- Owner: Karl Wabst
- Group type: Public, anyone can join
- Group category: Business & Finance
Lawmakers probe deeper into privacy - The Hill's Hillicon Valley
"House lawmakers stepped up their questioning of companies that collect and store information about consumers both on the Internet and in real life.
In a hearing today, lawmakers interested in drafting legislation that would place restrictions on how Internet and marketing firms collect consumer information, asked Wal-Mart, WPP and privacy advocates detailed questions about how personal information is gathered and used. Reps. Rick Boucher (D-Va.), Bobby Rush (D-Ill.) and Cliff Stearns (R-Fla.) have been considering a bill, but a draft will most likely not be released until early next year. (See interview with Rush.)
The House Energy and Commerce Subcommittees on Commerce, Trade, and Commerce Protection and Communications, Technology, and the Internet held a joint hearing on the topic--although it was poorly attended by members.
"We've moved from an era of privacy keepers to one of privacy peepers and data-mining weepers who want to turn our information into products," said Rep. Ed Markey (D-Mass.). "The product is our records, our privacy, our family's history. We wouldn't let the government do this, so we have to protect against companies that want to do this."
"It is understandable that most Americans simply do not trust that their personal information is properly protected," said Rep. Doris Matsui (D-Calif.). "
Einstein 3 Privacy Concerns Voiced
"As the federal government readies the third iteration of Einstein, privacy concerns over the intrusion detection system were voiced at a Senate hearing on Tuesday.
Philip Reitinger, Department of Homeland Security deputy undersecretary for the National Protection and Programs Directorate, told the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security that DHS envisions deploying Einstein 3 as an intrusion prevention system.
Einstein 1 monitors network flow and Einstein 2 detects system intrusions.
"This more robust version of Einstein would provide the federal government with an improved early warning and an enhanced situational awareness; the ability to automatically detect malicious activity; and the capability to prevent malicious intrusions before harm is done," Reitinger said.
But Gregory Nojeim, senior counsel and director of Project Freedom, Security and Technology at the Center for Democracy and Technology, cited press accounts that Einstein 3 would rely on pre-defined signatures of malicious code that might contain personally identified information, and threaten the privacy of law-abiding citizens.
"While Einstein 2 merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening Internet traffic before it reaches a government system, raising additional concerns," Nojeim testified.
Einstein 3 reportedly could operate within the networks of private telecommunications companies, and Nojeim wondered if the technology could analyze private-to-private communications. "If Einstein were to analyze private-to-private communications, that would likely be an interception under the electronic surveillance laws, requiring a court order," he said. "
Some Courts Raise Bar on Reading Employee Email - WSJ.com
"Big Brother is watching. That is the message corporations routinely send their employees about using email.
But recent cases have shown that employees sometimes have more privacy rights than they might expect when it comes to the corporate email server. Legal experts say that courts in some instances are showing more consideration for employees who feel their employer has violated their privacy electronically.
Driving the change in how these cases are treated is a growing national concern about privacy issues in the age of the Internet, where acquiring someone else's personal and financial information is easier than ever.
"Courts are more inclined to rule based on arguments presented to them that privacy issues need to be carefully considered," said Katharine Parker, a lawyer at Proskauer Rose who specializes in employment issues.
In past years, courts showed sympathy for corporations that monitored personal email accounts accessed over corporate computer networks. Generally, judges treated corporate computers, and anything on them, as company property.
Now, courts are increasingly taking into account whether employers have explicitly described how email is monitored to their employees."
MediaPost Publications NAI Beefs Up Consumers' BT Opt-Out Option 11/05/2009
"The Network Advertising Initiative will unveil a new tool on Thursday that allows people who want to avoid behavioral targeting to permanently preserve their opt-out cookies.
Currently, Web users who don't want to receive targeted ads can opt out via cookies. But those cookies have notoriously short lives -- often because users who want to avoid tracking frequently delete all of their cookies, including the opt-out cookies. Once the opt-out cookies disappear, behavioral targeting companies revert to tracking users and serving them targeted ads. "
Does NAI's Opt Out Tool Stop Consumer Tracking? | Stanford Center for Internet and Society
"I heard a rumor that I hope isn't true. Specifically, I heard that opting out of behavioral profiling may not stop advertising companies from tracking you as you travel across the Web. Rather, according to the rumor, in many cases you merely opt out of seeing the tailored ads your web history might otherwise trigger.
The ability to opt out of behavioral profiling essentially underpins the argument for self-regulation by the industry. The idea is that (1) people like tailored ads and (2) those that worry about the practice, for instance, from a privacy perspective, can opt out of it. Setting aside the apparent frailty of cookie-based opt out (when you delete your cookies, you delete your opt out as well) and the availability of other means to track users (like flash cookies), this seems pretty straightforward and convincing.
But what does "opting out" mean, exactly? A close look at the Network Advertising Initiative website, which offers an opt out tool on behalf of most major online advertisers, turns up no guarantee that opting out will stop a company from logging where a user has traveled."
Online Privacy Watchdogs Hammer Away on Capitol Hill - ClickZ
"As Congress makes headlines on healthcare and financial industry oversight reform, online data privacy watchdogs are hammering away behind the scenes on the Hill. A joint hearing on online and offline data collection scheduled for later this week, and a planned series of Federal Trade Commission data privacy events have advocacy groups from as far away as California visiting Washington to make sure their voices are heard.
"What we're concerned about is the amount of surveillance and tracking going on without consumer consent," said Lee Tien, senior staff attorney at the San Francisco-based Electronic Frontier Foundation. Though often skeptical of government regulation, EFF recently joined lobbying groups including Center for Digital Democracy in recommending that Congress pass clear consumer privacy legislation. "
The EU-US Safe Harbor Does Not Protect US Companies with Unsafe Privacy Practices
"Recently, the Federal Trade Commission (FTC) has gotten tough with US companies that have not lived up to their own privacy promises to European consumers. In particular, it has filed complaints against seven US companies that claimed that they were adhering to the European Union's Safe Harbor Program, but allegedly were not. (The FTC issues or files a complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaints themselves are not a finding or ruling that the named parties have violated the law.)
By taking action, the FTC has shown that the Safe Harbor program, as applied to US companies, is not a set of empty promises. Rather, the FTC is keeping watch over businesses and will sanction those that misrepresent their own policies.
In this column, I will explain how the Safe Harbor program works, and also discuss the recent FTC enforcement actions."
LABS GALLERY: SocialPET Lets Businesses Phish Their Own Employees to Test Security Smarts
"One of the biggest security risks that companies face is employees who fall victim to phishing e-mails, which can lead to stolen log-in credentials and virus infections. SocialPET is a simple Web-based testing tool that lets businesses run their own phishing tests to find out which employees understand security procedures and which are at risk of falling prey to real phishing scams. "
E-Health Privacy Regulations Draw Congressional Fire | Healthcare IT Blog | InformationWeek...
"The U.S. Department of Health and Human Services issued an interim final rule to beef up penalties for violations of the Health Insurance Portability and Accounting Act (HIPAA), as several Congressmen criticize the agency for leaving dangerous loopholes in the law.
The new rules significantly increase penalty amounts that the U.S. Department of Health and Human Services can impose for HIPAA violations of patient privacy, according to a statement from HHS. The new rules reflect requirements enacted in the Health Information Technology for Economic and Clinical Health (HITECH) sections of the American Recovery and Reinvestment Act (ARRA) of 2009.
Before HITECH, maximum penalties were $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan, or clearinghouse could be exempt from civil financial penalties if it demonstrated it did not know it violated the HIPAA rule.
The HITECH act increases civil financial penalties by establishing tiered ranges of increasing minimum penalties, with a maximum $1.5 million for all violations of identical provisions. And a "covered entity" can plead ignorance as a protection only if it fixes the violation within 30 days of discovery."
iHacked: jailbroken iPhones compromised, $5 ransom demanded | Zero Day | ZDNet.com
"Yesterday, a "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your phone right now!" message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and remove the message from appearing at startup.
Through a combination of port scanning and OS fingerprinting of T-Mobile's 3G IP range, a Dutch teenager has for the first time automatically exploited a known security vulnerability introduced on jailbroken iPhones - the SSH daemon which unless modified remains running with default users root and mobile, using the same password on each and every device."
Data breach alerts linked to increased risk of ID theft - SC Magazine US
"Consumers who have received a data breach notification letter are four times more likely than others to be the victim of identity theft, according to a survey released this week by Javelin Strategy and Research.
Approximately 11 percent of U.S. consumers have received a data breach notification letter in the past 12 months with a third of the breaches involving Social Security numbers and 15 percent involving ATM PINs, according to Javelin's third annual survey of nearly 5,000 U.S. consumers, released Tuesday.
Of those who have received a data breach notification letter in the past year, 19.5 percent said they were the victims of fraud associated with identity theft, compared to 4.3 percent who have not received a notification but were victimized.
"It wasn't just a statistical anomaly," Robert Vamosi, a Javelin risk fraud and security analyst and the author of the study, told SCMagazineUS.com on Wednesday. "In 2007 and 2006, we saw a similar pattern, so this isn't a blip. This is something that has been going on for a while.""
BlackBerry snooping application released - SC Magazine US
"A new proof-of-concept (PoC) application enables an attacker to remotely activate a BlackBerry microphone and listen in on surrounding sounds and conversations.
The application, called PhoneSnoop, was released last week on the blog of security researcher Sheran Gunasekera. To download and install the application, an attacker would need physical access to a BlackBerry device and to know a PIN, if the owner uses one to lock his or her device.
After PhoneSnoop is installed on a device, when a call is received from a preconfigured number, the BlackBerry automatically answers the phone, allowing an attacker to listen in, Marc Fossi, senior researcher at Symantec Security Response told SCMagazineUS.com on Thursday. Once the call is connected, the BlackBerry is set to speakerphone, increasing the microphone's sensitivity to pick up sound from far distances.
"First and foremost, the most important thing about this is it's a proof of concept," Fossi said. "It's not something you need to worry about right now.""
N.Y. bank computer technician charged with ID theft - SC Magazine US
"A New York computer technician has been charged with stealing the identities of more than 150 Bank of New York Mellon employees and using them to orchestrate a scheme that netted him more than $1.1 million, prosecutors said this week.
Adeniyi Adeyemi, 27, of Brooklyn was indicted Wednesday on charges of grand larceny, identity theft and money laundering for crimes allegedly committed between Nov. 1, 2001 and April 30, 2009, according to a news release from Manhattan District Attorney Robert Morgenthau.
According to prosecutors, Adeyemi, who was employed as a computer technician working at the headquarters of Bank of New York, stole the personal information of dozens of bank employees, primarily from individuals in the information technology department. He then used the identities to open bank and brokerage accounts, which served as "dummy accounts" to receive stolen funds.
Adeyemi then stole money from the bank accounts of numerous charities and nonprofit organizations, and transferred the funds into the dummy accounts, which he later withdrew or transferred to other accounts, prosecutors said."
New Study Charges No Major Card Issuers Good for Consumers
"A new study from the Pew Charitable Trust has found that every one of the credit cards offered by the country's 12 largest credit card issuers are bad deals for consumers and have practices the Federal Reserve has defined as "unfair or deceptive."
The Trusts' Health Group's Safe Credit Cards Project, titled STILL WAITING: "Unfair or Deceptive" Credit Card Practices Continue as Americans Wait for New Reforms to Take Effect also compared credit union card programs and found them sharply better.
"Although credit unions control only a small portion of credit card outstandings, comparisons between credit union and bank product models illustrate options available to consumers and potential benchmarks for future regulatory rulemaking efforts," the organization said.
The observed credit unions presented a distinct alternative to credit card pricing and other practices of the observed banks, the report said.
"In July 2009, median advertised interest rates on cards from the 12 largest credit unions were between 9.90 and 13.75% annually, depending on a consumer's credit profile -- approximately 20% lower than comparable bank rates," the report said. "Meanwhile, credit union penalties were generally less severe than those of banks." "
Report Suggest Consumers Don't Understand Data Breach Notifications
"A new report from Javelin Strategy and Research suggests that many credit and debit card holders fail to understand the importance of a notice saying that a credit card or debit card has been breached and do not protect themselves from fraud.
The company's research found that people notified of a breach of their secure data were four times as likely as the public at large to actually experience financial or other fraud within a year of the notification.
Further, those who experienced a breach in their secure data and then an incident of fraud very rarely link the fraud to the breach.
"Among consumers who received a data breach notification in the past 12 months, 19% suffered fraud, yet only 2% attributed their fraud to a data breach," the firm reported. "It seems as if consumers are not connecting the dots on data breach notifications to fraud events. They are aware, in the abstract, some personal records of theirs have been compromised, but when they become a victim of fraud they do not make the connection to the breach notification.""
Silon malware intercepts Internet Explorer sessions, steals credentials
A new malware variant called Silon is targeting Internet Explorer users, attempting to intercept their sessions and steal credentials.
"Researchers at security vendor Trusteer Inc. issued an advisory warning that the Silon Trojan can detect when a user initiates a Web login session in Internet Explorer. It intercepts the login session, encrypts the data and sends it to a command-and-control server where it is collected with credentials from other victims.
In a more sophisticated attack, the Trojan targets people logging into their online bank accounts. New York, N.Y.-based Trusteer said Silon can inject sophisticated dynamic HTML code into the login flow between the user and their bank's Web server. The method involves using a webpage displaying a phony message asking the victim to verify their login details. If the victim complies with the request, the login credentials are sent to the command-and-control server, said Amit Klein, chief technology officer of Trusteer. "
Sun Microsystems and Deloitte Help Bridge the Gap Between Business and IT Processes Through...
"Sun Microsystems, Inc. and Deloitte today announced a collaborative initiative to help companies develop efficient, cost-effective and sustainable technology and business processes to address their unique regulatory compliance and technology governance challenges.
As part of this initiative, Sun and Deloitte today announced their plans for the Center for Technology Governance and Compliance (CTGC), which combines Deloitte's consulting and advisory services with Sun's IT management solutions and services, including its Information Lifecycle Management (ILM) and Identity Management technology portfolios. Access to the professionals and services within the CTGC is available through Sun Solution Centers. To learn more, please visit http://www.sun.com/compliance or http://www.deloitte.com/ .
As a worldwide leader in network computing systems, Sun provides scalable solutions designed to protect and manage business-critical information through its lifecycle. The combination of Deloitte and Sun brings together complementary competencies to deliver a business-driven, technology-enabled framework for creating and implementing technology governance and compliance strategies and programs."
Firefox hit by multiple drive-by download flaws | Zero Day | ZDNet.com
"Mozilla's flagship Firefox browser is vulnerable to at least 11 "critical" vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing.
The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from code execution risk to the theft of information in the browser's form history."
Rogue security programs are 'ongoing threat' | Tech News on ZDNet
"Rogue security software, also dubbed scareware, is an "ongoing threat" that is impacting largely users from English-speaking markets, according to findings from a year-long study by Symantec.
Released Tuesday, Symantec's report on rogue security software noted that 250 rogue security programs launched some 43 million attempts to prompt user installation between July 2008 and June 2009. "


When privacy advocates complain about behavioral targeting techniques, industry executives tend to respond by condemning the critics as ivory-tower elitists. But new research is increasingly casting doubt on the idea that the average consumer doesn't care about behavioral targeting. "