Group items tagged

Privacy rights are accepted and, generally, honored in Europe. The wealth - literally and figuratively - of personal information made available through the internet staggers the imagination. Staggering, too, is the prospect of privacy rights being trampled. EC Consumer Protection Commissioner Meglena Kuneva has a bone to pick with internet snooping. And she's launching an investigation into deep data mining. In an official statement (to be released March 31) she will outline concerns of vague and misleading 'term of use' for access to Web sites that can breach EC privacy rules. Commissioner Kuneva was born and raised in Bulgaria during a time when snooping on people was common, legal and nasty. The European Parliament (EuroParl) voted (March 27) overwhelmingly for recommendations in a report linking data surveillance, advertising and cybercrime. The report recommends safeguards for the privacy rights of internet users. The EuroParl called for "making use of existing national, regional, and international law." The MEPs raised the "imbalance of negotiating power between (internet) users and institutions." Internet users, said the MEPs, have the right to "permanently delete" personal details. Facebook's recent change in 'terms of use' allowing it to retain personal information brought a firestorm of criticism and the social networking portal backtracked. And the EC was watching. "It wasn't regulators who spotted the proposed change of terms at Facebook, it was one of the 175 million users," said Commissioner Kuneva's spokesperson Helen Kearns. Collecting and analyzing profile data is big business. It is "the new petroleum of the Internet world," said Ms Kearns, quoted in PC World (March 30). "If you are happy trading your data that's fine, but you should at least know how valuable it is." As Google and Microsoft have learned European Commission rules, unlike American rules, tend to set a low bar for compliance. The former pr

As online shopping becomes a greater force each year, the behavior of online shoppers becomes more and more scrutinized. Ad net AudienceScience, a key scrutinizer, announced today the findings of a commissioned study conducted on its behalf by JupiterResearch designed to measure the receptiveness of online shoppers to behavioral targeting. And the survey says: They like it -- at least that they are more responsive to ads that are behaviorally targeted than those that are contextually targeted. And they were pretty clear about it, with 65 % responding that they are more receptive to BT, and only 35% saying they paid more attention to contextual ads. "Since its inception, behavioral targeting has been an evolution of contextual advertising, and these findings are testament to its power to more effectively engage with consumers on their own level," said Marla R. Schimke, VP of Marketing, AudienceScience. "If we conduct the same study in a year, five years, ten years, I believe we'll see this already substantial gap between the two continue to widen as more and more brands and marketers realize that they can use behavioral targeting to specifically target their ideal customer."

Hundreds of credit union members are starting their holiday weekend off without their debit cards after a credit compromise forced the Winthrop Federal Credit Union to deactivate customers' cards. The credit union stayed open Friday until 6 p.m. to give cash to affected customers for the weekend. CARDS FROZEN AS A PRECAUTION Credit union officials say its card processer, Metavante, noticed suspicious activity on three of its MasterCard debit cards and notified the credit union about them. While it was not a security breach, the Winthrop Federal Credit Union decided to freeze a block of cards as a precaution, something that Metavante did not advise them to do. "We really know very little. We are working with the credit processor to identify the possible cards," said bank spokeswoman Cathleen Clark. "We always feel it's better to be safe than sorry." Because of the suspected credit compromise, the credit unions says it felt it was necessary to freeze the cards.

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. "Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says. But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.) The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes. Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations. Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk

Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information. Security experts have developed an easy-to-use, automated software tool that can remotely break into Oracle databases over the Internet to simulate attacks on computer systems, but cybercrooks can use it for hacking. The tool's authors created it through a controversial open-source software project known as Metasploit, which releases its free software over the Web. Chris Gates, a security tester who co-developed the Metasploit tool, will unveil it next week at the annual Black Hat conference in Las Vegas, where thousands of security experts and hackers will gather to exchange trade secrets. "Anyone with no skill and knowledge can download and run it," said Pete Finnigan, an independent consultant who specializes in Oracle security and who advises large corporations and government agencies.

You systems administrator knows more about you than you think.

More than one-third of information technology professionals abuse administrative passwords to access confidential data such as colleagues' salary details or board-meeting minutes, according to a survey. Data security company Cyber-Ark surveyed more than 400 senior IT professionals in the United States and Britain, and found that 35 percent admitted to snooping, while 74 percent said they could access information that was not relevant to their role. In a similar survey 12 months ago, 33 percent of IT professionals admitted to snooping. "Employee snooping on sensitive information continues unabated," Udi Mokady, CEO of Cyber-Ark, said in a statement. Cyber-Ark said the most common areas respondents indicated they access are HR records, followed by customer databases, M&A plans, layoff lists and lastly, marketing information. "While seemingly innocuous, (unmanaged privileged) accounts provide workers with the 'keys to the kingdom,' allowing them to access critically sensitive information," Mokady said. When IT professionals were asked what kind of data they would take with them if fired, the survey found a jump compared with a year ago in the number of respondents who said they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security. The survey found a six-fold increase in staff who would take financial reports or merger and acquisition plans, and a four-fold increase in those who would take CEO passwords and research and development plans.

Another report on Sears getting slapped on the wrist for questionable data collection. Gee, why don't businesses take information law seriously? Maybe because it is more profitable to ignore it and pay a small fine? Not impressed by Obama's enforcement of privacy law.

Sears today agreed to settle Federal Trade Commission charges that it failed to disclose the depth of consumers' personal information it collected via a downloadable software application. The settlement calls for Sears to stop collecting data from the consumers who downloaded the software and to destroy all data it had previously collected. If Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit, the FTC stated. Sears must also disclose whether any of the data will be used by a third party, the FTC said.

Point by Marcus Ranum THERE'S AN OLD SAYING, "Sometimes things have to get a lot worse before they can get better." If that's true, then breach notification laws offer the chance of eventual improvements in security, years hence. For now? They're a huge distraction that has more to do with butt-covering and paperwork than improving systems security. Somehow, the security world has managed to ignore the effect voluntary (?) notification and notification laws have had in other fields-namely, none.We regularly get bank disclosure statements, stock plan announcements, HIPAA disclosures, etc.-and they all go immediately in the wastebasket, unread.When I got my personal information breach notification from the Department of Veterans Affairs, it went in the trash too. Counterpoint by Bruce Schneier THERE ARE THREE REASONS for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law-"They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing"-is just wrong. Two, it provides statistics to security researchers as to how pervasive the problem really is. And three, it forces companies to improve their security. That last point needs a bit of explanation. The problem with companies protecting your data is that it isn't in their financial best interest to do so. That is, the companies are responsible for protecting your data, but bear none of the costs if your data is compromised. You suffer the harm, but you have no control-or even knowledge- of the company's security practices. The idea behind such laws, and how they were sold to legislators, is that they would increase the cost-both in bad publicity and the actual notification-of security breaches, motivating companies to spend more to prevent them. In economic terms, the law reduces the externalities and forces companies to deal with the true costs of

"The school's policy seems to violate the Genetic Information Nondiscrimination Act (GINA), says Susannah Baruch of the Genetics and Public Policy Center at Johns Hopkins University. "Most generally," she says, "GINA prohibits health insurers and employers from using your genetic information against you." The law went fully into effect Nov. 21, and it prevents health insurers from collecting genetic information to make decisions about the insurance people get or how much it costs. The law also says an employer can't use it to make decisions about hiring, firing or job promotions. There are a few exceptions. The law doesn't apply to employers with fewer than 15 workers. And while it covers health insurance, it doesn't apply to life or long-term care insurance."

"Imagine that you are vacationing and get a phone call from your neighbor telling you that your alarm just went off, but there is nothing you can do about it. You don't know what set it off and if it is just a fluke. You find yourself now wide awake, asking yourself why you got the alarm to begin with. For iPhone users, the solution to this kind of situation lies in an application provided by CAVU Mobile Surveillance Solution. This app allows you to view live footage taken from any security camera on your iPhone, transforming it into a portable advanced home security system. With the CAVU Mobile Surveillance Solution, the next time a neighbor calls to tell you that your alarm has gone off again, you can automatically see what is going on inside your house on our phone- no matter where you are. This application also lets you save footage on your phone, which is useful in case you need to show/reference the footage on the go. From your phone you can even control the position of the camera - providing you with multi-camera views. If you're thinking to yourself right now about how you wish you had been nicer to your neighbor, because then he/she would be more likely to actually call you to tell you that there is a good chance you're being robbed- stop. This iPhone app also allows for poor neighbor to neighbor relations. It provides a self sufficient, independent of any neighbor, surveillance system on your phone to tell your that there is suspicious action going on. For a cool $19.99 you can be your own FBI squad team, the C, the, S and the I in CSI Crime Scene Investigation, and most importantly, sure that your home is safe."

Is the price to safeguard America's information systems and networks on a collision course with efforts to rescue the economy? One would hope not, but the $789 billion stimulus package that contains nearly $10 billions for IT-related projects offered very little for cybersecurity. Still, the president sees protecting government and private-sector information systems as crucial to the economic vitality of the country. So, when Acting Senior Director for Cyberspace Melissa Hathaway hands the President her recommendations on securing the nation's information infrastructure later this month, a sharper picture should emerge on how much money the government will need to spend to do just that. What Price Security? The government isn't a spendthrift in protecting its IT networks; it earmarked $6.8 billion a year on cybersecurity this fiscal year, up from $4.2 billion five years ago, according to the White House Office of Management and Budget. But is that enough? Appropriating money to find new and innovative ways to protect our critical information infrastructure doesn't seem to be a government priority, at least not yet. Of the $147 billion the government planned to spend on all types of research and development this fiscal year, only $300 million or 0.2 percent was slated for cybersecurity, according to the Securing Cyberspace in the 44th Presidency report issued by the Center for Strategic and International Studies. By comparison, the budget contained five times as much money $1.5 billion for nanotechnology R&D.

A data protection group has warned that opting out of Phorm will not prevent the technology from processing data that users enter through web site search portals. Companies such as Amazon, Wikipedia and LiveJournal have taken the decision to block the controversial advertising technology from scanning their sites because of the privacy implications. However, Open Rights Group executive director Jim Killock has since admitted that, even if web sites opt out of the programme, ISPs supporting Phorm will still be able to profile users visiting those sites. "This is because Phorm can scan search requests entered in those sites, even if it cannot detect the web site pages users are viewing," Killock said. "For example, even if Google opts out of Webwise, when a user types in a Google query and they are using BT, it will still go through Phorm before it reaches BT." Killock added that Phorm does not gain permission from either senders or receivers of the information before it processes the data. Phorm uses browsing information to serve accurately targeted advertisements, and is soon to be rolled out under the Webwise brand by internet service providers BT, Virgin Media and TalkTalk. However, as the time for deployment nears, the controversy surrounding the technology only seems to be increasing.

Two high school girls are suing their local District Attorney after he threatened to file child sex abuse charges against them over a cellphone photo of themselves in their bras. Marissa Miller and Grace Kelly, both now 15, were 13 when the picture was taken at a slumber party. It is believed to show the two friends from the waist up, both wearing bras. Several of their classmates had a copy of the photo stored on their cellphone, thanks to a craze called 'Sexting', where provocative cellphone images are exchanged between young people. The girls both attend Tunkhannock Area High School, Pa. The image in question found its way to District Attorney George P. Skumanick of Wyoming County after it was discovered on one student's confiscated cellphone. Skumanick was indignant enough to threaten all of those involved - either because they were found to be in possession of the image or because they were identified from the photo - with child sex abuse charges if they did not attend a ten hour class on pornography and sexual violence. Such charges, if filed, could lead to jail time as well as potentially having to register as a sex offender for anyone convicted. Seventeen other students accepted the 'deal' and agreed to go on the course. The parents of Marissa, Grace, and one other girl, however, felt that the threat from the DA was over-zealous and are fighting back. With the help of the American Civil Liberties Union, they have filed suit against Skumanick in federal court in Scranton, Pa. The lawsuit asks the court to prevent Skumanick from filing charges against them, arguing that they had a right under the first and fourth amendments to refuse his deal and contending that his threat of sexual abuse charges was retaliatory in nature.

Stay Online on the world wide web online roulette from Contemporary sydney, Fun and Free! Now you is capable of doing Actual "www.funlivecasino.com.au" Stay Online on the world wide web online roulette for Fun in Contemporary sydney on a product new web page, FunLiveCasino.com.au. Using the newest on the world wide web operating technology, Fun Stay Gambling house allows you be a part of a genuine action occurring on a genuine desk in a genuine betting house, all approved on Live! You can see other real gamers in the betting house betting on the same outcomes you do providing you greatest believe in in the outcomes as they are not designed 'just for you a, like other action experiencing items such as 'live studios' or pc designed actions. Its awesome to think next time your really in the betting house that you might be on digicam, and individuals on the world wide web might be watching! The long run is scary! Believe one day soon this will be the only way individuals would bet on the world wide web because the worldwide web is complete of fraudsters, you have to be extremely cautious, and why would you perform Online Online on the world wide web online roulette any other way except from a Actual Gambling house you can check out, see, pay attention to and trust! Amazingly this site is absolutely 100 % 100 % 100 % free and has no determining upon up process, no junk, no pc rabbit mouse mouse clicks and no pressure. Just Immediate Fun "www.funlivecasino.com.au" 100 % 100 % 100 % free Stay Roulette! Give it a try, its value verifying out! "www.funlivecasino.com.au"Australia's Online Fun Stay Casino! Backlinks designed from http://fiverr.com/radjaseotea/making-best-156654-backlink-high-pr

It's never been easier to get information on the run. Smart devices such as the G1 and Apple iPhone let you put the Internet in your pocket and go - down the block or across the country. But this convenience could cost plenty in lost privacy, consumer advocates and tech analysts say. Once data have been collected and warehoused, you lose control of it forever. "The Big Brother aspect of it is troubling," says Rep. Edward Markey, D-Mass., former chairman of the powerful House Subcommittee on Telecommunications and the Internet. Mobile consumers are especially vulnerable, Markey says. Unlike PCs, cellphones tend to be used by one person exclusively. The information they telegraph - on Web browsing, lifestyle and more - tends to be "highly personalized." That's the main reason mobile data are so prized: The information is incredibly accurate. It's also why Markey and other privacy advocates say the debate about online privacy will become even more intense as advertising migrates to the mobile Web. Mobile advertising is still relatively new - G1 users, for now, get ads only through search results, for instance - but it's clearly a hot spot. The market is expected to reach $2.2 billion by 2012, from about $800 million now, according to JupiterResearch. Ultimately, it could surpass the traditional Web, now a $20 billion ad market. Yahoo, Microsoft and other ad-supported search engines collect information as Google does. But the sheer size and scope of Google's data-mining operation - the Web giant performs more than 80% of all desktop searches worldwide - makes it a uniquely pervasive presence, says Chester. Google and Yahoo, the two biggest players in search advertising, say their self-imposed privacy policies are sufficient to protect consumers, noting that they do not collect or store information in a way that can be directly tracked to an individual. Peter Fleischer, global privacy counsel for Google, says Google tries to make privacy language as

The row over the changes Facebook made to its terms has thrown the light on the rights people surrender when they sign up to use a website. It is likely though that until the row over Facebook's Terms and Conditions went public, few people knew what rights sites claim over the content that their members upload and share. "Less than 25% of users are making a specific point of going to the privacy settings and making changes," said Simon Davies, head of digital rights group Privacy International. Most, he said, are so keen to get using a site after registering that they do not take time to learn what will happen to any data that they are surrendering. Only later do they go back and adjust what happens to their data. "A lot of sites do have strong privacy controls," said Mr Davies. Tweaking these settings can help cut down on how much of a person's data is distributed. "It can make a difference," said Mr Davies, "particularly if the default is set in terms of maximum information flow." Blogger Amanda French looked through the pages where sites such as Facebook, MySpace, Flickr, YouTube and others spelled out their policies with regard to the data that members upload. Although the wording was different, she found that sites such as MySpace, Yahoo, Google and Twitter explicitly backed away from claiming ownership over uploaded content. A brief survey of Europe's Top 5 social sites found a similar situation. The text of the terms available on the UK sites of Facebook, Bebo, MySpace, Friends Reunited and Windows Live all back away from claiming ownership. By contrast, she wrote, the changes Facebook made to its terms were "extraordinarily grabby and arrogant".

It's often the security issue that dogs Google, Microsoft and other purveyors of personal health records (PHR): How will so much personal medical data be kept safe? A tangential question for Google, however -- one that has dogged the search giant since its Google Health offering was first made available in May 2008 -- is whether Google's search-based advertising platform creates a conflict with storing personal health data. Speaking at the Mastermind Session at Everything Channel's Healthcare Summit in San Diego in November,Google Vice President of Research and Special Initiatives Alfred Spector told health care CIOs, solution providers and other attendees that Google intended Google Health as an extension of the Google brand, and it was and would continue to be entirely separate from Google's main advertising platform. Watchdog organizations have taken Google to task over that claim, however, with one, Consumer Watchdog, even accusing Google of trying to lobby Congress to allow it to sell medical records by loosening regulatory language in the stimulus bill. "The medical technology portion of the economic stimulus bill does not sufficiently protect patient privacy, and recent amendments have made this situation worse," wrote Jerry Flanagan of Consumer Watchdog in a Jan. 27 open letter to Congress. "Medical privacy must be strengthened before the measure's final passage, rather than allowing corporate interests to take advantage of the larger bill's urgency." Flanagan in the letter states that, "Google is said to be lobbying hard ... to weaken the ban currently in the draft measure on the sale of our private medical records." While Consumer Watchdog did not cite specific evidence of Google pushing for softer restrictions, Google responded to the group's claims on its Public Policy Blog last week. "The claim -- based on no evidence whatsoever -- is 100 percent false and unfounded," wrote Pablo Chavez, Google's Senior Policy Counsel. "Google does not sell health

Data classification is a cornerstone of good privacy & security management. If you can measure it, you can manage it, right? First you have to know where it is.

Why classify data? Classifying data can help make data more accessible (or less accessible) to the users in your environment who need it. For example, suppose the Human Resources department created a folder on the file server within their department called Litigation. In this folder they place files that are needed for any litigation the company is associated with. The permissions on the folder are configured so that HR employees can edit the contents of the folder and add documents. Senior management can read the documents in the litigation folder, and the HR manager can remove documents that are no longer needed. The question is, how is it determined that a document is no longer needed and how do we apply these criteria to existing files in such a way that minimizes user interaction with them? The new classification feature in Windows Server 2008 R2 makes it possible to automatically assign classification information to files on file servers and apply policy to them based on that information. Classification in Windows Server 2008 R2 consists of several elements: properties, rules, and a policy segment including reporting and file management. Properties are the fields that you wish to assign a value for, and the rules are the criteria that set these values. There are other methods of classification available as well, including applications and scripts. More detailed examination of the methods of configuring the File Classification Infrastructure will follow in a future post. For the above example, a rule would be used to label a set of files in the Litigation folder. Adding a label such as Litigation-Case Number X (where X is the number of the case) can allow easy organization of files for each litigation case. When the classification rule is run against the specified folder, all files meeting the rule conditions would be classified with an appropriate label. You could use an expiration date here, but doing that might require reclassification of files if the ex

"The U.S. Department of Health and Human Services issued an interim final rule to beef up penalties for violations of the Health Insurance Portability and Accounting Act (HIPAA), as several Congressmen criticize the agency for leaving dangerous loopholes in the law. The new rules significantly increase penalty amounts that the U.S. Department of Health and Human Services can impose for HIPAA violations of patient privacy, according to a statement from HHS. The new rules reflect requirements enacted in the Health Information Technology for Economic and Clinical Health (HITECH) sections of the American Recovery and Reinvestment Act (ARRA) of 2009. Before HITECH, maximum penalties were $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan, or clearinghouse could be exempt from civil financial penalties if it demonstrated it did not know it violated the HIPAA rule. The HITECH act increases civil financial penalties by establishing tiered ranges of increasing minimum penalties, with a maximum $1.5 million for all violations of identical provisions. And a "covered entity" can plead ignorance as a protection only if it fixes the violation within 30 days of discovery."

"The United States House of Representatives took a major step this week toward enacting a national data breach notification law. H.R. 2221, the Data Accountability and Trust Act (DATA), cleared the House with a voice vote. In its current form, DATA requires businesses to notify customers and the Federal Trade Commission (FTC) if sensitive information has been exposed to a security breach. If the U.S. Senate can reconcile its own approach to data breach notification legislation with DATA, a new federal standard will emerge. If signed into law by President Barack Obama, a federal data breach ¬law would pre-empt the jumbled mass of dozens of state laws. "You'd be better served by federal legislation if the federal legislation has teeth and doesn't pre-empt the state's law," said California state senator Joe Simitian, speaking to executive editor Scot Petersen in September. "If there was a meaningful standard at the national level, I think many states would be happy to accept it." Aside from the data breach notification required by the HITECH Act, DATA would put into place the first national law of its kind. H.R. 2221 was sponsored by House Subcommittee Chair Rep. Bobby L. Rush of Illinois. The bill specifically states that: "Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data -- 1. notify each individual who is a citizen or resident of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security; and 2. notify the Federal Trade Commission."

"UC San Francisco said late Tuesday it has alerted 600 patients and others that an external hacker may have obtained "temporary access to emails containing their personal information" as a result of a late September phishing scam. The breach occurred about three months ago, and was investigated in mid-October, but wasn't disclosed to the public until Dec. 15. Corinna Kaarlela, UCSF's news director, told the San Francisco Business Times late Tuesday that individuals whose data may have been compromised were notified between Oct. 21, when an in-depth investigation began, and Dec. 11, when it was completed. UCSF said Tuesday that an unnamed faculty physician in the School of Medicine was victimized in late September by the alleged scam. The physician provided a user name and password in response to an email message fabricated by a hacker, that appeared as if it came from those responsible for upgrading security on UCSF internal computer servers. UCSF's Enterprise Information Security unit subsequently identified the breach and disabled the compromised password. UCSF says it conducted an investigation and in mid-October determined that emails in the physician's account ─ including some containing demographic and clinical information and, in a few cases, Social Security numbers ─ may have been exposed."