Group items tagged

"Can personal medical data that has been stripped of its identifiers to protect privacy later be used to identify a specific person? That is the question that the Health and Human Services Department is hoping a research contractor can answer. HHS intends to hire a contractor to demonstrate either the "ability or inability" to re-identify data from a data set that has been de-identified under the Health Information Portability and Accountability Act (HIPAA) Privacy Rule, according to a Jan. 4 notice on the Federal Business Opportunities Web site. De-identification and re-identification of patient data have become hot issues in the discussion about how to protect patient privacy while advancing adoption of electronic health records. The Obama administration is distributing at least $17 billion in incentive payments to doctors and hospitals who buy and use digital systems for medical data."

"Nearly every practicing doctor in the United States is being warned that their identities might have been stolen when the laptop of an employee of an insurance trade group was snagged from a car in Chicago. The laptop contained business and personal information such as Social Security numbers, addresses and certain identification numbers on the laptop of an employee from the Chicago-based Blue Cross and Blue Shield Association, a trade group for the nation's Blue Cross health insurance plans. The association confirmed that an employee "broke protocol and transferred to a personal laptop" information that was stolen in late August. No patient information was on the database, and so far, no doctor has reported a security breach. However, nearly 20 percent of the doctors listed in the database have their Social Security numbers as their medical-care provider identification, putting these health professionals at risk for identity theft, according to an article in the Chicago Tribune."

Laws in Canada and other countries are increasingly helping technology force people to identify themselves where they never had to before, threatening privacy that allows people to function effectively in society, a new study has found. "What we're starting to see is a move toward making people more and more identifiable," University of Ottawa law professor Ian Kerr said Wednesday. His comments followed the launch of Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society, a book summing up the study's findings, at a public reading in downtown Ottawa hosted jointly with the Privacy Commissioner of Canada. Kerr led the study with University of Ottawa criminology professor Valerie Steeves. They collaborated with 35 other researchers in Canada, the U.S., the U.K., the Netherlands and Italy. The researchers reported that governments are choosing laws that require people to identify themselves and are lowering judicial thresholds defining when identity information must be disclosed to law enforcement officials. That is allowing the wider use of new technologies capable of making people identifiable, including smartcards, security cameras, GPS, tracking cookies and DNA sequencing. Consequently, governments and corporations are able to do things like: * Embrace technologies such as radio frequency identification tags that can be used to track people and merchandise to analyze behaviour. * Boost video surveillance in public places. * Pressure companies such as internet service providers to collect and maintain records of identification information about their customers. While Canada, the U.K., the Netherlands and Italy all have national laws protecting privacy - that is, laws that allow citizens to control access to their personal data - such legal protection does not exist for anonymity, Kerr said. "Canada is quite similar [to other countries] with respect to anonymity. Namely, it's shrinking here just as it is there.

Online fraud is a $4 billion dollar a year industry. It grows as the unemployment rate increases and the jobless attempt to earn a living through whatever means necessary. Meanwhile, the Internet's footprint on the global economy and culture becomes larger every day. The expansion of fraud and the identification of this risk will create more jobs in the fields of compliance, risk management, and best practices. Who will fill these positions? For many companies looking to take action, the initial move will be to consolidate roles. Individuals in areas such as sales and marketing will absorb fraud identification, reporting, and prevention responsibilities. This will prove to be ineffective for the following reasons: 1. The sales and marketing staffs are not trained to identify fraud and they cannot keep up with the ever-changing tactics. 2. Associates are conflicted when faced with a fraud incident. They are not motivated to report fraud and their compensation structure dissuades them from reporting incidents. 3. Business goals are not aligned appropriately, which naturally moved fraud last on the priority list for the associates assigned the additional responsibilities. 4. While the internal attempt is made, no time is spent on partner due diligence and monitoring. Organizations will benefit in the long term by hiring dedicated staff. This tactic is one component of my company's Best Practice approach to doing business. My dedicated team helped realign business goals and create a culture that now embraces a higher set of standards and expectations. Staffing and training were the largest challenges I have faced in the last year. The positions were new, the skill set was specific, and as a result we received a dichotomous set of resumes. Applicants with online marketing experience had little to no experience with fraud, or they came from companies where more unscrupulous methods were used, and I was not confident those habits would be easily kicked. The app

In the 2002 film Minority Report, video billboards scanned the irises of passing consumers and advertised to them by name. That was science fiction back then, but today's marketers are creating digital signs that can display targeted ads based on information they extract from examining the contours of individual human faces. These smart signs are proliferating in commercial establishments and public places from New York's Times Square to St. Louis area shopping malls. They are a powerful innovation in advertising, but one that raises compelling privacy issues - issues that should be addressed now, before digital signs that monitor our behavior become the new normal. The most common name for this medium is digital signage. Most digital signs are flat-screen TVs that run commercials on a continuous loop in airports, gas stations, and anywhere else marketers think they can get your attention. However, marketers have had difficulty determining exactly who sees the display units, which makes it harder to measure viewership and target ads at specific audiences. The industry's solution? Hidden facial recognition cameras. The tiny cameras can estimate the age, ethnicity and gender of people passing by and can track how long a given person watches the display. The digital sign can then play an advertisement specifically targeted to whomever happens to be watching. Tens of millions of people have already been picked up by digital signage cameras. While camera-driven systems are the most common, the industry is also utilizing mobile phones and radio frequency identification (RFID) for similar purposes. Some companies, for example, embed RFID chips in shopper loyalty cards. Digital kiosks located in stores can read the information on the cards at a distance and then display ads or print coupons based on cardholders' shopping histories. Facial recognition, RFID and mobile phone tracking are powerful tools that should be matched by business practices that protect consu

In the 2002 film Minority Report, video billboards scanned the irises of passing consumers and advertised to them by name. That was science fiction back then, but today's marketers are creating digital signs that can display targeted ads based on information they extract from examining the contours of individual human faces. These smart signs are proliferating in commercial establishments and public places from New York's Times Square to St. Louis area shopping malls. They are a powerful innovation in advertising, but one that raises compelling privacy issues - issues that should be addressed now, before digital signs that monitor our behavior become the new normal. The most common name for this medium is digital signage. Most digital signs are flat-screen TVs that run commercials on a continuous loop in airports, gas stations, and anywhere else marketers think they can get your attention. However, marketers have had difficulty determining exactly who sees the display units, which makes it harder to measure viewership and target ads at specific audiences. The industry's solution? Hidden facial recognition cameras. The tiny cameras can estimate the age, ethnicity and gender of people passing by and can track how long a given person watches the display. The digital sign can then play an advertisement specifically targeted to whomever happens to be watching. Tens of millions of people have already been picked up by digital signage cameras. While camera-driven systems are the most common, the industry is also utilizing mobile phones and radio frequency identification (RFID) for similar purposes. Some companies, for example, embed RFID chips in shopper loyalty cards. Digital kiosks located in stores can read the information on the cards at a distance and then display ads or print coupons based on cardholders' shopping histories. Facial recognition, RFID and mobile phone tracking are powerful tools that should be matched by business practices that protect consu

European Union's move indicates growing government concern over how Internet companies are using individuals' private data The European Commission began legal action against the U.K. Tuesday over its failure to protect Internet users from Phorm -- a covert behavioral advertising technology tested by the U.K.'s biggest fixed line operator, BT, in 2006 and 2007. The move signals growing concern in Brussels over the way new Internet-based technologies are using people's personal data. In addition to taking legal action against the U.K., the Commission also issued a general warning to all 27 E.U. countries to uphold privacy laws, especially regarding social-networking Web sites and users of RFID (radio frequency identification) technologies. In Canada, the federal government has even proposed a legislation that will provide law enforcement agents sweeping powers to obtain user information from ISPs. The Commission, the executive body of the European Union responsible for upholding laws, said the U.K. had failed to enforce E.U. data protection and privacy rules, because broadband Internet subscribers were not informed that their browsing was being tracked.

Here's the paper's abstract: This paper presents a novel technique for authenticating physical documents based on random, naturally occurring imperfections in paper texture. We introduce a new method for measuring the three-dimensional surface of a page using only a commodity scanner and without modifying the document in any way. From this physical feature, we generate a concise fingerprint that uniquely identifies the document. Our technique is secure against counterfeiting and robust to harsh handling; it can be used even before any content is printed on a page. It has a wide range of applications, including detecting forged currency and tickets, authenticating passports, and halting counterfeit goods. Document identification could also be applied maliciously to de-anonymize printed surveys and to compromise the secrecy of paper ballots.

Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and national identification numbers of 45,000 employees and retirees, a union leader says. Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials briefed union leaders Monday about the security breach. FAA spokeswoman Laura Brown confirmed the agency's computers were hacked last week. Story continues below ↓advertisement | your ad here Waters said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security is the U.S. government-directed pension system, and in the absence of a national identity card, other people's social security numbers can be used to steal identities for illicit purposes. Waters said the other file contained medical information that was encrypted. "These government systems should be the best in the world, and apparently they are able to be compromised," said Waters, an FAA contracts attorney. "Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world." FAA officials told union leaders the incident was the first of its kind at the agency. But Waters said his union complained about three or four years ago about an incident in which employees received anti-union mail that used names and addresses that appeared to be generated from FAA computer files.

The Payment Card Industry Data Security Standard (PCI DSS) is ineffective and major payment processing infrastructure improvements are needed to secure credit and debit card transactions, lawmakers said Tuesday. The House Subcommittee on Emerging Threats, Cybersecurity, Science, and Technology, part of the House Committee on Homeland Security, held a hearing in Washington, D.C., on Tuesday to examine the effectiveness of PCI DSS. "The bottom line is that if we care about keeping money out of the hands of terrorists and organized criminals, we have to do more, and we have to do it now," said U.S. Rep. Yvette Clarke (D-N.Y.), who chairs the subcommittee. "The payment card industry and issuing banks need to commit to investing in infrastructure upgrades here in the United States." Clarke called on the industry to implement encryption on its credit and debit card processing networks and said the deployment of chip and PIN technology could significantly reduce the amount of stolen payment data. Chip and PIN technology is used in Asia and Europe. The technology replaces the magnetic strip on the back of a card and adds a four-digit personal identification number (PIN) to confirm a payment.

With identity theft on the upswing, Aram Langhans thought he was simply being prudent when he asked the Yakima Heart Center to remove his Social Security number from its files. "They had my insurance card and my driver's license. What else did they need?" said Langhans, a retired public school teacher insured by Group Health. Langhans said he was initially hooked up to a portable heart monitor that he was to wear for 24 hours, but the disagreement over his Social Security number prompted upper-level personnel to change their minds. He said moments after the device was attached, he was sent to a restroom to remove it and turned away. Shawnie Haas, administrator of the Heart Center, an independent outpatient group practice, declined to discuss the incident. But she said in an e-mail statement that the practice protects patients' privacy. "The Yakima Heart Center is careful to collect data pertinent to ensuring accuracy of our patient's medical record. Routine information collected for all patients includes name, address, date of birth, Social Security number, gender, and other specific information that helps us verify that individual's identity and insurance enrollment or coverage data. We are careful to maintain confidentiality of all patient information in our system." According to state and federal regulators, private insurance companies have moved away from using Social Security numbers for patient identification. But health-care providers in the Yakima Valley say they routinely collect them as "backup" in the event that patients' insurance doesn't pay the claim.

The European Commission on Tuesday set a code of conduct for companies using RFID (radio frequency identification) tags that it hopes will safeguard citizens' privacy and allow the quick rollout of the new technology. Around 2.2 billion RFID tags were sold worldwide last year, a third of them in Europe, and were installed in a wide range of products including shipping containers and smart cards used in highway toll booths. The Commission expects the use of RFID tags to grow to five times the current level over the next decade, as tags are added to common consumer items such as bus passes, refrigerators and even clothes. There is "clear economic potential" in using RFID chips to allow communication between objects, said information society commissioner Viviane Reding in a statement. But she added that European citizens "must never be taken unawares by the new technology."

The head of Calgary's Drop-In Centre says he is astounded by the controversy surrounding the shelter's use of a handprint-based security system, with the latest salvo coming from the province's privacy commissioner on Friday. "People . . . have no idea what we're going through here,"said the centre's executive director Dermot Baldwin, adding he now has three staff off work because of beatings. "We're going to (take) the measures necessary to make this place safe, secure, a good place to come . . . but in order to do that, I've got to keep the bad guys out." The comments came after Alberta's privacy commissioner said he's concerned about a new security system the Drop-In Centre is testing, which includes the scanning of clients' handprints to confirm their identification. Frank Work said Friday the home-less shelter's system of scanning and collecting handprints will likely lead to the creation of a database that will store that information.

Climbing into his Volvo, outfitted with a Matrics antenna and a Motorola reader he'd bought on eBay for $190, Chris Paget cruised the streets of San Francisco with this objective: To read the identity cards of strangers, wirelessly, without ever leaving his car. It took him 20 minutes to strike hacker's gold. Zipping past Fisherman's Wharf, his scanner detected, then downloaded to his laptop, the unique serial numbers of two pedestrians' electronic U.S. passport cards embedded with radio frequency identification, or RFID, tags. Within an hour, he'd "skimmed" the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet. Embedding identity documents - passports, drivers licenses, and the like - with RFID chips is a no-brainer to government officials. Increasingly, they are promoting it as a 21st century application of technology that will help speed border crossings, safeguard credentials against counterfeiters, and keep terrorists from sneaking into the country. But Paget's February experiment demonstrated something privacy advocates had feared for years: That RFID, coupled with other technologies, could make people trackable without their knowledge or consent. He filmed his drive-by heist, and soon his video went viral on the Web, intensifying a debate over a push by government, federal and state, to put tracking technologies in identity documents and over their potential to erode privacy. Putting a traceable RFID in every pocket has the potential to make everybody a blip on someone's radar screen, critics say, and to redefine Orwellian government snooping for the digital age. "Little Brother," some are already calling it - even though elements of the global surveillance web they warn against exist only on drawing boards, neither available nor approved for use.

Did we need more proof that a chain is only as strong as its weakest link?

A secure Web mail company that challenged hackers to break into the company's Web mail system is paying out a US$10,000 prize, just days after launching the contest. A team of hackers managed to hack into StrongWebmail CEO Darren Berkovitz's Web mail account, using what's known as a cross-site scripting (XSS) attack, the company confirmed Monday. "They did it using an XSS script that took advantage of a vulnerability in the backend webmail program," StrongWebmail said in a statement. StrongWebmail launched the contest at the end of May as a way of promoting the voice-based identification technology sold by its parent company, Telesign. Hackers were given Berkovitz's e-mail address and password and challenged to break into the account. The company thought this would prove difficult because StrongWebmail requires a special password that is telephoned to the user before e-mail can be accessed.

Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN (Personal Identification Number), which would potentially allow criminals to clone the card in order to withdraw cash.

Windows XP is an obvious choice to run ATMs! Sigh!

A Troy woman learned Tuesday that she will spend 180 days in the Livingston County Jail for stealing the identity of a local woman who was dying. Judge Stanley J. Latreille also sentenced Vershawn Jones, who earlier pleaded guilty to identity theft, to four years of probation. Assistant Prosecutor Pamela Maas said the victim, who was not in court Tuesday, wanted to know how Jones, 38, got his wife's identification. His wife, Maas noted, was dying in a Hospice facility at the time. Jones, who said she operated a mortgage business, said she got it from one of four employees who brought her applications from people seeking mortgages. Those applications included personal information, such as Social Security numbers, she said. When pressed for names, Jones glanced at her attorney and shrugged. "I apologize to the victim and the victim's family," she said. "I've done the best I can running my own business." Maas initially requested that the state be allowed to withdraw from the plea deal that called for her office to recommend Jones serve no more than 90 days in the county jail after noting Jones had twice been sent to jail for failing to show for court hearings. While Jones apologized, Latreille was unmoved, telling the defendant "you're fortunate you're not going to prison."

Would Near-Field Communication be considered a superior technology to high-frequency radio frequency identification?

"It's the easiest way for a bad guy to pretend to be you." So why are banks still using SSNs as a major form of customer identification?

Web sites that strip personally identifiable information about their users and then share that data may be compromising their users' privacy, according to researchers at the University of Texas at Austin. They took a close look at the way anonymous data can be analyzed and have come to some troubling conclusions. In a paper set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at the many connections surrounding their network of friends. The technique isn't 100 percent effective, but it may make some users uncomfortable about whether they should allow their data to be shared in an anonymous format. Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these "anonymized" data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with. "A lot of the time people will share information online and they'll expect that they are anonymous," Narayanan said in an interview. But if their identity can be ascertained on one social network, its possible to find out who they are on some other network, or at least make a "strong guess," he said.

TSA terrorist watchlist changes affect travel industry, document coordination requirements, security & privacy concerns. Over-strengthening one set of regulations and ignoring others simply means that the terrorists will move to safer (for them) modes of attack.

The Transportation Security Administration is getting ready to take over responsibility from the airlines for checking passengers' names against terrorist watch lists, and is advising travelers to start booking airline tickets using their full name as it appears on their driver's license or passport.