Privacy Roundup #0019 • February 2008
February 2008 was dominated by the Phorm data-pimping scandal in Britain, a run of government data losses, and fresh proof that disk encryption keys can be lifted straight from a powered-down laptop.
1. ISP data deal with former 'spyware' boss triggers privacy fears
BT, Virgin Media and Carphone Warehouse agreed to feed their subscribers' browsing histories to Phorm, an advertising firm run by the man behind software that security vendors had once branded spyware. Critics warned that the Webwise system inspected every page a customer visited and that promised anonymisation might not survive determined re-identification.
2. BT pimped customer web data to advertisers last summer
The Register revealed that BT had secretly passed tens of thousands of customers' traffic to Phorm during trials in 2006 and 2007, then denied any link when subscribers queried suspicious redirects. Affected users said they had wasted time and money chasing what they thought were malware infections on their own machines.
3. Minister defends National Identity Register security
Home Office minister Meg Hillier told MPs that the planned National Identity Register would be encrypted, split across two databases and accessible to fewer than a hundred people. Sceptics countered that pooling biometric and biographical records in one scheme created a single point of catastrophic failure, especially after the recent loss of 25 million child benefit records.
4. 5,000 NHS records vanish with latest lost laptop
A laptop holding medical records for more than 5,000 patients was stolen from a hospital near Dudley, adding to a long run of public-sector data losses. The trust insisted the database was password protected and later rolled out encryption across its mobile devices.
5. Government 'lost' DNA data on 2,000 criminal suspects
The Crown Prosecution Service admitted that a disc carrying DNA profiles of around 2,000 suspects, sent by Dutch police, had gone missing for over a year. When the records were finally checked, eleven of the named suspects turned out to have committed serious offences in England and Wales during the period the disc was unaccounted for.
6. Consumers warned on data loss compensation packs
A firm began selling cut-price information packs to the 25 million people hit by the HMRC data loss, promising to help them claim compensation. Privacy lawyers cautioned that claimants would struggle to prove a direct causal link between the breach and any harm, making payouts very unlikely.
7. Judge dissolves Wikileaks.org injunction
A federal judge in San Francisco lifted an order that had disabled the wikileaks.org domain after the Swiss bank Julius Baer sued over leaked banking documents. The Electronic Frontier Foundation and the ACLU had intervened, and the judge cited First Amendment concerns and the futility of trying to switch off an entire website.
8. Cold boot attacks against disk encryption
Researchers at Princeton University, led by Edward Felten, showed that encryption keys linger in a computer's memory for seconds or minutes after the power is cut, and longer still if the chips are chilled. By rebooting a stolen laptop into a hostile operating system, they recovered keys protecting BitLocker, FileVault and dm-crypt volumes.
9. Chinese scholar to sue Google and Yahoo! over search censorship
Pro-democracy activist Guo Quan announced plans to sue Google and Yahoo! for scrubbing his name from their search results inside China. He called Google a servile dog wagging its tail at the Communist authorities, while lawyers doubted that a sovereign state's censorship rules could be challenged in this way.
10. German high court throttles government net snooping
Germany's Federal Constitutional Court struck down a regional surveillance law and ruled that data held on a personal computer enjoys constitutional protection. Secret installation of state spyware would be permitted only to defend rights of supreme importance, and only with prior approval from a judge.
11. Secret printer ID codes may breach EU privacy laws
Colour laser printers from manufacturers such as Brother, Canon, Xerox and HP were found to embed near-invisible dots that uniquely identify the machine on every page. EU Justice Commissioner Franco Frattini said the hidden tracking codes might infringe fundamental rights to privacy and the protection of personal data.
12. FBI sought approval to use spyware against terror suspects
Documents showed that the FBI had asked the secret Foreign Intelligence Surveillance Court to authorise its CIPAV spyware, which records a target's IP address, software and browsing activity. Security researchers warned that law enforcement malware undermined everyone's protection, since antivirus firms could not reliably tell sanctioned code from criminal code.
13. Government wants every English child on 'secure' database
Ministers set out plans for a national learner record that would assign every fourteen-year-old in England a Unique Learner Number and track their education across providers. Privacy campaigners warned of weak security and function creep, fearing the records would be reused well beyond their stated educational purpose.
14. UK data watchdogs drop Facebook probe
The Information Commissioner's Office closed its investigation into Facebook after the social network changed its policy to let users permanently delete their accounts rather than merely deactivate them. The watchdog had acted on complaints that personal data lingered on the site indefinitely even after members thought they had left.
15. Solicitors fined under Data Protection Act
Two London law firms were each fined by Stratford Magistrates' Court for processing personal data without registering with the Information Commissioner as the law required. The regulator had warned both firms repeatedly before prosecuting, noting that annual registration cost only thirty-five pounds.
16. Google mounts Chewbacca defence in EU privacy debate
A Google engineer told European regulators that IP addresses should not count as personal data because they change often and may be shared between several users. Privacy advocates rejected the argument, pointing out that an address tied to timestamped search queries and ISP logs can readily identify an individual.
17. Google eyes Cleveland medical records
Google announced a pilot of its Google Health service with the Cleveland Clinic, inviting thousands of patients to move their medical records into the company's online store. The World Privacy Forum warned that records held by a third party such as Google would fall outside the HIPAA protections that govern doctors and hospitals.
18. Trial for T5 mandatory biometrics kicks off at Heathrow
Heathrow began fingerprinting and photographing domestic passengers in a trial meant to stop ticket-swapping ahead of the opening of Terminal 5. Critics questioned why every traveller had to surrender biometrics when the underlying concern, transit passengers slipping onto domestic flights, could be addressed by far less intrusive means.
19. FBI screwed up, spied on entire email network
An FBI surveillance order aimed at a single email address was misread by an internet provider, which handed over traffic from an entire network instead. An intelligence official described such overcollection as common, if not weekly, feeding the wider row over surveillance powers and telecoms immunity.
20. US Supremes reject challenge to warrantless wiretapping
The Supreme Court declined to hear the ACLU's challenge to the Bush administration's warrantless wiretapping programme, leaving a lower court's dismissal in place. The plaintiffs faced an impossible bind, required to prove they had been targeted while the government withheld all such detail under the state secrets privilege.