May 9, 2008

Credit Bureaus and Outsourcing

(Posted by adam)
The "I've Been Mugged" blog has a great three part series on outsourcing by credit bureaus: "Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)," "part 2" and "part 3."

He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that their privacy policy is at least honest. They make no claim that they care about your privacy, nor any that they apply the highest standards of security to your information.

Posted by adam on May 9, 2008 at 11:03 AM in Privacy, background checks.

May 7, 2008

Security Cameras Functional

(Posted by adam)
[Image: OneNation.jpg]
Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. "CCTV was originally seen as a preventative measure," Neville told the Security Document World Conference in London. "Billions of pounds has been spent on kit, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter fiasco: only 3% of crimes were solved by CCTV. There's no fear of CCTV. Why don't people fear it? [They think] the cameras are not working." (BBC, "CCTV boom 'failing to cut crime.'")
Blogosphere analysis: Schneier, Stoddard.

Our thought? Their chocolate ration needs to be increased to 20 grammes. Action this day.

Image credit: Emergent Chaos

Posted by adam on May 7, 2008 at 11:14 AM in Privacy.

May 3, 2008

A question of ethics

(Posted by cwalsh)
Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better. One way to see more would be to look in more places, for example on peer-to-peer file sharing networks. So here's the question: would it be ethical (and if so, under what conditions) to deliberately seek out files containing PII as made available via P2P networks, in order to better understand the extent to which such information is exposed, and how? I have an opinion on this question, but I'm very interested in what others think.
Posted by cwalsh on May 3, 2008 at 6:58 PM in Privacy, Science, breach analysis.

May 1, 2008

Italy Posts Tax Return Data on Official Website

(Posted by adam)
How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy.
"How Much Do You Make? The Nation Already Knows." The data has already been removed from easy web access at the official site. Bloomberg's report indicates that it wasn't simply posted to the web, but offered up as spreadsheets:
A ministry Web site was bombarded by Italians curious to see what their neighbors or favorite actors declared as income, making it often impossible later in the day to download spreadsheets with the name, date of birth, total income and amount each taxpayer paid.

If anyone knows where the mirrors are, please share.

I ask not out of prurient interest, but because it's not as easy as taking data off the website.

Posted by adam on May 1, 2008 at 12:14 PM in Privacy, breach analysis.

April 28, 2008

Who Watches the Watchlists?

(Posted by adam)
The idea of "watchlists" has proliferated as part of the War on Terror. There are now more than 63 of them:
As part of its regular "risk management" service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a "watch list" service that checks these individuals against 63 different lists from 35 sources, including OFAC, the FBI, and Interpol, Bradley says. ("Companies May Be Held Liable for Deals With Terrorists, ID Thieves", DarkReading)
I say more than 63 because some unknown number are secret. The poor souls who find themselves on these lists have, in essence, no recourse. Convincing 35 or more agencies that their presumption of your guilt is incorrect might, in theory, be possible. In reality, the agency has no reason to do anything but drag its feet: there are no penalties to them for declaring you guilty. In contrast, a failure to put your name on the list risks them not having prevented you from your future thoughtcrime.

But there's hope. And it's not in MicroBilt's stock price (MicroBilt is a subsidiary of First Advantage). Rather, it's in the courage of a judge, who ruled that any American who has been routinely detained because they are on a watch list knows that they are on a list, and thus the government's 'State Secrets' privilege isn't applicable:

since the government admits it has stopped the six men and two women more than 35 times, federal Magistrate Judge Sidney Schenkier of the United States Northern Illinois District Court dismissed that argument. Instead he found that the government "failed to establish that, under all the circumstances of this case, disclosure of that information would create a reasonable danger of jeopardizing national security." ("Court: Government Must Reveal Watch-List Status to Constantly Detained Americans," Wired's excellent 27B-6 Mk IIa blog)
Posted by adam on April 28, 2008 at 10:46 AM in Liberty, Privacy, Terrorism, background checks, national security.

April 14, 2008

One Nation Under CCTV

(Posted by mordaxus)
[Image: OneNation.jpg]

Banksy has done a wonderful service. The well-known artist has given us delightful commentary on surveillance.

Better than that, he did it in a site above a Post Office yard in London (Newman Street, near Oxford Circus), behind a security fence and under surveillance by CCTV. His team erected three stories of scaffolding on Saturday, did their work, and removed the scaffolding on Sunday.

The Daily Mail has photos that include the CCTVs overlooking the work.

Photo courtesy of Herschell Hershey's photostream.

Posted by mordaxus on April 14, 2008 at 6:16 PM in Privacy, art, awareness.

April 12, 2008

Privacy Act and "actual damages"

(Posted by adam)
Lauren Gelman writes:
I'm breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act's requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed'n of Gov't Employees v. Hawley, D.D.C., No. 07-00855, 3/31/08.
[T]he plaintiffs' alleged injury is not speculative nor dependent on any future event, such as a third party's misuse of the data, the court said. The court finds that plaintiffs have standing to bring their Privacy Act claim.
This follows the Supreme Court's holding in Doe v. Chao, 540 U.S. 614 (2004) that a plaintiff must prove actual damages to succeed on an alleged Privacy Act violation; however, in that case, the court never defined "actual damages."
Links: Her post, "Am. Fed'n of Gov't Employees v. Hawley.pdf."

I think this is a fascinating decision. The assertion that privacy damages are primarily financial is a very narrow one. We have already entered an age in which information is widely understood to have great value. Much of that value derives from a mind-numbing array of intrusions on seclusion, and allows for action on a poor shadow of what we used to call reputation.

As the value and use of that data grows, the costs and risks of abuse or negligence in the gathering, storage or application of that data also grows. There's every reason to expect that the law will find a way to sort out those torts.

Posted by adam on April 12, 2008 at 1:50 PM in Privacy.

March 30, 2008

Wendy Richmond's Surreptitious Cellphone

(Posted by adam)
[Image: wendy-richmond.jpg]

At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond.

"Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. These zones become the subject of her videos and stills. Satisfying in both form and content, they are psychologically riveting, intentionally beautiful, and surprisingly witty portraits of our private lives lived publicly." (From the "Public Privacy" site.)
I think it's tremendously cool to add an artist and their art to a business conference. Too often, we find ourselves focused entirely on questions such as cost of compliance, or forthcoming regulation. Bringing in new and different perspectives may be uncomfortable or challenging, but it's important to remember the people for whom we're doing this work.

I'd encourage anyone running a conference to consider bringing in artists whose work touches, even tangentially, on the subject at hand.

Who knows, you might have some chaos in an otherwise too-well-oiled machine.

Photo: Wendy Richmond, photo with Adam's cell phone and permission.

Posted by adam on March 30, 2008 at 5:38 PM in Privacy, conferences.

March 20, 2008

Avoid ID theft: Don't run for President

(Posted by cwalsh)

The Washington Post reports:

The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama's passport file.

Obama's presidential campaign immediately called for a "complete investigation."

State Department spokesman Tom Casey said the employees had individually looked into Obama's passport file on Jan. 9, Feb. 21 and March 14. To access such a file, the employees must first acknowledge a pledge to keep the information private.

The employees were each caught because of a computer-monitoring system that is triggered when the passport accounts of a "high-profile person" are accessed, he said. The system was put in place after the State Department was embroiled in a scandal involving the access of the passport records of then-presidential candidate Bill Clinton in 1992.

"The State Department has strict policies and controls on access to passport records by government and contract employees," Casey said.

The department uses contract employees to help with data entry, customer service and other administration tasks. The employee involved in the March 14 incident has only been disciplined so far, because the probe of that incident is continuing, an official said.

My translation is that the State Department, "in order to serve you better", violates the principle of separation of privilege and allows individual contract call center people to access the passport data for everybody in the country. Then, after a high-profile person has his privacy grossly violated (they ran Clinton's file because of malicious, false rumors he renounced his US citizenship during the Viet Nam era), they put in detective controls (not preventative -- too obvious), but these only work for important people.

Nice.

Luckily, Bill Burton, spokesman for Senator Obama, has a keen grasp of the issues:

"This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama's passport file, for what purpose, and why it took so long for them to reveal this security breach."

One way to learn some of that, as I am sure Mr. Burton's boss knows, is to get a decent national breach notification law.

While State may have been slow, they did the right thing, and canned the violators. Nothing reinforces a security policy better than a public execution, and nothing undermines one more effectively than blatant non-enforcement. With recent privacy breaches affecting not just semi-celebs like Presidential candidates, but also really important people, making sure that punishment is swift and sure seems like an obvious way to "incentivize good behavior".

Posted by cwalsh on March 20, 2008 at 11:46 PM in Current Events, Privacy, breaches.

March 18, 2008

Userfriendly and Privacy on the Internet

(Posted by arthur)

[Image: uf-privacy-frame.jpg]

Posted by arthur on March 18, 2008 at 9:00 AM in Amusements, Privacy.

March 16, 2008

Liechtenstein Über Alles?

(Posted by adam)
The New York Times had a story, "Tax Inquiry? Principality Is Offended:"
After weathering days of criticism from Germany over a spectacular tax evasion case, Liechtenstein — sometimes seen as the inspiration for the satirical novel from the 1950s about a tiny Alpine principality that declared war on the United States — is digging in for what may be a prolonged battle to defend its lucrative tradition of banking secrecy against what it views as attacks from a giant neighbor.
Of course, Germany and the other large nations would like to pretend this is about fraud, not competition for business. They'd like the smaller nations to harmonize their tax codes, and prevent the messy chaos of having to compete on their laws. Countries such as Liechtenstein offer alternatives, and act as a brake on the unfettered invasions of privacy that otherwise intrude on all our lives.

This isn't about Liechtenstein above all others, it's about diversity. It's about diversity in approaches to taxation leading to diversity of choices. It would be stereotyping to assert that the orderly Germans or the bureaucratic French don't like Liechtenstein solely because it's different. Really, it's because few governments have any appreciation of, or love for liberty.

Governments and their employees focus on their goals and their (always enlightened) rules. This isn't about Liechtenstein putting itself above others, but allowing people to put their own self-interest ahead of that of the functionaries and bureaucrats.

Some chaos emerges, and we think it's a fine thing.

Posted by adam on March 16, 2008 at 1:11 PM in Liberty, Privacy, national security.

March 15, 2008

Speaking of Privacy....

(Posted by cwalsh)

I was dismayed to learn that footage of Spitzer's (alleged) rent-a-babe "Kristin" performing in a class play while in elementary school has been featured at various web sites -- among them serious sites that should know better.

One could argue that this woman made her bed, and now she can lie in it (puns intended). That's fine. However, the child in that school play did not make any choices about it being immortalized digitally, and to bandy this footage about in the guise of news does violence to a part of "Kristin" -- her memories of a more carefree and innocent time -- the sanctity of which should be respected. It won't, of course, but we can at least recognize what could have been.

Posted by cwalsh on March 15, 2008 at 4:07 PM in Privacy.

Banks, Privacy and Revenge

(Posted by adam)
Eliot Spitzer made a name for himself attacking banks. Setting aside the legitimacy of those attacks, I find it shocking that he didn't realize how much banks know about each one of us. It's doubly shocking that he didn't expect revenge.

The New York Times claimed that the "Revelations Began in [a] Routine Tax Inquiry." I wish we had better insight into how true that is. In perhaps closely related news, "Fraud Police Buckling Under Mountains of Data." So what kicked off this routine investigation? Was it data or voyeurism?

What does a guy need to do to get a little privacy in this country, anyway?

Posted by adam on March 15, 2008 at 1:13 PM in Privacy.

March 6, 2008

Microsoft Acquires Credentica's U-Prove

(Posted by adam)
I am tremendously pleased to say that Microsoft has closed an acquisition of Credentica's U-Prove technology. This technology adds a new and important set of choices in how we as a society deal with identity and properties of people. Kim Cameron has the official announcement, "Microsoft to adopt Stefan Brands’ Technology" and Stefan Brands has blogged at "Microsoft acquires Credentica’s U-prove technology."

Kim writes:

I personally think we are just beginning to understand what it would mean if everything we do is both remembered and automatically related to everything else we do. No evil “Dr. No” is necessary to bring this about, although evil actors might accelerate and take advantage of the outcome. Linkage is just a natural tendency of digital reality, similar to entropy in the physical world. When designing physical systems a big part of our job is countering entropy. And in the digital sphere, our designs need to counter linkage.

This has led me to the idea of the “Need-to-Know Internet”.

...
Our goal is that Minimal Disclosure Tokens will become base features of identity platforms and products, leading to the safest possible internet. I don’t think the point here is ultimately to make a dollar. It’s about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions.

On a personal level, I'm happy to be working with Stefan again, and look forward to what Microsoft and our customers will be able to achieve with this technology.

Previously on Emergent Chaos:

[Updated with some quotes from Kim.]
Posted by adam on March 6, 2008 at 11:04 AM in Microsoft, Privacy.

February 25, 2008

Not Dead Yet

(Posted by adam)
[Image: dead-to-the-databases.jpg]

Dan Solove has an interesting article up, "Coming Back from the Dead." It's about people who are marked dead by the Social Security Administration and the living hell their lives become:

Dan starts with quotes from the WSMV News story, "Government Still Declares Living Woman Dead"
According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there's no end to the complications the situation creates.

...

According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.

...

Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.

Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source.
I'd propose a different solution: libel law. These organizations are making false and defamatory statements about people. They should be held accountable, under existing law.

I've been discussing libel and the credit agencies for years, in posts like "Because That's Where The Money is: Ethan Leib's ID Theft" or "Government Issued Data and Privacy Law." I've yet to hear why libel law isn't a reasonable and easy approach to the problem. As Nick Szabo comments in "The Discovery of Law," "common law is a painstaking way of discovering and making better law, case by case, dispute by dispute, piece of evidence by piece of evidence." I'm not calling for a broad overhaul. I think that a common law approach to libel law would likely address many of our issues with the way data flows between organizations.

Posted by adam on February 25, 2008 at 10:29 AM in Legal, Privacy.

February 20, 2008

Sivacracy on Privacy and Surveillance

(Posted by arthur)

[Image: surveillance-frame.jpg]
Last week, Siva Vaidhyanathan, of Sivacracy, published a new column in the Chronicle of Higher Education, "Naked in the 'Nonopticon'," which has some refreshing thoughts on privacy and surveillance that I wish more of us on the security side understood better. His main themes are (in his own words):

1) Anyone who claims "young people don't care about privacy" doesn't understand that privacy is about control, not about whether we choose to reveal our sexual or consumer details in public forums.

2) We have at least four "privacy interfaces" and try to govern our details and reputations differently in each one. For instance, we regulate information about ourselves one way among friends and family, and a different way with Amazon or Google.

3) The "Panopticon" model of surveillance is stale and inapplicable to the current situation. We don't suffer from knowing we are being watched. We suffer more from the surveillance we are not supposed to see or understand -- such as the illegal domestic wiretapping in the United States.

Additionally, his reviews of Daniel Solove's and James Rule's new books make me wish I had more time to read in the next few weeks.

[Image from hawkinspi.com]

Posted by arthur on February 20, 2008 at 4:58 PM in Privacy.

February 7, 2008

Economist Debates Security V Privacy

(Posted by adam)
The Economist emails:
Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you and the readers of Emergent Chaos to join the debate by blogging or commenting to the debate floor. (No subscription is necessary).
The debate: "Proposition: Security in the modern age cannot be established without some erosion of individual privacy."

Have at Mr. Livingstone, arguing for the side of order and no emergent chaos, or, if you must, Mr. Barr, on the side of truth, justice, and the American way.

Posted by adam on February 7, 2008 at 11:31 AM in Privacy, Security, blogging.

December 27, 2007

Emergent Privacy Reporting

(Posted by arthur)

On December 19th, Denebola, the student-run newspaper of Newton South High School, broke the news that video cameras had been secretly installed in their school. Not only were students and parents not notified of the cameras, but apparently neither were any of the teachers. From the student article:

According to Salzer, only he, Superintendent Jeff Young, Director of Public Facilities Mike Cronin, and a small security team were aware of the cameras. They did not inform faculty members, and the Newton Fire and Police Departments are not involved in their operations.

Boston.com is reporting that the school committee and the teachers union are asking why they weren't contacted or involved in this discussion.

Newton Teachers Association (NTA) President Cheryl Turgel is unsure whether the cameras violate teacher contract agreements or faculty privacy rights. The Newton Public Schools did not warn the NTA prior to the camera installation of their decision. While Turgel is not necessarily opposed to the Newton Public Schools using surveillance cameras to deter vandalism, she feels that the NTA should have been warned of the installation.

While the Boston.com article ignores the issue of student privacy, the student paper does not:

Staff Attorney for the American Civil Liberties Union Foundation of Massachusetts Sarah Wunsch notes that, while the legalities of putting surveillance cameras in schools without notifying the public is a rather gray area, South’s installation is “at the very least, an awful thing to do.”

The one saving grace is that the cameras are not yet operational, apparently due to a software problem. When fully operational, the principal will be able to access the previous 31 days of footage on any of the cameras. I really hope (and seriously doubt) that a proper security audit has been done on this system to ensure that other people won't be able to remotely access this footage.

Posted by arthur on December 27, 2007 at 6:44 PM in Privacy.