Privacy Roundup #0034 • May 2009
May 2009 paired a run of painful breaches with hard questions about location tracking, deep packet inspection and who gets to watch the wires.
3. Heartland faces multi-million-dollar card fines after record breach
Heartland Payment Systems told investors the breach had already cost it 12.5 million dollars, much of it in fines levied by Visa and MasterCard on its sponsor banks. The processor said it would contest the penalties, setting up a fight that grew out of the largest card compromise then on record.
2. Hackers demand 10m dollar ransom for Virginia prescription records
Intruders claimed to hold 8.3 million patient records and more than 35 million prescriptions taken from Virginia's drug-monitoring website, demanding ten million dollars for their return. State officials pulled the site offline and called in the FBI as the Obama administration was urging hospitals to digitise their records.
3. UC Berkeley says hackers raided health-services databases
The university warned that attackers had spent six months inside its University Health Services databases, exposing data on roughly 160,000 students, alumni and others. The haul included Social Security numbers, insurance details and medical-record numbers; clinical notes were held on a separate system and were not exposed.
4. Aetna warns 65,000 after job-application site is breached
The insurer told 65,000 current and former staff that their Social Security numbers might have been taken from a vendor-run recruitment website. The breach surfaced only after applicants began receiving phishing emails crafted from the 450,000 contact records held on the same site.
5. Stolen laptop exposes 109,000 UK pension records
An unencrypted laptop taken from a contractor held names, addresses, dates of birth, National Insurance numbers, salaries and bank details for around 109,000 members of the Pensions Trust. Six of the trust's 39 schemes were affected, and the machine had only a login password rather than disk encryption, which leaves the data readable to anyone who removes the drive or boots from other media.
6. Obama names a cybersecurity coordinator with a privacy remit
President Obama unveiled a national cybersecurity strategy and a new White House coordinator whose office would include an official charged with protecting privacy and civil liberties. He stressed that the effort would not extend to monitoring private networks or internet traffic.
7. GCHQ's 'Mastering the Internet' surveillance plan revealed
Reporting showed that, despite ministers scrapping a central communications database, GCHQ was already spending heavily on a system to give it complete visibility of British internet traffic. The plan relied on thousands of deep packet inspection probes feeding a vast store at Cheltenham, which campaigners called the same scheme by the back door.
8. NebuAd folds after deep packet inspection backlash
The behavioural advertising firm NebuAd told a court it would cease to exist, ending a venture that had used deep packet inspection inside American ISPs to profile subscribers. Congressional scrutiny and the loss of its largest ISP partners had already gutted the company.
9. Greece halts Google Street View over privacy concerns
The Hellenic Data Protection Authority barred Google from photographing Greek streets until it explained how long it would keep the original images and how it would warn residents. Marking the camera cars, the regulator said, was not adequate notice.
10. Google to reshoot Street View in Japan from a lower angle
After complaints that its cameras peered over garden fences, Google agreed to reshoot every Street View image in Japan with the lens dropped by about 40 centimetres. The company also promised to blur vehicle number plates across the dozen cities it had already mapped.
11. UK passport service to keep fingerprint images in a national store
The Identity and Passport Service confirmed plans for a National Biometric Identity Store holding facial and fingerprint images, and the templates derived from them, for passport, identity card and visa applicants. Retaining the raw images, rather than templates alone, meant the system could function as a national fingerprint database: images can be re-enrolled into any matching algorithm, whereas templates are tied to the one that produced them.
12. New York's top court demands a warrant for GPS tracking
In People v. Weaver, New York's highest court ruled that police could not attach a GPS tracker to a car without a warrant, after officers had tailed a suspect's vehicle for 65 days. The judges warned that such tracking could expose a person's political, religious and amorous associations.
13. Wisconsin court allows warrantless GPS tracking
A Wisconsin appeals court reached the opposite conclusion, holding that fixing a GPS device to a suspect's car was neither a search nor a seizure. The judges said they were troubled by their own ruling and urged state lawmakers to set limits, though Bruce Schneier doubted any would follow.
14. Schneier questions whether online data carries any expectation of privacy
Schneier argued that emails and documents held by ISPs and cloud providers enjoy far weaker legal protection than papers kept at home. He called on the courts to recognise that virtual privacy and physical privacy ought to share the same boundaries.
15. Rotenberg reframes the security-versus-privacy trade-off
Schneier shared an essay by Marc Rotenberg arguing that the familiar choice between security and privacy is a false one. Accepting unchecked surveillance, Rotenberg wrote, means surrendering constitutional protection and judicial oversight rather than buying genuine safety.
16. EFF and CDT propose privacy rules for government website tracking
The two groups published recommendations for how federal websites should use cookies and other measurement tools, calling the existing rules both too bureaucratic and too permissive. Visitor data, they argued, must be anonymised quickly, used only for traffic analysis and subject to a clear opt-out.
17. Microsoft unveils Bing as a 'decision engine'
Microsoft revealed Bing, a rebuilt search engine that tailored its results pages to query types such as health, travel and shopping. Pitched as a decision engine rather than a list of links, it leaned on inferred intent to organise what users saw.
18. Google announces Wave, blurring email and instant messaging
At its developer conference Google unveiled Wave, a real-time platform that merged email, chat and collaborative documents into shared conversations. A playback feature that replayed how a conversation had unfolded raised fresh questions about how much of an exchange the service would retain.
19. Google Latitude starts broadcasting your location to the open web
Google added a Public Location Badge that let Latitude users publish their whereabouts on a blog or website rather than only to chosen friends. Even supporters acknowledged the privacy risk of broadcasting one's position at all times, softened only by an option to share location at city level.
20. Downing Street refuses to investigate Phorm
Responding to a petition signed by more than 21,000 people, the government declined to investigate Phorm's web-monitoring system and pointed instead to the Information Commissioner. Critics noted the regulator had already declined to act over BT's secret trials, even as Brussels pursued the United Kingdom over the same conduct.