Archive for October, 2005
RFID is a super hot topic right now. The potential market is huge. Many chip makers, including Texas Instruments, Intel, AMD, Motorola, etc., are convinced that RFID will become the most prevalent “electronic-based intelligence” technology of the 21st century. RFID will link machines, goods and people, helping companies gauge consumer preferences. RFID has raised a lot of concerns about compromising consumer privacy. Some people even set up a website to raise the public’s awareness of this topic. There is also a new book, “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID” by Katherine Albrecht and Liz McIntyre, that was recently published by Nelson Current.
A recent study by Javelin Strategy & Research has found that in 26 percent of all ID theft cases, the victim knew the person responsible for the theft. The same study explains that online identity theft isn’t the largest threat. For those users who are afraid to make purchases online, you may be interested to know that you are more likely to be at risk from dumpster divers. Still, identity theft has tripled in the past couple of years, so make sure you continue to shred personal documents, give out your personal information sparingly, and regularly obtain your credit report.
Video surveillance is very prominent these days and given ThePrivacyPlace.Org’s extensive analyses of privacy documents at Financial Institutions (see: Financial Privacy Policies and the Need for Standardization), I decided to examine whether financial institutions now mention the collection of information via video surveillance in their policy documents. I checked all nine institutions examined in our 2004 IEEE Security & Privacy paper. None of the nine institutions mention video surveillance in any of their privacy, security or legal statements. Given that banks, for example, collect video of all ATM transactions and of patrons that enter their institutions, it seems only natural that we, as patrons, have a right to expect that these practices be included in their policy statements. Video surveillance impacts one’s sense of autonomy because the knowledge that one’s actions are being observed may alter one’s behavior, thus resulting in a loss of privacy. There are certainly merits to video surveillance at ATM machines (public safety, deterrence of crime, etc.). However, the loss of autonomy results in a potential invasion of privacy about which patrons need to be informed. This begs the questions: Why are financial institutions not including their video surveillance practices in their policy statements? Are patrons not entitled to know how this video is used and whether it is aggregated with other kinds of information about them?
Missouri governor Matt Blunt signed an insurance audit bill, HB 388, on July 12, 2005 that requires the Missouri Department of Insurance to modify the consumer complaint form to include a provision in which consumers can authorize the public release of their file. The bill took effect in September 2005. Of the 377 complaints filed with the department during the first month, 334 consumers chose to not authorize the release of any information. That’s an overwhelming 90 percent of the insurance consumers who chose to keep personal information confidential. The new law allows consumers who file a complaint with the state about their insurance company to prevent disclosure of their personal information, including healthcare details. Prior to the new law, Missouri
The Chicago Bulls asked NBA player Eddy Curry to provide a DNA sample for testing his genetic makeup before signing a one-year $5M contract with the Bulls. Curry’s lawyer Alan Milstein says this is an invasion of Curry’s privacy and the implication could go beyond the sports world. “Hand that information to an employer,” he said, “and imagine the implications. If the NBA were to get away with it, what about everyone else in this country looking for a job.” Read the whole story.
California’s governor signed a new anti-phishing bill into law on September 30, 2005. The law “makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business” (quoted from Information Week). This law establishes a general rule for penalties in phishing cases: the government can fine convicted phishers up to $2,500 per violation, while victims can either pursue actual damages or up to $500,000 per violation (whichever is greater).
Phishing is still a growing problem, according to an earlier PC World article and groups such as the Anti-Phishing Working Group. Gartner research indicates that, “between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million” (quoted from a CSO Online discussion). Clearly phishing is a growing and very real problem, but it remains to be seen whether legislative efforts like the new CA law will have any substantial effect. A PC World article notes that the new law may have a symbolic effect in raising awareness of the issue, and could have real impact starting with the first few phishers that are actually convicted and fined under the law’s provisions.