Group items tagged

I was at an advertising conference last week. Some folks are concerned that privacy advocates will press the government to regulate the most common of tracking technologies: behavioral targeting. That's the system that drops a cookie onto our computers to record many of our wanderings through the Web in hopes of targeting us with relevant ads. I had just written The Next Net, about how we'll be tracked on the mobile Internet. And I was thinking that if behavior targeting worries people, the data cascading from our phone use will terrify them. But there are also plenty of reasons to worry about regulation. First, there's a divide in our society between people extremely worried about erosion of privacy and others who appear, with their Web postings, videos and Tweets, to celebrate it. Which group wins? They both can. Take a look at this new friend-finding location-based application for Facebook, Locaccino. It comes out of Carnegie Mellon. The idea is that people can fine-tune their privacy profiles, deciding who can see where exactly they are, and who gets a blurrier vision, or none at all. The point is that millions of people are clearly eager to exchange all sorts of data. It's a way for them to learn, make friends, find things, and have fun. What's more, it supports a vibrant and innovative software market in a gloom-infested tech industry. Some of the innovation will go toward protecting privacy. Because privacy is something that both sides of this debate want and need, even if they don't agree on what it is. Regulations? The most important privacy regs, in my view, should mandate clear communications on how customer data will be used, and will limit tracking to those who have chosen to participate.

If behavioral targeting is the key to providing Web users with advertising that's better tailored to their particular needs and interests--instead of banner ads that they ignore--then what's the harm to consumers? That was a central question tackled by a panel of privacy and online marketing experts Thursday at the OMMA Behavioral conference in New York. Whether online user tracking--even when anonymous--represents a growing threat to privacy has become a hotly debated issue in the last year, with FTC, Congress and state governments considering increased regulation of behavioral targeting. For Jules Polonetsky, co-chair and director of the AT&T-funded think tank Future of Privacy Forum, that debate has become almost superfluous. Whatever side one takes, he emphasized that there is now a widespread perception among consumers and regulators that online tracking is creepy at the very least. The key to diffusing the controversy is for publishers and marketers to give Web users notice that their behavior is being tracked in order to provide them with more relevant content, recommendations and marketing offers.

A group of federal agencies and private organizations, including the National Security Agency and the Department of Homeland Security, has released a set of guidelines defining the top 20 things organizations should do to prevent cyberattacks. The Consensus Audit Guidelines (CAG) describe the 20 key actions, referred to as security controls, that organizations should take to defend their computer systems. The controls are expected to become baseline best practices for computer security, following further public- and private-sector review. CAG is being led by John Gilligan, formerly the CIO for both the U.S. Air Force and the U.S. Department of Energy, and a member of the Obama transition team dealing with IT in the Department of Defense and various intelligence agencies. "We are in a war, a cyberwar," Gilligan said on a media conference call. "And the federal government is one of many large organizations that are being targeted. Our ability at present to detect and defend against these attacks is really quite weak in many cases." Borrowing an analogy he attributed to an unnamed federal CIO, Gilligan said, "We're bleeding badly and we really need triage and we need to focus on things that will keep this patient alive." The CAG initiative represents part of a larger effort, backed by the Center for Strategic and International Studies (CSIS) in Washington, D.C., to implement recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

A group of U.S. companies, led by technology giants Microsoft, Hewlett-Packard and eBay, is set to outline recommendations for new federal data-privacy legislation that could make life easier for consumers and lead to a standard federal breach-notification law. The recommendations, which were developed by a group of industry players called the Consumer Privacy Legislative Forum, are set to be released at an upcoming privacy conference six weeks from now, according to Peter Cullen, Microsoft's chief privacy officer. The companies have been working for the past three years to encourage the adoption of federal consumer data-privacy laws and to answer the question of what federal legislation should look like, Cullen said in an interview. Other forum members include Google, Oracle, Procter & Gamble and Eli Lilly. One idea is that laws should make it easier for consumers to understand what they're getting into when they share their personal data with Web sites, Cullen said. "The whole focus on consent really puts an unfair burden on the consumer," he said. "My mom doesn't know what an IP address is." The recommendations will cover rules around data use and the ability of consumers to correct inaccurate data. And they will cover data breach notification, which is now covered by a patchwork of state laws. Simplifying breach-notification laws by creating a single federal standard is important, Cullen said Wednesday while speaking at a discussion of privacy policy in San Francisco. "It's not that there is no privacy law. There's actually too much privacy law," he said. "If you think about data-breach notification laws just as an example, there are 38 state laws, many of them very different." "We need to think about much more of a framework approach." Congress has passed some laws covering consumer data privacy, such as the 1996 Health Insurance Portability and Accountability Act (HIPAA), but existing laws do not comprehensively cover consumer privacy in general.

Feds would spend $20 billion on health IT if Senate and House agree in coming weeks. The House-passed version of the economic stimulus bill includes about $20 billion in spending for health IT. The bill, known as H.R. 1 or the American Recovery and Reinvestment Act of 2009, would make Medicare and Medicaid providers and hospitals eligible for incentive payments for using certified e-health records technology. It also supports health information exchanges, standards development and conformance testing, a chief privacy officer for health IT and other aspects of health IT. The portion of the bill called the Health Information Technology for Economic and Clinical Health Act -- the Hitech Act, for short -- and health IT spending provisions passed largely unchanged from the bills introduced earlier this month. The Senate is expected to take up a similar bill in the first week of February. The Senate bill now calls for $23 billion in health IT spending. Once it is passed, a House-Senate conference will need to resolve differences between the bills. Congressional leaders aim to send President Barack Obama the bill by mid-February.

On Monday two women from Fort Pierce were arrested for committing 300 different cases of Identity theft on the Treasure Coast and South Florida. The two women go by the names of Tychell Letrein Robinson, 33 and Patrice V. Johnson, 26. According to the Federal Trade Commission, in 2007 Florida took fifth place in nation with regards to the number of ID theft victims per 100,000 residents. The FTC also estimated that about 9 million Americans have their identities stolen every year. The Fort Pierce Police Department, the Port St. Lucie Police Department, the Sheriff's Office as well as the U.S. Postal Service worked together in a two year investigation in order to track down these two criminals. Law enforcement agencies discovered that the arrested had somehow managed to steal the personal information of several victims and open new accounts in their names. Authorities believe that the women bought a lot of their identifying information from accomplices. In a news conference on Monday afternoon, Sheriff Ken Mascara mentioned that criminal circles were well aware that the arrested would pay accomplices $50 in exchange for peoples sensitive information. Authorities discovered that the two women met while they were both under the employment of Liberty Medical. Apparently Robinson headed the criminal operation and taught Johnson all she needed to know with regards to making thousands of dollars every week through identity theft. The arrested managed to target victims in Florida from Orlando to Clearwater and even Palm Beach. The majority of victims were from St. Lucie County and the Treasure Coast. Unfortunately it is still not clear to law enforcements exactly how the women obtained all the stolen information. police.jpg It was in the early hours of Monday morning that the police arrived at the homes of the arrested with search warrants. Two vehicles, six computers and ledgers filled with victims sensitive information were confiscated by authorities, and the women w

This tip is part of SearchSecurity.com's Data Protection School lesson, E-discovery and security in the enterprise. Visit the E-discovery and security in the enterprise lesson page for additional learning resources. Most information security pros have a handle on the major data types found in their environments, but they also know that there is a whole lot more data lurking around the edges. These unknown data types can include documents used by individuals, or whole applications owned by departments that have quietly become essential to the business. Most of the time, focusing on the squeaky wheels is an acceptable strategy; if there's no "squeak" then there's no need to worry. But when it comes to litigation, and especially managing the electronic discovery process, what you don't know can hurt you. There are four major types of data in use today: paper documents; structured data sets, like databases; semi-structured applications, like email and image stores; and unstructured repositories, like file servers. Comprehending the vast volume of these varied records can be a challenge for everyone involved, which includes information technology, records management, legal staff, and even the data owners themselves. But since almost all business information is stored in digital formats today, electronic storage systems are the most popular target for the discovery motions filed as part of legal proceedings. It is most efficient for a litigator to head straight for your email, spreadsheets and applications, looking for what they term electronically stored information (ESI). Making matters worse for IT administrators, new rules for civil litigation enacted at the end of 2006 (called the Federal Rules of Civil Procedure, or FRCP) have pushed up the timetable of electronic discovery. What was once a delayed and informal process has become much more structured, with lawyers meeting to discuss available ESI, typically just a few weeks after legal action commences. When l

In this expert videocast, you will learn about Web 2.0 software, the threats they pose, and whether the benefits outweigh the risks. Key areas covered include the threats posed by services like Facebook, MySpace, and LinkedIn, as well as wikis and blogs. Our expert also dives into particular attack vectors and scenarios that are becoming popular, defensive policy, and technology best practices and Web 2.0 trends to monitor going forward. Speaker David Sherry CISSP, CISM - CISO, Brown University As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance. He had also served as Citizens' vice president for enterprise information security, overseeing the company's security operations and controls. He has taught classes at colleges in both Massachusetts and Rhode Island, as well as spoken on identity management strategy and implementation at industry conferences. He holds undergraduate and graduate degrees in business management.

Jan 15, 2009 There may be only a handful of days left in the Bush administration, but the brouhaha over White House e-mail retention policies promises to continue right up to the last day. A federal court yesterday extended a preservation order to ensure that the outgoing administration does everything it can to recover any missing White House e-mails. The White House IT staff now has five days to scour workstations for missing e-mail before administration data records are archived on Jan. 20. The ruling, by U.S. District Judge Henry Kennedy Jr., also orders staff of the Executive Office of the President (EOP) to relinquish any digital media that may contain e-mails from March 2003 and October 2005. The legal action is the latest resulting from a lawsuit filed in September 2007 by the National Security Archive against the EOP, seeking to preserve and restore White House e-mails it alleged were missing. "There is nothing like a deadline to clarify the issues," Tom Blanton, the National Security Archive's director, said in a statement. "The White House will complain about the last-minute challenge, but this is a records crisis of its own making." The Archive, an independent nongovernmental research institute based at George Washington University, is a repository of government records and does not receive U.S. government funding. The Citizens for Responsibility and Ethics in Washington (CREW), a left-wing public advocacy group, also filed suit, but its legal action was subsequently consolidated with the Archive's legal action, which is taking place in the U.S. District Court for the District of Columbia. Last May, the White House's top tech staffer acknowledged that three months of data were missing from backup tapes. In earlier testimony before a congressional committee, White House technical staff said millions of e-mails from the past eight years could potentially have been erased. Also yesterday, Magistrate Judge John M. Facciola held an emergency status con

Web sites that strip personally identifiable information about their users and then share that data may be compromising their users' privacy, according to researchers at the University of Texas at Austin. They took a close look at the way anonymous data can be analyzed and have come to some troubling conclusions. In a paper set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at the many connections surrounding their network of friends. The technique isn't 100 percent effective, but it may make some users uncomfortable about whether they should allow their data to be shared in an anonymous format. Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these "anonymized" data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with. "A lot of the time people will share information online and they'll expect that they are anonymous," Narayanan said in an interview. But if their identity can be ascertained on one social network, its possible to find out who they are on some other network, or at least make a "strong guess," he said.

WASHINGTON -- For more than a year, the nation's largest cable companies have been staking their hopes to thrive in a data-driven, interactive advertising market on Canoe Ventures. Born Project Canoe, the venture aims to cull the vast troves of data that cable companies have about their customers, from subscriber demographics to the clicks of a remote control, to bring Web-like ad targeting to the television platform. Here at the Cable Show, the annual conference hosted by the National Cable and Telecommunications Association, Canoe CEO David Verklin proclaimed that his firm is ready for prime time, with its first product set to roll out in the next six weeks. "We're going to turn television into a platform," Verklin said in a panel discussion with several cable executives. Canoe's forthcoming product, called community addressable messaging, will enable an advertiser running a national TV campaign to customize it with local insertions to reach targeted demographics defined by data supplied from the cable providers. Verklin hailed it as the first application of local insertion technology to a national campaign.

WASHINGTON -- Few tech policy debates are plumped up with more rhetoric than those concerning Net neutrality and privacy restrictions for advertisers. It should be a noisy year at the Federal Communications Commission. Here at the Cable Show, the annual conference hosted by the National Cable and Telecommunications Association, advisors to the three current commissioners outlined some of the simmering issues that are likely to boil up at the FCC this year, and those two are on the short list. Rick Chessen, acting chief of staff for interim FCC Chairman Michael Copps, said the agency could move toward adding to its Internet policy statement a fifth principle that would explicitly bar ISPs from discriminating against certain traffic on their networks. "The principle would be one of nondiscrimination, but you would recognize the need for reasonable network management," Chessen said. The FCC's broadband principles comprised the policy document that was at the center of last year's action against Comcast, where the agency found that the cable giant had unfairly blocked peer-to-peer traffic on its network without notifying its subscribers it was doing so. The new principle Chessen suggested would seek to clarify the agency's stance against the selective blocking of traffic. Comcast is challenging last year's ruling in a court case where the outcome could broadly shape how Congress proceed with Net neutrality policy. Rosemary Harold, the legal advisor to Republican Commissioner Robert McDowell, said her boss is more cautious than the two Democrats on the matter.

SAN JUAN, Puerto Rico-An identity-theft ring that catered to illegal immigrants seeking to establish themselves in the U.S. stole the personal data of 7,000 public school children in Puerto Rico, officials said Tuesday. Members of the ring broke into about 50 schools across the U.S. island territory over the past two years to steal birth certificates and Social Security numbers to sell to the illegal immigrants, the FBI and other agencies announced at a news conference. The victims were largely unaware their information had been stolen-and likely would not have learned of the thefts until they became adults and tried to buy something on credit, said assistant U.S. Attorney Julia Diaz Rex. "A kid is going to have a perfect credit history," Diaz said. "They reach 18, 20 years of age. They go buy a car and their credit is damaged." The authorities did not disclose how they uncovered the ring but said seven people have been arrested and one more is being sought. At least some of them were illegal immigrants from the Dominican Republic. Investigators determined the birth certificates and Social Security numbers were sold as a package in a number of states including Texas, Alaska and California, for up to $250, authorities said. Two suspects are accused of possessing nearly 6,000 birth certificates and Social Security cards. One was accused of intending to sell 40 Social Security cards for nearly $3,000, while another was seeking the same amount for 12 cards. The suspects in custody were being held on charges that include aggravated identity theft and social security fraud and face up to 15 years in prison, said U.S. Attorney Rosa Emilia Rodriguez. One suspect had been previously arrested for the kidnapping of a Dominican man last year that led to the shooting of a police officer during an FBI raid, said Luis Fraticelli, special FBI agent in charge of Puerto Rico. It is unclear if other members of the ring are at large, and whether they received help from sch

Emily Riley of Forrester Research presented a lot of data during her keynote presentation at today's OMMA Behavioral Conference but one point she made seemed rather salient to me: many of those marketers and data firms involved in behavioral targeting seem to skip over social media as a source of information. They might look at the data surrounding the usage of those sites but they seem to rarely do any actually monitoring, let alone interacting there. It reminded me of an experience I had with my wife. We once lived in a building where we didn't have much interaction with our neighbors, very little beyond an occasional wave in the hallway. We could, however see their mail mixed with ours and our landlord's. My wife began to notice that the landlord and our neighbor were starting to get similar envelopes from law firms. I, being the incurious mail sorter I am, didn't really think much of it. She, on the other hand, was convinced that one of them must be suing the other and was able to spin out some fairly detailed scenarios based on other clues from the hallway, the presence of exterminators one day, the thickness of paint on the front door etc. One day I encountered our neighbor in the hallway and did my customary wave. "Oh by the way," He said, "We're moving out next week." Oh really? He then regaled me with the entire story which involved a variety of things including an exterminator, paint thickness, and law firms. My wife and I were both able to glean essentially the same information. However if I had approached him and said, without any warning, "I bet you and our landlord are having one heckuva legal squabble," he probably would have punched me in the nose. I also believe that the ease with which I was able to get the whole story out of him suggests that had we interacted more it would have been I scooping my wife and not the other way around. These two approaches to gathering information are akin to the difference between following

The theft in 2006 of an employee laptop that contained personal information on millions of veterans taught the Veterans Affairs Department some hard lessons. VA became "the poster child of data breaches," said Kathryn Maginnis, the department's associate deputy assistant secretary for risk management and incident response. As a result of that incident and several breaches that followed, the department developed a comprehensive incident response program and incident resolution team that evaluates all serious exposures of sensitive data. "We have a culture of report, report, report," Maginnis said at the recent FOSE conference in Washington. The incident response program received a perfect score last year in the VA inspector general's Federal Information Security Management Act audit, and Maginnis said she expects to get another perfect score this year. The department developed two in-house online tools to help track and evaluate incidents, said Amanda Graves Scott, director of the incident resolution team. The Formal Event Review and Evaluation Tool uses a 56-question questionnaire to determine the risk category of a data breach, and the VA Incident Response Tracking System automates a manual tracking process for information technology incident response.

Hartmut Mehdorn's days as the boss of German rail operator Deutsche Bahn look to have come to an end as the embattled executive offers his resignation amid a damaging, ongoing data privacy scandal. Mehdorn said he was offering to go because the "destructive debates" over his future were damaging the company. "I have made an offer to terminate my contract with the supervisory board chairman," Mehdorn said Monday, March 20, at a press conference to announce Deutsche Bahn's annual financial results. "I assume that a successor will be appointed before the summer holidays" begin in July. Mehdorn, who has run the state-owned firm since 1999, has been under increasing pressure ever since it was revealed earlier this year that Deutsche Bahn accessed confidential staff data as far back as 1998.

In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps risk professionals can use to communicate value effectively. The biggest challenge security teams face in their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a New York-based consultancy focused on changing the way people protect information. Santarcangelo, who was recently a keynote speaker at the CSO Perspectives conference, said professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn't see risks the same way, making communication difficult (See also: Security and Business: Communication 101). "They lack relevant context," said Santarcangelo. "So security people get wrapped up in thinking: 'The CFO wants an ROI. We better work on ROI.' But what the CFO is really saying is:' I don't understand what you do. So you have to justify it to me.' Santarcangelo outlined his strategies for making the case for security investments at the three-day event held in Clearwater, Florida. He gave an audience of security professionals the details of his five step process for getting executives and boards to understand, and even approve, spending decisions in tough economic times. Create Santarcangelo believes one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch (See also: A CEO and CSO Who Actually Communicate). "The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person," said Santarcangelo. "But when many people start to create, they forget that. They tend to fall into the trap of thinking: 'I'm really smart and I know a lot of stuff. So I'm just going to say it and hope they will understand the value of it.'" Instead, Santarcangelo recommends creating

Privacy has been so poorly defined by opponents and proponents alike, that people have yet to realize its value.

While concerns about Internet privacy grab headlines, not everyone is bothered, or even aware, of how their online activities are being tracked. "On one extreme, there are Web cams in bedrooms, and the other extreme are people who won't wear a nametag at a conference," said Anne Toth, Yahoo's chief privacy officer. "Most people are in the middle. What's interesting is that consumers need to better understand how [privacy options] operate and where they can exercise their choices." Toth spoke at a consumer privacy panel here yesterday at the Tech Policy Summit. In general terms, she said "clear notice and robust choice is the right standard" for consumer privacy. But others in the audience and on the panel took issue with whether things like opt-in choices to receive information from e-tailers provide enough information or easily convey to consumers what they're agreeing to.

Top attorneys for Microsoft and Google today reiterated their companies' support for tougher government rules to protect consumer privacy. But when it comes to the details, some watchdog groups say they are concerned that Web firms will continue to fight against specific provisions that would limit the ways they can collect and use people's information to serve more targeted ads. Today's panel discussion, held here at the Computers, Freedom and Privacy conference, revisited a longstanding policy debate over the government's role in online privacy. The talk ran along some familiar plotlines, with Jeff Chester of the Center for Digital Democracy thundering about the detailed personal profiles being assembled by advertising companies who are using neuroscience to manipulate consumer behavior, while industry representatives assured the audience that their data-collection practices are benign, not to mention essential to providing free content and services on the Internet. But this wasn't just an idle debate. Rep. Rick Boucher, the Virginia Democrat who chairs a House subcommittee on the Internet, is developing legislation that could seek to impose sweeping restrictions on behavioral targeting. A few blocks up Pennsylvania Avenue at the Federal Trade Commission, the principal regulatory agency with authority over online advertising, newly minted Chairman Jon Leibowitz has spoken often about the need for industry to get serious about privacy. "The FTC's central concern here is transparency, consumer control," said Jessica Rich, assistant director of the agency's privacy and identity protection division. "We don't think consumers really know what's happening with their data."

Advertisers are your friend, and the government is here to help. If consumers don't take responsibility for their data, then all the regulation in the World won't matter.

OPT-OUT becomes untenable when users have to visit 40 - 50 or more sites to do it.

The online advertising industry and U.S. policy makers need to give online users more control over the collection of personal data and surfing habits beyond the traditional opt-out approach, some privacy advocates said Wednesday. Dozens of online ad networks allow users to opt out of being tracked as a way to deliver behavioral advertising, and in most cases, the opt-out is stored in a cookie that goes away every time the users clear their browser cookies, privacy advocates said during a discussion of online advertising at the Computers, Freedom and Privacy Conference in Washington, D.C. Some advertisers require that people opt out of targeted advertising every month, and some advertisers make the opt-out link difficult to find, said Christopher Soghoian, a fellow at the Berkman Center for Internet & Society at Harvard University. Some opt-out mechanisms aren't even functional, he said. Soghoian, while creating a single opt-out mechanism for the Firefox browser, found more than 40 advertising networks, he said. "How can we expect consumers to visit 40 or 50 different online advertisers, opt out, then revisit these sites every six months or every year, and then, when they delete their cookies, go back again?" he asked.