
    Congress Is Back and So Is Privacy Lives

    Here are a couple of interesting stories concerning privacy that I came across while on vacation:

    UC-Berkeley: Flash Cookies Can ‘Respawn’ Traditional Cookies — Even If You’ve Cleared Them

    Wired says, “More than half of the internet’s top websites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies,” according to a new report from University of California-Berkeley researchers.

    The researchers say:

    We found that top 100 websites are using Flash cookies to “respawn,” or recreate deleted HTTP cookies. This means that privacy-sensitive consumers who “toss” their HTTP cookies to prevent tracking or remain anonymous are still being uniquely identified online by advertising companies. Few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.

    One of the study’s authors makes an important point to Wired, “If users don’t want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,” said Ashkan Soltani, a UC Berkeley graduate student.

    DHS Privacy Office Approves Suspicionless Laptop Searches at the Borders

    Last year, it was revealed that the Department of Homeland Security has been claiming expansive powers at the border. Border officials appeared to have seemingly unlimited powers to search, seize, share, or “analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States.” Remember that this data could be your personal or business address book, personal photos, personal or business e-mail, personal or business taxes or other financial data, and myriad other information.

    Now, the DHS Privacy Office has approved these broad powers in a new Privacy Impact Assessment (pdf). The Privacy Office says that travelers are subject to suspicionless searches and their electronic devices may be viewed, copied or seized by border agents without a specific cause. And it is possible that travelers would have no idea that their devices had been viewed or copied. “In some situations it is not practicable for law enforcement reasons to inform the traveler that his electronic device has been searched,” says the Privacy Office.

    DHS has answered some questions that I had about the searches:

    What legal standard is used to search and seize electronic devices such as laptops and digital cameras?

    DHS’s answers seem to be: There is no legal standard; border agents may search and seize electronic devices and data without cause.

    How long is this data kept and with whom is it shared?

    DHS says it depends. “If CBP or ICE determines the information should be retained because the information is required for law enforcement purposes and is relevant to immigration, customs, or other laws enforced by DHS, the information and the record of the retention are recorded in a DHS system of records.” DHS systems of records have their own data retention, sharing and destruction policies, so the traveler’s data may be distributed to numerous federal, state, local or tribal agencies and kept for decades.

    However, DHS also says, “Should CBP or ICE determine there is no value to the information copied from the device, that information is destroyed as expeditiously as possible. For CBP and ICE, the destruction must take place no later than seven calendar days after such determination unless circumstances require additional time. If additional time is required, the supervisor must approve and document it in the appropriate CBP or ICE system of records. Under no circumstance will the destruction be later than 21 calendar days after the determination that there is no value to the information.”

    I am glad that DHS has set out a retention and destruction policy. It is a positive step. But I would also like to know much more about how the data might be shared and with whom, and what the threshold is for relevance “to immigration, customs, or other laws enforced by DHS.”

    “Between October 1, 2008 and August 11, 2009, 221 million travelers were processed at U.S. borders and about 1,000 searches of laptop computers were conducted, of which 46 were in-depth examinations, the agency said,” Reuters reports.

    For those who are interested, security expert Bruce Schneier and CNet News have both published guides on how to protect your laptops and other devices from such searches. Read more on the DHS Privacy Office’s report on border searches at Computerworld, the Associated Press, and InformationWeek.
