

Intersection: Sidewalks & Public Space

Chapter by Melissa Ngo

"The Myth of Security Under Camera Surveillance"



    Washington Post: Review ordered at Census to ensure privacy, accuracy of data

    February 9th, 2010

    The Washington Post reports on a review at the U.S. Census Bureau that may affect the privacy of Census data.

    The head of the Census Bureau said Friday he has ordered a review of the government’s efforts to protect the identity of individuals after researchers discovered months ago that years of publicly available data on the elderly contain numerous errors due to the government’s use of “masking” techniques.

    Robert M. Groves, director of the bureau, said that the programming mistake responsible for the bad data had been corrected going forward, and that it would not affect the 2010 Census. Groves said he is considering a rerelease of the affected statistics, dating from 2000 to 2005. [...]

    Examiner: Woman worms into D.C. taxpayer accounts

    February 8th, 2010

    The Examiner has another story about an insider being accused or convicted of abusing her access in order to violate individual privacy, in this case taxpayers’ financial data privacy. Such cases of access misuse are numerous. A few include: a retired clerk at the New York Department of Taxation pled guilty to stealing the identities of taxpayers, dead family members and children to obtain 90 credit cards from 20 banks and ran up more than $200,000 on the cards; a UCLA Healthcare System researcher pleaded guilty to violating the federal health privacy law HIPAA – he was “alleged to have accessed the UCLA patient records system 323 times during the three-week period, mostly to check out the files of celebrities, according to the U.S. Attorney’s Office”; a former police dispatcher in Illinois misused “a police database for personal reasons — including checking up on the suitor of his girlfriend’s daughter.”

    The Examiner reports:

    A mentally ill woman exploited a loophole in D.C. tax office online systems to gain unauthorized access to taxpayer accounts, establish herself as the owner of dozens of businesses and file returns on their behalf.

    Details of the online trespass, by a woman who law enforcement sources say believed herself to be the guardian of large corporations, were laid out in an independent auditor’s review of the District’s fiscal 2009 books and financial systems. BDO Seidman, D.C.’s outside auditor, found automated and manual tax processes in the Office of Tax and Revenue to be “significant deficiencies” in internal controls. [...]

    Information Security: Schneier-Ranum Face-Off: Should we ban anonymity on the Internet?

    February 8th, 2010

    Security experts Bruce Schneier and Marcus Ranum have a point-counterpoint debate at Information Security concerning anonymity on the Internet. (Last year, the two published point-counterpoint essays about online privacy at SearchSecurity.com.)

    An excerpt from Schneier’s post on anonymity:

    Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We’ll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks, such as those against Estonia or Georgia or South Korea, we’ll know who was responsible and take action accordingly.

    The problem is that it won’t work. Any design of the Internet must allow for anonymity. Universal identification is impossible. Even attribution — knowing who is responsible for particular Internet packets — is impossible. Attempting to build such a system is futile, and will only give criminals and hackers new ways to hide. [...]

    DarkReading: Hospitality Industry Hit Hardest By Hacks

    February 8th, 2010

    DarkReading reports on a new survey from Trustwave showing that private data stored on hotel networks is a major target for hackers.

    Hackers checked into hotel networks more than any other in 2009, and all organizations hit by attacks didn’t discover breaches for an average of 156 days, according to a new report based on real-world attacks worldwide.

    Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs, announced at Black Hat DC this week these and other findings the company compiled in 218 data breach investigations in organizations across 24 countries. Financial services companies accounted for about 19 percent of the breaches, but that was far fewer than in the hospitality industry, where 38 percent of all breaches took place. Retail (14.2 percent) and food and beverage (13 percent) also suffered a fair chunk of attacks, according to Trustwave’s data.

    And not surprisingly, a whopping 98 percent of targeted data was payment card information. Percoco said that credit card and debit card information is most in demand because it’s easy “to turn into cash quickly.” [...]

    Nearly half of these attacks occur via remote access applications, of which 90 percent exploit default or weak passwords, according to the report. Around 42 percent of attacks occurred via third-party connections; 6 percent, SQL injection; 4 percent, exposed services; and 2 percent, remote file inclusion attacks. Interestingly, less than 1 percent began with an email Trojan.

    Wall Street Journal: The Rise of Caller ID Spoofing

    February 8th, 2010

    The Wall Street Journal reports a rise in popularity of applications that can “spoof” Caller ID numbers. With spoofing, the number that shows up on a call recipient’s Caller ID display is different from the actual phone number the dialer is using.

    There are numerous legitimate reasons for a person to want her phone number hidden. For example, domestic violence survivors or stalking victims may need to contact their abusers to discuss custody arrangements or other questions. These victims need the ability to mask their phone numbers, so that abusers cannot track them down. (The National Network to End Domestic Violence has a paper about how abusers and stalkers use technology to control and harass their victims.)

    Another example is journalists who wish to keep their sources secret. The journalists don’t want anyone with access to a whistleblower’s phone to know who has been calling. Doctors may not want patients to know their home phone numbers, so they spoof in order to have their office numbers displayed.

    But, as the Journal reports, Caller ID spoofing can be used for criminal activity:

    BNA: Court Finds Constitutional Significance in Defendant’s Failure to Password-Protect Home Wireless Network

    February 8th, 2010

    BNA’s E-Commerce and Tech Law Blog reviews a recent decision in Oregon, United States v. Ahrndt, No. 08-cr-468 (D. Ore. Jan. 28, 2010).

    Who knew that password-protecting a wireless router also had constitutional significance? According to a recent court decision from Oregon, the failure to password-protect a wireless network can diminish the extent to which the Fourth Amendment protects computers and information on that network from government searches.

    In United States v. Ahrndt, No. 08-cr-468 (D. Ore. Jan. 28, 2010), a federal trial court held that a child pornography suspect had no constitutionally protected privacy right in the files found on his personal computer, stored in a shared iTunes folder fed by a Limewire account, accessible by a neighbor who was piggybacking on his unsecured wireless network. [...]