March 10th, 2014
The UK Information Commissioner’s Office announced that it has fined (pdf) the British Pregnancy Advice Service £200,000 “after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.”
An ICO investigation found the charity didn’t realise its own website was storing the names, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues. The personal data wasn’t stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.
The hacker threatened to publish the names of the individuals whose details he had accessed, though that was prevented after the information was recovered by the police following an injunction obtained by the BPAS. […]
The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.
March 7th, 2014
The Department of Homeland Security has released the “2013 Data Mining Report to Congress” (DHS pdf; archive pdf). The DHS Privacy Office said, “The Federal Agency Data Mining Reporting Act of 2007, 42 U.S.C. § 2000ee-3, requires DHS to report annually to Congress on DHS activities that meet the Act’s definition of data mining. For each identified activity, the Act requires DHS to provide the following: (1) a thorough description of the activity and the technology and methodology used; (2) the sources of data used; (3) an analysis of the activity’s efficacy; (4) the legal authorities supporting the activity; and (5) an analysis of the activity’s impact on privacy and the protections in place to protect privacy.” Here’s more from the report’s executive summary:
This year’s report, covering the period January 1, 2013, through December 31, 2013, provides updates on modifications, additions, and other developments that have occurred in the current reporting year including use of [the Automated Targeting System] by DHS components other than CBP. The report also presents two new programs currently in development that will include data mining capabilities: the DHS Data Framework, a DHS-wide pilot initiative, and FALCON-Roadrunner, which is administered by ICE. Additional information on DARTTS and on the Transportation Security Administration’s (TSA) Secure Flight Program’s use of ATS is being provided separately to Congress in two annexes to this report that contain Law Enforcement Sensitive Information and Sensitive Security Information, respectively. [...]
March 6th, 2014
Wired reports on Jeeves, a new privacy-centric programming language created by MIT PhD student Jean Yang:
Any application that stores personal data such as photos is vulnerable to bugs that accidentally expose private information. Human error is inevitable. But an MIT PhD student named Jean Yang wants to make these coding mistakes as rare as possible with a new privacy-centric programming language called Jeeves.
Today, software programmers typically create dedicated privacy settings for each new feature they add to an application. But with Jeeves — named after the fictional valet in a series of short stories by P. G. Wodehouse — coders could readily create privacy settings for an entire application, a master list that could then flow to each new application feature. This could help prevent situations like the one that snagged Mark Zuckerberg [whose private Facebook photos were revealed because of a programming bug in 2011.] [...]
Jeeves would help programmers avoid such a mistake by making privacy settings an inherent part of each piece of content. “In a Jeeves system, assuming the programmer sets things up right, private data such as photos would be attached to policies until the moment they are released,” she says. “This guarantees that unauthorized viewers may not view a photo no matter what series of actions they took to arrive at a photo.”
March 5th, 2014
The Detroit News reports on privacy concerns with high-tech vehicles and the data they collect, store and transmit:
Every time a motorist slides in behind the wheel, odds are that car or truck is gathering information: How aggressively the driver accelerated, whether the speed limit was observed, how hard the brake pedal was applied. And beyond driving habits, where and when the car was driven, what route was taken and whether the seat belt was buckled.
Few laws or regulations address ownership of data collected by infotainment and navigation systems in dashboards and by electronic black boxes under hoods. Auto data privacy is the industry equivalent of the Wild West, according to automotive industry and law experts.
Should drivers expect information collected by their cars to be private? [...]
These questions come at a time when many Americans are fearful of their privacy in the wake of National Security Agency leaks and the answers are largely unclear.
March 4th, 2014
The New York Times reports on yesterday’s MIT- and White House-sponsored workshop “Big Data Privacy” and what all that data gathering and use means for average individuals’ privacy rights. The event is part of the White House’s recently announced review of privacy and big data. The Times reports:
CAMBRIDGE, Mass. — With the success of its free open online course system, called MITx, the Massachusetts Institute of Technology finds itself sitting on a wealth of student data that researchers might use to compare the efficacy of virtual teaching methods, and perhaps advance the field of Web-based instruction. [...]
As researchers contemplate mining the students’ details, however, the university is grappling with ethical issues raised by the collection and analysis of these huge data sets, known familiarly as Big Data, said L. Rafael Reif, the president of M.I.T.
For instance, he said, serious privacy breaches could hypothetically occur if someone were to correlate the personal forum postings of online students with institutional records that the university had de-identified for research purposes. [...]
March 4th, 2014
Reuters reports on privacy questions concerning telecommunications firms’ data-mining programs and their effect on individuals:
Although figures are scarce, analysts think selling data on mobile users’ locations, movements, and web browsing habits may grow into a multibillion-dollar market for the business.
Big carriers like Telefonica, Verizon, Orange and Singapore’s Starhub warn that they are only just starting to test the waters and pledge to market only anonymous crowd information to protect customers.
They are also promoting their big data products as being helpful well beyond the realms of advertising – for credit card companies wanting to detect fraud, for ambulance operators plotting routes to avoid traffic, and for public health officials responding to outbreaks of flu. [...]
As they shift to treating customer data as an asset to be mined instead of a mere incidental to running networks, telecom operators must tread carefully.