Archive for the 'Uncategorized' Category

Monday, December 11th, 2006

Veterans Affairs CIO: We’re more secure. Citing the data breach last May as “a real eye-opener,” the CIO of the U.S. Department of Veterans Affairs said the agency has reorganized its IT group and improved cybersecurity. [Computerworld Privacy News]

Monday, December 11th, 2006

E-Gold Gets Tough on Crime. Weary of being called a haven for money launderers and crooks, the PayPal competitor gets cozy with law enforcement and locks down suspicious accounts. If you’ve sent $17,000 to the Ukraine “for beer,” you may be banned. By Kim Zetter. [Wired News: Security Blanket]

Monday, December 11th, 2006

Information Security as a Business Practice. This paper, written by John Enamait, addresses the role information security plays in an organization with discussions around structure and best practices. By John Enamait. [Infosec Writers Latest Security Papers]

Monday, December 11th, 2006

Market Research Company Secretly Installs Spyware. An anonymous reader writes “Forbes reports that two security experts are raising new questions about comScore, claiming that company’s tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co.” From the article: “‘[The] software is sneaking onto users’ computers without the user agreeing to receive it,’ says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall.” [Slashdot: Your Rights Online]

Monday, December 11th, 2006

RIAA Wants Artist Royalties Lowered. laughingcoyote writes “The RIAA has asked the panel of federal government Copyright Royalty Judges to lower royalties paid to publishers and songwriters. They’re specifically after digital recordings, and uses like cell phone ringtones. They say that the rates (which were placed in 1981) don’t apply the same way to new technologies.” From the article: “According to The Hollywood Reporter, the RIAA maintains that in the modern period when piracy began devastating the record industry profits to publishers from sales of ringtones and other ‘innovative services’ grew dramatically. Record industry executives believe this to be cause to advocate reducing the royalties paid to the artists who wrote the original music.” [Slashdot: Your Rights Online]

Monday, December 11th, 2006

E-Voting Whistleblower Deserves Medal, Gets Punished.

The need for e-voting reform is now widely-recognized, as this Friday’s front page story in the New York Times demonstrates. Along with many other people deserving credit for bringing this issue to the fore, you’d think that whistleblowers like Stephen Heller would be unanimously celebrated. Unfortunately, you’d be mistaken.

In 2004, Heller leaked documents showing that Diebold Election Systems used uncertified software in California elections even though it knew that doing so was likely illegal. The documents outraged voters and spurred instant media coverage for an issue that, at that time, was largely ignored. For defending Californians’ fundamental right to vote, Heller deserves a medal from the state.

Instead, Heller has been facing criminal charges and threats by Diebold’s lawyers to sue him for multimillion dollar damages. Last month, Heller accepted a plea agreement of three years probation and a $10,000 payment to lawyers at Jones Day.

This sad outcome could only be made worse if Heller’s virtuous aims remain unfulfilled and votes continue to be cast on flawed machines. EFF is pushing for voting reform around the country, including in our recent lawsuit in Sarasota, Florida. You can support reform, too, by writing to your representatives through our Action Center.

[EFF: Deep Links]

Monday, December 11th, 2006

Chertoff Shocked(!) at Privacy Uproar Over “Targeting” System.

In a fascinating article by Shane Harris in the National Journal, Homeland Security Secretary Michael Chertoff professes great surprise at the public uproar over the Automated Targeting System (ATS). He claims that he has discussed the “collection” and “analysis” of personal data — including airline Passenger Name Records (PNR) — “incessantly.” The Secretary says that critics of the system — which assigns “risk assessment” scores to all travelers, including U.S. citizens, and retains them for 40 years — just haven’t been paying attention:

“Yeah, they missed about 100 speeches that I gave,” an exasperated Chertoff told National Journal on December 5. “I’ve talked about… PNR data and biographic data and using it to analyze and connect the dots about people before they come into the country; I have to have given at least 20 speeches about it.”

Well, many of us have paid attention, and despite our best efforts, we’ve been unable to learn much about Homeland Security’s collection and use of personal data.

[EFF: Deep Links]

Monday, December 11th, 2006

“I’ve talked about the collection of this data and the analysis of this
data incessantly,” Chertoff said in an interview this week at his
office. By “this data,” Chertoff means the international passenger name
records (PNRs) that airlines give to Homeland Security screeners. Each
PNR contains basics such as a passenger’s name, address, and seat
assignment, but also details how the ticket was paid, whom the person
is traveling with, and what telephone number the passenger used to book
the reservation.

The screeners analyze PNRs, including those of American
citizens traveling abroad, as well as passport information, to see if
anyone can be connected to a terrorist. But in the past two months,
nearly 50 organizations and individuals have contacted the department
to express varying degrees of concern and outrage over the computer
program that actually performs this analysis: the Automated Targeting
System. That’s because, in addition to crunching data, ATS tags every
international traveler with a “risk assessment,” which security
officers use when deciding whether to interrogate passengers or to keep
them from flying. Once generated, those assessments may stay locked in
ATS for as long as 40 years, and it is unlikely that passengers could
ever know precisely what their risk rating is and how it was
calculated.

This is news to just about every major privacy and
civil-liberties watchdog in the country; they thought that Homeland
Security officials only wanted to use passenger data to target
terrorists and assign risk ratings but had refrained from actually
doing so. They believed that ATS was being used only to identify risky
cargo aboard ships. So, did the watchdogs miss something?

Monday, December 11th, 2006

How Pop-Ups Could Brand You a Pervert or Crook.

Greetings. A New York Times article today explores the problem of Web-based “pop-up” ads being used to artificially inflate Web traffic.

I’d like to point out a potentially much more serious problem
related to pop-ups that can access arbitrary Web sites — they could be
used for purposes that could get innocent Web users into major legal
problems.

The issue of sites triggering unsolicited access to other sites is not new. In a message over a year ago (“Google’s new feature creates another user privacy problem”),
I discussed how Google’s triggering of top item “prefetch” in returned
search results could result in Firefox browsers visiting the referenced
site — and collecting any associated cookies — without users’
knowledge (I also suggested ways to prevent this behavior).

The essential problem is that Web logs that record users’ access to
sites would record such visits as if they had been voluntarily
initiated by those users. If those destinations happen to be sites with
various forms of “illicit” materials that could be the subject of
government or other investigations that would go digging through
associated access logs… well, you can imagine the possible
complications.

Google’s prefetch behavior is an example of a well-intended feature with unfortunate negative side-effects.

On the other hand, the sorts of nefarious pop-ups described in the
NYT piece have much greater potential for intentionally serious sorts
of damage, since they can be far more flexible and directed than simple
Web prefetches, and so could put innocent consumers at even greater
risk. They might not only access pages that could get people arrested
(perhaps c-porn?), but also download files that could trigger RIAA
and/or MPAA “automatic” lawsuits, or any number of other nightmare
scenarios.

It’s fair to ask why anyone might want to set loose such technical
monsters on innocent victims. The simple answer is that there are quite
a few people out there who just want to score a point — to prove that
they can do it — plus of course the sick minds who enjoy watching
other people suffer.

[Lauren Weinstein’s Blog]

Monday, December 11th, 2006

In late May, more than five million Web users vanished.


Benjamin Edelman, a doctoral candidate at Harvard who has built a database to track pop-ups.

The disappearing act came when Nielsen/NetRatings, a leading company in measuring Internet traffic, sharply cut its previously reported statistics for the financial Web site Entrepreneur.com to 2 million unique visitors in April, from 7.6 million.

Why the change? For millions of Web surfers, Entrepreneur.com visited them – and not the other way around, the measurement company said.

As computer users visited other sites, new browser windows popped up containing articles from Entrepreneur.com, according to Scott Ross, senior product manager for Nielsen/NetRatings.