Group items tagged

Concerned that Google knows too much about you? The company provides many ways to protect your privacy online -- you just need to find them. Here are six good ones. 1. Know your privacy rights: Use the Google Privacy Center. This site includes all of Google's privacy policies, as well as privacy best practices for each of its products and services. Although the "legalese" of privacy policies can be difficult to understand, Google's Privacy Channel offers a library of short YouTube videos with practical tips on protecting your data when using Google products and services. Try the "Google Search Privacy" and "Google Privacy Tips" series. 2. Protect your content on the services you use. Some content that Google stores for you, such as photos uploaded in Picasa Web Albums, are public by default. You can protect your privacy when you upload photos by choosing the appropriate checkbox. Choices include "unlisted" (accessible only if you have the Web link, and not indexed by Web search engines) or private (viewable only by named users who must sign in). Another example: You can take a Google Chat "off the record" if you don't want the instant messaging transcript stored. In contrast, Google Latitude, which tracks your whereabouts by way of GPS-enabled cell phones, does not share your location data by default. You must authorize others to see it. Latitude stores your last known location, but not your history. 3. Turn off the suggestion feature in the Chrome browser. By default, Chrome retains a history of Web sites you've visited -- and the full text of those pages -- so it can try to guess which Web address you want as you type in the "Omnibox." You can turn the feature off by going to "Under the Hood" under Options and unchecking the "Use a suggestion service" box. You can also select other privacy options, including surfing in Chrome's "incognito" mode. 4. Turn off Web History. You may have turned on the Web History option, also called Personalized Search, when yo

"Drug store chain Walgreens now enables its pharmacy patients to download their prescription history from the Walgreens.com Web site to a personal health record on the Microsoft HealthVault platform. The Deerfield, Ill.-based chain announced last June it would link to HealthVault. Patients registered on Walgreens' site already can access their complete prescription history. Now, that history can also reside in a HealthVault PHR and be automatically updated. Patients can enroll with HealthVault directly from the Walgreens site. The partnership will promote stronger collaboration among patients, pharmacists, physicians and other providers, says Don Huonker, senior vice president of health care innovation at Walgreens. More information is available at walgreens.com/pharmacy and healthvault.com. "

Think twice before giving MicroSoft your personal health care information.

As arguments swirl over online privacy, a new survey indicates the issue is a dominant concern for Americans. More than 90 percent of respondents called online privacy a "really" or "somewhat" important issue, according to the survey of more than 1,000 Americans conducted by TRUSTe, an organization that monitors the privacy practices of Web sites of companies like I.B.M., Yahoo and WebMD for a fee. When asked if they were comfortable with behavioral targeting - when advertisers use a person's browsing history or search history to decide which ad to show them - only 28 percent said they were. More than half said they were not. And more than 75 percent of respondents agreed with the statement, "The Internet is not well regulated, and naïve users can easily be taken advantage of." The survey arrives at a fractious time. Debate over behavioral advertising has intensified, with industry groups trying to avoid government intervention by creating their own regulatory standards. Still, some Congressional representatives and the Federal Trade Commission are questioning whether there are enough safeguards around the practice. Last month, the F.T.C. revised its suggestions for behavioral advertising rules for the industry, proposing, among other measures, that sites disclose when they are participating in behavioral advertising and obtain consumers' permission to do so. One F.T.C. commissioner, Jon Leibowitz, warned that if the industry did not respond, intervention would be next. "Put simply, this could be the last clear chance to show that self-regulation can - and will - effectively protect consumers' privacy," Mr. Leibowitz said, or else "it will certainly invite legislation by Congress and a more regulatory approach by our commission." Some technology companies are making changes on their own. Yahoo recently shortened the amount of time it keeps data derived from searches. It is also including a link in some ads that explains how

This post is one in a series on Privacy & Security, and covers some of the intersections of these domains for those who are not practitioners with in-depth understanding of the associated disciplines.
History Points to Privacy's Future
Today's post explores the history of privacy a bit mor

The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money. Healthcare is unique in that storage of electronic health records is highly distributed between primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be efficiently shared among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent over zealous employers from performing unauthorized background checks on medical history; claim processors want to prevent paying fraudulent claims arising from targeted patient identity theft. The bill has two provisions which turn this into a tremendously challenging plan, and a daunting task for securing patient data: * Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases audit use of their data and payment history. * Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders

A Constitutional History Lesson with David Bisno.Protection of individual rights from government abuse has been at the center of constitutional debates since the country's founding, but scholars and politicians have stopped short of claiming an explicit "right to privacy" until recently. Bisno, an M.D. turned "silver-haired scholar," discusses the history of privacy in the Constitution.

Customers of CVS' pharmacy will be able to import their prescription records into a Google Health account as a result of an expanded deal between the two companies. The deal was announced Monday. An earlier deal already allowed workers whose company uses CVS Caremark to handle drug benefits to use Google Health to store their drug records. The new deal expands this to customers of CVS' network of retail pharmacies. "We now offer all of our consumers the ability to download their prescription and medication history into their Google Health Personal Health Record, whether they are CVS/pharmacy customers, CVS Caremark plan participants or visitors to our MinuteClinic locations," said CVS Caremark Executive Vice President Helena Foulkes in a statement. "By enabling patients to download their prescription information directly into their personal health record, we are helping to close the gap in today's fragmented health care system and provide a full view of a patient's health." To use the tool, the companies said, consumers need to sign up for the prescription management feature on CVS.com as well as be authenticated. With the latest deal, Google said it now believes more than 100 million Americans will have the option of viewing their drug history within Google Health. Microsoft, which is also trying to sign consumers up for its HealthVault service, announced a deal with New York-Presbyterian Hospital on Sunday which will allow patients of that hospital system to export their records to a HealthVault account.

Hackers, possibly from Asia, have stolen about a decade's worth of personal information on current and former UC-Berkeley students, the university announced Friday. The breaches involved records dating to 1999 at the school's health center that included Social Security numbers, health insurance information, immunization history and the names of treating physicians. No other treatment-related records were stolen, the university said, although self-reported medical histories of students who studied abroad were hacked. The school on Friday sent e-mails and letters to 160,000 people, including about 3,400 Mills College students who used or were eligible for University of California-Berkeley medical services. About 97,000 people are most at risk because their names and Social Security numbers could be connected by the hackers, said Steve Lustig, the university's associate vice chancellor for health and human services. "What's been taken is bits of data that the thief might put together into an identity," he said. The university traced the hackers back to Asia, possibly China, but the exact origin could not be pinpointed. UC and FBI investigators are probing the breaches, which apparently occurred over several months. An FBI spokesman said the agency was informed of the hacking immediately, but declined to provide more information. The thefts were discovered about a month ago, but system administrators did Advertisement not realize the breadth of the attack until April 21. The hackers disguised their work as routine operations and then left taunting messages for UC-Berkeley employees, said Shelton Waggener, the university's associate vice chancellor for information technology. The thieves accessed the information through the university Web site, he said. "You should think of it as a public building," Waggener said. "They got into the building properly, but then they broke into secure areas." Administrators at Mills College, which contracts with UC-Berkeley for

Veterans suffering anxiety and paranoia following the theft of a government hard drive containing the medical histories and Social Security numbers of 198,000 of their brethren cannot recover financial damages, a federal appeals court says. The 11th U.S. Circuit Court of Appeals, in largely dismissing a class-action, ruled Wednesday that the veterans could recoup at least $1,000 under the Privacy Act if they could show financial damages, not mental anguish. What's more, the Atlanta-based court noted that the veterans - some already suffering post-traumatic stress syndrome from their Vietnam War days - likely could recover damages for mental anguish associated with the data breach if the lawsuit was before a different court. That's because the courts of appeal across the nation have issued conflicting interpretations of the Privacy Act of 1974, which allows people to sue the government for privacy breaches and recover "actual damages." Precedent in the 11th Circuit, which includes Alabama, Florida and Georgia, interprets "actual damages" as money losses only. So 198,000 veterans - whose life history was on a hard drive that vanished from a Birmingham, Alabama Veterans Administration hospital - are out of luck, even if their war-time paranoia was exacerbated by the breach. The 11th Circuit noted (.pdf) that the 5th U.S. Circuit Court of Appeals and the 10th U.S. Circuit Court of Appeals "do not restrict 'actual damages' under the Privacy Act to pecuniary losses." And the Supreme Court has refused to resolve the circuit splits.

In the 2002 film Minority Report, video billboards scanned the irises of passing consumers and advertised to them by name. That was science fiction back then, but today's marketers are creating digital signs that can display targeted ads based on information they extract from examining the contours of individual human faces. These smart signs are proliferating in commercial establishments and public places from New York's Times Square to St. Louis area shopping malls. They are a powerful innovation in advertising, but one that raises compelling privacy issues - issues that should be addressed now, before digital signs that monitor our behavior become the new normal. The most common name for this medium is digital signage. Most digital signs are flat-screen TVs that run commercials on a continuous loop in airports, gas stations, and anywhere else marketers think they can get your attention. However, marketers have had difficulty determining exactly who sees the display units, which makes it harder to measure viewership and target ads at specific audiences. The industry's solution? Hidden facial recognition cameras. The tiny cameras can estimate the age, ethnicity and gender of people passing by and can track how long a given person watches the display. The digital sign can then play an advertisement specifically targeted to whomever happens to be watching. Tens of millions of people have already been picked up by digital signage cameras. While camera-driven systems are the most common, the industry is also utilizing mobile phones and radio frequency identification (RFID) for similar purposes. Some companies, for example, embed RFID chips in shopper loyalty cards. Digital kiosks located in stores can read the information on the cards at a distance and then display ads or print coupons based on cardholders' shopping histories. Facial recognition, RFID and mobile phone tracking are powerful tools that should be matched by business practices that protect consu

In the 2002 film Minority Report, video billboards scanned the irises of passing consumers and advertised to them by name. That was science fiction back then, but today's marketers are creating digital signs that can display targeted ads based on information they extract from examining the contours of individual human faces. These smart signs are proliferating in commercial establishments and public places from New York's Times Square to St. Louis area shopping malls. They are a powerful innovation in advertising, but one that raises compelling privacy issues - issues that should be addressed now, before digital signs that monitor our behavior become the new normal. The most common name for this medium is digital signage. Most digital signs are flat-screen TVs that run commercials on a continuous loop in airports, gas stations, and anywhere else marketers think they can get your attention. However, marketers have had difficulty determining exactly who sees the display units, which makes it harder to measure viewership and target ads at specific audiences. The industry's solution? Hidden facial recognition cameras. The tiny cameras can estimate the age, ethnicity and gender of people passing by and can track how long a given person watches the display. The digital sign can then play an advertisement specifically targeted to whomever happens to be watching. Tens of millions of people have already been picked up by digital signage cameras. While camera-driven systems are the most common, the industry is also utilizing mobile phones and radio frequency identification (RFID) for similar purposes. Some companies, for example, embed RFID chips in shopper loyalty cards. Digital kiosks located in stores can read the information on the cards at a distance and then display ads or print coupons based on cardholders' shopping histories. Facial recognition, RFID and mobile phone tracking are powerful tools that should be matched by business practices that protect consu

"It's one of the newest and most popular stops on the Washington, D.C. tour, and its artifacts of history leave clues for how information security professionals should approach their future. The International Spy Museum has just celebrated its 7th year and its 5 millionth visitor, says Executive Director Peter Earnest, a former CIA officer who's run the museum since its inception. In an exclusive interview, Earnest discusses: the museum's goals and growth plans; who visits the museum and what they get from the experience; lessons to be learned by today's information security professionals. Earnest is a 35-year veteran of the Central Intelligence Agency (CIA). He served 25 years as a case officer in its Clandestine Service, primarily in Europe and the Middle East. He ran intelligence collection and covert action operations against a range of targets including Soviet Bloc representatives and Communist front organizations. As Museum director, he has played a leading role in its extraordinary success as a Washington attraction. He edits the Museum's book ventures and has frequently been interviewed by the major media in radio, TV, and the press on current intelligence issues."

"Mozilla's flagship Firefox browser is vulnerable to at least 11 "critical" vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing. The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from code execution risk to the theft of information in the browser's form history."

Even a booster of electronic systems like David Blumenthal, who just started his Washington post as the national coordinator of health IT, points to a myriad of challenges when it comes to digitizing the nation's medical records. Just take a look at his piece this month in the New England Journal of Medicine, in which he cites technical concerns and worries about patient privacy, among other things. In an interview with the WSJ, he said problems can crop up if the systems are installed too quickly and without enough technical support. There are plenty of potential advantages that electronic records can bring, from helping hospitals and doctors get information quickly on patients' medical histories to making catches when two drugs are being prescribed that may interact dangerously together. But there are also risks: Take a look at a study in Pediatrics that cites the case of Children's Hospital of Pittsburgh, which initially saw a rise in the death rate for certain patients after computerizing its order-entry system, perhaps because it took longer to begin their treatment. (The hospital told the WSJ the study was "flawed," adding the mortality rate had fallen since then.) The WSJ also cites the case of a patient who was initially given an incorrect diagnosis based on a mix-up involving electronic records and a test result for another patient. Health Blog Question of the Day: What's been your experience with electronic records? Do they prevent safety problems or create new risks?

More consumers are growing comfortable with online behavioral targeting, perhaps as a result of an increase in familiarity, but the majority remain uneasy with the practice. That's according to a new study conducted by TNS on behalf of the privacy group Truste. For the study, consumers were asked whether they agreed or disagreed with the statement: "I am comfortable with advertisers using my browsing history to serve me relevant ads, as long as that information cannot be tied to my name or any other personal information." Twenty-eight percent of respondents agreed, up from 24% who agreed when the same study was conducted last year. At the same time, 51% said they disagreed that they were comfortable with anonymous behavioral targeting. While that figure represents a slim majority, it's down from last year, when 57% of respondents said they disagreed. At the same time, more respondents than in the past now say they delete cookies. Almost half--48% of survey respondents--said they erase cookies at least weekly, up from 42% last year. It's not clear how much overlap there is between the respondents that regularly delete cookies and those who say they're uncomfortable with behavioral targeting. Colin O'Malley, vice president of strategic business at Truste, attributed the increase in the proportion of consumers who said they were comfortable with behavioral targeting to increased publicity over the issue. He said the recent attention to the issue in the mainstream media has helped to increase transparency. He added that the increased cookie erasures showed that consumers want to be able to manage their experience. "Cookie deletion is just one more indication that consumers are seeking tools to increase their level of control," he said.

From 2003 to 2007, there were 10 bank failures in the U.S. In 2008 that number more than doubled, reaching 25. 2008's lowlight was the collapse of Washington Mutual on September 25--the biggest bank failure in American history. Thus far, 13 banks have failed in 2009.

Last week, President Barack Obama convened a health-care summit in Washington to identify programs that would improve quality and restrain burgeoning costs. He stated that all his policies would be based on rigorous scientific evidence of benefit. The flagship proposal presented by the president at this gathering was the national adoption of electronic medical records -- a computer-based system that would contain every patient's clinical history, laboratory results, and treatments. This, he said, would save some $80 billion a year, safeguard against medical errors, reduce malpractice lawsuits, and greatly facilitate both preventive care and ongoing therapy of the chronically ill. Following his announcement, we spoke with fellow physicians at the Harvard teaching hospitals, where electronic medical records have been in use for years. All of us were dumbfounded, wondering how such dramatic claims of cost-saving and quality improvement could be true. The basis for the president's proposal is a theoretical study published in 2005 by the RAND Corporation, funded by companies including Hewlett-Packard and Xerox that stand to financially benefit from such an electronic system. And, as the RAND policy analysts readily admit in their report, there was no compelling evidence at the time to support their theoretical claims. Moreover, in the four years since the report, considerable data have been obtained that undermine their claims. The RAND study and the Obama proposal it spawned appear to be an elegant exercise in wishful thinking. To be sure, there are real benefits from electronic medical records. Physicians and nurses can readily access all the information on their patients from a single site. Particularly helpful are alerts in the system that warn of potential dangers in the prescribing of a certain drug for a patient on other therapies that could result in toxicity. But do these benefits translate into $80 billion annually in cost-savings? The cost-savings from avoi

A consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves, has agreed to settle Federal Trade Commission charges that it violated federal law. Under the settlement, the company and its principal must ensure that they provide credit reports only to legitimate businesses for lawful purposes, use a comprehensive information security program, and obtain independent audits every other year for 20 years. The settlement also imposes a $500,000 penalty but suspends payment due to the defendants' inability to pay. According to the FTC, the defendants use sensitive financial data from other consumer reporting agencies to create reports that landlords use to assess potential renters. These reports contain consumers' names, Social Security numbers, birth dates, bank and credit card account numbers, credit histories, and other personal information. The Commission alleges that the company failed to properly screen new customers. The company allegedly requested only publicly-available information from applicants seeking credit reports, and it did not request supporting documentation to establish that an applicant was actually a landlord renting property. As a result, identity thieves posing as property owners were given an account with unlimited online access to credit reports, and the account was used to access at least 318 reports containing sensitive personal information. The FTC charged the defendants with violating the Fair Credit Reporting Act (FCRA) by furnishing credit reports to persons who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to prevent such impermissible disclosures and to verify their customers' identities and how they intended to use the information. The agency also charged them with violating the FTC Act by failing to employ reasonable and appropriate security measures to protect sensitive consumer inform

The team that ran the most technologically advanced presidential campaign in modern history is finding it difficult to adapt that model to government. WhiteHouse.gov, envisioned as the primary vehicle for President Obama to communicate with the online masses, has been overwhelmed by challenges that staffers did not foresee and technological problems they have yet to solve. Obama, for example, would like to send out mass e-mail updates on presidential initiatives, but the White House does not have the technology in place to do so. The same goes for text messaging, another campaign staple. Beyond the technological upgrades needed to enable text broadcasts, there are security and privacy rules to sort out involving the collection of cellphone numbers, according to Obama aides, who acknowledge being caught off guard by the strictures of government bureaucracy. "This is uncharted territory," said Macon Phillips, White House director of new media, which was a midlevel position in previous administrations but has been boosted by Obama to a "special assistant to the president."

Richard Acton-Maher of San Francisco was in nearby Berkeley last month and wanted to meet friends for lunch. Instead of making calls to see who was around, he looked at a digital map on his iPhone that plotted their locations. "One of my friends was also there," said Acton-Maher, 24, who used a service from a startup company called Loopt Inc. "I gave him a call and met him for lunch. It just enhances the communications tools that I already have." Google Inc., encouraged by people's willingness to share their personal lives on sites like Facebook, is betting more people like Acton-Maher will post their whereabouts online. The owner of the most popular search engine started a program this month called Latitude, seeking to compete with mobile networking services such as Loopt, Match2Blue, Whrrl and Limbo. Besides competition, Google's effort to turn mobile phones into tracking devices faces criticism from privacy advocates. Useful for friends and family, location data would also be valuable to the government, said Kevin Bankston, an attorney with the San Francisco-based Electronic Frontier Foundation, a not-for-profit organization focused on civil-liberties. "This is certainly valuable information to investigators and potentially to civil litigants," Bankston said. "This type of location information presents a very new sensitive data flow." Google says its privacy settings address such concerns. People using Google's mobile maps can opt not to use Latitude and choose whom they share their information with. The program also only stores the user's last known location, not a full history of their travels, said Steve Lee, a Google product manager. 'Ephemeral Data' While Google doesn't plan to store the data, the government could still go to court to ask for the company's help in tracking someone during an investigation, Bankston said.

Eight years ago, a woman we'll call Sarah discovered that she was not biologically related to the father she had known all her life. Sarah, her mother revealed, was "donor-conceived." Her parents, after trying without success for a pregnancy of their own in the late 1970s, turned to a fertility center, where Sarah's mother was artificially inseminated with sperm from an anonymous donor. At the time sperm banks did not offer detailed donor profiles. Upon discovering the truth, Sarah was told what her parents had been told about her biological father: He was a medical student, possibly of Scandinavian ancestry. Sarah, who describes her family as "loving and stable," was shocked. Today she is also sick. A year before finding out about her conception, she began to experience severe, unexplained bladder problems. She has been seeing doctors at Johns Hopkins; so far they haven't figured out the cause. Recently married, Sarah worries that she may pass the illness on to future children. The medical history of her biological father could provide a crucial piece of the diagnostic puzzle. But in the early days of artificial insemination, clinics often shredded or burned files to ensure donor anonymity and client privacy. Sarah's father's identity may be locked away in storage somewhere, or it may have been destroyed. Although aware of the likely futility of her search, Sarah still continues-writing the clinic, nurses, her doctor-in the hope that someone can help. Faced with stories like this, the fertility industry and a few state governments are trying to come up with a way to ensure that future donor-conceived children will have access to their fathers' medical files. A national registry, for example, could allow banks to monitor how many times a man donates semen and how many children are born from his seed, to share updates about medical issues and to facilitate long-term research on health outcomes. But any such registry poses a threat to the p