November 10th, 2015
Rep. Jason Chaffetz (R-Utah) recently introduced a bill, H.R. 3871, The Stingray Privacy Act (pdf), to limit the use of cellphone surveillance technology known as cell-site simulators or “Stingray” technology. The bill, Chaffetz says, “would require law enforcement to obtain a warrant before deploying a cell site simulator consistent with recently issued federal guidance and the 4th Amendment to the Constitution. H.R. 3871 does provide targeted exceptions for exigent circumstances and foreign intelligence surveillance.” The federal guidance mentioned is recent policies on cell-site simulators released by the departments of Justice (pdf) and Homeland Security (pdf), with various exceptions for special circumstances. The new guidance was released after public and Congressional scrutiny of the use of the surveillance devices.
The Stingray and similar cellphone surveillance technologies are extremely invasive. They simulate a cellphone tower so that nearby mobile devices will connect to it and reveal their location, text messages, voice calls, and other personal data. The surveillance technology scoops up data on every cellphone within its range, so innocent people’s private conversations and texts are gathered, too.
Dozens of police departments nationwide use this cell-site simulator surveillance technology, and there are a lot of questions about how they’re using it. Even the IRS admitted in Congressional testimony that it using the surveillance technology. Read more »
October 23rd, 2015
A recent case in New Hampshire illustrates how libraries continue to be battlegrounds for privacy rights. The Kilton Public Library in Lebanon, N.H., a town of about 13,000 people, decided to join Tor, an anonymization network for online activities. It was a pilot for a bigger Tor relay system envisioned by the Library Freedom Project. According to Ars Technica, the Library Freedom Project seeks to set up Tor exit relays in libraries throughout the country. “As of now, only about 1,000 exit relays exist worldwide. If this plan is successful, it could vastly increase the scope and speed of the famed anonymizing network.”
The Department of Homeland Security learned of the pilot, Pro Publica reported: “Soon after state authorities received an email about it from an agent at the Department of Homeland Security. [...] After a meeting at which local police and city officials discussed how Tor could be exploited by criminals, the library pulled the plug on the project.”
After much criticism of the DHS and local law enforcement interference and petitions to reinstate the pilot project (including one from the Electronic Frontier Foundation), the Kilton library’s board voted a few weeks later to reinstate the project. ”Alison Macrina, the founder of the Library Freedom Project which brought Tor to Kilton Public Library, said the risk of criminal activity taking place on Tor is not a sufficient reason to suspend its use. For comparison, she said, the city is not going to shut down its roads simply because some people choose to drive drunk,” the Valley News reported. Read more »
September 8th, 2015
Targeted behavioral advertising is where a user’s online activity is tracked so that ads can be served based on the user’s behavior. What began as online data gathering has expanding — now there’e the online and offline data collection and tracking of the habits of consumers. There have been numerous news stories about this privacy and surveillance issue. There is a fundamental issue about targeted behavioral advertising that divides industry and consumer advocates: opt-in or opt-out. Opt-in, the choice of consumer advocates, puts the burden on companies to have strong privacy protections and use limitations so consumers will choose to share their data. Opt-out, the choice of the majority of ad industry players, puts the burden on consumers to learn about what the privacy policies are, whether they protect consumer data, whom the data is shared with and for what purpose, and how to opt-out of this data collection, use and sharing.
Companies can also buy information on individuals from data collectors. At times, the information can be wrong, causing problems for individuals. Read a previous post for more about data brokers.
What happens when data is gathered as a person browses the Internet? It can lead to innocuous advertisements for cars when you’re searching for a new vehicle or boots when you’re considering replacing ones that wore out last winter. Or it can lead to a more difficult situation when you’re faced with ads strollers and car seats showing up on Web sites that you visit even though you had a miscarriage a month ago. It’s easy for advertisers to connect the dots when someone starts searching for infant safety gear or reading parenting Web sites and the person is unable to opt-out of targeted behavioral advertising. Read more »
August 19th, 2015
I’m taking some time off and will resume posting here in September. I’ll be posting sporadically on Twitter, so follow me there @privacylives if you want privacy news.
July 15th, 2015
There have been myriad data breaches and security problems recently with private and public sector systems. As more sensitive data is passed through more hands — corporate and government — there needs to be an emphasis on security.
Although the Consumer Financial Protection Bureau is focused on financial data, its call for privacy protections to be built into systems from the beginning is valuable for all sectors. In the case of the CFPB, it has set out guiding principles of data privacy and security for the creation of new payment systems.
These new systems are aimed at reducing “pocket-to-pocket” payment times between consumers and businesses or other entities. The CFPB wants to ensure any new payment systems are secure, transparent, accessible, and affordable to consumers. The systems should also have robust protections when it comes to fraud and error resolution. [...]
The CFPB wants to ensure that consumer protections are at the forefront as new and improved payment systems are developed. The protections recommended in today’s Consumer Protection Principles relate to privacy, transparency, costs, security, and consumer control. They also relate to funds availability, fraud and error resolution protections, and payment system accessibility. Read more »
June 4th, 2015
Update on June 7: There’s news that the Office of Personnel Management was hacked and the unencrypted personal data of 4.1 million current and former federal employees was accessed. It has been nine years since an unencrypted laptop and hard drive containing sensitive data on 26.5 million current military personnel, veterans, and their spouses were stolen from a Department of Veterans Affairs’ employee’s home. That security breach led to a push for the use of encryption throughout the federal government, and I hope this breach leads to stronger data protections.
For years, security and privacy professionals have been urging companies to encrypt their data so that when there are security breaches, there is less damage to individuals whose data is accessed. Yet we continue to read reports about companies failing to use this basic tool to secure information.
For example, California-based U.S. Healthworks recently revealed (pdf) that a password-protected yet unencrypted laptop was stolen from an employee’s vehicle. The health-care service provider told employees, “We determined that the laptop may have contained files that included your name, address, date of birth, job title, and Social Security number.”
Financial services company Sterne Agee and Leach was recently fined $225,000 and required to review its security protocols by the Financial Industry Regulatory Authority after a 2014 incident where a Sterne Agee employee lost an unencrypted laptop after leaving it in a restroom. The laptop included “clients’ account numbers, Social Security numbers and other personal information,” according to a news report. Read more »