Archive for the ‘privacy and security’ Category

UK — Ofcom publishes report on internet safety measures

July 24, 2014 Comments off

Ofcom publishes report on internet safety measures
Source: Ofcom
Ofcom has today published a report for Government outlining measures the UK’s largest internet service providers have put in place to help parents protect children from harmful content online.

This follows an agreement between the Government and BT, Sky, TalkTalk and Virgin Media, the four largest fixed line internet service providers (ISPs), announced in July 2013. Each ISP committed to offer new customers ‘family-friendly network-level filtering’ by the end of December 2013.

This is the second of three reports the Department for Culture, Media and Sport (DCMS) has asked Ofcom to produce on internet safety measures to protect children. The DCMS asked Ofcom to look at the approach taken by each ISP to implement family-friendly filtering services which block content that may be inappropriate or harmful for children, rather than assess the effectiveness of the filters.

The report also describes measures taken by ISPs to present a pre-ticked ‘unavoidable choice’ to new customers on whether or not to activate the filter, and includes initial take-up data among new customers offered filters.

The filters apply to all web based internet content, on any device that is connected to the fixed broadband network in the home.

How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations

July 23, 2014 Comments off

How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations
Source: Transportation Research Board

TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.

Inverse Privacy

July 22, 2014 Comments off

Inverse Privacy
Source: Microsoft Research

We say that an item of your personal information is private if you have it but nobody else does. It is inversely private if somebody has it but you do not. We analyze the provenance of inverse privacy and argue that technology and appropriate public policy can reduce inverse privacy to a minimum.

Information Exposed: Historical Examination of Data Breaches in New York State

July 21, 2014 Comments off

Information Exposed: Historical Examination of Data Breaches in New York State (PDF)
Source: New York State Attorney General
From press release:

Attorney General Eric T. Schneiderman today issued a new report examining the growing number, complexity, and costs of data breaches in New York State. Using information provided to the Attorney General’s Office pursuant to the New York State Information Security Breach & Notification Act, the report, titled “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years of security breach data and how it has impacted New Yorkers.

The report reveals that the number of reported data security breaches in New York more than tripled between 2006 and 2013. In that same period, 22.8 million personal records of New Yorkers have been exposed in nearly 5,000 data breaches, which have cost the public and private sectors in New York upward of $1.37 billion in 2013. In addition, the report also found that hacking intrusions – in which third parties gain unauthorized access to data stored on a computer system – were the leading cause of data security breaches, accounting for roughly 40 percent of all breaches. Attorney General Schneiderman’s report also presents new recommendations on steps that both organizations and consumers can take to protect themselves from data loss.

New From the GAO

July 17, 2014 Comments off

New GAO Reports
Source: Government Accountability Office

1. National Nuclear Security Administration: Agency Expanded Use of Some Federal Oversight Reforms, but Is Still Determining Future Plans. GAO-14-588, July 17.
http://www.gao.gov/products/GAO-14-588
Highlights - http://www.gao.gov/assets/670/664836.pdf

2. Missile Defense: DOD’s Report Provides Limited Insight on Improvements to Homeland Missile Defense and Acquisition Plans. GAO-14-626R, July 17.
http://www.gao.gov/products/GAO-14-626R

3. Information Security: FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain. GAO-14-674, July 17.
http://www.gao.gov/products/GAO-14-674
Highlights - http://www.gao.gov/assets/670/664841.pdf

Global Opposition to U.S. Surveillance and Drones, but Limited Harm to America’s Image

July 16, 2014 Comments off

Global Opposition to U.S. Surveillance and Drones, but Limited Harm to America’s Image
Source: Pew Research Global Attitudes Project

Revelations about the scope of American electronic surveillance efforts have generated headlines around the world over the past year. And a new Pew Research Center survey finds widespread global opposition to U.S. eavesdropping and a decline in the view that the U.S. respects the personal freedoms of its people. But in most countries there is little evidence this opposition has severely harmed America’s overall image.

Global Internet Privacy Study Reveals Consumers’ Conflicting Views

July 14, 2014 Comments off

Global Internet Privacy Study Reveals Consumers’ Conflicting Views
Source: EMC Corporation

Highlights

  • Taps into privacy attitudes of 15,000 consumers from 15 countries
  • 91% of respondents value the benefit of “easier access to information and knowledge” that digital technology affords
  • Only 27% say they are willing to trade some privacy for greater convenience and ease online
  • Only 41% believe government is committed to protecting their privacy
  • 81% expect privacy to erode over the next five years; 59% say they have less privacy than a year ago

Overcoming Speed Bumps on the Road to Telematics: Challenges and opportunities facing auto insurers

July 11, 2014 Comments off

Overcoming Speed Bumps on the Road to Telematics: Challenges and opportunities facing auto insurers
Source: Deloitte

Early adopters of telematics are collecting data that can reveal a driver’s behavior, which in turn can provide a basis for greater precision in insurance underwriting, pricing and claims. Having such first-hand driving data at their disposal could give existing usage-based insurance (UBI) carriers a considerable leg up over those not using telematics. Of course, early adopters still face many challenges in executing a viable telematics program.

In order to get a better idea of consumers’ reactions to UBI, Deloitte surveyed more than 2,000 respondents about their experiences with consumer mobile technology. We have placed the respondents in three categories — Eager Beavers, Fence Sitters and Naysayers — based on their willingness to have their driving monitored by insurers.

This report provides data and analysis that may help guide carriers that have already started on the road to telematics, along with those poised to join in, as well as others that will have to compete with telematics-driven players.

See also: Telematics: How Big Data Is Transforming the Auto Insurance Industry (SAS; PDF)

Statistical Transparency Report Regarding Use of National Security Authorities — Annual Statistics for Calendar Year 2013

July 7, 2014 Comments off

License Plate Readers for Law Enforcement: Opportunities and Obstacles

July 3, 2014 Comments off

License Plate Readers for Law Enforcement: Opportunities and Obstacles
Source: RAND Corporation

Law enforcement agencies across the country have quickly been adopting a new technology to combat auto theft and other crimes: automated license plate reader (LPR) systems. These systems can capture the image of the license plate of a passing vehicle and compare the plate number against official “hotlists” that show an array of infractions or reasons why it may be of interest to authorities. But because LPR technology is relatively new in the United States, opportunities and obstacles in its use in law enforcement are still under exploration. To examine issues about this technology, RAND conducted interviews with law enforcement officers and others responsible for procuring, maintaining, and operating the systems. Champions of LPR technology exist at many levels, from tech-savvy officers who use it every day, to chiefs who promote it, to other officials and policymakers who believe LPR technology is a significant force multiplier for police departments. Challenges exist, however, to realizing more widespread acceptance and use of the technology. Chief among these are privacy concerns related to the retention and potential misuse of LPR data, technical and bureaucratic impediments to sharing data among law enforcement agencies, and constraints on the availability of staffing and training needed to support LPR systems.

Privacy and Civil Liberties Oversight Board Releases Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act

July 3, 2014 Comments off

Board Releases Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act
Source: Privacy and Civil Liberties Oversight Board

The Board’s report will contain a detailed analysis of the Section 702 program, with a focus on increasing transparency to the public regarding the surveillance program. It will address the Section 702 program’s development and operation, statutory basis, constitutional implications, and whether it strikes the right balance between national security and privacy and civil liberties, and will make recommendations for policy reforms. The report will be unclassified and available to the public. Previously, on January 23, 2014, the Board released a separate unclassified report regarding operation of the telephone records program under Section 215 of the USA PATRIOT Act, as well as on the operations of the Foreign Intelligence Surveillance Court. The Board’s review of these surveillance programs has included three public meetings, receipt of dozens of public comments, meetings with congressional committee staff, advocates and private sector representatives, analysis of classified materials, and briefings by government agencies.

Net Threats: Experts say liberty online is challenged by nation-state crackdowns, surveillance, and pressures of commercialization of the Internet

July 3, 2014 Comments off

Net Threats: Experts say liberty online is challenged by nation-state crackdowns, surveillance, and pressures of commercialization of the Internet
Source: Pew Research Internet Project

As Internet experts look to the future of the Web, they have a number of concerns. This is not to say they are pessimistic: The majority of respondents to this 2014 Future of the Internet canvassing say they hope that by 2025 there will not be significant changes for the worse and hindrances to the ways in which people get and share content online today. And they said they expect that technology innovation will continue to afford more new opportunities for people to connect.

Still, some express wide levels of concern that this yearning for an open Internet will be challenged by trends that could sharply disrupt the way the Internet works for many users today as a source of largely unfettered content flows.

The Net Threats These Experts Fear

  1. Actions by nation-states to maintain security and political control will lead to more blocking, filtering, segmentation, and balkanization of the Internet.
  2. Trust will evaporate in the wake of revelations about government and corporate surveillance and likely greater surveillance in the future.
  3. Commercial pressures affecting everything from Internet architecture to the flow of information will endanger the open structure of online life.
  4. Efforts to fix the TMI (too much information) problem might over-compensate and actually thwart content sharing.

The NSA Revelations: All in One Chart

July 3, 2014 Comments off

The NSA Revelations: All in One Chart
Source: Pro Publica

This is a plot of the NSA programs revealed in the past year according to whether they are bulk or targeted, and whether the targets of surveillance are foreign or domestic. Most of the programs fall squarely into the agency’s stated mission of foreign surveillance, but some – particularly those that are both domestic and broad-sweeping – are more controversial.

A Measurement Study of Google Play

June 26, 2014 Comments off

A Measurement Study of Google Play (PDF)
Source: Columbia University

Although millions of users download and use third-party Android applications from the Google Play store, little information is known on an aggregated level about these applications. We have built PlayDrone, the first scalable Google Play store crawler, and used it to index and analyze over 1,100,000 applications in the Google Play store on a daily basis, the largest such index of Android applications. PlayDrone leverages various hacking techniques to circumvent Google’s roadblocks for indexing Google Play store content, and makes proprietary application sources available, including source code for over 880,000 free applications. We demonstrate the usefulness of PlayDrone in decompiling and analyzing application content by exploring four previously unaddressed issues: the characterization of Google Play application content at large scale and its evolution over time, library usage in applications and its impact on application portability, duplicative application content in Google Play, and the ineffectiveness of OAuth and related service authentication mechanisms resulting in malicious users being able to easily gain unauthorized access to user data and resources on Amazon Web Services and Facebook.

See: Crucial security problem in Google Play: Thousands of secret keys found in Android apps (Science Daily)
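
The PlayDrone finding above is that developers ship long-lived service credentials (AWS keys, Facebook app secrets) inside the app package, where anyone who decompiles the APK can read them. The scanner below is an added example, not PlayDrone's code or anything from the paper: it runs a small set of format-based detectors over the strings pulled out of a decompiled app and filters the hits with a Shannon-entropy check so obvious placeholders are not reported. The AWS access-key-ID and secret-key formats used here are the publicly documented ones, and the sample input is constructed for the example (the AWS values are Amazon's own documentation placeholders, not live credentials); the Facebook secret pattern is an assumption about length and alphabet, not a documented format.

```python
"""Scan strings from a decompiled Android app for embedded service credentials.

Added example (not PlayDrone code). Feed it the output of `strings` over
classes.dex, or the contents of res/values/strings.xml after apktool.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: what `strings classes.dex | grep -i key` might yield.
# The AWS values are Amazon's documented example credentials (not real keys);
# the Facebook value is made up for this example.
SAMPLE_STRINGS = """
com.example.photoshare.upload.S3Uploader
aws_access_key=AKIAIOSFODNN7EXAMPLE
aws_secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
https://graph.facebook.com/oauth/access_token
fb_app_secret=0123456789abcdef0123456789abcdef
Lorem ipsum dolor sit amet
"""

CANDIDATE_PATTERNS: Dict[str, re.Pattern] = {
    # AWS access key IDs are 20 characters starting with "AKIA" (documented format).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # AWS secret access keys are 40 base64-alphabet characters; gated on a
    # nearby "secret" hint to keep false positives down.
    "aws_secret_access_key": re.compile(
        r"(?i:secret)[^\n]{0,20}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
    ),
    # Assumed format for Facebook app secrets: 32 lowercase hex chars, hint-gated.
    "facebook_app_secret": re.compile(r"(?i:secret)[^\n]{0,20}?\b([0-9a-f]{32})\b"),
}


@dataclass
class Finding:
    kind: str
    value: str
    line: int
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 'XXXX...' placeholders score near zero."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_embedded_secrets(text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return every pattern hit whose entropy clears the placeholder threshold."""
    findings: List[Finding] = []
    for kind, pattern in CANDIDATE_PATTERNS.items():
        for m in pattern.finditer(text):
            # Group 1 is the credential itself when the pattern is hint-gated.
            token = m.group(1) if m.lastindex else m.group(0)
            ent = shannon_entropy(token)
            if ent < min_entropy:
                continue  # looks like "AKIAXXXXXXXXXXXXXXXX" or similar filler
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(kind, token, line_no, round(ent, 2)))
    return findings


def masked(value: str) -> str:
    """Show only the first four characters so reports do not re-leak the key."""
    return value[:4] + "*" * (len(value) - 4)


if __name__ == "__main__":
    for f in find_embedded_secrets(SAMPLE_STRINGS):
        print(f"line {f.line}: {f.kind} {masked(f.value)} (entropy {f.entropy})")
```

A hit from this scanner is a triage lead, not a confirmed exposure: confirm the key is live by checking it against the provider (for AWS, `aws sts get-caller-identity` with the extracted pair) before raising it, and treat any confirmed key as compromised the moment it shipped in a public APK, since rotating it is the only remediation.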

Just Released — Supreme Court decision — Riley v. California (cell phone searches)

June 25, 2014 Comments off

Riley v. California
Source: Supreme Court of the United States

In No. 13–132, petitioner Riley was stopped for a traffic violation, which eventually led to his arrest on weapons charges. An officer searching Riley incident to the arrest seized a cell phone from Riley’s pants pocket. The officer accessed information on the phone and noticed the repeated use of a term associated with a street gang. At the police station two hours later, a detective specializing in gangs further examined the phone’s digital contents. Based in part on photographs and videos that the detective found, the State charged Riley in connection with a shooting that had occurred a few weeks earlier and sought an enhanced sentence based on Riley’s gang membership. Riley moved to suppress all evidence that the police had obtained from his cell phone. The trial court denied the motion, and Riley was convicted. The California Court of Appeal affirmed.

In No. 13–212, respondent Wurie was arrested after police observed him participate in an apparent drug sale. At the police station, the officers seized a cell phone from Wurie’s person and noticed that the phone was receiving multiple calls from a source identified as “my house” on its external screen. The officers opened the phone, accessed its call log, determined the number associated with the “my house” label, and traced that number to what they suspected was Wurie’s apartment. They secured a search warrant and found drugs, a firearm and ammunition, and cash in the ensuing search. Wurie was then charged with drug and firearm offenses. He moved to suppress the evidence obtained from the search of the apartment. The District Court denied the motion, and Wurie was convicted. The First Circuit reversed the denial of the motion to suppress and vacated the relevant convictions.

Held: The police generally may not, without a warrant, search digital information on a cell phone seized from an individual who has been arrested. Pp. 5–28.

Hackers Wanted: An Examination of the Cybersecurity Labor Market

June 24, 2014 Comments off

Hackers Wanted: An Examination of the Cybersecurity Labor Market
Source: RAND Corporation

There is a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation’s networks and may leave the United States ill-prepared to carry out conflict in cyberspace.

RAND examined the current status of the labor market for cybersecurity professionals — with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of “cybersecurity professionals” to unearth skills differentiation as relevant to this study.

In general, we support the use of market forces (and preexisting government programs) to address the strong demand for cybersecurity professionals in the longer run. Increases in educational opportunities and compensation packages will draw more workers into the profession over time. Cybersecurity professionals take time to reach their potential; drastic steps taken today to increase their quantity and quality would not bear fruit for another five to ten years. By then, the current concern over cybersecurity could easily abate, driven by new technology and more secure architectures. Pushing too many people into the profession now could leave an overabundance of highly trained and narrowly skilled individuals who could better be serving national needs in other vocations.

Few Consumers Trust Companies to Keep Online Info Safe

June 20, 2014 Comments off

Few Consumers Trust Companies to Keep Online Info Safe
Source: Gallup

Recent incidents such as Target’s security breach, the Heartbleed bug, and eBay’s systems hack have called attention to how much consumers trust the businesses they patronize to keep their personal information safe. That trust currently appears to be hard to come by. Just 21% of Americans have “a lot of trust” in the businesses or companies they regularly interact with to keep their personal information secure.

DHS OIG — Radio Frequency Identification Security at USCIS Is Managed Effectively, But Can Be Strengthened

June 18, 2014 Comments off

Radio Frequency Identification Security at USCIS Is Managed Effectively, But Can Be Strengthened (PDF)
Source: U.S. Department of Homeland Security, Office of Inspector General
From Spotlight (PDF):

We determined that United States Citizenship and Immigration Services (USCIS) has effectively managed the implementation of RFID technology measures to minimize the risk of using RFID-enabled permanent resident cards. For example, USCIS has granted its card production system the authority to operate, evaluated privacy implications of using the system, and ensured that no personal data is transmitted by permanent resident cards. However, USCIS had not deployed timely security patches on the servers and workstations that support RFID processes, assessed annually the effectiveness of security controls implemented on the system that produces RFID cards, or ensured employees producing these cards receive the mandatory annual privacy awareness training.

USPS OIG — Postal Inspection Service Mail Covers Program

June 18, 2014 Comments off

Postal Inspection Service Mail Covers Program (PDF)
Source: U.S. Postal Service, Office of Inspector General

BACKGROUND:
In fiscal year 2013, the U.S. Postal Inspection Service processed about 49,000 mail covers. A mail cover is an investigative tool used to record data appearing on the outside of a mailpiece. Law enforcement agencies use this information to protect national security; locate fugitives; obtain evidence; or help identify property, proceeds, or assets forfeitable under criminal law.

A mail cover is justified when it will further an investigation or provide evidence of a crime. The U.S. Postal Service is responsible for recording and forwarding the data to the Postal Inspection Service for further processing. Postal Service and law enforcement officials must ensure compliance with privacy policies to protect the privacy of customers, employees, and other individuals’ information.

Our objective was to determine whether the Postal Service and Postal Inspection Service are effectively and efficiently handling mail covers according to Postal Service and federal requirements.

WHAT THE OIG FOUND:
Opportunities exist to improve controls over the mail covers program. For example, responsible personnel did not always handle and process mail cover requests in a timely manner, and documents relating to the covers were not always returned to the program files as required. Of the 196 external mail cover requests we reviewed, 21 percent were approved without written authorization and 13 percent were not adequately justified or reasonable grounds were not transcribed accurately. Also, 15 percent of the inspectors who conducted mail covers did not have the required nondisclosure form on file.

Further, the Postal Inspection Service provided evidence for only one periodic review of the mail covers program over the past 3 fiscal years and did not have procedures to ensure annual reviews were performed as required. Finally, the mail cover computer application did not always provide accurate and reliable information because system controls did not ensure completeness, accuracy, and consistency of data. For example, we found 928 mail covers in active status after the cover periods ended.

Insufficient controls could hinder the Postal Inspection Service’s ability to conduct effective investigations, lead to public concerns over privacy of mail, and harm the Postal Service’s brand.

WHAT THE OIG RECOMMENDED:
We recommended management improve controls to ensure responsible personnel process mail covers in a timely manner and conduct periodic reviews of the mail covers program. Also, we recommended management implement system controls to ensure data integrity in the Postal Inspection Service mail cover application.

CRS — The Fourth Amendment Third-Party Doctrine

June 16, 2014 Comments off

The Fourth Amendment Third-Party Doctrine (PDF)
Source: Congressional Research Service (via Federation of American Scientists)

In the 1970s, the Supreme Court handed down Smith v. Maryland and United States v. Miller, two of the most important Fourth Amendment decisions of the 20th century. In these cases, the Court held that people are not entitled to an expectation of privacy in information they voluntarily provide to third parties. This legal proposition, known as the third-party doctrine, permits the government access to, as a matter of Fourth Amendment law, a vast amount of information about individuals, such as the websites they visit; who they have emailed; the phone numbers they dial; and their utility, banking, and education records, just to name a few. Questions have been raised whether this doctrine is still viable in light of the major technological and social changes over the past several decades.
