection for anonymous speech online. Authored by Assemblymember Paul Krekorian and co-sponsored by EFF, the California Anti-SLAPP Project and the California Newspaper Publishers Association, the new law allows speakers who successfully oppose the use of bogus out-of-state litigation to obtain their identities to recover attorneys' fees. Assemblymembers Sally Lieber and Anthony Portantino co-authored the bill.

One of the most pernicious threats to anonymity is the filing of trumped-up lawsuits as an excuse to force ISPs to reveal speakers’ identities. Once such a lawsuit is filed, speakers who want to protect their anonymity must find a way to pay a lawyer to go to court and prevent disclosure of their personal information. That can be a real hardship—in fact, even the threat of having to go to court may discourage many people from speaking out in the first place.  read more »

On the "Anonymity" of the Facebook Dataset

On the “Anonymity” of the Facebook Dataset - Via michaelzimmer.org:

A group of researchers have released a dataset of Facebook profile information from a group of college students for research purposes, which I know a lot of people will find quite valuable. (Thanks to Fred Stutzman for bringing it to my attention.)

Here is the description from the Berkman Center’s announcement:

The dataset comprises machine-readable files of virtually all the information posted on approximately 1,700 FB profiles by an entire cohort of students at an anonymous, northeastern American university. Profiles were sampled at one-year intervals, beginning in 2006. This first wave covers first-year profiles, and three additional waves of data will be added over time, one for each year of the cohort’s college career.  read more »

No Funding for a National "REAL ID" Database?

No Funding for a National “REAL ID” Database? - Via CDT - PolicyBeta:

Congress couldn’t get its act together in time to pass a proper appropriations bill for the 2009 fiscal year. Instead, last weekend it passed a continuing resolution (CR) to fund the federal government – for homeland security purposes at least – until March.

Perhaps not surprisingly, there was an allocation of $100 million to fund REAL ID, the federal effort that puts us closer to a national ID card by standardizing driver’s licenses. CDT hopes Congress will repeal the exceedingly bad law, especially in light of the 21 states that have come out against REAL ID.

But what was surprising in the CR was the limitation placed on spending for REAL ID. The Act provides that individuals can only be licensed in one state at a time, thus states are required to share information with every other state to ensure that a driver’s license (or state ID card) applicant doesn’t already have a REAL ID card from somewhere else. Referencing this requirement, Section 547 of the CR states that [emphasis added]:  read more »

Commissioner Cavoukian outlines what will need to be done to protect privacy in the 21st century

Commissioner Cavoukian outlines what will need to be done to protect privacy in the 21st century - Via CNW Group | OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO:

TORONTO, Sept. 26 /CNW/ - Ontario Information and Privacy Commissioner Ann Cavoukian is unveiling a key white paper outlining what will need to be done to protect privacy in the future, at a special presentation at the University of Waterloo, on Monday, September 29, 2008.

"As a regulator, I have been called many things during my tenure," said the Commissioner, "but rarely have I been called a dreamer. But that is precisely the practice one must engage in if privacy is to not only survive, but thrive, well into the future. But dreaming is not enough. As a pragmatist, I must embed that dream into reality. One way of doing so is seeking to embed privacy into the design and architecture of all technologies, so that it may live well into the future. So you might call me a radical pragmatist, because I dream BIG - in technicolour; there is no black and white anymore."  read more »