Group items tagged

Hartmut Mehdorn's days as the boss of German rail operator Deutsche Bahn look to have come to an end as the embattled executive offers his resignation amid a damaging, ongoing data privacy scandal. Mehdorn said he was offering to go because the "destructive debates" over his future were damaging the company. "I have made an offer to terminate my contract with the supervisory board chairman," Mehdorn said Monday, March 20, at a press conference to announce Deutsche Bahn's annual financial results. "I assume that a successor will be appointed before the summer holidays" begin in July. Mehdorn, who has run the state-owned firm since 1999, has been under increasing pressure ever since it was revealed earlier this year that Deutsche Bahn accessed confidential staff data as far back as 1998.

Online targeted advertising and the collection of consumer data are the fuel of Internet commerce, not the major privacy problems described by some advocates and U.S. lawmakers, according to a new paper. "The use of such data permits firms to target their marketing messages to consumers' interests, pays for a wealth of content on the Internet, and helps protect consumers from a variety of online threats," said the paper, released Monday by the Technology Policy Institute (TPI), an antiregulation think tank. "It forms the basis for many of the business models that are fueling the growth of the Internet." Privacy groups want a "free lunch" online, with strong privacy controls that make it tougher for advertising to work online, the paper said. "Privacy advocates have provided little detail on the benefits of more privacy and have typically ignored the costs or trade-offs associated with increasing privacy," the paper said. Data collection delivers ads that people want and that advertising pays for a multitude of free services online, said the paper, co-authored by TPI President Thomas Lenard and Emory University law and economics professor Paul Rubin.

Top attorneys for Microsoft and Google today reiterated their companies' support for tougher government rules to protect consumer privacy. But when it comes to the details, some watchdog groups say they are concerned that Web firms will continue to fight against specific provisions that would limit the ways they can collect and use people's information to serve more targeted ads. Today's panel discussion, held here at the Computers, Freedom and Privacy conference, revisited a longstanding policy debate over the government's role in online privacy. The talk ran along some familiar plotlines, with Jeff Chester of the Center for Digital Democracy thundering about the detailed personal profiles being assembled by advertising companies who are using neuroscience to manipulate consumer behavior, while industry representatives assured the audience that their data-collection practices are benign, not to mention essential to providing free content and services on the Internet. But this wasn't just an idle debate. Rep. Rick Boucher, the Virginia Democrat who chairs a House subcommittee on the Internet, is developing legislation that could seek to impose sweeping restrictions on behavioral targeting. A few blocks up Pennsylvania Avenue at the Federal Trade Commission, the principal regulatory agency with authority over online advertising, newly minted Chairman Jon Leibowitz has spoken often about the need for industry to get serious about privacy. "The FTC's central concern here is transparency, consumer control," said Jessica Rich, assistant director of the agency's privacy and identity protection division. "We don't think consumers really know what's happening with their data."

Advertisers are your friend, and the government is here to help. If consumers don't take responsibility for their data, then all the regulation in the World won't matter.

Be careful what information you give to recruiters!

Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach. The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor. The company found out about the breach earlier this month when people began receiving spam messages that appeared to come from Aetna and complained to the company, Michener said. The spam purported to be a response to a job inquiry and requested more personal information. The spam campaign showed the intruders successfully harvested e-mail addresses from the Web site, although Michener said it's not clear if SSNs were also obtained. Nonetheless, Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach. The company is offering them one year of free credit monitoring, as SSNs are often used by identity thieves. "We wanted to err on the side of caution," Michener said. Aetna hired an IT forensics company to investigate how the Web site had been compromised. "At this point despite a thorough review, they've not been able to pinpoint the precise breach," Michener said. Aetna posted alerts on the job site, its main Web site and its internal intranet about the spam campaign, Michener said.

Google never fails to surprise. It's the scope and scale of their ambitions that impresses me ranging as they do from relatively simple applications that are just way cool such as Sky Map, through their Chrome Web browser (which is now looking pretty stable), to the subject of this newsletter: Google Health. Google Health, which was launched as a beta (of course) in spring 2008, is a free repository for your personal health information. Using the service you can create online health profiles for yourself, family members or others you care for (these profiles can include health conditions, medications, allergies and lab results), you can import medical records from hospitals and pharmacies, share your health records with "your care network" (which may include family members, friends and doctors), and browse an online health services directory to find services that are integrated with Google Health. After you sign up you can import your medical records from Allscripts, Anvita Health, The Beth Israel Deaconess Medical Center, Blue Cross Blue Shield of Massachusetts, The Cleveland Clinic, CVS Caremark, Healthgrades, Longs Drugs, Medco Health Solutions, Quest Diagnostics, RxAmerica and Walgreens. What you'll wind up with if you update all of the sections is a pretty complete health profile, which means that privacy has to be a concern. Interestingly, because becoming a subscriber is voluntary it appears that the service is exempt from the provisions of the Health Insurance Portability and Accountability Act of 1996.

A security researcher has found that hackers are using Twitter as a means to distribute instructions to a network of compromised computers, known as a botnet. The traditional way of managing botnets is using IRC, but botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trick.

Behavioral targeting is not bad as a concept but advertisers would have the public opt-in by default without knowing what is being collected and what it is being used for. On the other hand not many in the public seem very concerned about this subject.

The Internet contributes about US$300 billion a year to the U.S. economy, and U.S. lawmakers should be careful about tinkering with the advertising-supported Internet content model in the name of privacy, the Interactive Advertising Bureau (IAB) said. An IAB-commissioned study by two Harvard University professors, released Wednesday, found that 1.2 million U.S. residents are directly employed in Internet-related jobs, and another 1.9 million U.S. jobs support those Internet workers. IAB released the study Wednesday, as 30 publishers of small Web sites converged on Washington, D.C., to urge U.S. lawmakers to avoid passing legislation that would harm their ad-supported business models. Chief among those publishers' concern was talk in the U.S. Congress about requiring Web sites to gain opt-in permission from users before tracking their Web habits as a way to deliver personalized advertising to them. Many users wouldn't give the permission, and without offering targeted advertising, many small Web sites could fold, some small publishers said. Small Web publishers and sellers "are the face of small business" in the U.S. in recent years, said Susan Martin, publisher of Ikeafans.com, a home improvement site.

Did we need more proof that a chain is only as strong as its weakest link?

A secure Web mail company that challenged hackers to break into the company's Web mail system is paying out a US$10,000 prize, just days after launching the contest. A team of hackers managed to hack into StrongWebmail CEO Darren Berkovitz's Web mail account, using what's known as a cross-site scripting (XSS) attack, the company confirmed Monday. "They did it using an XSS script that took advantage of a vulnerability in the backend webmail program," StrongWebmail said in a statement. StrongWebmail launched the contest at the end of May as a way of promoting the voice-based identification technology sold by its parent company, Telesign. Hackers were given Berkovitz's e-mail address and password and challenged to break into the account. The company thought this would prove difficult because StrongWebmail requires a special password that is telephoned to the user before e-mail can be accessed.

Healthcare organizations are losing more than just names, addresses and Social Security numbers. When their data gets stolen, patients lose the privacy of their medical conditions, treatments and medications while at the same time falling prey to identity theft, medical billing fraud and other criminal schemes. Theft of electronic medical records is on the rise, and the implications are getting more serious. In a 2008 survey of identity theft victims, the Identity Theft Resource Center found that 67% had been charged for medical services they never received and 11% were denied health or life insurance due to unexplained reasons.

The Federal Bureau of Investigation is expanding beyond its traditional fingerprint-focused collection practices to develop a new biometrics system that will include DNA records, 3-D facial imaging, palm prints and voice scans, blended to create what's known as "multi-modal biometrics." Slideshow: The changing face of biometrics How the Defense Department might institutionalize war-time biometrics "The FBI today is announcing a rapid DNA initiative," said Louis Grever, executive assistant director of the FBI's science and technology branch, during his keynote presentation at the Biometric Consortium Conference in Tampa. The FBI plans to begin migrating from its IAFIS database, established in the mid-1990s to hold its vast fingerprint data, to a next-generation system that's expected to be in prototype early next year. This multi-modal NGI biometrics database system will hold DNA records and more.

Consumers face a greater risk of losing control of their data when doing business with smaller retailers, as many haven't made investments to comply with the Payment Card Industry's Data Security Standard (PCI DSS), according to a new survey. The survey, which covered 560 U.S. and multinational organizations, asked respondents a variety of questions about their investments and deployment of technology to comply with PCI DSS, which was introduced in 2005. It's an industry standard created by major credit card companies that's designed to protect customer payment data. The survey found that 55 percent of organizations only secured credit card information but not other data such as Social Security and driver's license numbers or bank account details. Also, only 28 percent of smaller companies between 501 to 1,000 employees comply with PCI DSS. That compares with more than 70 percent of large merchants with 75,000 or more employees that claimed they're compliant.

A privacy researcher is urging Netflix to cancel its next research contest, before it results in potentially millions of dollars in damages for invasion of its customers' privacy. "Netflix should cancel this new, irresponsible contest," Paul Ohm wrote in a blog affiliated with Princeton University's Center for Information Technology Policy. On Monday, the company awarded $1 million to the winners of its first competition, aimed at developing technology to improve its ability to predict what movies its customers will like. Ohm worries the information the company is about to release as test data for the second contest isn't as anonymous as Netflix may think.