Security & privacy

Privacy Commissioner of Canada announces research and education funding program

The Privacy Commissioner’s office has announced its latest funding program. This program will fund privacy-related research and public education/outreach activities. Eligible organizations include not-for-profit organizations and educational institutions. The maximum amount of funding per project is $50K. The deadline for applications is Jan. 30, 2009.

Contributions Program 2009-2010 – Program Summary – Privacy Commissioner of Canada

This year the Office is interested in receiving research proposals focusing on four priority areas: 1) national security, 2) identity integrity and protection, 3) information technology, and 4) genetic privacy.


Collective intelligence: Building complete profiles from multiple data sources


We were talking the other day about attitudes towards privacy and how some people, mostly young ones, don’t worry much about their personal information. In the days of Facebook and Twitter, many people are quite willing to share lots of personal information in certain contexts. They also consider that information to be temporary and transient, as their favorite applications and groups change.

What many people underestimate, I think, is the ability to cross-link information from a variety of sources. By combining information about communication patterns, movements, purchases, etc., a complete profile can be assembled. This can have profound implications for individuals and groups, and the uses can be both beneficial and harmful.

Article from the New York Times, suggested by Slashdot.

You’re Leaving a Digital Trail. What About Privacy?

… a vast sea of digital information being recorded by an ever thicker web of sensors, from phones to GPS units to the tags in office ID badges, that capture our movements and interactions. Coupled with information already gathered from sources like Web surfing and credit cards, the data is the basis for an emerging field called collective intelligence.

Propelled by new technologies and the Internet’s steady incursion into every nook and cranny of life, collective intelligence offers powerful capabilities, from improving the efficiency of advertising to giving community groups new ways to organize.

But even its practitioners acknowledge that, if misused, collective intelligence tools could create an Orwellian future on a level Big Brother could only dream of.

Collective intelligence could make it possible for insurance companies, for example, to use behavioral data to covertly identify people suffering from a particular disease and deny them insurance coverage. Similarly, the government or law enforcement agencies could identify members of a protest group by tracking social networks revealed by the new technology. “There are so many uses for this technology — from marketing to war fighting — that I can’t imagine it not pervading our lives in just the next few years,” says Steve Steinberg, a computer scientist who works for an investment firm in New York.


The teacher, the spyware, the pop-ups, the over reaction, the court case, and the savior


There are real, human risks to bad security. Spyware and virus infections not only make computers slow and lead to the loss of private information, but they can also make computers misbehave in unusual ways. One of these ways is for many, many pop-up windows to appear on the screen, out of the control of the user. I have had this happen to my computer, and it is not pleasant. But I did not have to deal with over-reacting parents, an uninformed school system, and a crazy court system.

This is the detailed story of how a Connecticut teacher was convicted and then later vindicated with the help of a geek. She was still convicted of lesser charges and lost her teaching license, but avoided jail with the help of her “shining star”.

The risk of computer infections is bad enough, but the risk caused by people in authority not understanding the technology, its behavior, and its limitations is horrible.

How spyware nearly sent a teacher to prison

If there’s a poster child for the dangers of spyware, it’s Julie Amero.

The 41-year-old former substitute teacher was convicted of four felony counts of endangering minors last year, stemming from an Oct. 19, 2004, classroom incident where students were exposed to inappropriate images.

Prosecutors had argued that Amero put her students at risk by exposing them to pornography and failing to shield them from the pop-up images after they appeared on her classroom computer.


Pre-employment polygraph screen in Halifax

According to David Fraser, the issue of pre-employment polygraph (lie detector) screening has been raised in Halifax. Apparently, the police and fire services there are requiring potential employees to submit to a polygraph test (and pay for it). It appears that the debate has centered on the privacy issues raised by the questions being asked. Equally important is the accuracy question: are polygraph examinations accurate for determining the truth? The answer is clearly no (see my previous post here), and yet organizations continue to use the polygraph.

Slaw: Pre-employment screening

According to media reports, anybody applying for a job that falls within the purview of the Halifax Police Service and Fire Service is required to pay for a polygraph examination that includes a range of questions, some of which have been considered to be objectionable.

It is interesting to review the court decision (R. v. BÉLAND) mentioned in the Slaw article. That court found that polygraph evidence was not admissible in this case, although it did not address the issue of the accuracy of the polygraph.

…the polygraph has no place in the judicial process where it is employed as a tool to determine or to test the credibility of witnesses.

…this view is not based on a fear of the inaccuracies of the polygraph. On that question we were not supplied with sufficient evidence to reach a conclusion. However, it may be said that even the finding of a significant percentage of errors in its results would not, by itself, be sufficient ground to exclude it as an instrument for use in the courts.

And be sure to check out this funny YouTube video…


PayPal adding SMS authentication at login


It seems that PayPal is adding a second-factor authentication scheme based on SMS text messages. These schemes work by sending a unique code to your pre-registered cell phone, and you have to echo back that code to log in. This kind of two-factor authentication (traditional password plus a unique SMS code) is a great idea, especially for services like PayPal that are frequent fraud targets.

PayPal offers SMS security key for mobile users

PayPal’s chief information security officer, Michael Barrett, believes this form of two-factor authentication, in which you need both something you know (your account password), and something you have (in this case, your mobile phone) is the next logical step for the company as it tries desperately to protect users against online security threats.
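To make the “send a code, echo it back” step concrete, here is the server-side half of such a scheme as an added example. It is not PayPal’s code and says nothing about how PayPal implemented its SMS key; the five-minute lifetime, the five-attempt limit and the HMAC-based storage are assumptions chosen for this illustration. The points it demonstrates are the ones that matter when reviewing any one-time-code flow: the code comes from a cryptographic random source, the server stores only a keyed hash of it (so a leaked table does not expose live codes), comparison is constant-time, and a code is single-use, expires, and locks after a few wrong guesses.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: five wrong guesses burn the code


class SmsOtpStore:
    """Server side of an SMS one-time-code login step (illustrative, not PayPal's).

    Only an HMAC of each outstanding code is kept, keyed with a server secret,
    so a database leak does not reveal codes that are still valid.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                 # injectable clock, handy for testing expiry
        self._pending = {}              # user_id -> (code_mac, expires_at, attempts_left)

    def _mac(self, user_id: str, code: str) -> bytes:
        # Bind the code to the user so a code issued to one account cannot be replayed on another.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-pad so every code has exactly CODE_DIGITS digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = (self._mac(user_id, code),
                                  self._now() + CODE_TTL_SECONDS,
                                  MAX_ATTEMPTS)
        return code                     # handed to the SMS gateway; never logged

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                # nothing outstanding (or already used)
        code_mac, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user_id]  # expired or locked: force a fresh code
            return False
        ok = hmac.compare_digest(code_mac, self._mac(user_id, submitted))
        if ok:
            del self._pending[user_id]  # single use
        else:
            self._pending[user_id] = (code_mac, expires_at, attempts_left - 1)
        return ok


def demo() -> dict:
    """Walk through a login: password already checked, now the SMS step."""
    clock = [1_000.0]
    store = SmsOtpStore(secrets.token_bytes(32), now=lambda: clock[0])
    code = store.issue("alice")         # in production this goes out by SMS
    wrong_guess = store.verify("alice", "000000" if code != "000000" else "000001")
    right_guess = store.verify("alice", code)
    replay = store.verify("alice", code)
    stale = store.issue("bob")
    clock[0] += CODE_TTL_SECONDS + 1    # simulate the user taking too long
    expired = store.verify("bob", stale)
    return {"wrong_guess": wrong_guess, "right_guess": right_guess,
            "replay": replay, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the server never compares the submitted code against a stored plaintext; it recomputes the HMAC and compares digests, which keeps both the storage and the comparison safe. Rate limiting is per code here; a real deployment would also limit how often codes can be issued to a given number.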


Cyber security concepts in a life-and-death, analog world


This is an interesting article by Camilo Viecco and Jean Camp of Indiana U on the recent rescue of hostages being held by the Colombian group FARC. There are interesting parallels between the real-world, life-and-death methods used for this rescue and the everyday attacks and defenses that occur in the online world.

A Life or Death InfoSec Subversion

…here we can look at a real-life analogue—an information attack on a highly complex security system, that of the Colombian guerrilla group FARC (Fuerzas Armadas Revolucionarias de Colombia, or the Revolutionary Armed Forces of Colombia). This operation included a man-in-the-middle attack, targeted denial of service (DoS), and authentication subversion. The attack on FARC’s communications structure is interesting not only because of its electronic and analog components, but also because it was a life-or-death matter.


Google employees being prosecuted for YouTube video

Lauren Weinstein has posted about a troubling development in Italy involving free speech vs. privacy protections. What would happen if service providers, such as YouTube, became responsible for content they don’t control?

What are you in for, kid? – “I worked for Google … “

In Italy, prosecutors are bringing charges against four former and current Google employees, charging them with defamation and failure to appropriately control personal data.

The defendants in this case didn’t post anything themselves. At issue is the posting of a video in 2006 to YouTube that showed students humiliating a youth with Down syndrome. Italian authorities are asserting that the posting of this video is contrary to Italian law, even though the video was removed from YouTube by Google within hours of Google being notified of its existence.


Privacy and enhanced drivers licenses


Here is an interesting opinion piece about the proposed enhanced drivers licenses in Ontario. Christopher Parsons discusses the privacy issues associated with such licenses and the risks of misuse and function creep.

Driving Your Liberties Away: Biometrics and ‘Enhanced’ Drivers Licenses

Privacy advocates across Canada have been struggling to prevent the Ontario provincial government from passing legislation that will see radio identifiers and biometric data inserted into future Ontarian drivers licenses.

Ontario, and the rest of Canada, is being forced into including radio and biometric features in future drivers licenses by the United States government. As a consequence of the U.S. Western Hemisphere Travel Initiative (WHTI), all Canadians and Americans who cross into the U.S. at a land border with just a driver license will be required to present an Enhanced Drivers License (EDL) as of June 1, 2009. While the radio ‘feature’ is disturbing in its own right, insofar as it emits a unique identifier whenever brought into range of a reader, I want to focus on the biometric features of these cards, why they raise human rights and civil liberties concerns, and the risk of function creep associated with the biometric facets of EDLs.


Security device for online banking


It seems that IBM is working on the issue of securing online banking. This article describes a device that will set up a secure connection with a bank’s server. The interesting thing to note is that the device does not protect against man-in-the-middle attacks or Trojan programs on the customer’s computer. Instead, it is supposed to make all the transactions visible so that the user can look for fraudulent activity during the session. This relies on customer knowledge and vigilance, which is an obvious weak point.

IBM ‘security on a stick’ protects online bank customers – Network World

IBM researchers have come up with a small device they like to call “security on a stick” for use in online banking so customers plugging into any computer can protect transactions and find out if Trojan malware is trying to steal funds.

“It doesn’t prevent a man-in-the-middle attack on the PC, but it makes them visible,” Baentsch says. So after logging on, if a banking customer intended to complete a certain transaction but saw that inexplicably there was different information about to be transferred — perhaps through a trick of a Trojan on the machine — that action could be stopped.
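The following simulation is an added example of the “make it visible” idea and of its weak point; it is not IBM’s design and the article gives no protocol details. The assumptions are mine: the bank pushes the transaction it actually holds down the device’s own channel (modelled here as a direct call), the device displays it and signs only what it displayed with a key shared at enrolment, and the bank executes nothing without that signature. The PC, which may be infected, only gets to submit. The three scenarios show that a Trojan’s rewrite of the payee becomes visible on the device and cannot be confirmed from the PC alone, and that an inattentive user still approves the tampered payment, which is exactly the reliance on vigilance the post points out.

```python
import hashlib
import hmac
import secrets

FIELDS = ("to", "amount", "currency", "nonce")


def canonical(tx: dict) -> bytes:
    """Fixed field order so bank and device sign identical bytes."""
    return "|".join(f"{k}={tx[k]}" for k in FIELDS).encode()


class Bank:
    def __init__(self, device_key: bytes):
        self._device_key = device_key   # assumed: shared with the customer's device at enrolment
        self._pending = {}
        self.executed = []

    def submit(self, tx: dict) -> str:
        """Entry point used by the (possibly infected) PC. Nothing executes yet."""
        tx = dict(tx, nonce=secrets.token_hex(8))
        self._pending[tx["nonce"]] = tx
        return tx["nonce"]

    def to_device(self, nonce: str) -> dict:
        """What goes down the device's secure channel: the bank's copy, not the browser's."""
        return dict(self._pending[nonce])

    def execute(self, nonce: str, confirmation: bytes) -> bool:
        tx = self._pending.pop(nonce, None)
        if tx is None:
            return False
        expected = hmac.new(self._device_key, canonical(tx), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, confirmation):
            return False                # no valid device confirmation: refuse
        self.executed.append(tx)
        return True


class Device:
    def __init__(self, device_key: bytes):
        self._key = device_key

    def render(self, tx: dict) -> str:
        return f"Pay {tx['amount']} {tx['currency']} to {tx['to']}?"

    def confirm(self, tx: dict) -> bytes:
        """Signs exactly the transaction it rendered, nothing the PC hands it."""
        return hmac.new(self._key, canonical(tx), hashlib.sha256).digest()


def trojan_rewrite(tx: dict) -> dict:
    """Constructed model of malware on the PC swapping payee and amount."""
    return dict(tx, to="ACCT-PLACEHOLDER-0000", amount="4999.00")


def run_session(intended: dict, infected: bool, user_attentive: bool) -> dict:
    key = secrets.token_bytes(32)
    bank, device = Bank(key), Device(key)
    sent = trojan_rewrite(intended) if infected else dict(intended)
    nonce = bank.submit(sent)
    shown = bank.to_device(nonce)
    # The user's only job: does the device screen match what they meant to do?
    matches = all(shown[k] == intended[k] for k in ("to", "amount", "currency"))
    approve = matches if user_attentive else True
    executed = bank.execute(nonce, device.confirm(shown)) if approve else False
    # If the user said no, the PC has no device signature; try a junk one.
    forgery_accepted = False if approve else bank.execute(nonce, b"\x00" * 32)
    return {"shown": device.render(shown), "mismatch_visible": not matches,
            "executed": executed, "forgery_accepted": forgery_accepted}


if __name__ == "__main__":
    intent = {"to": "ACME Utilities", "amount": "120.00", "currency": "CAD"}
    for infected, attentive in ((False, True), (True, True), (True, False)):
        print(run_session(intent, infected, attentive))
```

The third scenario is the one to remember: the device does its job (the tampered payee is on its screen), yet the payment goes through because approval is a human decision. That is why the post calls customer vigilance the weak point rather than the secure channel.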


PrivWatch.ca: A P2P Privacy Monitoring Tool


The Information Security Group at the NRC has completed a demonstration of our privacy scanning technologies. PrivWatch uses a modified Limewire client to search the Gnutella Peer-to-Peer network for files containing private information. The results are then anonymized, summarized, and presented in an interactive Flex-based interface.

To view the PrivWatch demonstration, you will need a username and password, which you can get by contacting me.

PrivWatch.ca: A P2P Privacy Monitoring Tool

PrivWatch was created to detect and monitor privacy breaches on the Gnutella Peer-to-Peer (P2P) network. With PrivWatch, you can view statistics about privacy breaches based on the type of information, the geographic patterns, and the trends over time.
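As an added illustration of the two steps described above, detecting files that carry personal information and then reporting only anonymized statistics, here is a small scanner over constructed sample records. This is not PrivWatch’s code and does not describe how PrivWatch classifies files; the three information types, the Luhn filtering of number-like matches, and the salted-HMAC peer pseudonym are choices made for this example. The property worth copying is that the summary carries counts by type and by country and a count of distinct (pseudonymous) peers, while the matched values themselves are never retained.

```python
import hashlib
import hmac
import re
from collections import Counter

# Kinds of personal information to flag (patterns constructed for this example).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "sin": re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b"),     # Canadian SIN layout
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
LUHN_CHECKED = {"sin", "payment_card"}   # both carry a Luhn check digit


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most random 9- and 16-digit numbers that merely look like identifiers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of information types present; the matched strings are discarded."""
    found = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if kind in LUHN_CHECKED and not luhn_ok(digits):
                continue
            found.add(kind)
    return found


def anonymize_peer(peer: str, salt: bytes) -> str:
    """Keyed pseudonym: lets us count distinct peers without keeping addresses."""
    return hmac.new(salt, peer.encode(), hashlib.sha256).hexdigest()[:16]


def summarize(records, salt: bytes) -> dict:
    by_type, by_country, peers = Counter(), Counter(), set()
    flagged = 0
    for rec in records:
        kinds = classify(rec["name"] + "\n" + rec["text"])
        if not kinds:
            continue
        flagged += 1
        by_type.update(kinds)
        by_country[rec["country"]] += 1
        peers.add(anonymize_peer(rec["peer"], salt))
    return {"flagged_files": flagged, "by_type": dict(by_type),
            "by_country": dict(by_country), "distinct_peers": len(peers)}


# Constructed sample of what a P2P crawl might return (documentation-range addresses,
# standard test numbers; nothing here is real data).
SAMPLE_RECORDS = [
    {"peer": "203.0.113.7:6346", "country": "CA", "name": "tax_return_2008.pdf",
     "text": "Name: J. Doe  SIN: 046 454 286"},
    {"peer": "198.51.100.22:6346", "country": "US", "name": "receipt.txt",
     "text": "Card 4111 1111 1111 1111 exp 12/09 contact jdoe@example.com"},
    {"peer": "203.0.113.7:6346", "country": "CA", "name": "holiday.mp3", "text": ""},
    {"peer": "192.0.2.9:6346", "country": "CA", "name": "orders.csv",
     "text": "order 123 456 789 shipped"},   # SIN-shaped but fails Luhn: not flagged
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS, salt=b"rotate-me-per-run"))
```

Two records are flagged: the tax return (SIN) and the receipt (card number and e-mail). The order file is left alone because its nine-digit number fails the Luhn check, which is the kind of false-positive control that keeps a breach dashboard credible.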
