Archive for the ‘privacy and security’ Category

Cyber Resiliency Assessment: Enabling Architectural Improvement

June 3, 2013

Cyber Resiliency Assessment: Enabling Architectural Improvement

Source: MITRE Corporation

Cyber resiliency assessments are intended to identify where, how, and when cyber resiliency techniques can be applied to improve architectural resiliency against advanced cyber threats. This document presents a general process for architectural assessment. The process can be applied to an operational or as-is architecture, to identify first steps or quick wins for improving resilience against advanced cyber threats. The process can also be applied to a notional or to-be architecture, to identify opportunities to provide greater and more cost-effective resilience, and/or to support the development of a cyber resiliency improvement roadmap. The process is supported by assessment scales and questions. Because the set of cyber resiliency techniques continues to evolve, detailed discussion of selected techniques, including POET considerations, is provided.

Give and Take: Good Practice Guide for Addressing Network and Information Security Aspects of Cybercrime

May 28, 2013

Give and Take: Good Practice Guide for Addressing Network and Information Security Aspects of Cybercrime

Source: European Network and Information Security Agency (via RAND Corporation)

In 2010 ENISA started its support for operational collaboration between the Computer Emergency Response Teams (CERTs) in the Member States on the one hand and Law Enforcement Agencies (LEA) on the other hand. Various activities have since been launched, including stock-taking of legal and operational obstacles that prevent collaboration, advice resulting from that, workshops that brought together members of both communities, consultation with members of both communities, etc. It was soon realised that the process of trust building, tackling obstacles together, discussion and finally working together would need time and active, continuous support from ENISA, CERTs and LEAs, and that ENISA had just embarked on a long-term trip to achieve its goals. The document at hand constitutes a "work in progress", a snapshot of the current status of ENISA's support for CERTs and LEAs, and includes good practice and recommendations for both communities. It must be clear that while we may already be several steps closer to a smoother collaboration, we need to continue our common efforts to reach that goal. This document contains a Good Practice Guide concerning cooperation between Computer Emergency Response Teams (CERTs) and other stakeholders, primarily Law Enforcement Authorities (LEAs) within Europe.

New From the GAO

May 21, 2013

New GAO Reports and Testimonies

Source: Government Accountability Office

Reports

1. Homeland Security: An Overall Strategy Is Needed to Strengthen Disease Surveillance in Livestock and Poultry. GAO-13-424, May 21.
http://www.gao.gov/products/GAO-13-424
Highlights – http://www.gao.gov/assets/660/654750.pdf
Podcast – http://www.gao.gov/multimedia/podcasts/654743

2. Funding for 10 States’ Programs Supported by Four Environmental Protection Agency Categorical Grants. GAO-13-504R, May 6.
http://www.gao.gov/products/GAO-13-504R

Testimonies

1. Immigration Enforcement: Preliminary Observations on DHS’s Overstay Enforcement Efforts, by Rebecca Gambler, director, homeland security and justice, before the Subcommittee on Border and Maritime Security, House Committee on Homeland Security. GAO-13-602T, May 21.
http://www.gao.gov/products/GAO-13-602T
Highlights – http://www.gao.gov/assets/660/654753.pdf

2. Telecommunications Networks: Addressing Potential Security Risks of Foreign-Manufactured Equipment, by Mark L. Goldstein, director, physical infrastructure issues, before the Subcommittee on Communications and Technology, House Committee on Energy and Commerce. GAO-13-652T, May 21.
http://www.gao.gov/products/GAO-13-652T
Highlights – http://www.gao.gov/assets/660/654764.pdf

3. Fiscal Year 2014 Budget Request: U.S. Government Accountability Office, by Gene L. Dodaro, Comptroller General of the United States, before the Subcommittee on Legislative Branch, Senate Committee on Appropriations. GAO-13-617T, May 21.
http://www.gao.gov/products/GAO-13-617T
Highlights – http://www.gao.gov/assets/660/654758.pdf

Teens, Social Media, and Privacy

May 21, 2013

Teens, Social Media, and Privacy

Source: Pew Internet & American Life Project

Teens are sharing more information about themselves on social media sites than they have in the past, but they are also taking a variety of technical and non-technical steps to manage the privacy of that information. Despite taking these privacy-protective actions, teen social media users do not express a high level of concern about third-parties (such as businesses or advertisers) accessing their data; just 9% say they are “very” concerned.

FTC Warns Data Broker Operations of Possible Privacy Violations

May 9, 2013

FTC Warns Data Broker Operations of Possible Privacy Violations
Source: Federal Trade Commission

The Federal Trade Commission sent letters to ten data broker companies warning that their practices could violate the Fair Credit Reporting Act (FCRA) after a test-shopping operation by the FTC indicated the companies were willing to sell consumer information without abiding by FCRA requirements.

The test-shopping operation was part of a worldwide privacy protection effort. FTC staff members posed as individuals or representatives of companies seeking information about consumers to make decisions related to their creditworthiness, eligibility for insurance or suitability for employment.

Data broker companies that collect, distribute or sell this information are considered consumer reporting agencies under the FCRA, meaning they must reasonably verify the identities of their customers and make sure that these customers have a legitimate purpose for receiving the information. This requirement ensures that the privacy of sensitive consumer report information is protected. Of the 45 companies contacted by FTC staff in the test-shopper operation, ten appear to violate the FCRA by offering to provide the information without complying with the law’s requirements.

The FTC issued the letters this week in conjunction with an international privacy practice transparency sweep conducted by the Global Privacy Enforcement Network (GPEN). The network connects privacy enforcement authorities to promote and support cooperation in cross-border enforcement of laws protecting privacy. Several GPEN members from countries around the world are taking steps this week to ensure that companies meet their obligations related to the privacy of consumers’ personal information.

The Dangers of Surveillance

April 29, 2013

The Dangers of Surveillance
Source: Harvard Law Review (via SSRN)

From the Fourth Amendment to George Orwell’s Nineteen Eighty-Four, our culture is full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don’t really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with “privacy,” we lack an understanding of what “privacy” means in this context, and why it matters. Developments in government and corporate practices have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance.

This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of “surveillance studies,” I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It also gives the watcher power over the watched, creating the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance.

At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance. First, we must recognize that surveillance transcends the public-private divide. Even if we are ultimately more concerned with government surveillance, any solution must grapple with the complex relationships between government and corporate watchers. Second, we must recognize that secret surveillance is illegitimate, and prohibit the creation of any domestic surveillance programs whose existence is secret. Third, we should recognize that total surveillance is illegitimate and reject the idea that it is acceptable for the government to record all Internet activity without authorization. Fourth, we must recognize that surveillance is harmful. Surveillance menaces intellectual privacy and increases the risk of blackmail, coercion, and discrimination; accordingly, we must recognize surveillance as a harm in constitutional standing doctrine.

FTC Issues Updated FAQs on Amended Children’s Online Privacy Protection Rule

April 26, 2013

FTC Issues Updated FAQs on Amended Children’s Online Privacy Protection Rule
Source: Federal Trade Commission

The Federal Trade Commission has issued an updated set of frequently asked questions designed to help website operators, mobile application developers, plug-ins and advertising networks operating on child-directed websites and online services prepare for upcoming changes to the Children’s Online Privacy Protection Rule.

The document, titled “Complying With COPPA: Frequently Asked Questions” contains information directed to websites and online services whose work online may involve the collection of personal information from children under age 13. The document provides guidance from the FTC staff that supplements the rule and other COPPA-related material previously published by the FTC.

In addition to the guidelines and frequently asked questions, FTC staff maintain a “COPPA Hotline” email address, COPPAHotLine@ftc.gov, where industry members can send questions on how to ensure they are compliant with the rule. FTC staff will periodically update the FAQs. Comments on the FAQs or suggestions for new FAQs may be submitted through the COPPA Hotline email address.

The Commission finalized amendments to the COPPA Rule last December, and they will go into effect on July 1 of this year. The process to review the rule was begun in 2010 with the intent to modernize the rule and ensure that children’s privacy protections kept up with evolving technology and changes in the way children use and access the Internet, including the increased use of mobile devices and social networking.

Querying Encrypted Data (Tutorial)

April 26, 2013

Querying Encrypted Data (Tutorial)
Source: Microsoft Research

Data security is a serious concern when we migrate data to a cloud DBMS. Database encryption, where sensitive columns are encrypted before they are stored in the cloud, has been proposed as a mechanism to address such data security concerns. The intuitive expectation is that an adversary cannot “learn” anything about the encrypted columns, since she does not have access to the encryption key. However, query processing becomes a challenge since it needs to “look inside” the data. This tutorial explores the space of designs studied in prior work on processing queries over encrypted data. We cover both approaches based on the classic client-server model and approaches involving the use of a trusted hardware module in which data can be securely decrypted. We discuss the security challenges that arise in both approaches and how they may be addressed. Briefly, supporting the full complexity of a modern DBMS, including complex queries, transactions and stored procedures, leads to significant challenges that we survey.

Using Public Surveillance Systems for Crime Control and Prevention: A Practical Guide for Law Enforcement and Their Municipal Partners

April 24, 2013

Using Public Surveillance Systems for Crime Control and Prevention: A Practical Guide for Law Enforcement and Their Municipal Partners (PDF)

Source: Urban Institute

Municipalities across the country are in a constant search for effective public safety interventions that will curb crime and improve the livability and economic well-being of their communities. This is particularly true among law enforcement agencies that embrace a community policing philosophy, which has become a key component of policing efforts in most mid- and large-sized law enforcement agencies across the United States. While many believe that the adoption of community policing has led to more efficient and effective policing strategies, law enforcement agencies continue to grapple with limited resources and are therefore interested in employing new, cost-effective tools that can enhance their community policing efforts. Among the latest wave of public safety tools is the use of public surveillance systems, often referred to as Closed-Circuit Television (CCTV). While public surveillance systems are widely employed in the business sector to improve security, until recently the use of cameras to monitor public spaces has been much less common in the United States, in part due to concerns about privacy and civil liberties. Community policing, which embodies a combination of proactive crime prevention and community engagement with more traditional policing functions, may benefit from this technology because public surveillance can enhance problem solving strategies, aid in arrests and investigations, and ultimately increase offenders’ perceptions that they will be both caught and prosecuted. Public surveillance systems might also yield a secondary impact, serving to increase legitimate users’ perceptions of safety and thus their presence in public areas, which in turn may increase guardianship, improve police-community partnerships, and reduce crime.

The potential contributions to policing and public safety of public surveillance systems perhaps explain why their use has expanded in recent years. Unfortunately, these investments of scarce public safety resources are being made in the absence of research documenting the decisions behind camera investment and use and the lessons learned by cities that have employed this technology.

This guidebook aims to fill that gap, detailing the results of an in-depth qualitative data collection effort to examine and synthesize the experiences of three large urban cities that have invested in public surveillance systems in recent years. It serves as a companion document to an evaluation of the impact of public surveillance cameras in three cities that found that cameras can have a significant and cost-effective impact on crime. While cameras hold promise as an effective crime prevention tool, however, it is important to note that their impact is not a given, and varies considerably based on where cameras are located and the degree to which they are monitored and integrated into other law enforcement activities. This report is therefore designed to guide city administrators, law enforcement agencies, and their municipal partners in making decisions regarding their public surveillance systems in a manner that will yield the greatest intended impact. The guidebook answers many of the important questions that arise when implementing or expanding a public surveillance system. It details the various aspects of a system that are integral in realizing a cost-beneficial impact on crime, including budgetary considerations, camera types and locations, how best to monitor cameras, and the role that video footage plays in investigations and prosecutions. This publication also highlights the most prominent lessons learned in an effort to guide both city administrators and jurisdictions that are currently investing in cameras for public safety purposes, as well as inform those that are contemplating doing so.

The 2013 Data Breach Investigations Report

April 24, 2013

The 2013 Data Breach Investigations Report
Source: Verizon

From press release:

The ‘Verizon 2013 Data Breach Investigations Report’ reveals that large-scale financial cybercrime and state-affiliated espionage dominated the security landscape in 2012. Taking the top spot for all breaches in the 2013 report is financially motivated cybercrime (75 percent), with state-affiliated espionage campaigns claiming the No. 2 spot (20 percent). Breaches in the No. 2 spot include cyberthreats aimed at stealing intellectual property — such as classified information, trade secrets and technical resources — to further national and economic interests.

The 2013 DBIR also found that the proportion of incidents involving hacktivists — who act out of ideological motivations or even just for fun — held steady; but the amount of data stolen decreased, as many hacktivists shifted to other methods such as distributed denial of service (DDoS) attacks. These attacks, aimed at paralyzing or disrupting systems, also have significant costs because they impair business and operations.

The Dangers of Surveillance

April 3, 2013

The Dangers of Surveillance

Source: Harvard Law Review (via SSRN)

From the Fourth Amendment to George Orwell’s Nineteen Eighty-Four, our law and literature are full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don’t really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with “privacy,” we lack an understanding of what “privacy” means in this context, and why it matters. Developments in government and corporate practices, however, have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance.

This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of “surveillance studies,” I explain what those harms are and why they matter. At the level of theory, I explain when surveillance is particularly dangerous, and when it is not. Surveillance is harmful because it can chill the exercise of our civil liberties, especially our intellectual privacy. It also gives the watcher power over the watched, creating the risk of a variety of other harms, such as discrimination, coercion, and the threat of selective enforcement, where critics of the government can be prosecuted or blackmailed for wrongdoing unrelated to the purpose of the surveillance.

At a practical level, I propose a set of four principles that should guide the future development of surveillance law, allowing for a more appropriate balance between the costs and benefits of government surveillance. First, we must recognize that surveillance transcends the public-private divide. Even if we are ultimately more concerned with government surveillance, any solution must grapple with the complex relationships between government and corporate watchers. Second, we must recognize that secret surveillance is illegitimate, and prohibit the creation of any domestic surveillance programs whose existence is secret. Third, we should recognize that total surveillance is illegitimate and reject the idea that it is acceptable for the government to record all Internet activity without authorization. Fourth, we must recognize that surveillance is harmful. Surveillance menaces intellectual privacy and increases the risk of blackmail, coercion, and discrimination; accordingly, we must recognize surveillance as a harm in constitutional standing doctrine.

CRS — Cloud Computing: Constitutional and Statutory Privacy Protections

April 1, 2013

Cloud Computing: Constitutional and Statutory Privacy Protections (PDF)

Source: Congressional Research Service (via Federation of American Scientists)

Cloud computing is fast becoming an integral part of how we communicate with one another, buy music, share photos, conduct business, pay our bills, shop, and bank. Many of the activities that once occurred solely in the physical world, including communications with one another, are increasingly moving to the digital world. What was once a letter to a friend is now a Facebook message; a call to a loved one is now a Skype chat; a private meeting with a business partner is now a video conference call. In short, the cloud is revolutionizing not only how we compute, but also how we live. Where individuals once locked personal or business papers solely in a desk drawer or filing cabinet, they now also store them on someone else’s computer.

In short, cloud computing is a web-based service that allows users to access anything from e-mail to social media on a third-party computer. For instance, Gmail and Yahoo are cloud-based email services that allow users to access and store emails that are saved on each respective service’s computer, rather than on the individual’s computer. As more communications are facilitated through these cloud-based programs, it is no surprise that government and law enforcement would seek to access this stored information to conduct criminal investigations, prevent cyber threats, and thwart terrorist attacks, among other purposes. This prompts the following questions: (1) What legal protections are in place for information shared and stored in the cloud? (2) What legal process must the government follow to obtain this information? and (3) How do these rules differ from those applied in the physical world?

Protections of communications in the physical world flow from the Fourth Amendment and various federal statutes such as the Electronic Communications Privacy Act of 1986 (ECPA), which includes the Stored Communications Act (SCA). Under the Fourth Amendment, government officials are generally prohibited from accessing an individual’s communication, such as tapping into a telephone call or opening a postal letter, without first obtaining judicial approval. In the digital world, courts have by and large required law enforcement to acquire a warrant before accessing the contents of electronic communications, but have permitted law enforcement to access non-content information such as routing data with lesser process. These cases do not seem to distinguish between cloud-based and traditional forms of Internet services.

Federal courts have applied the SCA to various electronic communications including e-mails, messages sent on social networking sites like Facebook and MySpace, and movies posted on video-sharing sites like YouTube. The process for obtaining these communications under the SCA depends on how long the information has been stored with the service provider and how the provider is classified under the SCA. The relatively few cases dealing with cloud computing have required lesser legal process for accessing electronic communications sent via cloud-based services than traditional forms of Internet computing.

In light of this rapidly changing technology, there have been several legislative proposals to augment the Fourth Amendment’s protections for digital communications and update existing statutory protections like the SCA for information shared and stored in the cloud.

FTC Releases Top 10 Complaint Categories for 2012

March 28, 2013

FTC Releases Top 10 Complaint Categories for 2012

Source: Federal Trade Commission

Identity theft is once more the top complaint received by the Federal Trade Commission, which has released its 2012 annual report of complaints. 2012 marks the first year in which the FTC received more than 2 million complaints overall, and 369,132, or 18 percent, were related to identity theft. Of those, more than 43 percent related to tax- or wage-related fraud.

The report gives national data, as well as a state-by-state accounting of top complaint categories and a listing of the metropolitan areas that generated the most complaints. This includes the top 50 metropolitan areas for both fraud complaints and identity theft complaints.

The remainder of complaint categories making up the top 10 are:

Category                             Complaints   Share of total
Debt collection                         199,721   10 percent
Banks and Lenders                       132,340   6 percent
Shop-at-Home and Catalog Sales          115,184   6 percent
Prizes, Sweepstakes and Lotteries        98,479   5 percent
Impostor Scams                           82,896   4 percent
Internet Services                        81,438   4 percent
Auto-Related Complaints                  78,062   4 percent
Telephone and Mobile Services            76,783   4 percent
Credit Cards                             51,550   3 percent

New From the GAO

March 15, 2013

New GAO Reports

Source: Government Accountability Office

DEPARTMENT OF ENERGY
Status of Loan Programs
GAO-13-331R, Mar 15, 2013

HOUSING AND URBAN DEVELOPMENT
Strategic Human Capital and Workforce Planning Should be an Ongoing Priority
GAO-13-282, Mar 15, 2013

INFORMATION SECURITY
IRS Has Improved Controls but Needs to Resolve Weaknesses
GAO-13-350, Mar 15, 2013

MEDICAID
Additional Enrollment and Expenditure Data for the Transitional Medical Assistance Program
GAO-13-454R, Mar 15, 2013

CRS — The Freedom of Information Act (FOIA): Background and Policy Options for the 113th Congress

March 15, 2013

The Freedom of Information Act (FOIA): Background and Policy Options for the 113th Congress (PDF)

Source: Congressional Research Service (via Federation of American Scientists)

The Freedom of Information Act (FOIA; 5 U.S.C. § 552) allows any person—individual or corporate, citizen or not—to request and obtain, without explanation or justification, existing, identifiable, and unpublished agency records on any topic. Pursuant to FOIA, the public has presumptive access to agency records unless the material falls within any of FOIA’s nine categories of exception. Disputes over the release of records requested pursuant to FOIA can be appealed administratively, resolved through mediation, or heard in court.

FOIA is a tool of inquiry and information gathering for various sectors—including the media, businesses, scholars, attorneys, consumers, and activists. Agency responses to FOIA requests may involve a few sheets of paper, several linear feet of records, or information in an electronic format. Assembling responses requires staff time to search for records and make duplicates, among other resource commitments. Agency information management professionals are responsible for efficiently and economically responding to, or denying, FOIA requests.

FOIA was enacted in 1966, after 11 years of legislative development in the House, and nearly six years of consideration in the Senate. The perception that agencies were not properly implementing FOIA has resulted in amendments in 1974, 1976, 1986, 1996, 2007, and 2010. Among the requirements in the OPEN Government Act of 2007 (P.L. 110-175), was the creation of an Office of Government Information Services (OGIS) within the National Archives and Records Administration (NARA). The office was established to review FOIA and its implementation, recommend ways to improve the statute and how agencies interpret it, and offer mediation services between requesters and agencies as an alternative to litigation.

In FY2011, the Department of Justice (DOJ) annual summary of agencies’ FOIA administrative statistics found the federal government received the highest volume of requests in FOIA’s history: 644,165 FOIA requests. Requests increased by 46,750 compared to FY2010 (a 7.8% increase).

DHS received more requests than any other agency with 175,656 requests in FY2011 (27.3% of all FOIA requests). DHS requests increased by 45,558, making it largely responsible for the 7.8% increase. The U.S. Citizenship and Immigration Service within DHS received 24,042 more requests in FY2011 than in FY2010 (a 26.3% increase). U.S. Customs and Border Patrol, also within DHS, saw a 13,159 request increase in that same year (a 69.4% increase). It is not clear what prompted the increase in requests. In contrast, the Department of State saw a 15,908 (52.3%) reduction in the number of FOIA requests it received in FY2011.

The 113th Congress may have an interest in ensuring that federal agencies are properly administering FOIA. Additionally, Congress may have an interest in determining whether the executive branch should be releasing certain controversial records, including photographs related to the death of Osama Bin Laden, or visitor logs at the White House.

This report provides background on FOIA, discusses the categories of records FOIA exempts from public release, and analyzes statistics on FOIA administration. The report also provides background on several legal and policy issues related to FOIA, including the release of controversial records, the growth in use of certain FOIA exemptions, and the adoption of new technologies to improve FOIA administration. The report concludes with an examination of potential FOIA-related policy options for Congress.

Protecting Patient Privacy and Data Security

March 14, 2013

Protecting Patient Privacy and Data Security

Source: New England Journal of Medicine

On December 4, 2012, two Australian radio DJs called London’s King Edward VII’s Hospital, identified themselves, in fake British accents, as Queen Elizabeth and Prince Charles, and asked about a celebrity patient who had been admitted for pregnancy complications. A nurse, filling in at the reception desk in the early morning hours, answered the phone and, without attempting to verify the callers’ identities, transferred them to the duty nurse caring for the Duchess of Cambridge. The duty nurse then provided them with confidential patient information. The Australian DJs broadcast the phone call, considering it a humorous prank, but as the world knows, it had disastrous consequences.

How confident are U.S. hospitals, nursing homes, and physicians’ offices that their staff would appropriately deny patient information to an unknown caller?

FTC Staff Report Examines Growing Use of Mobile Payments

March 13, 2013

FTC Staff Report Examines Growing Use of Mobile Payments
Source: Federal Trade Commission

As part of its efforts to ensure that consumers are protected in the growing mobile marketplace, the Federal Trade Commission issued a staff report today highlighting key issues facing consumers and companies as they adopt mobile payment services. The report, titled “Paper, Plastic… or Mobile? An FTC Workshop on Mobile Payments,” is based on a workshop held by the Commission in 2012 to examine these issues.

The mobile payments arena is growing quickly, and the report notes that mobile payment systems can provide innovative and convenient options for consumers. But the report also notes three major areas of potential concern for consumers.

First, the report encourages companies to develop clear policies on how consumers can resolve disputes arising from a fraudulent mobile payment or an unauthorized charge.

Consumers fund mobile purchases using a variety of sources, from credit cards to prepaid debit cards to charges placed on their mobile phone bills. Under current regulations, each of these funding methods has a different process for consumers to dispute unauthorized charges, with varying levels of consumer protection. This creates a potentially confusing landscape for consumers trying to decide which mobile payment system to use and how to fund these payments, the report notes.

The report also highlights the growing problem of mobile “cramming,” which occurs when third parties place unauthorized charges onto consumers’ mobile phone bills. The Commission discussed this issue in its previous comment to the Federal Communications Commission, and the FTC staff has announced a mobile cramming roundtable to be held in May.

Second, the report encourages industry-wide adoption of strong measures to ensure security throughout the mobile payment process. The report addresses ways sensitive financial information can be kept secure during the mobile payment process, such as through end-to-end encryption. The possibilities for encryption listed in the report cover everything from the authentication of data during the transaction to the secure storage of information on a mobile device.

Third, the report highlights the need for companies in the mobile payment sphere to practice “privacy by design,” incorporating strong privacy practices, consumer choice, and transparency into their products from the outset. Doing so, the report notes, increases the likelihood of consumer trust in the mobile payment process.

Silent Listeners: The Evolution of Privacy and Disclosure on Facebook

March 6, 2013 Comments off

Silent Listeners: The Evolution of Privacy and Disclosure on Facebook
Source: Journal of Privacy and Confidentiality

Over the past decade, social network sites have experienced dramatic growth in popularity, reaching most demographics and providing new opportunities for interaction and socialization. Through this growth, users have been challenged to manage novel privacy concerns and balance nuanced trade-offs between disclosing and withholding personal information. To date, however, no study has documented how privacy and disclosure evolved on social network sites over an extended period of time. In this manuscript we use profile data from a longitudinal panel of 5,076 Facebook users to understand how their privacy and disclosure behavior changed between 2005—the early days of the network—and 2011. Our analysis highlights three contrasting trends. First, over time Facebook users in our dataset exhibited increasingly privacy-seeking behavior, progressively decreasing the amount of personal data shared publicly with unconnected profiles in the same network. However, and second, changes implemented by Facebook near the end of the period of time under our observation arrested or in some cases inverted that trend. Third, the amount and scope of personal information that Facebook users revealed privately to other connected profiles actually increased over time—and because of that, so did disclosures to “silent listeners” on the network: Facebook itself, third-party apps, and (indirectly) advertisers. These findings highlight the tension between privacy choices as expressions of individual subjective preferences, and the role of the environment in shaping those choices.

Hat tip: PW

New From the GAO

February 22, 2013 Comments off

New From the GAO

February 1, 2013 Comments off

New GAO Report

Source: Government Accountability Office

INFORMATION SECURITY
Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project
GAO-13-155, Jan 25, 2013
