October 23rd, 2014
We’ve discussed before the pitfalls of various anonymization or “de-identification” techniques and how the information can be “deanonymized” or re-identified, leading to privacy problems for individuals. A few months ago, the EU’s Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data released a detailed report (pdf) on the issue. Now, researchers at Neustar Research have delved into the “anonymized” NYC taxicab dataset and were able to re-identify passengers and their destinations, including customers of strip clubs:
There has been a lot of online comment recently about a dataset released by the New York City Taxi and Limousine Commission. It contains details about every taxi ride (yellow cabs) in New York in 2013, including the pickup and drop off times, locations, fare and tip amounts, as well as anonymized (hashed) versions of the taxi’s license and medallion numbers. It was obtained via a FOIL (Freedom of Information Law) request earlier this year and has been making waves in the hacker community ever since.
The release of this data in this unalloyed format raises several privacy concerns. The most well-documented of these deals with the hash function used to “anonymize” the license and medallion numbers. A bit of lateral thinking from one civic hacker and the data was completely de-anonymized. This data can now be used to calculate, for example, any driver’s annual income. More disquieting, though, in my opinion, is the privacy risk to passengers. With only a small amount of auxiliary knowledge, using this dataset an attacker could identify where an individual went, how much they paid, weekly habits, etc. I will demonstrate how easy this is to do in the following section.
Read the full story for details on how the data was deanonymized in order to be able to identify individuals.
October 22nd, 2014
Fortune reports on an increase in cases of medical identity theft in the United States, which has implications for patients’ health privacy:
In the last five years, the number of data breaches in the medical sector has quadrupled. Last year, for the first time, the medical sector experienced more breaches than any other. It’s again on track to lead in 2014, according to the ID Theft Center. While the health care industry has long suffered fraud by providers or employees fraudulently billing insurers, Medicare, or Medicaid, the medical industry is only just now trying to catch up to the quickly growing threat from hackers.
With the increasing digitization of health information (in the form of electronic health records) and the formation of health exchanges (due to the Affordable Care Act), the trend in medical identity theft is unlikely to abate any time soon. Personal medical information is useful to many different types of criminals, which is why it fetches a higher price on the black market than financial information.
October 21st, 2014
Wired reports on a troubling database of private phone records created by Virginia police, the Hampton Roads Telephone Analysis Sharing Network:
The database, which affects unknown numbers of people, contains phone records that at least five police agencies in southeast Virginia have been collecting since 2012 and sharing with one another with little oversight. Some of the data appears to have been obtained by police from telecoms using only a subpoena, rather than a court order or probable-cause warrant. Other information in the database comes from mobile phones seized from suspects during an arrest.
The five cities participating in the program, known as the Hampton Roads Telephone Analysis Sharing Network, are Hampton, Newport News, Norfolk, Chesapeake and Suffolk, according to the memorandum of understanding that established the database. The effort is being led in part by the Peninsula Narcotics Enforcement Task Force, which is responsible for a “telephone analysis room” in the city of Hampton, where the database is maintained. [...]
October 20th, 2014
To recap: There has been considerable controversy about the privacy and civil liberties implications of the bulk telephone data collection program revealed by former National Security Agency contractor Edward Snowden. (He revealed several surveillance programs by the agency.) The Review Group on Intelligence and Communications Technologies (created by President Obama in August after the Snowden revelations) issued a report (archive pdf) recommending against the telephone call record database. Recently, the Privacy and Civil Liberties Oversight Board (PCLOB), an independent oversight agency within the executive branch, released a report (archive pdf) on the NSA’s bulk telephone records collection program, saying the program is illegal and should be ended. Federal judges have issued conflicting rulings on the surveillance program. In January, Obama announced reforms and proposed changes to the NSA surveillance programs, including the call record database program. Obama also issued a “Presidential Policy Directive, PPD-28,” (pdf) concerning signals intelligence activities.
Now, the Office of the Director of National Intelligence has issued an interim progress report (DNI pdf; archive pdf) on implementing PPD-28. In an announcement, Robert Litt, general counsel for the Office of the Director of National Intelligence, and Alexander W. Joel, civil liberties protection officer for the Office of the Director of National Intelligence, said the report “articulates key principles for agencies to incorporate in their policies and procedures, including some which afford protections that go beyond those explicitly outlined in PPD-28. These principles include the following: Ensuring that privacy and civil liberties are integral considerations in signals intelligence activities.”
October 20th, 2014
IT News in Australia reports that New South Wales Attorney-General Brad Hazzard is considering new privacy rules for the storing of data offshore:
The office of NSW Attorney-General Brad Hazzard has confirmed the government’s intentions to update the state’s privacy legislation to make it clear where agencies and healthcare providers stand when it comes to storing data offshore, particularly as part of cloud computing arrangements.
The NSW Privacy Commissioner, Elizabeth Coombs, finalised her draft code of practice for offshore data hosting and handed it to the Attorney-General in May this year, after a number of aborted attempts by her predecessors. [...]
October 16th, 2014
The Associated Press reports that when some banks’ customers call in to customer service, their voiceprints are being gathered so the banks can identify them. This practice of gathering biometric information, sometimes without giving notice to or obtaining consent from customers, raises substantial privacy questions:
An Associated Press investigation has found that two of America’s biggest retail banks — JPMorgan Chase & Co., and Wells Fargo & Co. — are quietly recording the biometric details of some callers’ voices to weed out fraud. The technology, sometimes called voiceprinting, is aimed at bad guys rather than legitimate customers, but legal and privacy experts alike still have reservations about the practice. [...]
As it stands, seven major American financial institutions are already using blacklists or have run pilots, said Shirley Inscoe, an analyst with the Aite Group, a research and advisory firm.