A new report released by OpenTheGovernment.org indicates that the government’s spending on maintaining secrets is rising across the board. The summary of findings indicates that in 2004, $148 was spent keeping new secrets for every $1 spent releasing old secrets; this cost has been on the rise for the past several years, and as recently as 2001 the government only spent $20 to keep secrets for every $1 to release them.

The U.S. government also classified more documents last year than any year previously: 15.6 million documents classified, at a cost of $460 per document to keep it secret. Conversely, the number of Freedom of Information Requests hit an all-time annual high, with 4,080,737 requests for information. The government is still unable to keep up, though agencies are improving in their ability to handle requests.

This report is interesting in its discussion of how the government keeps secrets, what types of secrets are being kept, and the costs involved.

The AP has a story on the new report that summarizes many of the key findings and presents some reasons for the increased secrecy.

President Bush called for the adoption of electronic health records in his 2004 State of the Union and extolled their benefits, saying that “by computerizing health records, we can avoid dangerous medical mistakes, reduce costs, and improve care.” In 2005’s State of the Union, he reiterated his desire to seek “improved information technology to prevent medical error and needless costs.”

Recently, a Congress health subcommittee has been reviewing the efforts to deploy electronic medical records (EMRs) and has found progress to be “disappointingly slow” (according to Rep. Johnson, R-Conn.). The hearing (detailed in this CNET article) reviewed the pros and cons of moving towards paperless systems and included testimony from several health and privacy experts. Particular concern was noted for HIPAA’s lack of coverage of non-insurance health transactions; this means that medical records used in these transactions are not governed by the strict security and privacy requirements. It was noted that the lack of a uniform federal privacy standard may also make the deployment of an EMR system much more complicated.

Threats to personal information continue to mount; the latest reported risk to our personal privacy comes from companies selling cell phone records of consumers. For a significant fee, one simply needs to provide a person’s name, address, and cell phone number and can receive a record of that person’s outgoing calls for the past month. Details on several specific (online) companies and their offerings are discussed further in this Washington Post article.

While this sort of service appears to be generally illegal, companies are skirting the cell phone companies’ efforts to stymy the trade of such information. One expert interviewed by the Washington Post says that “information security by carriers to protect customer records is practically nonexistent and is routinely defeated” - a claim that carriers deny, despite the prevalence of companies advertising these services on the internet.

In Russia, a country looking to join the World Trade Organization, there is still rampant piracy of music, movies, and software. A visit to the street markets in major cities quickly reveals an incredible selection of CDs and DVDs, being sold cheaply almost regardless of their specific content. For example, when I visited Russia in 1999, all CDs cost the equivalent of US $3, whether they contained the latest band’s music or a copy of a Windows OS.

These days, however, there is a scarier deal on the market. It appears as though the information being acquired by fraud artists, hackers, and phishers is reaching the street markets, as personal information is being sold in bulk. The examples given in this Globe and Mail article include Russia’s 2003 tax return records and a mobile phone company’s subscriber list.

It appears that in our day and age, the privacy of our PII is constantly under attack by the flow of information, whether such flow was intended or not. As long as those with criminal intent are able to so easily acquire PII, the aggregation and exploitation of that information will only continue to grow.

A recent Gartner survey of public opinion regarding identity theft revealed that many consumers, “half those polled, either weren’t aware they were entitled to a free credit report or considered them ‘not effective’ in fighting ID theft” (quoted from this MSNBC article). The article goes on to say that about one-third of those polled were “very concerned” about becoming ID theft victims themselves. Perhaps the clearest result from the survey - entitled “Increased Phishing and Online Attacks Cause Dip in Consumer Confidence” - is that the free credit reports are nowhere near enough protection for consumers against the increasing threat of identity theft.

Enter in new legislation from two U.S. Senators, which joins a slew of other proposed legislation aimed at tackling the ID theft epidemic. Senators Specter and Leahy have recently put forth their own bill, which would establish penalties for not disclosing data breaches nationwide, as well as limit the sales of SSNs and increase consumers’ abilities to access the information data brokers have on them. This Reuters article describes the bill in a bit more detail.

Read the rest of this entry »

The epidemic of information theft, leakage, and loss continued this past weekend with the announcement by MasterCard that 40 million credit card accounts had been compromised. The breach - as always attributed to hackers first, although this may be later clarified - affected almost 14 million MasterCard accounts, with the rest belonging to Visa and other companies. The lapse in security was at a third-party processing facility (CardSystems Solutions Inc), not MasterCard itself.

The latest twist in this story, just being reported this morning, is that the third-party processing company is now admitting that they were breaking rules established by Visa and MasterCard regarding information storage. Consumer records were being stored for ‘research purposes’, according to the company’s CEO; the CEO explicitly states that “we should not have been doing that” (first reported by The New York Times). The same article also reports that CardSystems Solutions was storing the 3/4-digit verification codes that are supposed to heighten credit card security in online purchases. The presence of that information can “double or triple the black-market value of a cardholder’s account” - even more reason to question the company’s unnecessary data storage practices.

Read the rest of this entry »

President Bush is stumping for many provisions of the original Patriot Act to be not only renewed before expiring at the end of 2005, but permanent fixtures in the American legislative landscape. Bush argues that these provisions have all but singlehandedly saved America from terrorism, having “closed dangerous gaps in America’s law enforcement and intelligence capabilities” (as quoted in this CNN article).

While Bush is presenting the frightening could-have-been scenarios that were thwarted by the Patriot Act’s presence, however, many civil liberties and privacy advocates continue to argue the potential and real abuses of the Patriot Act’s sweeping power. While the opposition has been hard-pressed to point to specific cases of overreaching authorities, many still argue from a fundamental and constitutional standpoint that the Act should not be renewed. Some Senators are pushing for a scaled-back version of the Patriot Act (see this Wired article). The same article quotes an ACLU senior counsel’s key point: “the lack of a documented case of abuse doesn’t mean the law doesn’t violate civil liberties.”

Read the rest of this entry »

The epidemic of stolen privacy-sensitive information, largely starting with the fraud committed against ChoicePoint that came to light this February, has spurred states to adopt disclosure measures similar to the California law that has existed since July 2003. The California law was the first of its kind in requiring companies to notify consumers if privacy-sensitive information has been lost or stolen. Many privacy advocates heralded the California law as the only reason that ChoicePoint’s fraud issues entered the public spotlight. To date, five states - Arkansas, Georgia, Montana, North Dakota, and Washington - have already passed similar laws, while two other states - Florida and Illinois - are simply awaiting the governor’s signature.

A recent article that covers this recent legislative push by states can be found here.

IBM has contracted with UAE CERT Telematics, the “leading technology and research organization of the United Arab Emirates” (according to their site), to develop and deploy over 100,000 automobile-monitoring systems in the next four years. The devices, according to this article at GeekCoffee, “would be installed in cars to provide a voice warning if the driver exceeds the local speed limit for wherever he may be driving. If the voice warning is ignored, the system would use a GSM/GPRS link to beam the car’s speed, identity and location to the police so that a ticket could be issued.”

There is no announcement yet as to whether these devices will be mandatory, or who will be selected for having to install the devices in their vehicles.

Read the rest of this entry »

Most people have become accustomed to signing up for “discount” cards - such as MVP or VIP cards - when shopping at grocery stores. The cards provide the benefit of enjoying weekly sale prices, at the expense of some loss of privacy. A person generally has to disclose his/her name, address, and phone number when signing up for the cards. However, the store can then track each individual’s purchasing history while using that card on all purchases, whether the item was discounted or not, as most shoppers swipe their card for all subsequent purchases at a store.

This sort of information can be invaluable to a store’s marketing and business strategies, as they can track which sales seem to work and which products are simply in higher demand. Consumers generally accept the privacy tradeoff because they benefit from the perceived lower prices on the goods they want.

Recently in the news, however, a more invasive use of this privacy information entered the media spotlight, if but for a few days. The first news article, which can be found here, described a fireman charged for setting fire to his own house. The police arrested him after finding that his Safeway Club Card had been used to purchase a firestarter (and a firestarter was used in this particular fire). The firefighter claimed to have never purchased such a firestarter.

The use of such purchasing information to solve crime is nothing new - at least based on the perception created by television crime dramas - but still seems to push the boundaries of personal privacy information. As one who has never liked giving a store access to my entire purchasing history, I am always that guy who needs to borrow a discount card at the grocery store or gets the cashier to just swipe a store card. After reading this news story, however, I wonder if a criminal could completely cripple a person’s life by merely asking to borrow his/her card in line when making a purchase of something that will be used to commit crime.

While the details still are not fully clear on what happened in this arson case, the charges against the firefighter were dropped. The reason for the dismissal of charges, however, was not from police disregarding the results of this purchasing history; instead, it took another person coming forward and claiming responsibility for the fire for the firefighter to be cleared of suspicion. This confession came after the firefighter endured five months of public scrutiny and administrative leave from his job. A followup article on the story can be found here.

For anyone interested in the particulars of Safeway’s privacy policies, the details are here [pdf].

In the end, this is just another case of let the buyer beware - but in this case beware of who ends up knowing what you bought at the store…