Home/ Groups/ CIPP Information Privacy & Security News
Karl Wabst

Unencrypted laptop with 1 million SSNs stolen from state - SC Magazine US

  •  
    The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee. The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma's Human Services' clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday. The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency. "We feel this was not a situation where someone was targeting the agency or that information," DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. "We feel it was random." Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said. News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.
Karl Wabst

On the Identity Trail - Lessons From the Identity Trail

  •  
    During the past decade, rapid developments in information and communications technology have transformed key social, commercial, and political realities. Within that same time period, working at something less than Internet speed, much of the academic and policy debate arising from these new and emerging technologies has been fragmented. There have been few examples of interdisciplinary dialogue about the importance and impact of anonymity and privacy in a networked society. Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society fills that gap, and examines key questions about anonymity, privacy, and identity in an environment that increasingly automates the collection of personal information and relies upon surveillance to promote private and public sector goals. This book has been informed by the results of a multi-million dollar research project that has brought together a distinguished array of philosophers, ethicists, feminists, cognitive scientists, lawyers, cryptographers, engineers, policy analysts, government policy makers, and privacy experts. Working collaboratively over a four-year period and participating in an iterative process designed to maximize the potential for interdisciplinary discussion and feedback through a series of workshops and peer review, the authors have integrated crucial public policy themes with the most recent research outcomes. The book is available for download under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Canada License by chapter below. Hard copies are available for purchase at Amazon & at Oxford University Press.
Karl Wabst

On the Identity Trail - .:home:.

  •  
    Yesterday, CBC radio's morning show, the current, featured Lessons From The Identity Trail co-author, Ian Kerr, who discussed the book and a number of contemporary challenges that privacy faces in light of emerging technologies with guest host, Nancy Wilson. Below is the text of Nancy Wilson's introduction and a link to the podcast of the full length interview in segment #3 of the show. To some people the Internet is the world's biggest commons ... a global public square. For others, it's a realm of shadowy, anonymous figures hiding behind online aliases. But anonymity is becoming less and less a feature of life online. We aired a clip with one perspective on that trend, posted last May on the website, Mobuzz.tv. Taking responsibility for your actions on line may be just one way you relinquish privacy. Every day, millions of Canadians hop on the Internet to check their e-mail, chat with their friends on social networking sites, book a vacation or buy a gift. And each time they click on a purchase or post a picture, they give up a little bit of their privacy. With this explosion of information technology - there are those who warn that our anonymity and our right to privacy is in jeopardy. That's the premise of a new book called On The Identity Trail: Anonymity, Privacy and Identity in a Networked Society. Academics, governments and private corporations around the world contributed to the book, which examines how technology is changing the nature of our private lives, and what it means to be "anonymous."
Karl Wabst

Facebook surfing while sick costs woman job | Oddly Enough | Reuters

  •  
    A Swiss insurance worker lost her job after surfing popular social network site Facebook while off sick, her employer said Friday. The woman said she could not work in front of a computer as she needed to lie in the dark but was then seen to be active on Facebook, which insurer Nationale Suisse said in a statement had destroyed its trust in the employee. "This abuse of trust, rather than the activity on Facebook, led to the ending of the work contract," it said. The unnamed woman told the 20 Minuten daily she had been surfing Facebook in bed on her iPhone and accused her employer of spying on her and other employees by sending a mysterious friend request which allows access to personal online activity. Nationale Suisse rejected the accusation of spying and said the employee's Facebook activity had been stumbled across by a colleague in November, before use of the social network site was blocked in the company.
Karl Wabst

US Lawmakers Target Deep Packet Inspection in Privacy Bill - PC World

  •  
    U.S. lawmakers plan to introduce privacy legislation that would limit how Internet service providers can track their users, despite reports that no U.S. ISPs are using such technologies except for legitimate security reasons. Representative Rick Boucher, a Virginia Democrat, and three privacy experts urged lawmakers Thursday at a hearing before the House Energy Commerce subcommittee to pass comprehensive online privacy legislation in the coming months. Advocates of new legislation focused mainly on so-called deep packet inspection (DPI), a form of filtering that network operators can use to examine the content of packets as they travel across the Internet. While DPI can be used to filter spam and identify criminals, the technology raises serious privacy concerns, Boucher said. "Its privacy-intrusion potential is nothing short of frightening," he added. "The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every e-mail ... is alarming."
Karl Wabst

Lawmakers Examine Privacy Practices at Cable, Web Firms - WSJ.com

  •  
    Lawmakers took aim at privacy practices of cable and Internet providers Thursday at a House subcommittee hearing, laying the groundwork for the introduction of legislation that could restrict companies' ability to target ads at consumers online. The focus of the hearing was on new efforts by Internet providers to collect and share data on consumers' behavior to target online advertising and by cable companies to target ads at subscribers via their set-top boxes. Lawmakers are concerned about consumer privacy as cable, phone and Internet companies experiment with Internet-based technologies that pinpoint advertising to consumers in new and more accurate ways. Legislation to impose tougher privacy rules could be coming later this summer.
Karl Wabst

Hathaway: White House Must Lead in Cybersecurity

  •  
    Obama administration cybersecurity advisor Melissa Hathaway, in her much anticipated speech before the RSA Conference on Wednesday, suggested that the findings of a study she submitted Friday to President Obama calls for cybersecurity policy to be run from the White House. "The White House must lead the way forward with leadership that draws upon the strength, advice and ideas of the entire nation," said Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils. Scant on details, Hathaway in her 2,400-word speech did not explain how federal cybersecurity should be governed, even if it's based in the White House. Two months ago, President Obama charged Hathaway to head up a team to review current cybersecurity policies and processes. "It can be said that the federal government is not organized appropriately to address this growing problem because responsibilities for cyberspace are distributed across a wide array of federal departments and agencies, many with overlapping authorities and none with sufficient decision authority to direct actions that can address the problem completely," Hathaway said. "We need an agreed way forward based on common understanding and acceptance of the problem." Hathaway said the team she assembled addressed all missions and activities associated with the information and communications infrastructure, including the missions of computer network defense, law enforcement investigations, military and intelligence activities and the intersection of information assurance, counter intelligence, counter terrorism, telecommunications policies and general critical infrastructure protection. Task force members held more than 40 meetings with different stakeholder groups during the 60 days and received and read more than 100 papers that provided specific recommendations and goals, she said. "We identified over 250 needs, tasks, and recommendations," Hathaway said. "We also solicited input from gov
Karl Wabst

Typical lost or stolen laptop costs companies nearly $50,000, study finds - San Jose Me...

  •  
    A typical lost or stolen laptop costs employers $49,246, mostly due to the value of the missing intellectual property or other sensitive data, according to an Intel-commissioned study made public Wednesday. "It is the information age, and employees are carrying more information on their laptops than ever before," according to an analysis done for Intel by the Michigan-based Ponemon Institute, which studies organizational data-management practices. "With each lost laptop there is the risk that sensitive data about customers, employees and business operations will end up in the wrong hands." The five-month study examined 138 laptop-loss cases suffered over a recent 12-month period by 29 organizations, mostly businesses but also a few government agencies. It said laptops frequently are lost or stolen at airports, conferences and in taxis, rental cars and hotels. About 80 percent of the typical cost - or a little more than $39,000 - was attributed to what the report called a data breach, which can involve everything from hard-to-replace company information to data on individuals. Companies then often incur major expenses to prevent others from misusing the data. Lost intellectual property added nearly $5,000 more to the average cost. The rest of the estimated expense was associated with such things as investigative costs, lost productivity and replacing the laptop. Larry Ponemon, the institute's chairman and founder, said he came up with the cost figure based on his discussions with the employers who lost the laptops. When he later shared his findings with the companies and government agencies, he said, some of their executives expressed surprise at the size of the average loss. But he noted that one of the employers thought the amount could have been even higher.
Karl Wabst

MPs to probe ISP snooping and throttling * The Register

  •  
    MPs have today launched an investigation into the use of snooping technology by ISPs which allows them to profile customers for advertisers and throttle or block specific types of traffic. An inquiry by the All-Party Parliamentary Group on Communication will examine issues such as the emergence of Phorm's profiling system, and the restriction of bandwidth available to specific applications such as BitTorrent. Both activities are reliant on Deep Packet Inspection (DPI) technology. "Now the Internet is part of daily life, concerns are increasingly raised about a wide range of online privacy issues," the group said in a background statement. "Should there be changes to individual behaviour? Should companies be pressed to prioritise privacy issues? Or is there a need for specific regulations that go beyond mere 'data protection' and address privacy directly?" The inquiry will also consider the impact of DPI technology on ISPs' "mere conduit" protection from liability for illegal traffic such as child pornography and copyright-infringing filesharing.
Karl Wabst

Will there be a digital Pearl Harbor? | Videos on ZDNet

  •  
    Will there be one major catastrophe, or just smaller disasters? Panelists discuss what security issues we should be watching out for, where the threat might come from, and the difficulties in predicting the unpredictable. Panelists include: Whitfield Diffie, vice president and chief security officer for Sun Microsystems; Ronald Rivest, Viterbi Professor of Electrical Engineering and Computer Science at MIT; Adi Shamir, professor of computer science at the Weizmann Institute of Science in Israel; and Bruce Schneier, chief security technology officer for BT Counterpane. Moderating the panel is Ari Juels, chief scientist and director of RSA Laboratories.
Karl Wabst

Playboy Journo Bets He Can Endure 15 Seconds Of Waterboarding (VIDEO)

  •  
    Playboy.com journalist Mike Guy underwent waterboarding by a trained member of the U.S. military in the site's new Lab Rat feature. Guy bet that he could endure 15 seconds of the interrogation technique used by the Bush administration on al Qaeda chief Khalid Sheikh Mohammed and Abu Zubaydah. Watch the results
Karl Wabst

B. Jeffrey Madoff: Deeply Superficial

  •  
    There was no way I was ever going to convince my parents that Jimi Hendrix's music was good. More than anything, the youth culture was defined by its music. The chasm it created was called "the generation gap" a metaphor for the ideological differences that separated us. There is a new generation gap. It's not defined through music or politics or fashion, those ideas are shared much more among the generations than before. This time it's about privacy. My generation came of age thinking about "1984", the looming threat of "Big Brother" watching over all of us all of the time. It was the government or some group which would monitor all of our actions, know all our habits: who we associate with, what we watch, what buy. 1984 came and went. Nothing like "Big Brother" happened unless you count Apple computer's historic "Big Brother" commercial which ends with the slogan: "On January 24th, Apple Computer will introduce Macintosh. And you'll see why 1984 won't be like "1984". They were right - 2009 is. Personal details used to be considered private. We were careful about who knew what about us and certainly didn't post pictures of our friends, families and fantasies for all to see. Privacy does not seem to be valued anymore. Giving up one's privacy has become a rite of passage. It's what you leave at the portal when you sign up for any of the social networking sites on the internet. The sites are free - as long as you don't calculate the value of your identity, demographics, viewing and buying habits to advertisers. This isn't new, the Nielsen Ratings service has been assembling viewer information since the 1950s for television advertisers, but its methods were primitive in comparison to the two way constant information gathering that's done on the internet. In March 2009, Google initiated the use of "behavioral targeting", which uses information collected on someone's web-browsing behavior, such as the pages they have visited or the searches they have made, to selec
Karl Wabst

AFP: Web founder makes online privacy plea

  •  
    Plans by Internet service providers to deliver targeted adverts to consumers based on their Web searches threaten online privacy and should be opposed, the founder of the Web said Wednesday. "I just want to know that when I click on a link it is between me and the Web, and the Internet service provider is not going to immediately characterise me in different categories for advertising or insurance or for government use," Tim Berners-Lee told a Web conference in Madrid. "The postman does not open my mail, the telephone company does not listen to my telephone conversations. Internet use is often more intimate than those things," he added. New software called Webwise allows Internet service providers to show adverts to their clients based on their Web browsing habits instead of based on the content of a single Web page as currently happens. Several British Internet service providers, including BT and Virgin Media, have said they are considering using the software, which is aimed at making the Web more financially profitable for advertisers. With the help of other scientists at the European Organisation for Nuclear Research (CERN), Berners-Lee set up the Web in 1989 to allow thousands of scientists around the world to stay in touch. The WWW technology -- which simplifies the process of searching for information on the Internet -- was first made more widely available from 1991 after CERN was unable to ensure its development, and the organisation made a landmark decision two years later not to levy royalties.
Karl Wabst

EU sues UK over Internet privacy > Data Warehousing > Information Architecture

  •  
    European Union's move indicates growing government concern over how Internet companies are using individuals' private data. The European Commission began legal action against the U.K. Tuesday over its failure to protect Internet users from Phorm -- a covert behavioral advertising technology tested by the U.K.'s biggest fixed line operator, BT, in 2006 and 2007. The move signals growing concern in Brussels over the way new Internet-based technologies are using people's personal data. In addition to taking legal action against the U.K., the Commission also issued a general warning to all 27 E.U. countries to uphold privacy laws, especially regarding social-networking Web sites and users of RFID (radio frequency identification) technologies. In Canada, the federal government has even proposed legislation that will provide law enforcement agents sweeping powers to obtain user information from ISPs. The Commission, the executive body of the European Union responsible for upholding laws, said the U.K. had failed to enforce E.U. data protection and privacy rules, because broadband Internet subscribers were not informed that their browsing was being tracked.
Karl Wabst

The Associated Press: Congress to hold hearing on cable advertising

  •  
    Cable operators will sit in the hot seat Thursday as Congress reviews their plans to roll out targeted advertising amid fears that consumer privacy could be infringed if the companies were to track and record viewing habits. The House subcommittee on Communications, Technology and the Internet will hold a hearing that will look at new uses for digital set-top boxes, the devices that control channels and perform other tasks on the TV screen. Cable TV companies plan to use such boxes to collect data and direct ads more targeted to individual preferences. "We have recently called on Congress and the Federal Trade Commission to investigate cable's new interactive targeted TV ad system on both antitrust and privacy grounds," said Jeff Chester, executive director of the Center for Digital Democracy. He's concerned about Canoe Ventures, a consortium formed by the nation's six largest cable companies to oversee the rollout of targeted and interactive ads nationally. Chester worries that Canoe will track what consumers do in their homes. Currently, cable companies aim their ads based strictly on geography. Now, cable's goal is to take the Internet's success with targeted ads and transfer that to the TV medium. Thus, a household that watches a lot of Nickelodeon and the Disney Channel eventually could be targeted for theme parks promotions. This type of targeting is something broadcast TV can't do. For starters, Canoe plans to offer ads this summer that consider demographic factors such as age and income. Philadelphia-based Comcast Corp. and Cablevision Systems Corp. of Bethpage, N.Y., also have been testing or rolling out targeted ads outside the consortium. But cable operators are wary about being seen as trampling on consumer privacy and reiterate that they don't plan to target based on any personally identifiable information, such as someone's name and address. Canoe said it doesn't have plans this year to use set-top box data for ads. Instead, the first ads it pl
Karl Wabst

AT&T Backs Privacy Rules - WSJ.com

  •  
    As the impact of digital advertising on consumer privacy comes under scrutiny, AT&T is taking a stance in support of stricter standards. Rep. Rick Boucher (D., Va.), chairman of the subcommittee, said in an interview Wednesday that a statute is needed to regulate how companies collect, share and use data on consumers' behavior in targeting online advertising. While ad targeting on the Web has been at the forefront of privacy advocates' concerns, worries are growing about other media, ranging from mobile phones to emerging TV technologies. To sell marketers targeted ads, technology and media companies collect data about customers, ranging from the Web sites they visit to the neighborhoods they live in to the TV shows they watch. Marketers often will pay a premium for this form of advertising because it allows them to show their ads to consumers who are likelier to buy their products or services. "Pitfalls arise because behavioral advertising in its current forms is largely invisible to consumers," says Dorothy Attwood, AT&T's senior vice president of public policy and chief privacy officer, in prepared testimony she is expected to deliver at the hearing of the House Subcommittee on Communications, Technology and the Internet. Her statement says consumers don't fully understand that their online activity is used to create detailed profiles of them. Internet and other media companies say the data they use to target ads are anonymous and can't be traced to individual consumers. AT&T plans to argue that consumers should have "full and complete" notice of what information is collected about them and how it is used and protected, and should have tools that let them determine whether their Web activities are being tracked. The company says it won't use consumer information for online behavioral advertising unless it first obtains consent from the consumers involved. AT&T's stance contrasts with the position taken by most big Internet companies and industry trade grou
Karl Wabst

Employers Watching Workers Online Spurs Privacy Debate - WSJ.com

  •  
    By now, many employees are uncomfortably aware that their every keystroke at work, from email on office computers to text messages on company phones, can be monitored legally by their employers. What employees typically don't expect is for the company to spy on them while on password-protected sites using nonwork computers. But even that privacy could be in jeopardy. A case brewing in federal court in New Jersey pits bosses against two employees who were complaining about their workplace on an invite-only discussion group on MySpace.com, a social-networking site owned by News Corp., publisher of The Wall Street Journal. The case tests whether a supervisor who managed to log into the forum -- and then fired employees who badmouthed supervisors and customers there -- had the right to do so. The case has some legal and privacy experts concerned that companies are intruding into areas that their employees had considered off limits. "The question is whether employees have a right to privacy in their non-work-created communications with each other. And I would think the answer is that they do," said Floyd Abrams, a First Amendment expert and partner at Cahill Gordon & Reindel LLP in New York. The legal landscape is murky. For the most part, employers don't need a reason to fire nonunion workers. But state laws in California, New York and Connecticut protect employees who engage in lawful, off-duty activities from being fired or disciplined, according to a report prepared by attorneys at the firm Proskauer Rose LLP. While private conversations might be covered under those laws, none of the statutes specifically addresses social networking or blogging. Thus, privacy advocates expect to see more of these legal challenges. In February, three police officers in Harrison, N.Y., were suspended after they allegedly made lewd remarks about the town mayor on a Facebook account. The officers mistakenly thought the remarks were protected with a password, but city officials view
Karl Wabst

Defence Management - JSF security breach linked to China

  •  
    China has denied allegations that it hacked into a Pentagon IT system and recovered plans for the Joint Strike Fighter (JSF). The combat aircraft which is to be procured by Britain as well, is being produced by Lockheed Martin. In allegations first reported in the Wall Street Journal, hackers stole "several terabytes of data related to design and electronics systems". The most sensitive data however on weapons systems and its stealth technology was not breached since it is kept on computers not connected to the internet. IT experts have said that they suspect the hackers came from China although it will be difficult to identify their exact origins. Hacking into IT systems as complex as the DoD's would require the help and capabilities of another government. Recovering data on the JSF would allow countries or rogue groups who could face the aircraft in future conflicts to develop counter measures based on the aircraft's weaknesses. The Chinese strongly denied that the breach originated from their country. "China has not changed its stance on hacking. China has always been against hacking and we have cracked down very hard on hacking. This is not a Chinese phenomenon. It happens everywhere in the world," a spokesperson for the Foreign Ministry said. This is not the first time the JSF's security has been breached. Early on in the contract the DoD and Lockheed Martin admitted that there was no universal IT security policy for the 1,200 sub contractors and that leaks may have occurred. BAE subsequently admitted that their IT security for JSF material was lax and that leaks could have occurred. Britain is scheduled to buy 150 of the aircraft by 2018.
Karl Wabst

Pentagon Says F-35 Classified Designs Have Not Been Stolen | Technomix | Fast Company

  •  
    A national security panic spread through the Internet yesterday after a report by The Wall Street Journal suggested "terabytes" of classified data on the F-35 Lightning II had been stolen by hackers. Today the Pentagon and Lockheed Martin responded to the allegations saying they are untrue, and I believe them. Defense Department spokesman Bryan Whitman said, "I'm not aware of any specific concerns." That's a key phrase. Lockheed Martin--the F-35 superjet's primary contractor--also commented "We actually believe The Wall Street Journal was incorrect in its representation of successful cyber attacks on the F-35 program." And the company's CFO Bruce Tanner added "I've not heard of that, and to our knowledge there's never been any classified information breach." While it's easy to argue that these responses are merely a smokescreen to save political face, the language is much more direct than a plain old "no comment." Typically, companies protect themselves in this sort of situation by denying the existing or potential hackers any public information on the success or failure of hack attempts, obscuring the level of secrecy of any stolen data. In the F-35 case it looks like the denials are much firmer, and that suggests the developers of the JSF are confident in their security systems. It's an echo of alleged data leaks via F-35 contractor BAE Systems last year, that were later withdrawn due to lack of evidence that leaks had occurred. Government and defense contractor computer networks face a pretty continuous rate of hack attempts. As a result such companies have even more stringent data security protocols in place than normal organizations. They're still not absolutely impervious to hacking, of course, as no such system ever is. So that's why the most highly classified data--critical to the super-secret offensive and defensive capabilities of hardware like the F-35--is typically stored on computers that have an extremely low-tech "air gap firewall". They're not co
Karl Wabst

Signs of the Times: Threats on MySpace, rabbits in the pot | Reuters

  •  
    The global recession manifests itself in big and small ways, most gloomy, some quirky and often reflecting the inventive human spirit. Here is a look at some signs of the times. * With record defaults on consumer loans, collection agencies in the United States are going to extra lengths to recover the money. Illinois resident and Mercedes driver James Ricobene says an agency hired by JP Morgan Chase left a post on his daughter's MySpace page threatening action that could lead to prison, unless she contacted the agency within five days about its efforts to repossess her father's car. Ricobene has sued the collection agency and JP Morgan for libel, fraud and invasion of privacy.