Sunday, September 30, 2007

Collision of Privacy and Security? has an article up entitled Dot-Name Becomes Cybercrime Haven which discusses security implications of fees which are charged by Global Name Registry, the entity which administers domain names ending in ".name". For most domains (e.g., those ending in ".com") you can easily and without paying any fee find out who has registered the domain. However, with domains ending in ".name", to find out who has registered a domain, it is necessary to pay a fee of $2.00. The wired article makes this sound like a catastrophe for security, quoting one researcher who says that "What they have done is made sure the .name TLD is free haven for bad guys to lurk on...If I need to report 1,000 domains, I'm not going pay $2,000." But is charging $2.00 to learn who registered a domain really such a problem for security? After all, if a black hat hacker registers a .com domain, it seems very unlikely that they'd use their real name and address to do so (something which was pointed out in this comment to the story). Similarly, if Global Name Registry was served with legal papers, they'd almost certainly cough up the registration information without a fight. Thus, charging a gatekeeping fee seems to be just what the president of Global Name Registry said in his own comment to the story: a compromise between protecting the privacy of individuals and the legacy of openness which has been one of the hallmarks of the Whois domain name system.

The problem with that is that Global Name Registry's protestations about caring for individual privacy are totally disingenuous. For example, to sign up for a ".name" domain you have to agree to terms and conditions which include the following privacy policy:

PRIVACY POLICY: You agree and consent that we will make available the domain name registration information you provide or that we otherwise maintain to the following parties: ICANN, the Registry administrator, and to other third parties as ICANN and applicable laws may require or permit (including through web-based and other on-line WHOIS lookup systems), whether during or after the term of your domain name registration services of the domain name. You hereby irrevocably waive any and all claims and causes of action you may have arising from such disclosure or use of such information. Additionally, you acknowledge that ICANN may establish or modify the guidelines, limits and/or requirements that relate to the amount and type of information that we may or must make available to the public or to private entities, and the manner in which such information is made available.
(emphasis added)

In other words, as long as the law doesn't prohibit Global Name Registry from disclosing information, you agree that they'll do so - not exactly the policy of an organization which values its customers' privacy. Instead, it's exactly the policy you'd expect from an organization which wished to maximize its profit.

Tuesday, September 25, 2007

TJX to Pay Settlement (Maybe)

According to this article from ComputerWorld TJX has proposed to settle consumer class actions arising from its massive data breach earlier this year. As part of the settlement, TJX would provide credit monitoring, identity theft insurance, and payment of the cost of credit card replacement for individuals whose personal data may have been stolen during the breach. The company would also agree to hold a 15% off sale at some point in the next year, and to pay for "certain losses from identity theft" for individuals whose driver's license or other ID numbers were the same as their Social Security numbers.

The questions now are whether consumers should take the settlement, and whether the court should bless it as fair. At first blush, it seems like the settlement is almost an insult. After all, large retailers routinely hold sales with discounts greater than the 15% off that TJX is offering, and it is not clear what the "certain losses from identity theft" that TJX would agree to cover would actually entail. On the other hand, the credit monitoring, card replacement and free identity theft insurance are real benefits. True, it might seem like paying these costs is the least TJX should do, but when consumers have tried to use courts to force those payments out of companies which have had a security breach they have generally been unsuccessful. For example, this post discusses a case from the seventh circuit where consumers were thrown (figuratively) out of court because the judges decided that damages from fear of future identity theft weren't real enough to be used as a basis for compensation - even compensation for the cost of credit monitoring. Thus, while the settlement from TJX may seem like a bargain, it could be the best that the consumer plaintiffs can reasonably expect.

Friday, September 21, 2007

DRM: a Threat to Privacy

Via Michael Geist by way of BoingBoing we learn that The University of Ottawa's Canadian Internet Policy and Public Interest Clinic has released a report concluding that DRM pose a significant threat to privacy. From the executive summary:

• Fundamental privacy-based criticisms of DRM are well-founded: we observed
tracking of usage habits, surfing habits, and technical data.
• Privacy invasive behaviour emerged in surprising places. For example, we
observed e-book software profiling individuals. We unexpectedly encountered
DoubleClick – an online marketing firm – in a library digital audio book.
• Many organizations take the position that IP addresses do not constitute
“personal information” under PIPEDA [Personal Information Protection and
Electronic Documents Act] and therefore can be collected, used
and disclosed at will. This interpretation is contrary to Privacy Commissioner
findings. IP addresses are collected by a variety of DRM tools, including
tracking technologies such as cookies and pixel tags (also known as web
bugs, clear gifs, and web beacons).
• Companies using DRM to deliver content often do not adequately document
in their privacy policies the DRM-related collection, use and disclosure of
personal information. This is particularly so where the DRM originates with a
third party supplier.
• Companies using DRM often fail to comply with basic requirements of

This, sadly, should not be a surprise. Copyright organizations have shown themselves to be actively hostile to concerns about information security and data privacy (see, e.g., the discussion of concerns related to watermarking here, or Sony's now infamous fondness for installing rootkits). Indeed, the only time when copyright and information security are (supposedly) aligned is when copyright is trying to piggyback on security concerns to achieve its own ends (e.g., the destruction of P2P networks, as described here).

The happy news though, is that the study came out in the first place. It is possible that this examination of the impact of DRM on privacy could be a reflection of some sort of backlash against the copyright industry's current tactics - something that, if supported by legislation, could result in significant benefits for privacy and security of individual data.

Thursday, September 20, 2007

Quick Roundup

A few links of interest having to do with data privacy and information security. First, there's this article from Computer World which says that Facebook and MySpace users are happy to trade privacy for features. Really, this isn't a big surprise (I blogged here about a Wired story which described the small value most people place on privacy), but it is yet another data point showing just how little most people care about privacy. Also of interest is a current series of posts at the Dunning letter where Jack Dunning lays out his proposal for how individuals can control (and profit from) their personal information. Jack is highly knowledgeable about privacy issues, having worked on the inside as a junk mailer for years, and now working on the outside trying to improve privacy protections for individuals.

However, what has been devouring my internet time of late isn't actually privacy related - it's the "don't tase me bro" story (link to a discussion of the underlying incident here). Hopefully when that has played out, I'll find myself less distracted, and more able to provide some substantive analysis (especially of Jack's recent posts, which certainly deserve careful consideration).

Monday, September 17, 2007

Google in the News

There's a pair of articles about Google and privacy in Information Week. First, Google itself put out a call for a global privacy standard (article here). The initiative is laudable. Google's privacy counsel is quoted in the article as stating that

Yet despite the international scope of even the most ordinary Internet activity, the majority of the world's countries offer virtually no privacy standards to their citizens and businesses. And even if every country in the world did have its own privacy standards, this alone would not be sufficient to protect user privacy, given the Web's global nature. Data may move across six or seven countries, even for very routine Internet transactions. It is not hard to see why privacy standards need to be harmonized and updated to reflect this reality.

However, is Google really the organization to push privacy standards? According to the second article (link here) Canada's privacy commissioner has expressed concerns that Google's streetview product, which includes images of identifiable individuals captured in public places may violate Canadian privacy law. While streetview hasn't been introduced in Canada yet, making Google's legal violation largely hypothetical, the fact that the question is arising at all indicates that Google may still be a bit tone deaf on the issue of privacy, and might not be the right organization to spearhead a call for global standards.

Thursday, September 13, 2007

Search Engines React to EU Resolutions

The difference between the European approach to privacy and that followed in the U.S. has impacted the privacy practices of many search engines. Google has reduced the period after which its server logs will be made anonymous to 18 months, and its cookie retention period was reduced to 2 years. Other search engines quickly followed the lead. Yahoo! and Microsoft met Google's challenge, or implemented even shorter periods. It is likely that these moves were in reaction to the publication of an EU resolution on privacy protection and search engines last November, in which they called on the search engines "to respect the basic rules of privacy...and to change their practices accordingly." In the US, there is no one comprehensive and all-encompassing piece of legislation governing privacy to which all sectors of the economy are subject. Thus, US companies rely more on industry self-regulation and public pressure. Thus, the moves by the big three search engines can be seen as bowing to the concerns of the European public. Search engines are under pressure to deliver more targeted information to marketers, but also realize that customers have to feel comfortable that the information collected will be kept private. Successful search engines' business must start and end with consumer trust.

Major Change to California Law Regarding Security Breaches Coming

Back in July, I wrote about a proposed California law which would require merchants who suffer from data security breaches (think TJX) to reimburse financial institutions for the cost of replacing credit cards for people whose information is stolen (link here). Now, according to this article from Computer World, that bill has passed through the California senate and now awaits signature by governor Schwarzenegger. Though the law has had some changes as it moved through the legislature. For example, a new provision has been added which would allow merchants to excused for some or all of the costs of card replacement if it can show it was in compliance with all security requirements at the time of the breach. However, the main focus of the law - shifting costs from merchants to banks, remains intact. According to the Computer World article, if signed, the law is expected to have the same ripple effect that California's SB 1386 had on security breach notification in general.

Tuesday, September 11, 2007

Presumably, These People had Heard of HIPAA

Computer World has an interesting article up about companies which have, through their own incompetence, run afoul of the HIPAA data security rules. Highly recommended reading, and quite entertaining in a Darwin Award sort of way. My personal favorite was the one where a manager asked an employee to take backup tapes containing unencrypted personal data for patients home with him in order to accomplish the off site data storage requirements of HIPAA. When the tapes were stolen (of course) the employee reported their theft to the authorities and was fired for his trouble. The story doesn't end there though - because the employee was following his company policy and instructions from a supervisor, the employee is potentially protected from retaltiation from his employer. Thus, the employer might have bought itself both a HIPAA nightmare and a suit under the applicable whistleblower protection laws.

However, the bottom line of the article is serious. Too many organizations have been behaving as if HIPAA simply doesn't exist, or as if its requirements had no meaning. While the keystone cops level of competence of some organizations is amusing, it's no joke for the organizations and people involved. So, for HIPAA, know it, read it, do it...otherwise you could find yourself included in the next compilation of HIPAA disasters.

Friday, September 7, 2007

FBI Can't Stop an ISP from Telling Its Customers that the Government Wants Their Data

Yesterday the ACLU won a significant victory as the U.S. district court for the southern district of New York struck down certain provisions of the PATRIOT which information requests by the FBI (the decision can be found here). The basic subject matter of the lawsuit was national security letters (NSLs) which the FBI could send to wire and electronic communication service providers requesting information about their subscribers, such as the subscribers' names, addresses, lengths of service and records of their transactions. Under the challenged provision of the PATRIOT Act, the FBI could also prohibit the recipient of an NSL from disclosing that the FBI had sought or obtained access to information or records using an NSL if the director of the FBI, or his designee, certifies that disclosure "may result in a danger to the national security of the United States, interference with a criminal, counterterrorism, or coutnerintelligence investigation, [or other ennumerated harms]". Thus, not only could the FBI use a NSL to obtain information about an individual's electronic communications, but the FBI could prevent the individual from ever finding out about the NSL by stating that disclosing the NSL "may" pose a danger to certain listed (but generally poorly defined) interests. The judge analyzed the law under the rubric of a license to speak and found that the procedural safeguards necessary for such a licensing regime to survive were not present - a result the ACLU was understandably happy about (their press release can be found here).

The difficulty with this ruling though, is that it might not have any effect on the behavior of private entities. The judge struck down the portion of the PATRIOT act which allowed the FBI to prevent private entities from disclosing that they had received an NSL. However, the behavior of most entities when called on to do the government's bidding indicates that such a prohibition might not be necessary. For example, AT&T is currently in court for (allegedly) assisting the national security agency in illegally violating the rights of AT&T customers (the EFF page on the case can be found here). It doesn't take much imagination to visualize a situation where an entity such as AT&T receives an NSL, and then voluntarily declines to disclose the receipt of that letter (or anything about its contents) to anyone. While there have been some notable instances of businesses resisting the government (e.g., Google), in general, the government has substantial power to convince companies to cooperate even without being able to issue legally binding gag orders. Thus, until there is some indication that ISPs (and other relevant entities) won't simply cooperate with the government and voluntarily maintain their silence upon receipt of an NSL, there is a real danger that the ACLU's recent win may turn out to be a hollow victory.

In completely unrelated news, the Department of Justice has issued a public statement opposing Net Neutrality (link), a principle which would prevent ISPs from charging differential rates for internet traffic. Net Neutrality is generally opposed by telephone companies (e.g., AT&T) who would stand to profit from being able to charge higher rates for preferred access to internet resources link. Proponents of Net Neutrality generally include software companies (e.g., Google) which benefit from low cost internet access link.

Monday, September 3, 2007

Is Privacy Worthless?

Wired has an interesting article what value people put on privacy. The answer is unsurprising, if a bit depressing for people who do care about privacy: people always value even small amounts of money (e.g., a quarter) over the privacy of their personal information, even if that information is highly sensitive (e.g., number of sex partners). However, while the finding that consumers place very little value on privacy was depressing, one of the reasons given for that low value - a lack of understanding of the concrete risks to decreased privacy - was actually cause for hope. For example, consumers are generally highly concerned about identity theft (see, e.g., this article). Using that concern, it would seem that if privacy advocates can connect lack of privacy (i.e., everything you do being monitored and stored) with increased risk of identity theft (i.e., stored information about you being stolen and used for fraud) then they might be able to make a compelling case that consumers place too low a value on the privacy of their information.

Saturday, September 1, 2007

Know Your Pleadings: Electronic Communications Privacy Act

On the 22nd of August, a federal judge ruled that paying a hacker $15,000 to provide you with confidential emails did not lead to liability under the wiretap act or California's invasion of privacy act. The opinion itself can be found here.

So what happened? The judge stated that since the emails were taken from a server, they weren't "intercepted" for purposes of the wiretap act. As set forth in this article from C|NET, that would seem to indicate that the wiretap act simply doesn't cover email communications, since all emails are stored in memory (e.g., RAM), at least temporarily. No damages were available under California's invasion of privacy act because that act was preempted by the federal statute.

Does this mean that there is simply no remedy for someone whose emails have been stolen? Not at all. As the decision made clear, the wiretap act is only half of a larger bill, the electronic communications privacy act (ECPA). ECPA's other half, the stored communications act is designed to "address access to stored wire and electronic communications and transactional records." However, the plaintiffs made their claims under the wiretap act, note the ECPA. The moral of the story? There are two. First: the American legal system seems to have been designed in a deliberately confusing manner with traps for the unwary which can prevent even meritorious claims from being heard. Second: if someone steals your emails, you sue under the ECPA, not the wiretap act.