Author Archive

UC Berkeley Laptop Theft Exposes 100K

Wednesday, April 6th, 2005

According to the Associated Press, a thief recently stole a laptop from the University of California at Berkeley that contained personal information about nearly 100,000 alumni, graduate students and past applicants. The information on the laptop includes names and Social Security numbers dating back to 1976.

Recently there were several similar security breaches reported involving loss of a large amount of personal data, including ChoicePoint Inc., a consumer data firm duped into distributing personal information about 145,000 people; Lexis-Nexis, where computer hackers obtained access to the personal information of 32,000 people; and Chico State University, where a computer hacking job exposed 59,000 people to potential identity theft.

Insurer Goes off SSN-Based IDs

Tuesday, March 29th, 2005

I do not carry my insurance card with me every day, because my Social Security number is printed on the card. If I lost my wallet some day, all of my personal information (including name, SSN, DoB and home address, which would be more than enough for identity theft) would be available to whoever got my wallet. I cannot afford the risk. But there is good news for New York State residents: Excellus Blue Cross Blue Shield of New York State has begun issuing new alphanumeric identification numbers to its policyholders, replacing its old Social Security number-based policy ID system. The switch is scheduled to be completed by the end of May. That’s absolutely great news. I hope Blue Cross Blue Shield of North Carolina can do the same thing for its customers so that I can carry my insurance card with me without worrying about what would happen if I lost it.

IT developers need to consider privacy implications of systems

Thursday, March 24th, 2005

Security and privacy should be designed into IT systems. Developers of new technologies must take privacy implications into consideration when developing new products. Vulnerabilities from intentional and unintentional intrusions or violations need to be guarded against at an architectural level. John Kavanagh recently wrote an article about what questions IT professionals should ask themselves about privacy when developing new systems.

Report by the ISF shows Outsourcing Carries Significant Risk

Wednesday, November 24th, 2004

On October 5, 2004, I posted a blog entry about California Governor Arnold Schwarzenegger vetoing three privacy bills, including two bills that would have restricted the outsourcing of medical and financial data services. In that blog entry, I argued that Governor Schwarzenegger’s decision was wrong.

Recently, a new report by the Information Security Forum shows that outsourcing and offshoring data processing and other business functions carries significant risk, particularly with regard to regulatory compliance. The report acknowledges that outsourcing is “here to stay,” and urges careful planning and management of outsource partners to minimize associated risks. Unfortunately, the full version of the report is available to ISF members only.

New security tested at U.S. border crossings

Wednesday, November 17th, 2004

The Privacy Place researchers have participated in a Transnational Digital Government project, which focuses on developing a prototype system for remote border control. Recently, I read an article that says new security technologies, which call for fingerprinting, photographing and running checks on suspicious visitors, are being tested at U.S. border crossings. Digital fingerscans and photos are matched with databases to determine if visitors might be wanted for immigration problems and crimes or are on lists barring them from entering the country because of suspected terrorist ties. The information will be stored indefinitely in a national database, but Homeland Security officials promised its use would be restricted to ensure privacy. By the end of 2005, the United States Visitor and Immigrant Status Indicator Technology program, or US-VISIT, is scheduled to be used at all 165 land border crossings.

IT security is the industry

Sunday, November 7th, 2004

The national strategy to secure cyberspace is extremely important, but its implementation has been weak, says Cyber Security Industry Alliance of Washington leader Paul Kurtz, whose last post was special assistant to the president and senior director for critical infrastructure protection. Kurtz believes cybersecurity should be approached from a business-risk viewpoint, given that most of the owners and operators of critical infrastructure are members of the private sector. The government cannot and should not shoulder the entire burden of protecting cyberspace. Read full story.

Google’s desktop search tool and personal privacy

Sunday, October 24th, 2004

Google has recently released a new desktop search tool that allows you to search your hard drive for information in the same way you use Google to search for information on the web. This is an exciting new technology and brings more convenience to end users. But be careful about the privacy concerns with this new tool. The general public often gets excited about new technologies and hurries to try them out without realizing the implications. Educate yourself before you install the tool on your machine.

CNN has an article saying users could unwittingly let others see sensitive information. According to Richard Smith, a privacy-and-security consultant in Cambridge, Massachusetts, “Google Desktop is a great organizer for finding information on your hard drive. But it’s really a spying program. If it’s installed on your computer and somebody else starts poking around, they can learn a lot about you.”

If you are sharing a computer with someone, you’d better be very careful about what information is stored on your computer. For example, do you use an e-mail client that saves messages on the local hard drive? Do you regularly visit some websites that you don’t want others to know about? (Because your browser automatically saves the visited pages for a while in the cache, you’d better clear the browsing history and location bar history every time after use.) Do you store other sensitive information on the computer, such as bank account or credit card numbers, or usernames and passwords? With Google’s new tool, it would be very easy for other users of the computer to find this kind of information on the hard drive. Read more about privacy and desktop search.

California governor vetoes privacy bills

Tuesday, October 5th, 2004

California Governor Arnold Schwarzenegger vetoed three privacy bills on Wednesday, September 29, 2004, including a bill that would have required employers to notify employees of e-mail monitoring, and two bills that would have restricted the outsourcing of medical and financial data services. Schwarzenegger said the bills were redundant to current law and would have only created more work for California businesses. Detailed story…

I’m afraid I do not agree with Governor Schwarzenegger. Of the three vetoed bills, one would have limited the data that medical firms can send abroad for processing without a patient’s consent. If the current law is sufficient to protect patient privacy, how could this happen on October 7, 2003? A Pakistani woman named Lubna Baloch sent an email to UC San Francisco Medical Center threatening that she would disclose patient medical records if UCSF Medical Center did not help her get the money she was owed. In her email she said, “Just to make you believe that I am not bluffing I am attaching latest voice file and text of your hospital.” Baloch had included private discharge summaries for two UCSF patients. Detailed story…

Army released a report about JetBlue privacy violation case

Monday, September 27th, 2004

The Army inspector general released findings from its investigation of Torch Concepts, a defense contractor, for privacy violations in testing data-mining techniques on JetBlue airline passenger records. According to the report, Torch Concepts did not violate the Privacy Act of 1974 because the personal data was collected from private sources and was never in the hands of the government. Compare this report with the Department of Homeland Security (DHS)’s Report to the Public on Events Surrounding JetBlue’s Data Transfer, in which the DHS privacy officer said TSA employees violated the spirit of the 1974 Privacy Act by asking JetBlue to provide the data. More discussion can be found here.

Does online banking put your money at risk?

Sunday, September 19th, 2004

I recently received another email “alert” from “my bank”, “CitiBank”, telling me that, due to recent identity theft and fraudulent emails, CitiBank needed me to update my personal information by clicking the provided link. The sender of the email was shown as “customerservice@citibank.com”. The CitiBank logo was displayed in the email. The request was to “protect” me, a customer of CitiBank. Everything seemed so right. I almost wanted to click the link, but I did not.

Of course, I would never click such a link. As a researcher working on security and privacy, I’m quite familiar with this kind of fraudulent email. But what about the general public, especially inexperienced Internet users: would they click such a link and update their personal information?

Studies have shown that this attack (using fraudulent emails and screens to trick customers into providing their personal information) has a surprisingly high success ratio. As many as 5% of the email recipients were tricked by these fraudulent emails and screens. (I wish I had a reference for you about the 5%. I heard it in a seminar at NC State University in May 2004 given by Professor Marianne Winslett from UIUC.)
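As an added example that is not part of the original post, here is a small Python check of the kind a mail gateway or a user-education demo might run over a message like the one described above: it flags links that point to a bare IP address, to a host outside the sender's domain, or to a target other than what the visible link text shows. The sample message is constructed, and the heuristics are assumptions for illustration, not any bank's actual rules.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message the post describes; not a real email.
SAMPLE = """From: CitiBank Customer Service <customerservice@citibank.com>
Subject: Please update your personal information
Content-Type: text/html

<html><body><p>Due to recent identity theft, please
<a href="http://203.0.113.7/update/">click here</a> or visit
<a href="http://citibank.com.example.net/login">www.citibank.com</a>.</p>
</body></html>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible anchor text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw):
    # Returns the reasons a message looks like a credential phish (empty if none).
    msg = message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host.replace(".", "").isdigit():  # crude IPv4 literal check
            findings.append(f"link to bare IP address: {href}")
        elif not (host == sender_domain or host.endswith("." + sender_domain)):
            findings.append(f"link host {host} is outside sender domain {sender_domain}")
        # Anchor text that looks like a hostname but differs from the real target.
        shown = text.lower() if text.lower().startswith("www.") else ""
        if shown and shown != host:
            findings.append(f"visible text {text} hides link to {host}")
    return findings
```

Note that the From header itself is trivially forged, so agreement between sender domain and link hosts is only one signal among many, not proof of legitimacy.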

So, are you scared or are you astonished by the high success ratio of the attack?

I have been using online banking for over three years. So far it has worked pretty well for me. I enjoy the convenience that online banking has brought me. So maybe it is not bad after all.

A recent article by Tony Lima - Does Online Banking Put Your Money at Risk?, states that scammers and thieves are out there, but you can protect yourself. I agree with Tony. But I also think the security knowledge of the general public is far from good enough to protect themselves against the attacks that are invented every day.

Even I do not completely trust the security of online banking. For example, there is usually a balance of less than $1,500 in my checking account. This is the average amount I use to pay my bills each month living in an apartment. I have other accounts for which I never use online banking. In this way, I have limited the maximum loss from my account in the worst case.

Online banking brings us a lot of convenience and also poses additional risks. Knowledge is power. With more security knowledge, people can protect themselves from being attacked or tricked. There is a great need for more security training, on and off campus, for everyone who is involved in online banking and e-commerce.