Archive for September, 2004

HIPAA Prohibits researchers from reviewing medical records

Thursday, September 30th, 2004

Researchers who used to search medical records for potential participants in their clinical trials of new medications or medical treatments must now rely on doctors for patient referrals. As a researcher, I fully understand how this can be viewed as a hindrance by medical researchers. However, as a public citizen I’m happy to see that HIPAA is having an impact on those trying to access my sensitive medical information without my knowledge. ThePrivacyPlace.Org recently released an Analysis of Web Site Privacy Policy Evolution in the Presence of HIPAA that you may find interesting.

For more information on HIPAA prohibiting researchers from reviewing medical records, see: Privacy rule builds biomedical research bottleneck.

– aia

Secret ISP Searches Authorized by the Patriot Act Ruled Unconstitutional

Thursday, September 30th, 2004

The Patriot Act, passed shortly after 9/11, was designed in part to make it easier for the government to monitor suspected terrorists. However, it has been under a great deal of scrutiny from critics who think it gives the government too much power to gather information. One of those criticisms involved the ability to secretly search the information that ISPs (Internet service providers) and phone companies hold about their customers. The American Civil Liberties Union sued, claiming that these expanded privileges violate the Fourth Amendment. Yesterday a U.S. District Judge agreed, ruling the powers unconstitutional.

Read more here [CNN].

RFID Tracking technology to be used in Japanese school

Wednesday, September 29th, 2004

Japan Today reports on the following case of RFID tags being used to track students in a Japanese primary school: School introduces security system to monitor students’ movements
From the article: “TOKYO Rikkyo Primary School on Monday introduced a new security system at its Tokyo campus that uses active RFID tags to accurately monitor the comings and goings of its students in real time.”

RFID stands for Radio Frequency Identification, and the technology is being deployed in small tags that can be attached to everything from articles of clothing to tires on your car. These tags can then be used to track movement, location, etc. of the items to which they are attached, which obviously raises many privacy issues to be considered as this technology gets deployed into widespread use.


Expand Privacy of cell numbers

Tuesday, September 28th, 2004

California is the first state to enact the cell number privacy law supported by Gov. Arnold Schwarzenegger. Consumers should have the right to decide whether they want a privacy block on their number or whether they want to make it public. Under this law, written consent from the customer would be required to make their number public, and those who do not wish to use this service would not be charged. For more information check out:

California is First to Enact Cell Phone Number Privacy Law

Army released a report about JetBlue privacy violation case

Monday, September 27th, 2004

The Army inspector general released findings from its investigation of Torch Concepts, a defense contractor, for privacy violations in testing data-mining techniques on JetBlue passenger records. According to the report, Torch Concepts did not violate the Privacy Act of 1974 because the personal data was collected from private sources and was never in the hands of the government. Compare this report with the Department of Homeland Security (DHS)’s Report to the Public on Events Surrounding JetBlue’s Data Transfer, in which the DHS privacy officer said TSA employees violated the spirit of the 1974 Privacy Act by asking JetBlue to provide data. More discussion can be found here.

Airline Passenger Data To Be Handed over to TSA in November

Wednesday, September 22nd, 2004

Passenger information for those who flew in June of 2004 will be turned over to the government to evaluate a new system designed to help identify terrorists. This data is certain to have anomalies which could potentially lead to innocent citizens being erroneously labeled as terrorists and placed on a perpetual watch-list. Additionally, the fact that the government is collecting data that includes, for example, special food requests opens the door for individuals to unfairly infer things about passengers.

The TSA has posted a Privacy Impacts Assessment (PIA) for the testing phase of the Secure Flight program. See Yahoo News Article for more information.

Medical Privacy

Wednesday, September 22nd, 2004

A few months back I received an email from a person who said they have my medical reports from Blue Cross Blue Shield of NC. This was a person with the exact same name as mine. I was shocked to see the carelessness that was shown on the part of the employees at the Student Health Center at my University. On checking with them I found out that my social security number was transferred to the other person’s records and vice versa. It seems to me that at many places privacy and general “best practices” are not being given the regard people expect to see.
On a similar note, recently, an Everett, Washington hospital employee mistakenly faxed confidential patient data to the city’s newspaper when the employee transposed numbers for two physicians with the same last name. More information on this case can be found at:
Hospital works to cut number of fax problems

– Neha Jain

U.S. Senate Requires Privacy Impact Reports

Tuesday, September 21st, 2004

The U.S. Senate has unanimously approved an amendment to the 2005 Homeland Security Department spending bill. The amendment requires all federal agencies that use data-mining technologies to submit a privacy impacts report to Congress. For more information, see: Senate votes for privacy study on agencies’ data-mining use.

jetBlue & Northwest Disclosures of Passenger Travel Records

Monday, September 20th, 2004

Last October, a few of us at ThePrivacyPlace.Org examined the JetBlue Airways’ policy in an attempt to better understand the revelation that JetBlue had violated its public privacy policy when it gave the travel records of five million JetBlue customers to Torch Concepts, a private contractor to the Department of Defense (DoD). This paper is scheduled to appear in IEEE Security & Privacy and is entitled, “The Complexity Underlying JetBlue’s Privacy Policy Violations.” If you don’t want to wait for the paper to appear in print, the technical report is currently available here: The Complexity Underlying JetBlue’s Privacy Policy Violations.

The Department of Homeland Security (DHS) Privacy Office investigated jetBlue to determine if the DoD had violated any laws. The DHS Privacy Office released a Report to the Public on Events Surrounding jetBlue Data Transfer on February 20, 2004. This report asserts that there is no evidence that jetBlue had provided the data directly to the Transportation Security Administration (TSA) or the U.S. Department of Transportation (DOT). Instead, jetBlue had provided the information to Torch Concepts through its contractor (Acxiom). The objective of this investigation was to determine whether government agencies had played a role in the privacy violation. The report states that no TSA employee had violated the Privacy Act; however, TSA employees were involved in the data transfer and failed to consider the privacy policy impacts of this transfer: “The TSA employees involved acted without appropriate regard for individual privacy interests or the spirit of the Privacy Act of 1974.” The DHS report made specific recommendations, including the need for comprehensive privacy training for employees and the establishment of data sharing guidelines.

It was later revealed that Northwest Airlines had also disclosed the travel records of its customers. This privacy violation also prompted a number of complaints, including one by the Electronic Privacy Information Center (EPIC). See: Northwest Airlines’ Disclosure of Passenger Data to Federal Agencies.

On the 15th of September, the Transportation Administration dismissed the privacy complaint filed by EPIC against Northwest (see: Transportation Department dismisses privacy complaint against Northwest).

We at ThePrivacyPlace.Org will continue to investigate methods and tools that can be developed to help stop sensitive information from being disclosed when such disclosures are not in compliance with governing policies and laws. For a sample of some of our efforts, check out the reports that are available on our publications page.

– Annie Antón

Does online banking put your money at risk?

Sunday, September 19th, 2004

I recently received another email “alert” from “my bank” – “CitiBank”, telling me due to recent identity theft and fraudulent emails, CitiBank needs me to update my personal information by clicking the provided link. The sender of the email was shown as “customerservice@citibank.com”. The CitiBank logo was displayed in the email. The request was to “protect” me, a customer of CitiBank. Everything seemed so right. I almost wanted to click the link, but I did not.

Of course, I would never click such a link. As a researcher working on security and privacy, I’m quite familiar with this kind of fraudulent email. But for the general public, especially inexperienced Internet users, would they click such a link and update their personal information?

A study has shown that this attack (using fraudulent emails and screens to trick customers into providing their personal information) has a surprisingly high success ratio. As many as 5% of the email recipients were tricked by these fraudulent emails and screens. (I wish I had a reference for you about the 5%. I heard that in a seminar at NC State University in May 2004 given by Professor Marianne Winslett from UIUC.)

So, are you scared or are you astonished by the high success ratio of the attack?

I have been using online banking for over three years. So far it has worked pretty well for me. I enjoy the convenience that online banking has brought me. So, maybe it is not bad after all.

A recent article by Tony Lima – Does Online Banking Put Your Money at Risk?, states that scammers and thieves are out there, but you can protect yourself. I agree with Tony. But I also think the security knowledge of the general public is far from good enough to protect themselves against the attacks that are invented every day.

Even for myself, I do not completely trust the security of online banking. For example, there is usually less than a $1,500 balance in my checking account. This is the average amount I use to pay my bills each month for apartment living. I have other accounts for which I never use online banking. In this way, I have limited the maximal loss on my account in the worst case.

Online banking brings us a lot of convenience and also poses additional risks. Knowledge is power. With more security knowledge, people can protect themselves from being attacked or tricked. There is a great need for more security training on and off campus for everyone who is involved in online banking and e-commerce.
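The message described in the post above (a From header that claims to be the bank, the bank's logo, and a link that asks for personal information) can be screened mechanically. The following is an added example, not code from ThePrivacyPlace.Org, that flags two of the tell-tale signs: links whose target is not under the domain the From header claims, and link text that shows one URL while the href points somewhere else. The sample message is constructed here; the domain-matching rule is a deliberately crude stand-in for a public suffix list lookup.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Crude "last two labels" rule; production code would consult the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw_message):
    """Return findings for an RFC 822 message; an empty list means nothing looked odd."""
    msg = message_from_string(raw_message)
    sender_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        # The link leads somewhere other than the domain the From header claims.
        if registrable_domain(host) != sender_domain:
            findings.append(f"link target {host!r} is not under sender domain {sender_domain!r}")
        # The visible text looks like a URL but names a different host than the real target.
        if text.startswith(("http://", "https://")) and urlparse(text).hostname != host:
            findings.append(f"visible URL {text!r} hides real target {href!r}")
    return findings

# Constructed sample modelled on the message the post describes (not a real email).
SAMPLE_PHISH = """From: "CitiBank Customer Service" <customerservice@citibank.com>
Content-Type: text/html; charset="utf-8"

<p><img src="citi_logo.gif" alt="CitiBank"> To protect you, please
<a href="http://203.0.113.7/update">https://www.citibank.com/update</a></p>
"""
```

Running `phishing_indicators(SAMPLE_PHISH)` yields two findings, one per heuristic; a message whose links stay under the sender's domain and whose link text is plain words yields none.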