CompuBlab

If it's computer related, we'll blab about it!

Category: Privacy

SOPA and PIPA – The Battle is Far From Over

Greetings all!

It is hard to believe how much time has passed since I last posted on the blog. A string of illnesses in our family had us all gasping for air (and antibiotics) for a quite a while. Fortunately, we are all back on our feet and up and at’em once more!

During that brief hiatus, two not-so-little bills made their way through the US Senate and the US House of Representatives. You may have heard about them. One was called SOPA (Stop Online Piracy Act) while the other was called PIPA (Protect Intellectual Property Act). Both laws were, on the surface, designed to help law enforcement officials combat piracy of digital products overseas. The problem with these laws was that they were so broad, they could (and would) have been used (more like “abused”) to disrupt sites acting legally within the United States.

There is a lot that can be said about these two laws, but I found the best introduction to the issue was given by the talented folks over at the Khan Academy. I am including that roughly 11 minute video in this post for your viewing pleasure.

The only point I want to make here and now is that as you watch the video, keep in mind that the SOPA/PIPA issue is anything but over. Lawmakers were surprised at the amount of backlash that was generated from those laws and now they will regroup before trying to put such legislation through the system a second time. Since this topic *will* come up again, it behooves you, a consumer of digital and online products, to understand at least in general what the big flap was all about.

Yes, laws to combat the theft of intellectual property are needed, but we must as consumers make certain that the laws that are crafted make sense, and do not go beyond the mark of what they are supposed to do.

Give the video a look, and draw your own conclusions.

Facebook & FTC Settle on Privacy Issues

Some very good news recently regarding Facebook and their long standing issues with violating people’s privacy. The news is reporting that the FTC and Facebook have come to a settlement regarding Facebook’s disregard for people’s private information (see the article referenced here).

If you are a user of Facebook, privacy has always been an issue. For my part, I am amazed at the amount of personal information people post on Facebook. Even information that could help someone steal a person’s identity (your birthdate, for example). Yet even with people being seemingly unaware of how much information they were giving out, Facebook made itself a lot of enemies over the last few years by revamping their privacy settings for users.

In perhaps the most egregious violation of basic information privacy, on more than one occasion Facebook has made changes to the settings screens that relate to privacy of your data. This in and of itself isn’t bad. What *is* bad is that Facebook defaulted your privacy settings to be “let the whole world see this”…even when it involved data you had previously indicated was not to be shared. In addition, Facebook did what so many companies do today…promised they would not share your personal information with advertisers…and then did so anyway. Of course they did…it was all about the money. Your personal information is valuable to marketing companies, more so now that advanced data mining and analysis techniques have become so powerful.

I recall reading a study a few years ago about privacy statements for different companies. A cursory examination showed that the vast majority of companies simply ignore their privacy statements. Your data is shared with whomever will pay for it. Is this a surprise? Not to me. Corporations are not known for their morals and ethics (though there are some notable welcome exceptions).

The settlement includes the promise by Facebook to make any and all changes in privacy settings be “opt-in” on the part of the user. That is, any changes to privacy settings must be approved by the user. This is great, but I am sad that it has taken two years to get Facebook to agree to do that which it should have done from the beginning.

The settlement also provides for Facebook to be audited for the next twenty years regarding privacy issues. Sadly, there was no information in the article I referenced regarding how this auditing was to take place (which is to say, is it “window dressing” or does the auditing provision have any real “teeth” to it).

There is more that the FTC needs to do to crack-down on such flagrant violations of your privacy, but at least this is a start. I *am* disappointed though that no financial penalty was imposed upon Facebook. Seeing as they profited from their unethical actions, I feel a financial penalty would have been in order.

Since that doesn’t seem to be in the cards, we will just have to hope that Facebook lives up to their word (which given their track record, is not something I would bet the farm on)…

Why Your Personal Information Is Not Safe

Of all the technology mis-information that is dispersed to the common public, the one that gets my blood burning faster than just about anything else is when some company representative insists that “your data is safe with us.”

Look folks, here’s the deal. Your data is just not all that safe. Not your personal information that could be used to steal your identity, nor your banking information, nor any other information you provide to anyone else online. If you doubt this at all, just look at the news over the last six to twelve months at all of the high-profile data thefts that have occurred. From banks to online gaming systems, your data is vulnerable and the bad guys want it.

And today we have a story in the news that shows you just WHY all of the fancy data protection measures that corporate executives and marketing VPs just LOVE to tout don’t add up to a hill of beans. You see, that protection often times is geared at preventing individuals outside the security system from accessing your data. That is a very good thing. But what about all of the people INSIDE the company security system (i.e. the employees and/or contractors)? How well have they been screened? What if one of them decides to embark on a life of crime? What then?

Well, that’s EXACTLY what happened at the New Jersey Department of Motor Vehicles (DMV).

It seems that two enterprising employees of the New Jersey DMV decided to start selling people’s personal information to identity thieves. That is, names, birth dates, and social security numbers were sold for in some cases the rather paltry sum of $200. All the protections that the New Jersey DMV had in place were for naught because the people who stole the information were required to have access to that data as part of the normal course of their jobs (see the article referenced here).

Data security involves more than just encrypting people’s data and using passwords to control access. Something that company executives are getting an education in right now according to news reports.

As a side note, yes I do use online banking and what not…it is very difficult to avoid these days. However, there are smart ways to use such services, and also not-so-smart ways. Perhaps in the coming days I’ll provide some additional information on this point.

Misnamed Congressional Bill to Track Your Every Move on the Internet

I have noticed that when a major political topic is talked about in the news for some time (such as the debt crisis right now), some lawmakers see it as an opportunity to ram through legislation that any literate American would object too. Now they have done it again. Using a bill named Protecting Children from Internet Pornographer’s Act of 2011,  congress wants to force Internet Service Providers (ISP) to track your every move on the internet, and to keep such logs for at least 12 months (click here for the original story).

I personally cannot think of anyone who would be against a bill that was aimed at protecting children from internet pornography. However, to track every American’s move on the internet, including exposing their credit card numbers and bank account numbers, is going so far past the mark that it is even laughable that they might try to pull this one over on the American people.

Today, ISP’s already track enough information to match up a user with a temporarily assigned internet address, which is what law enforcement officials need when trying to track down someone on the internet who is trying to be anonymous. However, this new bill wants to FORCE the ISP’s to expose all of the following personal information into their logs:

  1. Name
  2. Address
  3. Phone number
  4. Credit Card Number
  5. Bank Account number
  6. Temporarily assigned network (IP) address
  7. EVERY site visited on the internet

The Electronic Frontier Foundation (EFF), a digitally focused civil liberties group, summed it up nicely as follows (click here for the complete EFF statement):

The data retention mandate in this bill would treat every Internet user like a criminal and threaten the online privacy and free speech rights of every American, as lawmakers on both sides of the aisle have recognized. Requiring Internet companies to redesign and reconfigure their systems to facilitate government surveillance of Americans’ expressive activities is simply un-American. Such a scheme would be as objectionable to our Founders as the requiring of licenses for printing presses or the banning of anonymous pamphlets.

One of the reasons I started this blog was to try to make available a layman’s description to those whose career were not in technology of issues that would effect them. I have found over the years that organizations, including governments, prey upon people’s lack of knowledge in order to manipulate them. I am very sorry to say that this is what is going on here.

Most ISP’s (this could be your cable company, AT&T UVerse, etc.) provide you with an internet connection that assigns a dynamic IP address, a network address that is not specific to you, but can change every time you log into the Internet (okay, so technically it is a bit more involved than that, but for the lay person the thing to understand is that your network address could change at nearly any moment). The difficulties that law enforcement officials have had in the past was trying to track down a specific individual’s actions on the Internet.

Let’s say that a person sends as threatening email to the President…which happens to be illegal. Law enforcement officials would want to know who it was that sent that message. With a network address that can change over time, it might be difficult to track down who it was. However, most (if not all) ISP’s keep a log of which network addresses are assigned to which of their customers at any given moment. This gives law enforcement officials the ability to back-track to a specific computer should they need to.

What ISP’s most often DO NOT DO is track/log EVERY SINGLE THING YOU DO ONLINE. There is no need for this with respect to law enforcement. At least none that anyone has been able to explain to me. I certainly invite law enforcement officials to make it clear to me as to why this information is insufficient for their needs.

If you are getting the technical gist but are not understanding the reason for my concern at this point, pick up a copy of George Orwell’s book entitled 1984.

 

Laptop Rental Company Takes Secret Pictures via the Web Cam

A somewhat sobering article appeared over on TechGoblin (click here to see the original story) regarding a Laptop Rental Company that installed software to take pictures using the computer’s built-in webcam and to transmit them back to the rental company. Of course, they never DISCLOSED this minor detail to their customers.

Now, I don’t know about you, but it seems to me that such behavior is well outside of what one would consider proper conduct with respect to a customer’s privacy. Apparently, a lot of customers agreed with my opinion as they opened up a class-action lawsuit against the company.

Well, the surprising part of this little story is that the judge recently decided not to issue an injunction against the laptop rental company (that is, the judge did not order them to stop). You’ll have to read the article yourself  (see the link to the original article I listed previously) to try to understand why it is the judge decided the way he did. I for one seem to have too much common sense to be able to understand the twisted nature of our legal system.

The best that I can come up with is that the judge did not necessarily disagree with the plaintiffs that what this laptop rental company was going was despicable, but that he was saying that the WAY the plaintiff’s attorney was trying to argue the case was not going to be very strong.

No matter what the reason, apparently the judge did not feel it necessary to put an end to this invasion of privacy.

Patient Records Online – A Really BAD Idea

Today I read in the British publication The Telegraph that a London hospital is making plans to move patient records “into the cloud” (which is to say, they wish to make the patient’s records available online). You can click here to see the Telegraph Article

Folks, this is as BAD an idea as I have seen since it was proposed that presidential elections in the United States should use online voting!

Why is this a bad idea? I can spell it out for you in one word: Security (as in “the lack of”).

If you have followed the news at all this year, the number of so-called “secure” systems whose data have been compromised is astounding:

And the list just keeps going on and on…

Folks, I’m going to give it to you straight. I am a computer scientist who holds both a Bachelors and a Master’s Degree in computer science and has over thirty years in the profession…and I will tell you that in the final analysis, your data online IS NOT SECURE!

Encryption, the scrambling of data that so many online databases tout as protecting your data, can be broken (and has been broken time and time again). Multiple method user identification (like the RSA Secure ID device) has been broken as well (see above). SSL certificates, the things that let you log into a website “securely” for things like online banking or making purchases, have been “forged” in the past. Passwords most certainly are not secure (so many can be simply “guessed” with just a little information about the account holder), and this is before we even BEGIN to factor in:

  • Unscrupulous employees of the companies that are supposed to be protecting your data (a.k.a. “inside jobs”)
  • Social Engineering – a con method of getting someone to reveal key information about their account so that a hacker can compromise their data
  • Human error where data is exposed to the public by programmer or administrative error rather than by being “hacked”

Given the list above (and this is just some of the more largely publicized break-ins), I don’t think you need to take my word for it. Read those articles and do some searching for yourself online. If your data online was that secure, then why are there so many break-ins being experienced by these so-called “secure” computer systems?

Now bringing it back to patient records online, Tony Lucas, the founder of Flexiant, the company that is putting all of this together, is either misinformed or just plain lying. Again I direct you to the list of compromised systems above. There are techniques that can help secure your data against amateurs trying to gain access to it, but in the face of determined system crackers, the evidence is overwhelmingly against him that your information is actually secure.

Most distressing to me is that Mr. Lucas is making noise about this information being available via mobile phones…a technology that to date has still not demonstrated that it can be safe from malware.

When it comes to the computer security techniques employed today, I like to use the analogy of someone who wants to steal your car. Do you lock your car doors? I know I do. Do I think that it 100% protects my car from theft? Of course not! If someone really wants my car…there are ways to get it. Same thing with car alarms. Do you think that just because you put an alarm system on your car that no one is capable of stealing it? For me, the answer is “of course not.”

The goal of many protection systems on a vehicle (such as locking the doors or installing an alarm system) is to prevent the mischievous kid, the amateur, or the opportunist from stealing your car. I think most people are aware of the fact that if a professional car thief wants your car, they ARE going to get it.

And so it is with computer security.

We use encryption, secure IDs, SSL certificates and passwords to protect our data against the amateurs, the opportunists, etc. If a “professional” wants to steal our data…their odds of getting it are pretty good.

With the state of security being what it is, do YOU feel good about having YOUR medical records placed online? The potential for abuse is enormous, and the protection that these companies are offering up for your data is by no means air-tight.

Please keep all of this in mind the next time someone offers to put your medical records online, or to have voting for the next President of the United States handled online.

Warrantless GPS Tracking

Is it legal for law enforcement officers to track your location via GPS without a court order? By agreeing to hear the case of Antoine Jones, a man from Washington who was convicted on drug-related charges in 2008, that is precisely the question that the US Supreme Court has will most likely have to answer.

You see, a lot of the case against Antoine Jones traces back to GPS tracking information that was obtained by placing a GPS tracker on Jone’s vehicle. Jone’s lawyer is claiming “foul” in that he asserts that attaching a GPS tracker to a suspect’s vehicle is much like tapping a suspect’s phone…and phone taps require a warrant from a judge. This is a perfect case of technology progressing beyond what the framers of the US Constitution ever imagined.

As you may know, the Fourth Amendment protects individuals against unlawful search and seizure. One instance of this protection is seen in  “phone taps” or “wire taps,” which require a warrant from a judge before they may be performed. A judge’s job is to ensure that law enforcement officers are requesting the phone tap because they have a reasonable suspicion of wrong doing…and not for any other reason (well, the REAL definition of this is a bit more specific, but I am generalizing here for the sake of brevity).

Well, Jone’s lawyer is asserting that GPS information tracking should be held in the same regard as phone conversations. Namely, that such information is private, and that only by the granting of a judge’s warrant should such tracking be allowed under the Fourth Amendment.

How the court rules on this issue is likely to impact all of us. At stake is personal privacy versus the ability of Law Enforcement Officials  to be able to gather evidence against suspects.

My personal take (which is to say, my opinion only):

I personally believe that GPS tracking SHOULD require a judge’s warrant. I don’t believe that anyone should be allowed to “track” anyone else without their knowledge unless a judge has been convinced that there is probable cause of wrong doing. To me, the “secret” tracking of someone via a GPS tracker is akin to “stalking” a person…an action for which there are laws already in place for the public’s protection.

I should also point out that while this is my opinion, I also think that there is a problem with our legal system regarding the improper gathering of evidence. For example, if an officer gathers evidence in a manner where the authenticity of the evidence is not in question, but the legality of the evidence IS in question, then I think that the evidence should stand (that is, I think it should be able to be used against the defendant). An example would be where an office discovers a dead body in a suspect’s closet moments before a search warrant arrives. There is no disputing that there is a dead body on the suspect’s closet. Unless there is some question of somehow the body being planted in the closet, I think the evidence should stand and that the officer should receive appropriate consequences for his or her actions.

Again, just my two cents…

So keep an eye on this issue in the news. I certainly will be watching it.

References:

Powered by WordPress & Theme by Anders Norén