Security & privacy

Canadian legislation on identity theft coming


Here is a collection of announcements concerning Canada’s plan for new legislation on identity theft. The legislation is important because it attempts to address not only the actual acts of fraudulent use of identities, but also the collection and trafficking of the information. The reaction of the Privacy Commissioner on further steps that are needed is also notable. This will be interesting legislation to watch.

Canadian government to introduce identity theft legislation


Solving the wrong security problems and avoiding sacred cows


Here is an interesting article by Spaf (Prof. Eugene Spafford) on the state of security research and development today. The argument is that we are spending too much time on building fixes, without addressing the root problems. In this case, the root problems include development techniques and languages, and inadequate operating systems. The analogy to sacred cows is interesting.

Solving some of the Wrong Problems

We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it. Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised.


The erosion of privacy and boiled frogs


Here is an interesting article from The Economist on the growing use of surveillance and data tracking, and the blind acceptance by citizens in most countries. I like the analogy myth of the “boiled frog” attributed to Ross Anderson at the end of the article — if the water is heated gradually enough, the frog fails to notice the difference until it is too late.

Learning to live with Big Brother

Across the rich and not-so-rich world, electronic devices are already being used to keep tabs on ordinary citizens as never before. Closed-circuit television cameras (CCTV) with infra-red night vision peer down at citizens from street corners, and in banks, airports and shopping malls. Every time someone clicks on a web page, makes a phone call, uses a credit card, or checks in with a microchipped pass at work, that person leaves a data trail that can later be tracked. Every day, billions of bits of such personal data are stored, sifted, analysed, cross-referenced with other information and, in many cases, used to build up profiles to predict possible future behaviour. Sometimes this information is collected by governments; mostly it is gathered by companies, though in many cases they are obliged to make it available to law-enforcement agencies and other state bodies when asked.


How would fingerprints and photo ID cards improve safety at a homeless shelter?

I am left puzzled about this story about using ID cards and fingerprints to authenticate visitors at a homeless shelter. The motivation appears to be problems about personal safety while staying at the shelter. But I fail to see how having clients identified in this way would help deter any behavioral problems that occur. Just like the border identification schemes that are motivated to prevent terrorism, knowing who someone is does nothing for knowing their intent. On the other hand, such an identification scheme might do a lot to discourage people from using the shelters.

Homeless shelter considers ID cards and fingerprint scans

Fingerprint scans and ID cards may be required for clients wanting to enter Calgary’s largest homeless shelter.

The Calgary Drop-In Centre is pricing out new security measures that could include biometric technology, such as fingerprints, a spokeswoman said Thursday.

The centre wants to maintain a database of client identities, which would enhance security operations and offer clients peace of mind.


Iris recognition at a distance being demonstrated

I recently attended the Biometrics Consortium conference in Baltimore where I learned about the latest developments in biometric security systems. Three or four vendors were demonstrating iris-at-a-distance systems that have profound privacy implications.

For example, Sarnoff’s system is able to capture iris information as people pass through a door frame or look at a drive-through kiosk. The image capture and processing can be done without the person being aware, and iris recognition can be far more accurate and reliable than the face recognition systems that have been used in these situations.

We need to have serious discussions about the societal impacts of biometric systems, and this was the topic of my presentation at a NIST workshop on usability and biometrics.


Yet another claim of mind-reading security technology

Here is another entry in the list of weird psychological claims related to security. This article from Wired describes a Russian system that claims to be able to reveal the intent of people during a security review. This is done by presenting “subliminal” images on a screen and asking people to recognize them. The claim is that people with terrorist intentions will be better able to recognize images related to terrorism (e.g., images of the attack on the World Trade towers).

A long time ago in work for my Master’s thesis I tested a similar idea using very brief presentations of words that might be related to what people were currently thinking. I found no differences in the ability to perceive subliminal presentations based on current thoughts, and I learned that such cognitive “priming” is probably impossible, or very, very short-lived.

Weird Russian Mind-Control Research Behind Homeland Security Contract

The Department of Homeland Security (DHS) has gone to many strange places in its search for ways to identify terrorists before they attack, but perhaps none stranger than this lab on the outskirts of Russia’s capital. The institute has for years served as the center of an obscure field of human behavior study — dubbed psychoecology — that traces its roots back to Soviet-era mind control research.


Brain scans as lie detectors?


Here is a long, interesting article from The New Yorker on the use of functional MRI (fMRI) technology to detect lies. The article does a great job of laying out the context, including a discussion of polygraphs and other brain scanning techniques. The conclusion is that the hype surrounding using brain scans to detect lying may be unfounded because the results have been based on limited laboratory studies and the accuracy rates have been low (i.e., 10% error rates). The article also contains a good description about why it is so hard for people to detect lying, and the appeal of having a machine do it for us.

A Reporter at Large: Duped: Reporting & Essays: The New Yorker

Functional MRI is not the first digital-age breakthrough that was supposed to supersede the polygraph. First, there was “brain fingerprinting,” which is based on the idea that the brain releases a recognizable electric signal when processing a memory. The technique used EEG sensors to try to determine whether a suspect retained memories related to a crime—an image of, say, a murder weapon. In 2001, Time named Lawrence Farwell, the developer of brain fingerprinting, one of a hundred innovators who “may be the Picassos or the Einsteins of the 21st century.” But researchers have since noted a big drawback: it’s impossible to distinguish between brain signals produced by actual memories and those produced by imagined memories—as in a made-up alibi.


Automatic recognition of facial emotions used for advertising


This article describes a new system that monitors people as they view advertising and records the emotions they show on their face. I doubt that the system will be accurate enough to detect important, subtle differences in emotion (e.g., amusement versus bemused annoyance), but the possibilities are interesting.

Advertisements That Watch You Smile | Germany | Deutsche Welle | 10.07.2007

Imagine the following scenario: a perfume advertisement hangs in the departure lounge of an airport where thousands of people see it each day. Some people stop and stare. Others walk by amused. Still others seem puzzled.

Usually, advertisers can only guess at the public’s reaction to a new ad campaign. But new technology under development by researchers at the Fraunhofer Institute for Integrated Circuits (IIS) in the southern German town of Erlangen makes that type of data instantly accessible to advertisers.


Free security programs to know and love


Here is a good article listing 15 free security programs that you can download and run on your PC. Installing a collection like this is essential for maintaining even a basic level of security.

http://www.networkworld.com/news/2007/070207-15-great-free-security.html

From the moment you switch on your PC, your system faces countless Internet-borne dangers, including spyware attacks, viruses, Trojan horses, home-page hijackers, and hackers trying to weasel their way into your system. And the Internet isn’t the only source of trouble. Anyone with access to your PC can invade your privacy by prying into which Web sites you visit–and learning a great deal more as well. But fighting back is easy. We’ve found 15 great pieces of software–firewalls, spyware busters, antivirus software, rootkit killers, and general Internet security tools–designed to protect you against any dangers that come your way. They’re free, they’re powerful, and they’re easy to use. So what are you waiting for? Start downloading.


Internet shopping safer than buying gas?

Credit card fraud may be more of a problem at stores and gas stations than when shopping online. Those terminals where you swipe your card, and the systems behind them, are not very secure.

Data breaches start at the gas station, analyst says – Network World

Using a credit card at a gas station could pose more of a risk for data theft than shopping online, as point-of-sale terminals have emerged as a weak link in the security chain, according to a Gartner Inc. analyst.

When a card is swiped, point-of-sale (POS) terminals often collect and store the data held in the magnetic stripe on the back of a credit card, said Avivah Litan, a Gartner vice president and distinguished analyst. Retailers are often unaware that their POS applications collect so much information.
