Tuesday, May 01, 2007

Privacy notes

Another collection of items over the past few weeks, this one relating to privacy concerns. As is often the case, it's not necessarily any individual item that really matters - although they are bad enough on their own - but the pattern they collectively demonstrate.

March 30 - In a regulatory filing, TJX Cos., parent company of nearly 2,500 discount stores including T.J. Maxx and Marshalls, revealed gross security holes in their handling of customer data, holes that lead to the personal information of at least 45.7 million credit and debit card holders being compromised.

Those holes included failure to delete customer data promptly and failure to adequately protect encryption methods.
"It's not clear when information was deleted, it's not clear who had access to what, and it's not clear whether the data kept in all these files was encrypted, so it's very hard to know how big this was," said Deepak Taneja, chief executive of Aveksa, a Waltham, Mass.-based firm that advises companies on information security.
Experts say such failures are common. The data theft has been tied to a gift card scam in Florida involving fraudulently obtaining $1 million in electronics and jewelry.

April 2 - HealthDay News reported that
urine-based drug tests have a lot of room for error and may not be useful in schools and other venues, a U.S. study says.
Researchers from the Center for Adolescent Substance Abuse Research at Children's Hospital in Boston reviewed 710 random urine drug test from 110 patients aged 13 to 21. Of the 217 positive results, a shockingly high 21% were attributable to legitmate prescription or OTC meds - that is, more than one out of every five positive results was wrong.
Given the high potential for misinterpretation, there is no justification for widespread use of random drug testing for adolescents, the researchers concluded. ...

"Drug testing should be reserved for patients with a clinical indication for this procedure, and when drug testing is indicated, the best available procedures should be used," [study author Dr. Sharon] Levy said.
Pressure for random testing of teens both in schools and the home is paired with pressure for, and the increasing occurence, of, such testing in the workplace. The researchers, as is normal practice, limited their judgment to adolescents because those were the people studied - but it can fairly be asked if in light of these results there is any "justification for widespread use of randon drug testing" for anyone at all.

April 4 - Schools in Taunton, Massachusetts plan on becoming the first in the state
to have students pay for lunch by scanning their fingerprints, a plan that is triggering an uproar among parents and ACLU officials worried about privacy and possible identity theft.
The plan was going to be mandatory but because of the strong opposition, it's voluntary.
Still, some parents are concerned that the fingerprints their children register with the school district could be stolen, misplaced, or used for a form of fraud that hasn't even been invented.

They note that supermarkets and retail stores have had customer information compromised, and argue that there are no state guidelines for schools using the technology. The parents also say they are skeptical that the 8,100-student Taunton school system can keep their children's information secure.
In a letter to the school superintendent, a staff attorney with the American Civil Liberties Union of Massachusetts objected to teaching students to be casually fingerprinted. In a later interview, she called it "Orwellian."

School officials, on the other hand, played the same card that always gets played: the "it's for your benefit!" argument. They said
the new system will speed the cafeteria line, possibly let parents monitor what children eat, and lift the stigma from poor students who receive free or reduced-price lunches.
Okay - in addition to taking note of the creepy "everything you do is being watched" overtones, I have another question, not so much about this attack on privacy but related to it: Just how does treating food assistance programs as something so shameful that participation in them is something that has to be hidden, "lifting the stigma?"

April 17 - The crime laboratory of the Massachusetts State Police is considering changing its rules on DNA database searches to allow for reports of partial matches.

Right now, DNA recovered from a crime scene is sent to the lab, which looks for a match among its database of DNA samples taken from convicted felons. If there's a match, investigators are informed. If there's not, they're not.

The change being considered would allow for investigators to be told about a "close match," one which could indicate that a suspect is a close relative of someone in the database. The problem is, such a practice would not only invade the privacy of, and cast suspicion on, innocent people who happened to be related to convicted felons, it would also inevitably wind up pointing fingers of suspicion at people unrelated to the person in the database but who just happened to have a DNA profile similar in the regions examined.

On a sidebar, in January the database administrator was found to have violated the ban on so-called familial searches. He was fired Friday. Just like in the Bush administration, when officials are found to be violating policies or laws and invading privacy, the response it to make what they did legitimate.

April 25 - At a debate in New York City about privacy rights, Norman Siegel, former director of the New York Civil Liberties Union, estimated that there are at least 10,000 cameras around the city conducting surveillance of passersby. Most of those are run by private businesses.

Siegel said such cameras should be
registered with a government agency and people on the street should be informed that they being filmed. ...

He suggested that it be made a criminal offense to abuse surveillance camera footage.
On the other side, Heather MacDonald of the conservative Manhattan Institute, dismissed concerns as people "amusing themselves with Big Brother fantasies" while fantasizing the cameras deter criminals and terrorists. She insited it wasn't an issue because "there is no reasonable expectation of privacy in public spaces."

That's an interesting argument because the "no reasonable expectation of privacy" garbage has been used to justify all sorts of intrusions of, and limitations on, exactly that reasonable expectation, from saying police could search your garbage with no need for a warrant to arguing passengers in a car could be searched, again without a warrant or an arrest, because since the car is not their "possession" they have no basis to expect to be "secure" in it. I only wonder how long it will be before someone declares that you had no "reasonable expectation of privacy" in your own home because a shade was up. Increasingly, our "expectation of privacy" is being limited only to those areas our most intrusive technologies cannot reach - and is shrinking as the latter expands.

April 27 - Just this week, a White House task force lead by the FTC and the DOJ released a plan to fight the increasing levels of identity theft, identity theft made increasingly possible by the increasing amount of what many of us naively believe to be personal information increasingly gathered and increasingly shared by an increasing number of public agencies and, more importantly, un- (or barely-) regulated private companies.

Certainly some action is needed.
In recent years, the Federal Trade Commission (FTC) has recorded approximately 250,000 complaints of identity-theft fraud annually. A survey study by the data-analysis group Javelin Strategy and Research estimated total adult victims in the United States at nearly nine million in 2006, with the value of the fraud totaling $56.6 billion. Common violations, perpetrated by individuals as well as organized groups, range from credit-card forgery to assuming a new identity to cover up other crimes.
And of course, we're not going to see action from the Shrub team.
To privacy-rights and consumer groups, identity fraud reflects structural vulnerabilities, as technology casts sensitive records into more unknown hands. In response, groups are calling for much-tighter controls than those the White House proposes on how corporations and government agencies harvest personal information. ...

[O]verall, the [task force] report is light on explicit recommendations for new regulations on companies and agencies that handle sensitive information. Rather, it emphasizes further monitoring of the problem, such as studying how companies use social-security numbers.
Oh, of course not, we can't put restrictions on business! Not without studying the problem! So let's have a study. Then we can have a second study to check the first study, a third to examine differences between the first two, a panel to do a meta-study of the three studies, a review panel to check the meta-study panel's results, a "high level" review of the review - by which time it will be decided that the original study is outdated and a new one is required. All the while, corporate America goes its merry number-crunching, database building and swapping, way.
David Sohn, counsel with the Center for Democracy and Technology (CDT), ... said existing laws miss new security and privacy threats posed by the "revolution in data technology, in terms of the ability to gather, store and manipulate large quantities of data." ...

Fundamentally, privacy and consumer groups say the most effective way to combat identity theft is to minimize the amount of data available for stealing. Groups such as the Electronic Privacy Information Center (EPIC), for example, support strict limits on the use of social-security numbers as an identifier.
Which is actually something I've been advocating for well, let me see, for over 20 years now. As I recall, what first got me going on this was discovering that the student ID numbers at the college where I was working were their Social Security numbers - and I couldn't understand why they were in effect being required to reveal their SSNs to anyone who had occasion to see their ID. My long-standing proposal was to limit the use of your Social Security number to uses directly related to Social Security and taxation and the only people who could ask for it are people who are legally required to make reports about you to the IRS, such as your employer and your bank. And within a certain period of time after you left a job or closed an account, information linking you to your SSN would have to be destroyed.

There are additional proposals on the table such as making companies liable when harm results from misuse of the data they collect - but again of course industry opposes such measures and so does the White House. And so it goes on as the same corporations and government agencies that keep telling you to "protect yourself" and "beware of identity theft," putting the onus all on you as an individual, at the same time keep demanding from you more and more personal information of the type that makes identity theft possible.

Footnote: The article linked is too long to be easily summarized here; I urge you to read the whole thing. I also have to note, sadly, that The New Standard, the source of the article, ceased publication as of April 27. The archives will be up at least for a while. It will be missed.

No comments:

 
// I Support The Occupy Movement : banner and script by @jeffcouturer / jeffcouturier.com (v1.2) document.write('
I support the OCCUPY movement
');function occupySwap(whichState){if(whichState==1){document.getElementById('occupyimg').src="https://sites.google.com/site/occupybanners/home/isupportoccupy-right-blue.png"}else{document.getElementById('occupyimg').src="https://sites.google.com/site/occupybanners/home/isupportoccupy-right-red.png"}} document.write('');