Standards
Best Practices for Government Datasets: Wrap-Up
Best Practices for Government Datasets: Wrap-Up: Via Freedom to Tinker.
[This is the fifth and final post in a series on best practices for government datasets by Harlan Yu and me. (previous posts: 1, 2, 3, 4)]
For our final post in this series, we'll discuss several issues not touched on by earlier posts, including data signing and the use of certain non-text file formats. The relatively brief discussions of these topics should not be interpreted as an indicator of their importance. The topics simply did not fit cleanly into earlier posts.
One significant omission from earlier posts is the issue of data signing with digital signatures. Before discussing this issue, let's briefly discuss what a digital signature is. Suppose that you want to email me an IOU for $100. Later, I may want to prove that the IOU came from you—it's of little value if you can claim that I made it up. Conversely, you may want the ability to prove whether the document has been altered. Otherwise, I could claim that you owe me $100,000. [ Read more ... ]
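The IOU scenario above, worked through as an added example (this is not code from the Freedom to Tinker post): the sender signs the IOU with a private key, the recipient verifies it with the matching public key, and any alteration of the text, or a check against someone else's key, fails verification. It uses Go's standard-library Ed25519 implementation; the IOU text and the party names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// iouText is a constructed sample document; the signature binds these exact bytes.
const iouText = "IOU: Alice owes Bob $100, dated 2010-03-05"

// SignIOU produces a detached Ed25519 signature over the IOU bytes.
func SignIOU(priv ed25519.PrivateKey, iou []byte) []byte {
	return ed25519.Sign(priv, iou)
}

// VerifyIOU reports whether sig was produced over iou by the holder of pub.
// Any change to iou, or a pub that does not match the signing key, yields false.
func VerifyIOU(pub ed25519.PublicKey, iou, sig []byte) bool {
	return ed25519.Verify(pub, iou, sig)
}

// Demo runs the scenario end to end and returns three outcomes:
// the genuine IOU, an altered IOU ($100 changed to $100,000),
// and the genuine IOU checked against an unrelated key.
func Demo() (genuine, altered, wrongKey bool, err error) {
	// Alice's signing key pair (generated fresh; in practice Bob must obtain
	// Alice's public key through a channel he trusts).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sig := SignIOU(priv, []byte(iouText))

	genuine = VerifyIOU(pub, []byte(iouText), sig)

	// Bob tries to inflate the debt; the signature no longer matches the bytes.
	tampered := []byte("IOU: Alice owes Bob $100,000, dated 2010-03-05")
	altered = VerifyIOU(pub, tampered, sig)

	// A signature from Alice cannot be attributed to some other key holder.
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	wrongKey = VerifyIOU(otherPub, []byte(iouText), sig)
	return genuine, altered, wrongKey, nil
}

func main() {
	genuine, altered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine IOU verifies: %v\n", genuine)  // true
	fmt.Printf("altered IOU verifies: %v\n", altered)  // false
	fmt.Printf("wrong key verifies:   %v\n", wrongKey) // false
}
```

The signature is detached, so a published dataset can ship as the original file plus a separate signature file; verification only needs the publisher's public key, which is the part that has to be distributed reliably.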
Thousands Sign Petition Protesting Net Neutrality Loopholes for Copyright Enforcement
Thousands Sign Petition Protesting Net Neutrality Loopholes for Copyright Enforcement: Via EFF.org Updates.
San Francisco - The Electronic Frontier Foundation (EFF) submitted a petition signed by more than 7000 people to the Federal Communications Commission (FCC) today demanding that the agency close a loophole for copyright enforcement in its proposed regulations for network neutrality.
The petition is part of EFF's reply comments in the FCC's net neutrality rulemaking. The FCC's proposed rules generally prohibit ISPs from discriminating or blocking lawful content, but include a loophole for "reasonable network management" by ISPs. The proposed rules then define "reasonable network management" to include measures taken by ISPs to block unlawful content or transmissions. This exception would effectively permit ISPs to violate net neutrality rules and block lawful activities in the name of copyright enforcement.
"We can't afford to let lawful speech become collateral damage in Hollywood's war on copyright infringement," said EFF Senior Staff Attorney Fred von Lohmann. "Net neutrality regulations should not excuse ISPs that interfere with lawful content just because they claim they were acting as copyright cops." [ Read more ... ]
Comprehensive National Cybersecurity Initiative
Comprehensive National Cybersecurity Initiative: Via Schneier on Security.
On Tuesday, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt made the announcement at the RSA Conference. These are the 12 initiatives in the plan: [ Read more ... ]
Is Cyberwar Hype Intended to Destroy the Open Internet?
Cyberwar Hype Intended to Destroy the Open Internet: Via Threat Level.
The biggest threat to the open internet is not Chinese government hackers or greedy anti-net neutrality ISPs, it’s Michael McConnell, the former director of national intelligence.
McConnell’s not dangerous because he knows anything about SQL injection hacks, but because he knows about social engineering: McConnell is the nice-seeming guy who is willing and able to use fear-mongering to manipulate the federal bureaucracy for his own ends, while coming off like a straight shooter to those not in the know.
When he was head of the country’s national intelligence, he scared President Bush with visions of e-doom, prompting the president to sign a comprehensive secret order that unleashed tens of billions of dollars into the military’s black budget so they can start making firewalls and malware into military equipment. And now McConnell, back safely in civilian life as a vice president at the secretive defense contracting giant Booz Allen Hamilton, is out in front of Congress and the media, peddling the same Cybaremaggedon! gloom.
And now he says we need to re-engineer the internet. [ Read more ... ]
Government Datasets That Facilitate Innovation
Government Datasets That Facilitate Innovation: Via Freedom to Tinker.
[This is the first post in a series on best practices for government datasets by Harlan Yu and me.]
There's a growing consensus that the government can increase its openness and transparency by publishing its raw data in bulk online. As several Freedom to Tinker contributors argued in Government Data and the Invisible Hand, publishing data empowers third party software developers to produce innovative new technologies that engage citizens and illuminate government's inner workings. With the establishment of Data.gov and the federal Open Government Initiative, federal agencies are quickly embracing a culture of machine-readable data release, and many states and municipalities are now following their lead.
But how usable are these datasets for developers? The answer lies primarily in the structure and contents of the datasets themselves. While all data in digital form is technically machine-readable in some sense, the ease of use for machine-readable datasets can vary widely. [ Read more ... ]
CDT Issues Report Recommending Privacy Guidelines for Digital Signage Industry
CDT Issues Report Recommending Privacy Guidelines for Digital Signage Industry: Via CDT - Center for Democracy & Technology.
Washington -- On Monday, the Center for Democracy & Technology (CDT) released a report that includes a set of privacy recommendations for the rapidly growing digital signage industry. The report focuses on the industry's adoption of identification and interactivity technologies such as facial recognition, mobile marketing, social networking, RFID tracking and license plate scanners.
The recommendations in CDT's report, "Building The Digital-Out-Of-Home Privacy Infrastructure," are based on the widely accepted Fair Information Practices (FIPs). [ Read more ... ]
Redrawing the Route to Online Privacy
Redrawing the Route to Online Privacy: Via NYT > Privacy.
On the Internet, things get old fast. One prime candidate for the digital dustbin, it seems, is the current approach to protecting privacy on the Internet.
It is an artifact of the 1990s, intended as a light-touch policy to nurture innovation in an emerging industry. And its central concept is “notice and choice,” in which Web sites post notices of their privacy policies and users can then make choices about sites they frequent and the levels of privacy they prefer.
But policy and privacy experts agree that the relentless rise of Internet data harvesting has overrun the old approach of using lengthy written notices to safeguard privacy. [ Read more ... ]
Technologists need to step up in privacy debate
Technologists need to step up in privacy debate: Via Tom Mitchell: Computerworld Blogs.
Could a lack of privacy regulations in the U.S. and abusive practices lead to a backlash that negatively affects scientific research for the greater social good? That worries Tom Mitchell, a Carnegie Mellon professor and machine learning researcher, whose profile appears this week in the pages of Computerworld.
As smart phones diligently record people's locations, movements and other activities, machine learning and real time data mining can be used for the greater good. For example, real time positioning and movement data from your smart phone is already being used to track traffic congestion. Soon it could be used to change traffic light patterns in order to optimize traffic flows.
Machine learning algorithms feed on such data to make predictions for good -- or ill. Patient data could be analyzed to inform you that yesterday you came in contact with someone who has a contagious disease. But if you have the disease, do you want that information made public? What about entities that might use machine learning tools to identify you in random groups of photos that you or others have posted on the Web? How about identifying your mother or your child? [ Read more ... ]
A Good Day for Health Privacy
A Good Day for Health Privacy: Via CDT.
Today’s Health IT News was focused on the Health IT Policy Committee’s discussions about adding some flexibility to the criteria that health care providers and hospitals will have to meet in order to be “meaningfully using” health IT. Only “meaningful users” are eligible to receive federal funds under the stimulus legislation (ARRA) to purchase electronic health records.
ACLU, EFF And Others In Court Today To Challenge Google Book Search Settlement
ACLU, EFF And Others In Court Today To Challenge Google Book Search Settlement: Via American Civil Liberties Union.
Groups And Prominent Authors Say Settlement Doesn't Protect Free Speech Or User Privacy
FOR IMMEDIATE RELEASE
CONTACT: (212) 549-2666; media@aclu.org
NEW YORK – The American Civil Liberties Union, Electronic Frontier Foundation (EFF) and Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley, School of Law are in federal court today urging a judge to reject the proposed settlement in a lawsuit over Google Book Search because it does not include critical privacy protections for users of the online book materials. The groups filed an objection to the settlement in September 2009 on behalf of a coalition of more than two dozen authors and publishers, including ACLU Executive Director Anthony D. Romero and best-selling novelists Michael Chabon and Jonathan Lethem.
"As digital book programs like Google Book Search advance, more and more people will turn to the Internet for their reading needs. Readers should be able to expect as much privacy when they're reading a book on a Web site as they do in a library or bookstore," said Aden Fine, staff attorney with the ACLU First Amendment Working Group. "People should feel that they are free to read on the Internet without being monitored by private companies or the government." [ Read more ... ]
The top 5 mistakes of privacy awareness programs
The top 5 mistakes of privacy awareness programs: Via Computerworld Privacy News.
Privacy consultant Jay Cline identifies the errors companies often make when trying to educate employees about data protection.
The Health Insurance Portability and Accountability Act requires it. The Payment Card Industry Data Security Standard requires it. The ISO 27001 standard requires it. In fact, every regulation that mandates that reasonable measures be taken to protect information implicitly requires companies to set up training programs to help employees understand what those measures are.
But what does training actually mean?
Many corporations have adopted a check-box approach toward compliance with this obligation. Here are five shortcuts I see them taking instead of using the opportunity to ensure that employees really know how to protect information. [ Read more ... ]
Cisco's wiretapping system open to exploit, says researcher
Cisco's wiretapping system open to exploit, says researcher: Via Law & Disorder Section - Ars Technica.
To meet the needs of law enforcement, most telecommunications equipment includes hardware and software that allow for the monitoring of traffic originating with the targets of investigations. The precise capabilities are often dictated by formalized standards, which allow any hardware maker to implement a compliant system. Unfortunately, these standards often leave the hardware wide open to various attacks that leave regular users vulnerable, and provide savvy surveillance targets the opportunity to evade the snooping. An IBM researcher has put Cisco's system under the microscope at a Black Hat Conference, and found it comes up short. [ Read more ... ]
Online Credit/Debit Card Security Failure
Online Credit/Debit Card Security Failure: Via Schneier on Security.
Ross Anderson reports:
Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it.
In a paper I'm presenting today at Financial Cryptography, Steven Murdoch and I analyse 3D Secure. From the engineering point of view, it does just about everything wrong, and it's becoming a fat target for phishing. So why did it succeed in the marketplace? [ Read more ... ]
FTC - Exploring Privacy: A Roundtable Series
FTC - Exploring Privacy: A Roundtable Series: Via FTC - Federal Trade Commission.
The Federal Trade Commission will host a series of day-long public roundtable discussions to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation. [ Read more ... ]
Privacy Recommendations for the National Broadband Plan
Privacy Recommendations for the National Broadband Plan: Via CDT - Center for Democracy & Technology.
Last week, CDT filed two sets of comments to the Federal Communications Commission regarding privacy concerns and expectations associated with broadband adoption and use. The FCC is in the process of drafting a national broadband plan and CDT has called upon the Commission to include in this plan a number of policy initiatives and reforms that could help spur the Internet’s continued growth. [ Read more ... ]
CDT Offers Recommendations For FCC “Open Internet” Rules
CDT Offers Recommendations For FCC “Open Internet” Rules: Via CDT - Center for Democracy & Technology.
1/25/2010
CDT Comments to the FCC on Net Neutrality
1) CDT Offers Recommendations in FCC’s “Open Internet” Proceeding
2) Questioning the FCC’s Assertions of Jurisdiction over the Internet
3) Comments on the Proposed Rules
4) The Road Ahead and the Comcast Appeal
Read Original Article: (Via CDT - Center for Democracy & Technology.)
Comcast wants "clear rules," even if it means net neutrality
Comcast wants "clear rules," even if it means net neutrality: Via Law & Disorder Section - Ars Technica.
Comcast wants "clear rules" from the FCC when it comes to network management, and it wants them so badly that it's even willing to accept network neutrality as the price of getting them. What the huge ISP does not want is the kind of ambiguity that led to so much acrimony about its P2P blocking in 2008, and which is now being hashed out in a DC courtroom.
Read Original Article: (Via Law & Disorder Section - Ars Technica.)
John Morris will speak at a National Town Hall Webcast on Net Neutrality, Copyright Protection and the National Broadband Plan
John Morris will speak at a National Town Hall Webcast on Net Neutrality, Copyright Protection and the National Broadband Plan: Via CDT - Center for Democracy & Technology.
January 19, 2010 - 8:00am - 11:00am
John Morris will speak at a National Town Hall Webcast on Net Neutrality, Copyright Protection and the National Broadband Plan.
Federal Communications Commission Chairman Julius Genachowski has confirmed that he will offer video remarks to kick off the Town Hall Webcast, by BroadbandBreakfast.com. [ Read more ... ]
More flash drive firms warn of security flaw; NIST investigates
More flash drive firms warn of security flaw; NIST investigates: Via Computerworld Security News.
The drives were certified to meet NIST standards
SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.
The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.
"It's really onerous. It's a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it," said cryptographer and computer security specialist Bruce Schneier. [ Read more ... ]
FIPS 140-2 Level 2 Certified USB Memory Stick Cracked
FIPS 140-2 Level 2 Certified USB Memory Stick Cracked: Via Schneier on Security.
Kind of a dumb mistake:
The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations -- and this is the case for all USB Flash drives of this type.
Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program's RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.
Nice piece of analysis work.
The article goes on to question the value of the FIPS certification: [ Read more ... ]
PCI DSS, Come Forward and Be Judged
PCI DSS, Come Forward and Be Judged: Via Computerworld Security News.
It wasn't supposed to be that big a deal. I was at an event in Boston put on by the 451 Group, and wasn't even sure I'd walk out of there with something to write about. Then Josh Corman, one of the firm's new analysts, got on stage and started picking apart the PCI Data Security Standard (PCI DSS) -- or, more specifically, the approach companies are taking in their compliance efforts.
Within five minutes of Corman finishing his talk, I had banged out this article and posted it:
Analyst: PCI Security a Devil, 'Like No Child Left Behind'
Summary: Joshua Corman, research director for enterprise security at The 451 Group, says the private sector's obsession with PCI DSS compliance is blinding it to larger threats.
The story began: [ Read more ... ]
Vatican Admits Perfect Security is Both Impossible and Undesirable
Vatican Admits Perfect Security is Both Impossible and Undesirable: Via Schneier on Security.
This is refreshing:
Father Lombardi said it was not realistic to think the Vatican could ensure 100% security for the Pope and that security guards appeared to have acted as quickly as possible.
"It seems that they intervened at the earliest possible moment in a situation in which zero risk cannot be achieved," he told the Associated Press news agency.
"People want to see him up close and he's pleased to see them closely too. A zero risk doesn't seem realistic in a situation in which there's a direct rapport with the people."
Read Original Article: (Via Schneier on Security.)
SOC's slippery slope: good enough for movies, why not sports?
SOC's slippery slope: good enough for movies, why not sports?: Via Law & Disorder Section - Ars Technica.
Back when we had our debate with cable's top lobbyist Kyle McSlarrow over whether to let Hollywood block analog streams to your home theater setup, I asked a worried question. If the Federal Communications Commission does give movie studios and cable companies the green light to implement Selectable Output Control (SOC) on "premium" early run movies, who else might petition for it next? [ Read more ... ]
Satellite TV to FCC: we're special, don't make us open up
Satellite TV to FCC: we're special, don't make us open up: Via Law & Disorder Section - Ars Technica.
If you've tried to pump your fully-paid-up cable connection into, say, a computer running Windows Media Center, you've probably come up against the closed nature of pay-TV and the severe limitations of CableCARD. And what about satellite TV? Don't even think about it.
The FCC wants to blow open the market for third-party video devices, scrapping some of the current (failed) CableCARD rules and adding satellite providers to the list. [ Read more ... ]
Fusion Centers Get New Privacy Orders Via DHS Grants
Fusion Centers Get New Privacy Orders Via DHS Grants: Via Untitled Source.
Last Tuesday, the Department of Homeland Security (DHS) announced the release of guidance for awarding grants for 2010. That Friday, the DHS Privacy Office publicly highlighted a provision of the guidance for the Federal Emergency Management Agency’s (FEMA) grant program that relates to fusion centers. The grant program requires fusion centers to certify compliance with the privacy and civil liberties guidelines of the Information Sharing Environment (ISE). [ Read more ... ]