You leak: let us peek

January 18, 2007

More news on security breaches: California Senator Dianne Feinstein is renewing her push to set national requirements for consumer notification in the event of data security breaches, and to restrict the sale, purchase and display of Social Security numbers. Under her proposed Notification of Risk to Personal Data Act, any federal agency or business that “uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information” would be required to notify any U.S. resident whose data may have been compromised by a security breach “without unreasonable delay.” Her second bill, the Social Security Misuse Prevention Act, would prohibit the sale, purchase or “display” (intentional communication to the general public, including via the Internet) of SSNs without the “affirmatively expressed consent of the individual,” given either electronically or in writing. The bills feature broad exemptions, which are bound to prove controversial. Across the border, meanwhile, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) published a white paper calling for similar legislation to be introduced into Canadian data protection law (PIPEDA). Data breach notification laws are all the rage, prompting the interest of regulators in the EU as well. A big question is what consumers can actually do with the knowledge that their data has leaked into unauthorized hands. One option is, of course, suing. Yet, interestingly enough, while class action lawsuits have been filed against ChoicePoint, LexisNexis and CardSystems Solutions, none had reached judgment as of December 2006.

Oops – 100,000,000 times (for now)

December 21, 2006

A week of severe data security breaches: UCLA reported that hackers gained access to a database containing personal information on 800,000 current and former applicants, students, faculty and staff. Aetna revealed that a lockbox holding personal information of 130,000 health insurance customers was stolen. And Boeing reported that a laptop containing personal information of 382,000 current and former employees was stolen from an employee’s car. The US Privacy Rights Clearinghouse reports that the total number of personal records lost or exposed in security breaches since February 2005 now exceeds 100 million. The total maintained by the organization represents the number of records compromised in security breaches, not the number of individuals affected; an individual may be the victim of more than one breach. However, only breaches exposing information useful to ID thieves, such as Social Security numbers, bank account details and driver’s license numbers, count towards the 100 million mark. The reports of security breaches are a result of legislation originating in California’s Security Breach Information Act of 2003 and now adopted in about 30 additional states. Europe is still considering similar legislation. In the UK, for example, a report by Deloitte Touche Tohmatsu reveals that 25 million personal records are exposed to theft and fraud annually. One of the big issues, particularly for Europe, where private lawsuits are rare and class actions uncommon, is whether individuals can actually do anything with the knowledge that their data has been compromised.

RFID: A chip on your shoulder

December 17, 2006

RFID systems have long been one of privacy advocates’ prime suspects: they enable data to be transmitted from a portable device, called a tag, to an RFID reader and processed according to the needs of a particular application. RFID, which started as a benign replacement for the barcode, allowing Walmart to perfect its inventory control process, is increasingly appearing in privacy-compromising applications. Last week, U.S. Department of Homeland Security Secretary Michael Chertoff defended national ID cards, established by a federal law called the Real ID Act in May 2005, as vital for security and consistent with privacy rights. Among other concerns, national ID cards may carry RFID tags, despite a recent DHS advisory committee report advising against using RFID for tracking humans. More prosaically, a report by researchers at the University of Washington warns against surreptitious surveillance of joggers via their Nike+iPod Sport Kit, which contains an RFID chip. The EU Article 29 Working Party warned against the dangers of RFID in an official report last year. The bigger problem lurking behind RFID is that of privacy in an age of ubiquitous computing, where every object, not only the cellphone but also the table or the spoon, is a computer.

“International Law: Between War and Peace”

December 7, 2006

The definitive Hebrew textbook on public international law? With “International Law: Between War and Peace” (Ramot 2006), Orna Ben Naftali and Yuval Shany (College of Management School of Law and Hebrew University Faculty of Law, respectively) make an invaluable contribution to a field more important and relevant in Israel than, perhaps, anywhere else in the world.

Spam goes “Bam”

December 7, 2006

Bill Gates predicted spam would be a thing of the past by 2006. Well, it is making a big comeback after an off year in 2005. In the last six months, the problem has gotten measurably worse. The NYT reports that worldwide spam volumes have doubled from last year and that unsolicited junk mail now accounts for more than 9 of every 10 email messages sent over the Internet. The negligible cost of orchestrating a spam campaign and the significant difficulty of preventing one do not help. For an overview of anti-spam legislation see David Sorkin’s Spam Laws.

The DHS presents: ATS

December 5, 2006

The US Department of Homeland Security revealed its new big data mining program: the Automated Targeting System (ATS), successor to the former Total Information Awareness (TIA), Computer Assisted Passenger Pre-screening System (CAPPS-2) and “Secure Flight” programs. For the past four years, ATS has assigned millions of international travelers, including American citizens, computer-generated scores rating the risk they pose of being terrorists or criminals. The scores are assigned to passengers entering and leaving the US after computers assess their travel records, including where they are from, how they paid for tickets, their dates of birth, motor vehicle records, past one-way travel, frequent flier account details, hotel accommodations, meal requests and seating preferences. Privacy advocates are responding with alarm.

4th Circuit rules anti-anti-SPAM

November 30, 2006

A recent 4th Circuit decision, written by Judge James Harvie Wilkinson III, demonstrates the risks inherent in the federal CAN-SPAM Act of 2003, which preempts state anti-SPAM legislation. The Court ruled in favor of an alleged spammer that had sued for defamation an aggrieved customer who called its email spam.

SPAM and phishing: The battle goes on

November 28, 2006

The European Commission calls for stronger action against spammers and spyware merchants. Meanwhile, a security flaw in Google’s search appliances could expose websites using such products to phishing attacks. Microsoft has recently launched an anti-phishing campaign in Europe and the Middle East, filing 129 lawsuits against alleged perpetrators.

Conference: The Law of Search Engines

November 26, 2006

The University of Haifa School of Law is holding a conference on the Law of Search Engines, touching on issues such as privacy and data protection, freedom of speech, and intellectual property. Some of the field’s leading names are scheduled to participate, including Helen Nissenbaum of NYU and Michael Geist of Ottawa. The event is organized by Haifa Profs. Niva Elkin-Koren and Michael Birnhack.

EU-US privacy rift: SWIFTly expanding

November 25, 2006

The Article 29 Working Party has now posted its harsh SWIFT opinion. A shorter press release has also been issued. In the US, meanwhile, the NYT reports little progress in the review of President Bush’s massive secret wiretapping program, despite the Democratic takeover of Capitol Hill.