For my Computer
Security students. If not Best Practices, at least consider these
“Things you can do to avoid hassles by the FTC.” Note that all
of these are in Chapter One of the Intro to Computer Security
textbook. More importantly, look at all the practices they don't
mention! For my regular Blog readers: Told ya so!
The Federal Trade
Commission has released a provisionally redacted public version of
its
complaint
against LabMD (PHIprivacy.net’s coverage of LabMD linked
here).
The complaint provides
what could be useful guidance as to what types of
practices the FTC considers to be problematic practices under the
Act:
10.
At all relevant times, respondent engaged in a number of practices
that, taken together, failed to provide reasonable and appropriate
security for personal information on its computer networks.
Among other things, respondent:
(a)
did not develop, implement, or maintain a comprehensive information
security program to protect consumers’ personal information. Thus,
for example, employees were allowed to send emails with such
information to their personal email accounts without using readily
available measures to protect the information from unauthorized
disclosure;
(b)
did not use readily available measures to identify commonly
known or reasonably foreseeable security risks and vulnerabilities on
its networks. By not using measures such as penetration tests, for
example, respondent could not adequately assess the extent of the
risks and vulnerabilities of its networks;
(c)
did not use adequate measures to prevent employees from accessing
personal information not needed to perform their jobs;
(d)
did not adequately train employees to safeguard personal information;
(e)
did not require employees, or other users with remote access to the
networks, to use common authentication-related security measures,
such as periodically changing passwords, prohibiting the use of the
same password across applications and programs, or using two-factor
authentication;
(f)
did not maintain and update operating systems of computers and other
devices on its networks. For example, on some computers respondent
used operating systems that were unsupported by the vendor, making it
unlikely that the systems would be updated to address newly
discovered vulnerabilities; and
(g)
did not employ readily available measures to prevent or detect
unauthorized access to personal information on its computer networks.
For example, respondent did not use appropriate measures to prevent
employees from installing on computers applications or materials that
were not needed to perform their jobs or adequately maintain or
review records of activity on its networks. As a result, respondent
did not detect the installation or use of an unauthorized file
sharing application on its networks.
11.
Respondent could have corrected its security failures at relatively
low cost using readily available security measures.
12.
Consumers have no way of independently knowing about respondent’s
security failures and could not reasonably avoid possible harms from
such failures, including identity theft, medical identity theft, and
other harms, such as disclosure of sensitive, private medical
information.
LabMD
will likely respond that the FTC should have published these as a
guideline before
going after companies for not complying with them, but
other businesses may want to use this complaint for their own
guidance. In the meantime,
LabMD
continues complaining vociferously about the FTC’s action.
(Related) This is a
peak at Data Brokers. Moer Privacy than Security
EFF
– Data Broker Acxiom Launches Transparency Tool, But Consumers
Still Lack Control
EFF:
“Acxiom, a
data
broker that collects
1,500
data points per person [How many can
you name of the top of your head? Bob] on
over
700 million consumers total and sells analysis of such
information, is trying to ward off federal privacy regulations by
flaunting transparency—a diluted term, in this case—around user
data. The company just launched
AboutTheData.com,
a site that will let users see and edit
some information
that Acxiom has about them—only “some,” since Acxiom’s
analytics reveal far more information about you (living habits and
personal preferences) that isn’t readily available to you, but is
sold to partner companies. Everyone should be deeply concerned about
data brokers.
These companies are scavengers [Data
Miners and Big Data analysts? Bob] for very personal
data, amassing details about everything from
“major
life events” (like a wedding or a baby) to your browsing
history and shopping habits, and they have even begun exploring
business relationships with social media giants like
Facebook
and
Twitter.
And once this data is collected, it’s a small step away from
government agencies and law enforcement. (There was hubbub around
Acxiom and travel information, which the
government
collected and
inadvertently
shared.) ACLU has an
excellent
breakdown of Acxiom after the company released operational
details in response to a Congressional inquiry. The Federal Trade
Commission (FTC) has
launched
an in-depth investigation into data brokers to see what
information they gather and how it is used. Commissioner Julie Brill
recently wrote an op-ed
demanding
transparency around what user data is being collected through a
voluntary “Reclaim Your Name” campaign.”
So fingerprints should
not become a “Best Practice.”
Marcia Hofmann writes:
There’s
a lot of talk around biometric authentication since Apple introduced
its newest iPhone, which will let users unlock their device with a
fingerprint. Given Apple’s industry-leading position, it’s
probably not a far stretch to expect this kind of authentication to
take off. Some even
argue
that Apple’s move is a death knell for authenticators based on what
a user knows (like passwords and PIN numbers).
While
there’s a great deal of discussion around the
pros
and cons of fingerprint authentication — from
the
hackability
of the technique to the
reliability
of readers — no one’s focusing on the
legal effects of
moving from PINs to fingerprints.
Because
the constitutional protection of
the Fifth
Amendment,
which guarantees that “no person shall be compelled in any criminal
case to be a witness against himself,”
may not
apply when it comes to biometric-based fingerprints
(things that reflect who we are) as opposed to memory-based passwords
and PINs (things we need to know and remember).
Read more of her
excellent OpEd on
Wired.
Politics is the art of
“anything you can get away with.” This is a case of “We can,
therefore we must.”
Tesla Rodriquez
reports:
State
Rep. Steve Drazkowski is one of 18 plaintiffs in a lawsuit filed
Thursday that claims employees from Wabasha and Winona counties, the
city of Winona and nearly 50 other counties and cities illegally
accessed personal information hundreds of times.
The
lawsuit claims that an unknown number of state employees used the
state’s driver’s license database more than 600 times since April
2003 to look up their records, which include photos, Social Security
numbers, addresses, weight, height and other private information.
[From
the article:
The lawsuit claims that
an unknown number of state employees used the state’s driver’s
license database more than 600 times since April 2003 to look up
their records, which include photos, Social Security numbers,
addresses, weight, height and other private information.
The 18 plaintiffs, a
majority of whom are from Wabasha County, say they were targeted
because of political reasons, such as for writing a letter to a
newspaper, running for election, supporting a campaign or pushing for
government reform.
“My clients do
something (political),” said attorney Erick Kaardal, who represents
the clients. “Police identify them and then run a check.”
Lots of information, so
I'm not going to reproduce it here. Worth scanning!
Medical identity theft
affected about 1.84 million adults or their family members this year
at a projected out-of-pocket cost to the victims of over $12 billion,
according to a new report released today.
Are the judges on the
Ninth Circuit so far behind the average high school student that they
think unencrypted wi-fi is hard to detect and record? Do they still
use quill pens? Did they even consider a Google search?
EPIC
– Federal Appellate Court Upholds Privacy Protection for Wi-Fi
Communications
“The Court of Appeals
for the Ninth Circuit has
upheld
a lower court ruling against Google in a case arising out of the
Street View interception of private Wi-Fi communications. The
lawsuit alleges that Google’s ongoing interception of Wi-Fi payload
data through its Street View program violated several laws, including
the federal Wiretap Act. The court rejected Google’s arguments
that the interception was permissible.
The court
said that Google’s interpretation could have the absurd result of
rendering private communications, like email, unprotected simply
because the recipient fails to encrypt their Wi-Fi network. [I
would agree with Google. That's why encryption is a “Best
Practice!” Bob] Furthermore, the court explained that
the unencrypted nature of the Wi-Fi networks did not make the data
transmitted over them “readily accessible to the general public”
because the data was still difficult for an ordinary
person to intercept. [Nonsense. Bob]
EPIC filed a “friend of the court”
brief
in the case urging the court to uphold legal protections for Wi-Fi
communications, and discussing both the intent of the federal law and
the operation of a typical home W-Fi network. For more information,
see
EPIC:
Ben Joffe v. Google and
EPIC:
Google Street View.”
[See also:
Everyone knows that
unencrypted wireless traffic can be viewed by anyone, and your data
can easily be compromised.
This is really
interesting. I wonder if there are similar sites for other
professions? MBA, Computer Security, etc. (Sturm
is there)
Law
School News Aggregator
Elmer Masters: “Law
School News. You can check it out at
http://lsn.symphora.com/.
In a nutshell it’s
a site that aggregates RSS/Atom
news feeds from just over 100 law schools in the US.
There are more details about how it got built and what’s there on
my blog at
http://elide.us/2L.”
Come to thing of it,
this could make lots of things easier!
To
Enjoy Driverless Cars, First Kill All the Lawyers
Perspective: My
students could at least try reading the textbook...
Welcome to the 72-Hour Work Week
How many hours do you
think the average American professional works each week? If you
think 40, 50 or even 60, think again. For many, 72 hours is the new
norm.
Could be handy
– allows you to
design your own personal startpage with your most important bookmarks
and RSS feeds. Easy to use, reliable and completely (ad) free. Your
startpage is stored in the cloud so that you can access it
anywhere and on any device. Categorize bookmarks and RSS feeds
in pages and lists. Import and export your bookmarks and RSS feeds.
Make your pages public and share them.
For all my students.
(At least the ones who like Chrome.)
Turn
Chrome Into a Research Hub With These Extensions
We’ve covered a few
tools like this before, like
Diigo
and
Google
Drive, but I’ll be going through four of the extensions that
help me out the most as a student, and they can help you too.
OverTask
is a like a homebase for organizing all of your tabs. It replaces
your New Tab page with the OverTask main page where you can create
tasks and view all of your tasks in a nice, simple, colorful layout.
When you select a task or create one, it will close all of your tabs
and leave you with just one tab for your task.
Citelighter
is a toolbar that sits at the top of your window and help you keep
your research organized and cited.
Joining
the hordes of vowel-deprived services like Tumblr and Flickr is Stay
Focusd; this app, as the name implies, attempts to keep you focused
on your work. It does this by limiting the amount of time you can
spend on a certain list of websites.
Citable
is a tool for organizing your sources, similar to Citelighter. It
creates a button in the upper right hand of Chrome that you can click
to cite the website you are on.
For my students with
thumbdrives...
5
Websites For Every Portable Application On The Web
Applications
are linked to reviews that already exist on MakeUseOf.
As
the name implies, everything you’ll find here is 100% free and
portable.
Pendriveapps.com
is a very large and organized directory that is quite similar to The
Portable Freeware Collection, but just structured differently.
The
huge majority of the applications here are portable (I’ve yet to
find one otherwise) and they are all extremely small in size.
PortableApps.com
is one of the most well-known places on the web to go for portable
applications, most specifically their famous
PortableApps.com
Suite. However, PortableApps.com also offers their applications
in a standalone format through a directory of more than 300 apps.
