October 30th, 2014
CNN reports that CurrentC, a mobile payment system that is in the pilot phase, has been hacked and the breach raises questions about the security of the system, a rival to Apple’s Apple Pay and Google’s Wallet:
Apple Pay rival CurrentC has been hacked.
The mobile payments app — which isn’t even officially out yet — was created for the sole purpose of getting stores away from credit card fees they pay every time you swipe your card. [...]
On Wednesday, those taking part in the CurrentC pilot program received a warning from the consortium of anti-credit-card retailers called MCX, or Merchant Consumer Exchange: The program was hacked in the last 36 hours, and criminals managed to grab the email addresses of anyone who signed up for the program. [...]
October 29th, 2014
Politico reports on privacy concerns with a surveillance program to track mail via “mail covers” in the United States:
Cutting-edge data-gathering techniques may have grabbed the spotlight lately, but it turns out the government has been playing fast and loose with a more old-school surveillance method: snail-mail snooping.
The U.S. Postal Service failed to observe key safeguards on a mail surveillance program with a history of civil liberties abuses, according to a new internal watchdog report that USPS managers tried to keep secret, citing security concerns.
The Office of Inspector General audit of so-called “mail covers” — orders to record addresses or copy the outside of all mail delivered to an individual or an address — found that about 20 percent of the orders implemented for outside law enforcement agencies were not properly approved, and 13 percent were either unjustified or not correctly documented.
October 28th, 2014
The Washington Post reports on the Federal Communications Commission’s recent planned fine of telecom companies YourTel America and TerraCom and its implications for data privacy and security:
The Federal Communications Commission leapt into data security litigation Friday, levying a $10 million fine against two telecom companies that allegedly stored personally identifiable customer data online without firewalls, encryption or password protection.
The two companies, YourTel America and TerraCom, share the same owners and management. From September 2012 to April 2013, the FCC said, the companies collected information online from applicants to Lifeline, the government’s telephone subsidy program for poor Americans. To prove their eligibility, potential customers are asked for personal information, including Social Security numbers, dates of birth, addresses, names and drivers’ license numbers.
October 27th, 2014
Eurasia Review reports that facial-recognition technology experts are developing global guidelines for the use of the biometric technology, which could have wide-ranging impact on individuals’ privacy:
The first meeting of the INTERPOL Facial Expert Working Group brought together global experts in biometrics to begin the process of developing international facial recognition standards.
The two-day meeting (14 and 15 October) gathered 24 technical and biometrics experts and examiners from 16 countries who produced a ‘best practice guide’ for the quality, format and transmission of images to be used in facial recognition. [...]
INTERPOL is currently developing a facial image database with the support of Safran Morpho, a leader in biometrics in the private sector. The database is expected to become operational in early 2015, and will enhance INTERPOL’s forensic capabilities as many crimes do not have hard evidence such as DNA or fingerprints to help identify suspects.
October 24th, 2014
The Washington Post rounds up news on the increasing use of biometrics in everyday life and its implications for individual privacy:
The future is here, and it’s biometric identification: You will soon be able to unlock the most recent iPad model with your fingerprint; banks are reportedly capturing voice imprints to catch telephone fraud; and the FBI’s facial recognition database is at “full operational capacity” (although it still pales in comparison to Facebook’s database).
But while these technologies are already influencing consumers’ lives, it’s not clear that everyone understands the long-term implications of widespread biometric use, experts say. [...]
Biometric markers are also immutable, unlike other forms of digital verification techniques. “You can change your password, but you can’t change your face or your fingerprints without going through an awful lot of trouble,” Bedoya explains.
October 23rd, 2014
We’ve discussed before the pitfalls of various anonymization or “de-identification” techniques and how the information can be “deanonymized” or re-identified, leading to privacy problems for individuals. A few months ago, the EU’s Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data released a detailed report (pdf) on the issue. Now, researchers at Neustar Research have delved into the “anonymized” NYC taxicab dataset and were able to re-identify passengers and their destinations, including customers of strip clubs:
There has been a lot of online comment recently about a dataset released by the New York City Taxi and Limousine Commission. It contains details about every taxi ride (yellow cabs) in New York in 2013, including the pickup and drop off times, locations, fare and tip amounts, as well as anonymized (hashed) versions of the taxi’s license and medallion numbers. It was obtained via a FOIL (Freedom of Information Law) request earlier this year and has been making waves in the hacker community ever since.
The release of this data in this unalloyed format raises several privacy concerns. The most well-documented of these deals with the hash function used to “anonymize” the license and medallion numbers. A bit of lateral thinking from one civic hacker and the data was completely de-anonymized. This data can now be used to calculate, for example, any driver’s annual income. More disquieting, though, in my opinion, is the privacy risk to passengers. With only a small amount of auxiliary knowledge, using this dataset an attacker could identify where an individual went, how much they paid, weekly habits, etc. I will demonstrate how easy this is to do in the following section.
Read the full story for details on how the data was deanonymized in order to be able to identify individuals.