Academia

CASCADES project: Cost-effective Outbreak Detection in Networks (Hello readers of the CMU Blog report)

CASCADES project: Cost-effective Outbreak Detection in Networks (a study by School of Computer Science, Carnegie Mellon University): "Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere?

Budget=100 blogs: If I can read 100 blogs, which should I read to be most up to date? Unit cost (each blog costs 1 unit), optimizing the information captured -- population affected (we want to be the first to know about something with many people blogging about the story after us)

Average privacy policy takes 10 minutes to read, research finds

Average privacy policy takes 10 minutes to read, research finds - Via OUT-LAW.COM:

Website privacy policies take on average 10 minutes to read and sometimes run into thousands of words, researchers have found. While some are short, others would take over half an hour to read, researchers said.

Researchers Aleecia McDonald and Lorrie Faith Cranor of Carnegie Mellon University looked at online privacy policies and how long it would take to read them. While one policy they looked at was just 144 words long, they found one policy on a popular site that ran to 7,669 words, around 15 pages of text.

The average length of privacy policies used by the 75 most popular US websites is 2,500 words, the research found. Using the reading speed of 250 words per minute which is typical for those who have completed secondary education, the average policy would take 10 minutes to read.

The length of privacy policies is often cited as one reason they are so commonly ignored. "Studies show privacy policies are hard to read, read infrequently, and do not support rational decision making," said the researchers, acknowledging the fact that the policies are rarely read.

Judge Suppresses Report on Voting Machine Security

Judge Suppresses Report on Voting Machine Security - Via Freedom to Tinker:

A judge of the New Jersey Superior Court has prohibited the scheduled release of a report on the security and accuracy of the Sequoia AVC Advantage voting machine. Last June, Judge Linda Feinberg ordered Sequoia Voting Systems to turn over its source code to me (serving as an expert witness, assisted by a team of computer scientists) for a thorough examination. At that time she also ordered that we could publish our report 30 days after delivering it to the Court--which should have been today.

Three weeks after we delivered the report, on September 24th Judge Feinberg ordered us not to release it. This is part of a lawsuit filed by the Rutgers Constitutional Litigation Clinic, seeking to decommission all of New Jersey's voting computers. New Jersey mostly uses Sequoia AVC Advantage direct-recording electronic (DRE) models. None of those DREs can be audited: they do not produce a voter verified paper ballot that permits each voter to create a durable paper record of her electoral choices before casting her ballot electronically on a DRE. The legal basis for the lawsuit is quite simple: because there is no way to know whether the DRE voting computer is actually counting votes as cast, there is no proof that the voting computers comply with the constitution or with statutory law that requires that all votes be counted as cast.

On the "Anonymity" of the Facebook Dataset

On the “Anonymity” of the Facebook Dataset - Via michaelzimmer.org:

A group of researchers have released a dataset of Facebook profile information from a group of college students for research purposes, which I know a lot of people will find quite valuable. (Thanks to Fred Stutzman for bringing it to my attention.)

Here is the description from the Berkman Center’s announcement:

The dataset comprises machine-readable files of virtually all the information posted on approximately 1,700 FB profiles by an entire cohort of students at an anonymous, northeastern American university. Profiles were sampled at one-year intervals, beginning in 2006. This first wave covers first-year profiles, and three additional waves of data will be added over time, one for each year of the cohort’s college career.

Personal Information Of 23,000 Ivy Tech Students Sent Out Over E-Mail

Personal Information Of 23,000 Ivy Tech Students Sent Out Over E-Mail - Via Indiana News Story - WRTV Indianapolis:

INDIANAPOLIS -- The personal information of about 23,000 Ivy Tech students was accidentally sent out in an e-mail to 1,400 people, according to a letter from the school.

In the letter Ivy Tech Indianapolis Vice President of Administration William Morris writes that the e-mail was sent during the last week of July.

He said an employee intended to e-mail the list -- which included the names, addresses and Social Security numbers of students who were enrolled in distance-education courses -- to a colleague. Instead, the file drop was sent to an e-mail group that included about 1,400 current and former Ivy Tech Indianapolis employees, including some current and former student employees.

ISPs Will All Spy on Their Customers, Professor Warns

ISPs Will All Spy on Their Customers, Professor Warns - Via Threat Level:

If there's a candidate for the worst future violator of your privacy, look no further than the company you pay for broadband.

So says University of Colorado law professor and former federal prosecutor Paul Ohm, who argues in a new article that ISPs have the means, motive and opportunity to kill your online privacy.

Nothing in society poses as grave a threat to privacy as the Internet Service Provider (ISP). ISPs carry their users’ conversations, secrets, relationships, acts, and omissions. Until the very recent past, they had left most of these alone because they had lacked the tools to spy invasively, but with recent advances in eavesdropping technology, they can now spy on people in unprecedented ways. Meanwhile, advertisers and copyright owners have been tempting them to put their users’ secrets up for sale, and judging from a recent flurry of reports, ISPs are giving in to the temptation and experimenting with new forms of spying. This is only the leading edge of a coming storm of unprecedented and invasive ISP surveillance.

But is that true?

Ohm argues technological and economic forces virtually guarantee that ISPs will begin finding ways to make money by monitoring, categorizing and even storing everything their users do on their networks.

Those are indisputable facts.

Come Join Us (Princeton's Center for Information Technology Policy) Next Spring

Come Join Us Next Spring - Via Freedom to Tinker:

It’s been an exciting summer here at the Center for Information Technology Policy. On Friday, we’ll be moving into a brand new building. We’ll be roughly doubling our level of campus activity—lectures, symposia and other events—from last year. You’ll also see some changes to our online activities, including a new, expanded Freedom to Tinker that will be hosted by the Center and will feature an expanded roster of contributors.

One of our key goals is to recruit visiting scholars who can enrich, and benefit from, our community. We’ve already lined up several visitors for the coming year, and will welcome them soon. But we also have space for several more. With the generous support of Princeton’s Woodrow Wilson School and School of Engineering and Applied Sciences, we are able to offer limited support for visitors to join us on a semester basis in spring 2009. The announcement, available here, reads as follows:

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome - Via Wired News: Security Blanket:

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

The U.S. court has since seen the error of its ways -- but the damage is done. The MIT security researchers who were prepared to discuss their Boston findings at the DefCon security conference were prevented from giving their talk.

Open-Source College Textbooks Gaining Mindshare

Open-Source College Textbooks Gaining Mindshare - Via Slashdot:

bcrowell writes "The LA Times has a front-page article about how open-source college textbooks are starting to gain traction. One author says, 'I couldn't continue assigning idiotic books that are starting to break $200,' and describes attempts by commercial publishers to bribe faculty to use their books. The Cal State system has started a Digital Marketplace to help faculty find out about their options for free and non-free digital textbooks, and the student group PIRG has collected 1200 faculty signatures on a statement of support for open textbooks."


Judge Lifts Unconstitutional Gag Order Against MIT Students

Judge Lifts Unconstitutional Gag Order Against MIT Students - Via EFF.org Updates:

Boston - Today, a federal judge lifted an unconstitutional gag order that had prevented three Massachusetts Institute of Technology (MIT) students from disclosing academic research regarding vulnerabilities in Boston's transit fare payment system. The court found that the Massachusetts Bay Transportation Agency (MBTA) had no likelihood of success on the merits of its claim under the federal computer intrusion law and denied the transit agency's request for a five-month injunction. In papers filed yesterday, the MBTA acknowledged for the first time that their Charlie Ticket system had vulnerabilities and estimated that it would take five months to fix.

Tuesday's ruling lifts the restriction preventing the student researchers from talking about their findings regarding the security vulnerabilities of Boston's Charlie Card and Charlie Ticket -- a project that earned them an "A" from renowned computer scientist and MIT professor Dr. Ron Rivest. The Electronic Frontier Foundation (EFF) represents the students as part of its Coders' Rights Project.

Victory for MIT Students in MBTA Lawsuit Hearing :-)

Victory for MIT Students in MBTA Lawsuit Hearing - Via EFF.org Updates:

Today, Judge George O'Toole lifted the gag order on three MIT students who were sued by the Massachusetts Bay Transportation Authority for discovering a security vulnerability in the MBTA's fare payment system. The Court found that the MBTA was not likely to prevail on the merits of its claim under the federal Computer Fraud and Abuse Act. MBTA had argued that the CFAA, which prohibits the transmission of a program that causes damage to a computer, also covers "verbal transmission," such as talking to people at conferences. Judge O'Toole, however, looked closely at the statute, and held that the CFAA does not apply to security researchers like the students talking to people. More details to follow.


MIT Coders' Free Speech At Stake

MIT Coders' Free Speech At Stake - Via EFF.org Updates:

As regular Deeplinks readers know, EFF's Coders' Rights Project is defending the rights of three MIT students who were prevented from presenting their research on security vulnerabilities in Boston's transit fare payment system. The students were hit with a temporary restraining order that silenced their planned presentation at DEFCON.

Why this is Important

At first glance, the issues at play may appear obscure, and of interest only to technical researchers and lawyers. But as we noted in a post last week, the right to publish without pre-publication review is part of the purpose of the 1st amendment, and one of the reasons Americans fought the Revolutionary War. (The MBTA's stance is all the more ironic, considering Boston's role in that war.)

Universities Quietly Fighting Back Against RIAA Tactics

Universities Quietly Fighting Back Against RIAA Tactics - Via EFF.org Updates:

Students that receive notices from the RIAA accusing them of illegal filesharing don't have many options. Innocent or not, their choices are limited to either paying the $3000-$5000 settlement, or going to court — where the RIAA's deep pockets guarantee an outrageously expensive legal battle.

But universities themselves do have ways to fight the RIAA's strong arm tactics, and more and more of them are choosing to quietly fight back. The Chronicle of Higher Education reports this week that schools are growing resentful of the constant stream of pre-litigation letters from the RIAA, and the costly investigations that come with them:

Responding to RIAA notices used to be part-time work for one person, said William C. Dougherty, assistant director for systems support at Virginia Tech. "Now he's doing it full time and has an assistant," he said. "Our attorneys are also involved on almost a daily basis, as am I."

The article describes several ways universities are resisting the RIAA. Some are refusing to forward the RIAA's letters to students, claiming that doing so conflicts with their responsibilities under the Family Educational Rights and Privacy Act. Others are trying to quash subpoenas for the identity of students linked with a given IP address by claiming such requests place an "undue burden" on the school.

Computer Scientists Ask Court to Reconsider Gag Order in DefCon Case

Computer Scientists Ask Court to Reconsider Gag Order in DefCon Case - Via Threat Level:

Eleven computer scientists and researchers from institutions across the country have signed a letter in support of three MIT students who were barred from speaking at the DefCon hacker conference this last Sunday.

The letter was part of filings that the Electronic Frontier Foundation submitted to the U.S. District Court in Massachusetts asking a federal judge to reconsider his decision to gag the students with a temporary restraining order.

The students were scheduled to give a presentation on vulnerabilities they discovered in mag stripe and smartcard payment cards used by passengers riding Boston's T subway. The Massachusetts Bay Transportation Authority had sought a restraining order last Friday to prevent the students from disclosing information that could help hackers modify payment cards or create new ones to obtain free rides on the subway system.

MBTA Transit Official Supports MIT Students' Story

MBTA Transit Official Supports MIT Students' Story - Via EFF.org Updates:

Today, Richard Sullivan, a Sergeant Detective in the Transit Police of the Massachusetts Bay Transportation Authority (and the liaison to the FBI), filed a Supplemental Declaration. In his declaration, Det. Sullivan said:

the MIT Undergrads reiterated that they did not exploit the supposed vulnerabilities that they had identified in the MBTA's computer system, they promised that they would not do so in the future, and they promised that they would not teach others how to.

Earlier the MBTA had asserted that "At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation."

Det. Sullivan, however, says that at the meeting:

I asked the students to prepare a written summary of every vulnerability that they claimed to have discovered and how to fix these vulnerabilities. The MIT Undergrads agreed to provide me with such a paper within two weeks.


MIT Students Submit 30-Page Report; Judge Lets Gag Order Stand -- UPDATED

MIT Students Submit 30-Page Report; Judge Lets Gag Order Stand -- UPDATED - Via Threat Level:

A federal judge in Boston this morning let stand for now a temporary restraining order that a separate judge had issued last Saturday against three MIT students to bar them from discussing security vulnerabilities in the Boston subway system's payment tickets and cards.