
Category: Privacy (ID Theft)


Privacy on the Road

From the New York Times, a nice little piece about privacy (or lack thereof) on the road:

Using a public computer can also mean courting trouble, because data viewed while surfing the Web, printing a document or opening an e-mail attachment is generally stored on the computer — meaning it could be accessible to the next person who sits down. (To remove traces of your work, delete any documents you have viewed, clear the browser cache and the history file and empty the trash before you walk away.)

“You also run the risk that somebody has loaded a program on there that can capture your log-ins and passwords,” Mr. Louderback said, recalling an incident a few years ago when a Queens resident was caught installing this type of “key logger” software on computers at several Kinko’s locations in New York.

As the article points out, it’s a scary, scary world out there. Public computers can be searched for passwords or equipped with malicious keyloggers. Wireless hot spots can be raided with packet sniffers. There are software solutions for getting around these, but the easiest solution is also the safest:

Absolutely never check your bank account on a public computer. And be careful about checking it on a wireless hotspot.

One thing the article lacked was a real discussion of how prevalent this kind of identity theft is. What are the statistics on this kind of thing, Dan? How much identity theft (or for that matter, data theft) comes out of these kinds of interactions – do we have any ideas?


The Ten Greatest Privacy Disasters

Wired News lists what it considers to be the 10 greatest privacy disasters:

10. ChoicePoint data spill

9. VA laptop theft

8. CardSystems hacked

7. Discovery of data on used hard drives for sale

6. Philip Agee’s revenge

5. Amy Boyer’s murder

4. Testing CAPPS II

3. COINTELPRO

2. AT&T lets the NSA listen to all phone calls

1. The creation of the Social Security Number

See the Wired article for its explanations. It’s a good list, but there are a few problems. Although we still don’t know all the details of the NSA surveillance program, it’s not worse than COINTELPRO, which involved massive surveillance of a wide range of groups, the wiretapping of Martin Luther King, Jr., attempts to blackmail King, and more. The Social Security Number has indeed led to a ton of problems, but the fault doesn’t lie with its creation. Rather, the problem is mostly the expanding use of the number and the failure of the government to rein in government agencies and business from using it. CAPPS II, while flawed in its conception, should not be so high on the list.

Some notable omissions: Where’s Total Information Awareness? What about Olmstead v. United States, 277 U.S. 438 (1928), where the Supreme Court held that the Fourth Amendment didn’t regulate wiretapping? Olmstead led to nearly 40 years of extensive abuses of wiretapping before it was overruled. There are countless other Supreme Court 4th Amendment cases that could arguably be listed, but I’d definitely include Miller v. United States, 425 U.S. 435 (1976), which created the third party doctrine which holds that the Fourth Amendment does not apply to personal records possessed by third parties. Another possible inclusion: The birth of J. Edgar Hoover.

Hat Tip: Bruce Schneier


Privacy, Information, and Technology

My new casebook, PRIVACY, INFORMATION, AND TECHNOLOGY (ISBN: 0735562548) (with Marc Rotenberg & Paul M. Schwartz) is now hot off the presses from Aspen Publishers. It is an abridged version (300 pages) of our regular casebook, INFORMATION PRIVACY LAW (2d ed.), which is about 1000 pages in length.

Privacy, Information, and Technology is designed as a supplement to courses and seminars in technology law, information law, and cyberlaw. It will provide between 2-4 weeks of coverage of information privacy issues pertaining to technology, government surveillance, databases, consumer privacy, and government records.

More information about the book is here. If you’re interested in getting a review copy of the book, please send an email to Daniel Eckroad.

The book will sell for $35 and can be purchased on Aspen’s website.

The book consists of four chapters. Chapter 1 contains an overview of information privacy law, its origins, and philosophical readings about privacy. Chapter 2 covers issues involving law enforcement, technology, and surveillance. Chapter 3 focuses on government records, databases, and identification. Chapter 4 covers business records, financial information, identity theft, privacy policies, anonymity, data mining, and government access to private sector data.

The full table of contents is available here.


Data Security Laws, the States, and Federalism

Remember well over a year ago, when last February ChoicePoint announced it had a major data security breach? Since then hundreds of breaches have been announced — over 200 instances involving data on 88 million people. Several bills were proposed in Congress; many Senators and Representatives quickly emphasized the importance of privacy and data security. And after all this time, what has Congress produced? Nothing.

Meanwhile, the states have been very busy. 31 states have passed data breach notification laws. 24 states have now passed credit freeze laws, which allow people to lock their credit files to prevent unauthorized activity.

The stateline.org website has a terrific chart of the states that have enacted data security laws, which is below in smaller form. Visit the stateline website for a larger view.

[Chart: state data security breach laws, from stateline.org]

I never used to be a fan of federalism, but in following information privacy law, I’ve found that the states are by far more responsive to problems, more flexible and experimental in solutions, and more able to get things accomplished. Substantively, the states have also established a better balance between privacy and business interests than Congress.

The bills kicking around in Congress would preempt many of the state laws discussed above. Ironically, that is what might make Congress finally do something in response to the data security breaches. Companies afraid of an orgy of state laws are pushing Congress to act — not to protect privacy, but to wipe the board clean of state regulation and replace it with a weaker less-protective federal standard all in the guise of helping to “protect” our privacy.



Panic! More Private Data Lost

The Birmingham News reported, yesterday, that a computer with private employee data from supermarket chain Bruno’s was lost. An employee with Deloitte put his notebook in checked baggage at the airport. Naturally, it did not reappear on the baggage belt. (The story does not clarify whether the bag didn’t appear, or whether the bag arrived sans laptop.) Apparently the folks at Royal Ahold (the owner of Bruno’s) have ongoing problems in this regard. Last May, another Ahold supplier lost a computer containing private employee data. Nobody thinks this is a good thing, but is it really newsworthy?

We have seen several stories, recently, about lost or stolen laptops containing troves of private data. These incidents do introduce a risk that the data will be converted to improper uses – most obviously identity fraud – but I suspect that, in most cases, the ultimate recipient of the computer was seeking, well, a computer. In any case, one thing is clear: the media like to find stories that fit into existing news frames. In particular, they like to find stories that fit with growing social anxieties. Thus, a few years back, a couple of drivers went nuts on the road, taking shots at drivers in other cars. Some savvy writer coined the term “road rage”. Suddenly, aggressive acts by drivers – even those that would have been too mundane to report – became newsworthy as proof of surging “road rage.”

So it is, I fear, with misplaced computers containing private data. The good news for Bruno’s employees is that, given baggage handling norms, the computer is likely inoperable. And even if it does work, it’s probable that the thief – if there be one – simply wanted some additional computing power. On the other hand, maybe that notebook is for sale this very day at the nation’s lost baggage depot – The Unclaimed Baggage Center – in Scottsboro, Alabama. If so, identity thieves would be advised to hustle on down before a local farmer buys the unit and accidentally erases pages of highly valuable private information.


Some Interesting Facts About Identity Theft

Today’s Washington Post contains an interesting article about identity theft. Some identity thieves enlist unwitting employees of financial institutions into supplying them with personal information:

An identity-theft ringleader, also known as the “concierge,” recruits an “insider” to steal personal information from work, data that can be used to make bogus credit cards with real names and account numbers.

Often the “insider” is a lonely woman who falls in love with the concierge after he sidles up to her in a bar, orders her a drink, and discovers that she works for a bank or insurance company — at which point he escalates his wooing. After a while, he persuades her to leak him some customer data because he’s “short on cash.” . . .

The concierge then turns that information into cash using various schemes. One involves giving the customer names and numbers to someone who uses machinery in his basement to churn out phony credit cards and IDs — documents that might not fool a cop but do get past many store clerks. Or the ringleader may use the information to open new credit accounts in the names of unsuspecting victims.

Next, he rents a van in someone else’s name, rounds up a bunch of drug addicts, and gives each a bogus credit card and a shopping list, Goldberg said. Dumped at a suburban mall, they make their purchases and return with hot merchandise.

Then they are driven to another mall in a nearby county, where they are sent shopping again. Purchases are kept under $200 and repeated in different counties to keep the dollar value of individual merchant losses below the radar of police agencies. . . .

Another interesting part of the article discusses how drug dealers are increasingly turning to identity theft:

“What I am finding is these people are in fact retired drug dealers who are sick of getting shot at and arrested,” [Richard] Goldberg [a prosecutor in the U.S. Attorney's office in the Eastern District of Pennsylvania] said at the summit, which drew thousands of security professionals to Washington for four days.

These days, identity theft is almost as lucrative as drug dealing — but safer.

A stolen credit card number can sell for $100 to $1,000 on the black market, Goldberg said, depending on whether it includes the expiration date and other security codes, plus background on its owner.

Perhaps we should be pleased that the federal government is inept at addressing the identity theft problem . . . finally, a way to get drug dealers off the streets. . . .


More Data Lost: 1.3 Million Student Loan Recipients

From CNET:

About 1.3 million customers of a Texas provider of student loans are at risk of ID fraud, after a contractor lost computer equipment with sensitive information on them.

The equipment, which was not identified, contains the names and Social Security numbers of the borrowers, the Texas Guaranteed Student Loan company said in a statement Tuesday. The hardware was lost by an employee of Hummingbird, an enterprise software company hired to prepare a document management system, it said.

This follows a similar pattern to the way that the Veteran’s Administration lost 26 million records — some employee takes home the data and it promptly gets lost or stolen. Security tip: Don’t let your employees go home with the data! The government seems to be able to figure this out when it comes to top secret information; companies have figured it out when it comes to trade secrets. But when it comes to personal data belonging to others, it seems as though employees can just waltz out the door with it.

Hat tip: Deven Desai


Private vs. Public Sector Responses to Data Security Breaches

I just blogged about the massive data security breach by the Veterans Administration, affecting 26.5 million veterans. Bob Sullivan has a terrific post comparing the government’s response to its data security breach to that of the businesses that have had such breaches in the past:

It’s become standard practice for data leakers to offer free credit monitoring to victims, so they are able to watch their credit reports daily for signs of misuse. The services are available from the credit bureaus, and cost about $10 a month. Corporations that leak data and foot the bill usually get big discounts.

So far, the vets haven’t been offered credit monitoring. Instead, the VA is reminding victims that they are entitled to a free copy of their credit report every year, and then basically wishing them good luck.

That’s insufficient. . . .

Meanwhile, a single peek at their credit report today would probably reveal very little. Fraudulent accounts can take weeks or months to appear, meaning it would be better to take that one peek in a month or two. But even that’s a tepid step at best to spy signs of identity theft after a data leak like this.

The only way to know something bad is happening to your credit is to look at it repeatedly, at about the same frequency that you look at your checking account statement. It’s hardly a perfect solution and doesn’t catch every instance of ID theft, but it’s a solid start. Credit monitoring services give consumers that kind of access. ChoicePoint, LexisNexis, and nearly all other commercial entities that have lost data have offered credit monitoring to victims for 3, 6, even 12 months.

The VA should do the same. Anything less is neglectful.

Bob Sullivan is exactly right. More at Sullivan’s excellent post.


The Government’s Data Security Breach and “Data Neutralization”

The AP reports an enormous breach of data security by the government:

Thieves took sensitive personal information on 26.5 million U.S. veterans, including Social Security numbers and birth dates, after a Veterans Affairs employee improperly brought the material home, the government said Monday.

The information involved mainly those veterans who served and have been discharged since 1975, said VA Secretary Jim Nicholson. Data of veterans discharged before 1975 who submitted claims to the agency may have been included.

This data breach is one of the largest ever. There are several points worth mentioning about this fiasco:

1. The government can be just as careless with people’s personal data as businesses and other organizations, which last year revealed data security breaches affecting millions of Americans — over 50 million according to one tally.

2. Keeping massive quantities of personal data creates risks to individuals. People must depend upon those keeping their data to maintain good security practices. This is one reason why, whenever the government collects data about people, we should be concerned.

3. Many data breaches are low-tech and are due to just a few irresponsible individuals or bad apples. Often, all it takes is for one dishonest or careless employee to breach security. In this instance, an employee took the data home, something that the employee wasn’t supposed to do. But why weren’t there better limits in place at Veterans Affairs? It is amazing that an employee can just walk out with personal data on 26.5 million people. Shouldn’t procedures be in place to prevent such things from happening?

4. Congress should look into legislation to neutralize the damage that all the leaked data can cause to people. Many of the laws addressing data security breaches focus on notifying people about breaches and on limiting such breaches. That’s all well and good, but more needs to be done. We need a “data neutralization” law. By “data neutralization,” I mean neutralizing certain pieces of personal information to reduce the potential damage that can be caused when such information is leaked. Leaked Social Security numbers and other identifying information wouldn’t cause so much trouble if the government restricted businesses and other organizations from using them as passwords to gain access to accounts or to verify identity. If these practices are stopped, the leaking of a Social Security number becomes much less harmful.



New Casebook (Privacy, Information, and Technology)

Apologies for the self-promotion, but in time for this fall semester, Paul Schwartz, Marc Rotenberg, and I will be publishing a short paperback casebook of about 300 pages entitled PRIVACY, INFORMATION, AND TECHNOLOGY (Aspen Publishers, forthcoming mid-July 2006), ISBN: 0735562548.

This book is intended to be an inexpensive volume that adapts the cyberspace and technology materials from our full-length casebook, INFORMATION PRIVACY LAW (Aspen Publishers, 2d ed. 2006). The full-length casebook is about 1000 pages; the shorter paperback book is a more streamlined volume of about 300 pages, focusing exclusively on cyberspace, databases, and technology. Aspen informs me that this shorter paperback adaptation will probably sell at a price between $30 and $35.

The book might be useful as a supplement for cyberlaw or information law courses for instructors who want in-depth coverage of information privacy issues for between 2 to 5 weeks.

More information about the book is here. If you’re interested in getting on the list to obtain a review copy of the book (available in mid-July), please send an email to Daniel Eckroad.

The table of contents is available here. A summary of the book’s contents is after the fold.
