Archive for October, 2004

Identity Thieves Arrested

Friday, October 29th, 2004

Officials from six countries, including the U.S. Secret Service, worked together to arrest 28 suspects from an ID theft ring accused of stealing, among other things, more than 1.7 million credit card numbers. The thieves are noted to have gone after confidential information from both individuals and companies. This is the third in a series of worldwide investigations resulting in multiple arrests for identity theft.

Enforcement measures like these are encouraging, and should help to deter identity theft, but the sheer magnitude of information thieves can steal emphasizes the need to keep a close watch on information you want to keep private.

Read more at C|Net.

“Outing” the Need for Opt-In

Wednesday, October 27th, 2004

Law.com posted an article, entitled “Keeping Promises: Online Privacy Policies,” that describes a settlement between the FTC and Gateway Learning, the sellers of “Hooked on Phonics.” To summarize the complaint, Gateway Learning posted in its privacy policy that it would not share customer information with outside parties. Gateway Learning, despite these promises, began renting personal information to marketers — including names, addresses, phone numbers, ages, and information about consumers’ children.

This practice is alarming, but it is also interesting to note that, as part of the settlement provisions, the FTC prohibits Gateway Learning from sharing any personal information collected unless they receive an “opt-in” consent from the consumer. I’ve been an emphatic advocate for the notion of “opt-in” to be not only common practice, but implemented in the form of legislation. Presently, some companies allow consumers to “opt-out” of sharing information with third parties, most don’t give you a choice at all, and rarely do they ever have an “opt-in” policy. Privacy shouldn’t be the burden of the consumer, it should be the de facto standard.

Unfortunately, most of the sites we analyzed in the healthcare domain have nearly identical policies to that of Gateway Learning. You can read more about this analysis in our paper: An Analysis of Web Site Privacy Policy Evolution in the Presence of HIPAA.

Openness as a Privacy Protection Strategy

Tuesday, October 26th, 2004

Daniel J Weitzner has an editorial in this week’s Computerworld online called “Openness as a Privacy Protection Strategy.” At first it seems like a contradictory statement, and he references David Brin’s seminal work, The Transparent Society.

But just as Brin argues that increases in loss of privacy from surveillance aren’t Orwellian as long as _everybody_ has access to the surveillance, Weitzner seems to argue that customers needn’t necessarily fear companies collecting large amounts of information about them as long as this activity is “transparent.”

As Weitzner puts it:

Is the transparent enterprise destined to be the engine of the elimination of privacy? Has the analytic power and data-gathering reach of today’s information networks rendered privacy a disappearing artifact of simpler, less-networked times? I don’t believe so, but in order to retain the dignity, control and occasional solitude that are at the heart of privacy, we have to start designing systems differently.

First, we should embrace transparency as a design philosophy that can help people ensure that information about them isn’t used in a way that’s contrary to legally permissible purposes or in violation of agreements under which it was collected. Our design goal should be to provide active transparency to users. In many cases, people are comfortable about information collection, provided they know that it’s happening, understand the purpose of it and can check that it’s not being used inappropriately.

While I still think there is a very strong case to be made for actively working to minimize data collection, just as I believe there is a very strong case for actively working to minimize governmental surveillance, I think Weitzner’s point is valid. Transparency of data handling, i.e., making customers aware of what data is being collected about them and how it will be used, is a perfectly valid design goal. Software engineers need to be thinking about how this goal would affect their system designs.

Medical Records Database

Sunday, October 24th, 2004

Blue Cross & Blue Shield of Massachusetts is leading a coalition that will spend about $50 million to create a medical records system in three communities. This will cover about 2,000 physicians, hospitals, pharmacies, and potentially nursing homes and community health centers. The goal is to reduce the number of medical errors by allowing physicians to log into a central database containing all of a patient’s medical records. This is an alternative to keeping patient records on paper in filing cabinets.

With any new advance in technology and information sharing where the data has such a high level of sensitivity attached to it, privacy concerns are abundant. First, I am skeptical of the system when the primary investors are insurance companies. It seems that the insurance companies have a vested interest in consolidating all of a patient’s records into one location. Personally, and as a researcher, this concerns me because I don’t think that insurance companies should have access to such a database. Although I don’t see where it is explicitly stated that they would have access to the database, it seems very possible that this is one of their goals. Additionally, I am concerned about so many people having such easy and transparent access to my data. The possibility of a pharmacist or nurse looking up a neighbor or potential boyfriend in the database seems all too likely.

The adoption of such a system can undoubtedly bring forth advances in medical treatment and research, but at what cost to personal privacy? I urge everyone to consider the value of their medical history and the medical history of their friends, family, and community as an alternative to blindly accepting this new system.

Read more about the medical records database here.

Google’s desktop search tool and personal privacy

Sunday, October 24th, 2004

Google has recently released a new desktop search tool that allows you to search your hard drive for information in the same way as you use Google to search information on the web. This is an exciting new technology and brings more convenience to end users. But be careful about the privacy concerns with this new tool. The general public often gets excited about new technologies and hurries to try them out without realizing the implications. Educate yourself before you install the tool on your machine.

CNN has an article saying users could unwittingly let others see sensitive information. According to Richard Smith, a privacy-and-security consultant in Cambridge, Massachusetts, “Google Desktop is a great organizer for finding information on your hard drive. But it’s really a spying program. If it’s installed on your computer and somebody else starts poking around, they can learn a lot about you.”

If you are sharing a computer with someone, you’d better be very careful about what information is stored on it. For example, do you use an e-mail client that saves messages on the local hard drive? Do you regularly visit websites that you don’t want others to know about? (Because your browser automatically saves the visited pages for a while in the cache, you’d better clear the browsing history and location bar history every time after use.) Do you store other sensitive information on the computer, such as banking account details, credit card numbers, or usernames/passwords? With Google’s new tool, it would be very easy for other users of the computer to find this kind of information on the hard drive. Read more about privacy and desktop search.

Database storing information on homeless people

Friday, October 22nd, 2004

Privacy advocates are raising concerns over the collection and storage of data on homeless people. The Department of Housing and Urban Development is collecting such data, saying that it will help homeless people and battered women in the long run. What they do not realize is that there is a potential risk that someone might get access to information on a victim of domestic violence, find them, and hurt them more.
For more information, read: Tussling over victims’ privacy

EWeek Editorial on Data Governance

Friday, October 22nd, 2004

EWeek has a great editorial titled “The Governance Edge” in the current edition which does a great job of drawing the connection between controls in IT infrastructure and corporate ethics. As they put it:

“Without information management, there can be no corporate governance of any kind, good or bad.”

and later in the same editorial:

IT people will have to take part in the good governance of their own companies, through helping to implement Sarbanes-Oxley, the Patriot Act, SEC 17a-4 and HIPAA compliance solutions. The tools that vendors are offering IT managers to meet these compliance guidelines give IT managers the power to preserve data and audit it when need be. IT managers need to harness this technology to make good governance a day-to-day practice within their companies.

The problem we face as an industry is that we have to work governance issues into software engineering practices and eventually good governance principles need to be “baked in” to the products and services that are offered to customers.

What does this have to do with privacy management? Everything. Privacy management, financial data controls (Sox), HIPAA (medical privacy), COPPA (child protection), are all about placing controls on how and when data can be used, all of which fall under the umbrella term, “Data Governance.”

Massive Data Breach at University of California, Berkeley

Wednesday, October 20th, 2004

SecurityFocus News is reporting that data for about 1.4 million Californians was put at risk due to a security breach at a computer system that contained data for California’s In-Home Supportive Services program.

It’s interesting to note that investigators are not sure whether or not the personal information was actually extracted from the system. But California’s recently passed anti-identity theft law, SB1386, requires that all 1.4 million people whose data was on that system be notified so that they can take appropriate measures to protect their identity by calling the credit reporting agencies, etc.

Imagine having to write a letter on your university letterhead to 1.4 million citizens of your state telling them that you were not protecting their information from theft and that an incident has occurred in which the citizen’s personal information, including social security number, has been downloaded by an unknown person.

Internet Scam: phishing

Tuesday, October 19th, 2004

It seems like Internet scamming is on the rise. Recently, many incidents of phishing have been observed, causing the loss of millions of dollars in the US. “Phishing is a scheme that uses e-mails appearing to come from a legitimate company and directing recipients to fake websites where they are asked for personal or financial information.” Consumers should only disclose personal information when they initiate a transaction themselves.
For more information please visit: 500 million dollars lost in Internet ‘phishing’ scams in US

Spyware laws strengthened

Monday, October 18th, 2004

Spyware, a common problem for computer users, refers to covertly installed applications that monitor and record your computer usage habits. Spyware is not only invasive, but it can slow your computer down and cause it to crash. Fortunately, new legislation has been passed that adds large fines to the punishments that companies convicted of installing spyware can receive. However, it is easy to question the effectiveness of stricter laws, as the companies responsible for spyware might simply relocate to avoid possible fines. Helping consumers avoid spyware may be a more effective strategy, and to that end computer-maker Dell has partnered with getnetwise.org, a non-profit group aimed at educating consumers and helping them avoid spyware. Other getnetwise.org members include AOL and Microsoft. Read more at CNN and MSNBC.