Tuesday, August 30, 2005

EPIC Calls For More Phone Privacy

On Tuesday EPIC asked the FCC to create stronger standards for the privacy of customer phone records. EPIC says these records are extremely sensitive, and in the wrong hands -- for instance, a stalker -- they can be abused. But they can be accessed, and sold to third parties, with little consequence, EPIC says.

Data thefts, and more often, unauthorized access through fraud does occur, phone companies say, but obviously they do not see the need for stronger rules.

Stronger control over their data by phone companies might help prevent the enactment of stricter laws and regulations. It's happened to other industries. A little self regulation now might go a long way. Conversely, the publicity from a major privacy breach could be the tipping point the other way. Just an observation.

Wednesday, August 24, 2005

Air Force Hacked

You know it's getting bad when the Air Force is hacked.

Actually, they say the person who gained access to personal information (including Social Security numbers)
on 33,000 Air Force officers had a legitimate user's log in information, but even so, should even a legitimate user have access to that much information?

Apparently the officers affected have been advised to monitor their credit reports.

According to the Washington Post, the Air Force has stated: "The incident is being investigated by both military and civilian
law-enforcement agencies. "We are conducting a wall-to-wall review of our
personnel-related data systems to maximize the security of the systems."

Monday, August 22, 2005

Breaches and Business Practices

The Los Angeles Times has an article about the practice of data brokers such as ChoicePoint offering to sell to consumers their own information that may have been disclosed in a security breach. In a sense, make money off of their mistake.

I realize such practices are tempting, and can even seem reasonable, but to others they seem like profting from negligence. Even extortion.

In any case, they are an invitation to even more state and federal regulation.

Here's a funny quote:

"We don't make use of domain names that are close to, or are misspellings
of, 'annualcreditreport' to try to create business," said TrueCredit
President John Danaher.

Asked about TransUnion's use of "annualcreditmonitoringreport," Danaher said:
"That doesn't have the words 'free, annual' in it."


More remarks like, and hearings followed by sweeping news laws won't be far behind.
Count on it.

Thursday, August 18, 2005

Tommy Thompson to Get Implantable Chip?

There are have been many stories lately that former Governor and Secretary of HHS Tommy Thompson is planning on getting a medical chip implanted. I still haven't been able to verfiy this, and remain a bit skeptical.

However, Thompson was appointed to the Board of Directors of Applied Digital Solutions, the maker of these chips, in July of 2005. So, that certainly makes the story more plausible. Maybe to work there you HAVE to get one. (Just kidding!)

I'm interested in these chips because they do hold some promise for the future but there is a great deal of misinformation about them too. The greatest being that you can be tracked, or that having one will help you in the event of a kidnapping.

If Thompson gets one, it would be for the publicity, presumably, and it would raise the profile of chips, (and the company) considerably.

That's what I call taking one for the team.

Tuesday, August 16, 2005

Roberts & the Right to Privacy, Part 4

The USA Today has an editorial today discussing John Roberts and the right to privacy. In the editorial they include an interesting run down of the cases involving the "right to privacy." Looking at this list, it does seem the term "right to privacy" is vague at best, covering the right raise your own children to the right to refuse surgery or purchase birth control. It would also seem that it might to transcend party and ideological lines. In any case, the right is a right of control, over choices, over family, and over the individual body.

From the USA Today:

1789-91: Bill of Rights adopted to include protection for various forms of privacy; Ninth Amendment affirms
rights "retained by the people."

1878: Supreme Court rules mail private.

1891: Court rules in forced-surgery case that "no right is more sacred than the right to control of his own person."

1925: Family privacy ruled to include right to determine children's education.

1965-72: State bans on birth control overturned as privacy violations.

1973: Bans on abortion overturned.

2003: Bans on gay sex overturned.

Monday, August 15, 2005

Appeals Court Revives E-Mail Eavesdropping Case

On Thursday the full First Circuit Court of Appeals revived a Wiretap Act prosecution against an executive who read customer e-mails, overruling both the District Court judge and an earlier ruling by the First Circuit.

The company the executive worked in had a free e-mail service, and on the orders of the executive, secretly stored and read customer e-mails from Amazon.com, for business reasons.

In 5-2 decision, the full Circuit Court ruled that the interception of the e-mails could be a violation of the federal wireapping laws.

In a dissent, one Appeals Court Judge said the Wiretap law did not apply.

"If Interloc did intercept its customers' messages in breach of a privacy agreement, the remedy lies in contract, not in the Wiretap Act," he wrote.

The First Circuit ruled that Congress intended the wiretapping prohibitions to cover electonicaly stored messages "intrinsic to the communications process."

Friday, August 12, 2005

New York Enacts Security Breach Law

New York has become the latest state to enact a security breach law.

The law (Assembly bill 4254) applies to the breach of unencrypted personal information or that was encrypted but for which the key has been acquired.

Any person or business which conducts business in New York State, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any RESIDENT of the state whose private information was or OR IS REASONABLY BELIEVED TO HAVE BEEN, acquired by a person without authoriztion.

"Personal information" means any information concerning a nautral person which, because of the name, number, personal mark, or other identifier can be used to identify a person.

"Private information" means account numbers, driver's license number, credit card numbers, passwords, SSN, and other sensitive information.

"Breach of the Security System" means unauthorized acquisition of computerized data which compromises the security, confidentiality, integrity, of personal information maintained by a business or state agency.

The law goes into effect in 4 months.

AOL, Microsoft Win Spam Lawsuits

On Tuesday, Microsoft a settlment in its lawsuit against a prolific spammer. The spammer agreed to them $7 million. A small amount for Microsoft, to be sure, but more substantial against the spammer.

Yesterday America Online was awarded $13 in a lawsuit filed in federal court in Virginia. The suit was filed under the 2003 CAN SPAM Act, which provides for seizure of spammer's assets. AOL is going to get some cash and a 2003 Hummer.

AOL is going to raffle off the seized assests to its subscribers, and donate other stuff to local schools.

According to the Washington Post, AOL credits the CAN SPAM law with helping with the problem.

AOL's deputy general counsel, Curtis Lu, said, "There are only a couple of dozen spammers who are responsible for the highest volume," he said. "This shows that under the tool that Congress gave us with CAN-SPAM we can really reach out and touch them . . . and when we find them we are going to hurt them badly."

Thursday, August 11, 2005

FCC Requires Easy Wiretapping of VoIP

The FCC has voted to require companies to allow police to wiretap Internet phone calls (VoIP).

The rule applies to Internet, broadbad, cable and telephone service providers. The ruling is an expanision of the 1994 federal law known as CALEA. (Communications Assistance for Law Enforcement Act). The law required
telecommunications businesses to make it easier for police to tap into civilian conversations. Critics say CALEA does not apply to VoIP.

The Justice Department and the FBI support the ruling.

The companies have 18 months to comply with the ruling.

Wednesday, August 10, 2005

State University Can Block E-Mails

The Fifth Circuit Court of Appeals has ruled that the University of Texas can block e-mails is deems spam even if the e-mails comply with the CAN SPAM Act.

An online dating service sending the e-mails claimed their constitutional rights were violated.

The Fifth Circuit said University policies were not pre-empted, and the dating service's Constitutional rights to free speech were not violated.

Tuesday, August 09, 2005

Insurers Using Consumer Reports Must Send Adverse Action Notices

The Ninth Circuit Court of Appeals reversed a lower court and issued ruling stating that when insurers offer applicants and current customers less favorable rates because of their consumer report, they must send an adverse action notice.

This is true no matter how good the credit report was, IF the rate would have been EVEN BETTER, with a BETTER consumer report.

Or if the consumer report is NOT considered.

Or if it is NOT AVAILABLE.

So there's going to be a lot of adverse action notices flying around out there.

The basis of the ruling is the insurance company's obligations under the Fair Credit Reporting Act.

SEE:

Reynolds v. Hartford Financial Services Group, 2005 U.S. App. LEXIS 16076 (9th Cir. 2005)

Monday, August 08, 2005

Does John Roberts Believe in a Right to Privacy? - Part 4

The New York Times has an article today discussing John Roberts' views on privacy, though they remain little known, since his writings almost all come from his days advocating on behalf of someone else.

The headline is: "Privacy Views: Roberts Argued Hard for Others," the article is by Adam Liptak.

The article suggests that Roberts holds a skeptical view of the reasoning of cases like Roe v. Wade and Griswold, putting him in the same camp as Rhenquist and Robert Bork, (among others) but that it is difficult to say whether, after all this time, he believes they are settled law or not.

One part reads:

"In a draft article for Attorney General William French Smith that year, Judge Roberts wrote that the Supreme Court should not interpret the Constitution to give rise to new rights.

"All of us, for example," he wrote, "may heartily endorse a 'right to privacy.' That does not, however, mean that courts should discern such an abstraction in the Constitution, arbitrarily elevate it over other constitutional rights and powers by attaching the label 'fundamental,' and then resort to it as, in the words of one of Justice Black's dissents, 'a loose, flexible, uncontrolled standard for holding laws unconstitutional.' "

The quotation was a telling one. Justice Hugo L. Black's dissent was in Griswold v. Connecticut, a 1965 case in which the Supreme Court struck down a Connecticut law that made the use of contraceptives a crime. It was, Justice Potter Stewart wrote in his own dissent, "an uncommonly silly law." But, the dissenters said, the Constitution did not give courts the power to strike down even silly laws unless they were in direct conflict with a constitutional command.

Justice William O. Douglas, writing for five of the seven justices in the majority, said the law was at odds with a fundamental constitutional right to privacy. The right, he said, was implicit in or suggested by guarantees in the First, Third, Fourth, Fifth and Ninth Amendments. The "specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees," Justice Douglas wrote in explaining the roots of the right to privacy."

For the full text of the article, go to www.nytimes.com

Friday, August 05, 2005

New York Legislature Approves Changes to Security Breach Law

The New York States Assembly and Senate have approved changes to their Security Breach law. Senate Bill 5827 has been sent to the Governor.

The bill defines "Breach of the security of the system" to mean:

"Unauthorized acquisition or acquisition without valid authorization of computerized data which compromises the security, confidentiality, or integrity of personal information maintained by a state entity. Good faith acquisition of personal information by an employee or agent of a state entity for the purposes of the agency is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure."

The bill also states:

"IN DETERMINING WHETHER INFORMATION HAS BEEN ACQUIRED, OR IS REASONABLY BELIEVED TO HAVE BEEN ACQUIRED, BY AN UNAUTHORIZED PERSON OR A PERSON WITHOUT VALID AUTHORIZATION, SUCH STATE ENTITY MAY CONSIDER THE FOLLOWING FACTORS, AMONG OTHERS:

(1) INDICATIONS THAT THE INFORMATION IS IN THE PHYSICAL POSSESSION AND CONTROL OF AN UNAUTHORIZED PERSON, SUCH AS A LOST OR STOLEN COMPUTER OR OTHER DEVICE CONTAINING INFORMATION;

OR

(2) INDICATIONS THAT THE INFORMATION HAS BEEN DOWNLOADED OR COPIED;

OR

(3) INDICATIONS THAT THE INFORMATION WAS USED BY AN UNAUTHORIZED ERSON, SUCH AS FRAUDULENT ACCOUNTS OPENED OR INSTANCES OF IDENTITY THEFT REPORTED."

Wednesday, August 03, 2005

John Roberts -- Right to Privacy, Part 3

In 1981 John Roberts worked at the U.S. Department of Justice. Ronald Reagan had recently been elected President and taken office. Some of Roberts 20 year old memos have been released to the public by the National Archives.

In one memo he wrote to Reagan's Attorney General, William French Smith, Roberts cites approvingly of a comment by former Solicitor General Erwin Griswold regarding "so-called 'right to privacy'," found by the Court in "Roe v. Wade" in 1973, and "Griswold v. Connecticut" in 1965. (No relation to Erwin Griswold).

Roberts wrote that Erwin Griswold, was "arguing as we have that such an amorphous right is not to be found in the Constitution."

Of course, Roberts was writing for the administration at the time, not necessarily for himself. Still, it should make any person curious at so what John Roberts' views are regarding the "right to privacy", and whether it is the Constitution or not.

The documents also suggest that Roberts was the author of draft of an article criticizing the concept of a Constitutional right to privacy, which said "the broad range of rights which are now alleged to be 'fundamental' by litigants" bear "only the most tenuous connection to the Constitution.''

These memos and articles are more than 20 years old, and Roberts was writing as employee. Still, at the very least, they are grounds for further questioning.

Corzine Security Breach Notification Bill

Senator Jon Corzine of New Jersey has introduced a Security Breach Notification bill

This bill was introduced July 29. The number of the bill is S.1594

The bill is described as:

"A bill to require financial services providers to maintain customer information security systems and to notify customers of unauthorized access to personal information, and for other purposes."

The text of the bill is not available yet.

The bill has been referred to the Committee on Banking, Housing, and Urban Affairs.

Tuesday, August 02, 2005

Specter - Leahy Identity Theft - Privacy Bill

Senator Arlen Specter (Republican - Pennsylvania) and Senator Patrick Leahy (Democrat - Vermont) have jointly introduced an identity theft / privacy bill. (S. 1332).

The bill, titled the “Personal Data Privacy and Security Act of 2005,” is described as designed “to prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

The bill is 91 pages long, and contains a number of provisions.

Among the provisions:

• Intentionally concealing a security breach could result in 5 years in prison.

• Data Brokers must disclose to individuals all records pertaining to that individual.

• Data brokers must correct inaccuracies.

• Data brokers who intentionally violate the law could face fines of $15,000 per day.

• Any business collecting, using, storing or accessing personal information on more than 10,000 people must implement a comprehensive personal data privacy and security program, that administrative, technical and physical safeguards appropriate to its size and complexity.

• The safeguards would have to ensure the privacy, security, and confidentiality of personal electronic records, protect against any anticipated vulnerabilities, and protect against unauthorized access.

• Businesses would have conduct risk assessment and risk management, employee training and vulnerability training.

• Businesses would have to exercise due diligence when working with third parties not subject to the Specter – Leahy law.

• Businesses would have keep up with changes in technology, internal and external threats, its changing business, and make adjustments accordingly.

• Violations of the above could result in fines of $35,000 per day.

• Businesses storing, collecting, using or accessing personal information would have to notify individuals in the event of a security breach involving sensitive personal information, as well as each consumer reporting agency and the federal agencies.

• Businesses would also have to provide to individuals 1 year of monthly access to their credit report and 1 year of credit-monitoring services.

• Failure to follow the above could result in fines of $55,000 per day.

The bill also contains limits of the use of Social Security Numbers and government access to commercial databases.

Monday, August 01, 2005

Convention on Cybercrime: Threat to Privacy?

In this age of terror and international cooperation, plus the general suspicion with which computer and Internet users are still viewed, not to mention that no politician wants to be viewed as "soft of crime," it is no surprise that the Senate is moving toward approval of the treaty called the"Council of Europe Convention on Cybercrime." (Although there is the trend of Senate Republicans being suspicious of binding international treaties and Europe in general.)

In 2003, President Bush asked the Senate to approve of the Treaty, which he called "the only multilateral treaty to address the problems of computer-related crime and electronic evidence gathering."

The President also said:

"By providing for broad international cooperation in the form of extradition and mutual legal assistance, the Cybercrime Convention would remove or minimize legal obstacles to international cooperation that delay or endanger U.S. investigations and prosecutions of computer-related crime. As such, it would help deny "safe havens" to criminals, including terrorists, who can cause damage to U.S. interests from abroad using computer systems. At the same time, the Convention contains safeguards that protect civil liberties and other legitimate interests."

On July 26, 2005, the Senate Committee on Foreign Relations approved the treaty by a unanimous voice vote. Sen. Dodd did say that privacy concerns should be addressed.

In this age of terror and international cooperation, plus the general suspicion with which computer and Internet users are still viewed, not to mention that no politician wants to be viewed as "soft of crime," it is no surprise that the Senate is moving toward approval of the treaty called the "Council of Europe Convention on Cybercrime." (Although there is the trend of Senate Republicans being suspicious of binding international treaties and Europe in general.)

On July 26, 2005, the Senate Committee on Foreign Relations approved the treaty by a voice vote.

Software companies are lobbying hard for the treaty, which has strong copyright enforcement provisions.

One controversial provision is the requirement that a law enforcement agency is required to cooperate with another country in investigating a crime, even if the act is not a crime in the cooperating country.

Put simply, the U.S. would forced to assist in investigating a crime even the alleged crime was only what we would call exercising free speech, or freedom of religious expression.

The ACLU has expressed concern, writing:

"The Senate should carefully consider what it means to agree to provide mutual legal assistance to countries whose substantive laws and procedures do not comport with American understandings of justice."

The treaty has been criticized by privacy advocates and those concerned about state sovereignty, among others. The Electronic Privacy Information Center has written a letter to the Senate outlining their objections.

See: http://epic.org/privacy/intl/senateletter-072605.pdf

EPIC also is concerned that the treaty lacks adequate privacy provisions, but this is not surprising in a treaty the purpose of which is to enable governments to read e-mail, listen to phone conversations, and in other ways, in an effort to prevent crime and catch criminals, coordinate in spying on citizens.