ThePrivacyPlace.Org Privacy Survey is Underway!
$100 Amazon.com gift certificates sponsored by Intel Co.
gifts from IBM and Blue Cross and Blue Shield of North Carolina
By Jeremy Maxwell and Dr. Annie I. Antón
Hackers recently broke into Governor Palin’s personal Yahoo email account and, subsequently, several of her personal emails and family photos were posted on the Internet [See: BBC Article].
This recent case reminds us that we must be careful with the information we divulge online as well as the information that is requested of us online. Consider that the responsible hacker was able to guess Governor Palin’s answers to the security questions that Yahoo used by doing some simple Internet searching [See: PCWorld].
This attack could be considered a social engineering attack [See: Social Engineering Fundamentals]. Social engineering attacks are not technical attacks, but instead aim to trick the victim into divulging personal information. Phishing and trojan horses are also examples of social attacks. The Governor Palin attack, however, is similar to the attack described by Herbert Thompson, where an attacker can gain access to user accounts simply by using information available on the Internet, usually through some sort of password-resetting service that asks personal questions to validate the identity of the user. If this private information is well known, then anyone could impersonate the victim. Sources of information can include public records such as driving or court records, blogs, social networking websites, personal websites, etc. The lesson here is to avoid posting private information in a public setting. Most people would not post their Social Security number or the password to their email account on their blog, but the information they do post might be enough.
So before you post the name of your first pet on Facebook or MySpace or on your blog, think about whether it can be used to fraudulently impersonate you at a later date.
[Update: Fixed minor grammar error]
By Dr. Annie I. Antón and Gurleen Kaur
Erik Sherman’s September 4, 2008, BNET blog post, Privacy Policies are Great — for PhDs, analyzes the readability of common Internet privacy policies, including those of Google, Microsoft and Yahoo. His study supports the findings published by ThePrivacyPlace.Org researchers in IEEE Security & Privacy. Our studies showed that privacy policies are inaccessible to the very end-users they are intended to inform.
Last month, ThePrivacyPlace published an empirical study in IEEE Transactions on Engineering Management that reveals that users perceive traditional, paragraph-form policies to be more secure than other policy representations, but that user-comprehension of paragraph-form policies is poor in comparison to other policy representations.
Google recently announced their new open source browser, called Chrome, via a comic book. Although slated for release sometime today, the link mentioned in the comic book (http://www.google.com/chrome) appeared to be down, but is now up! The 38-page comic book is surprisingly informative, mildly entertaining, and certainly a unique way to release a new product, but don’t let the playfulness of the announcement fool you. Chrome has many important features, including a privacy-enhancing feature called “Incognito.”
Incognito is a user-visible feature that enables a private browsing mode. Private browsing is a relatively simple concept with tangible benefits to privacy. Under normal operation, a browser will store information about a user’s browsing history. Stored information could include sites visited, data downloaded, searches conducted, or even personal information entered. Under private browsing mode, that same browser simply doesn’t store this type of information. Essentially, a browser has no memory of what users do when private browsing is enabled.
Although private browsing is conceptually simple, it is not easy to implement because everything the browser does is affected by private browsing. Apple’s Safari browser has had a private browsing mode since version 2.0 (April 2005). Currently in version 3.1.2, Safari still is the only major browser to have a built-in private browsing mode. However, Safari’s private browsing mode isn’t perfect.
Private browsing was a planned feature for Firefox 3.0, but was dropped before the release because the developers “didn’t want to put something in that was half baked.” The Mozilla Wiki describes the current state of this feature and provides a link to a Firefox plugin called Stealther, which provides some private browsing features.
Microsoft has announced that they will include a private browsing feature, called InPrivate, in their next version of Internet Explorer. Microsoft’s effort seems to be even more ambitious than simply not storing data locally. For example, a Microsoft blog post describes a feature, called InPrivate Blocking, that would add the ability to block browsing information that would normally flow to third party sites.
Clearly, private browsing mode is not a trivial engineering task, but Chrome has some fundamental advantages over the “big three” that may simply make real private browsing easier to implement and maintain. Since Chrome will have Incognito on its first release there is less code that needs to be re-engineered to respect a private browsing mode. Also, Chrome uses a separate process for each tab, whereas a traditional browser only has a single process for all of its tabs. Multiple processes make it easier to sandbox tabs. As a result of these strict separations, it could be possible that Chrome would allow individual tabs to go “Incognito” while others act normally.
It is difficult to predict what sort of impact Chrome will have on the browser market, web application development, or Internet privacy, but if Chrome will have any impact, then it must compete with the “big three.” They are big for a reason, and a comic book isn’t going to solve that problem.
[ Update: Google has officially released Chrome at the following URL: http://www.google.com/chrome ]
by Jessica Young and Annie I. Antón
On May 19, 2008, Google launched Google Health, a new Personal Health Record (PHR) web portal that allows patients to gather and organize their medical records while keeping their physicians up to date about their health condition. As with other PHRs, like Microsoft’s HealthVault, Google Health does not appear to be covered by federal or state health privacy laws. According to the Google Health Terms of Service, Google is not a “covered entity” as defined in the Health Insurance Portability and Accountability Act (HIPAA); as such, “HIPAA does not apply to the transmission of health information by Google to any third party”.
Researchers at ThePrivacyPlace.org have evaluated privacy policies and privacy breaches since its founding in 2001. In particular, The Privacy Place researchers are addressing the extent to which information is protected in financial and health care systems that must comply with relevant laws and regulations.
Google Health is not a covered entity as defined in HIPAA. Thus, any personal health data that you submit to Google Health will not be afforded the same legal protections required of health care providers under HIPAA. Until state and federal agencies establish and enforce laws to protect the privacy of personal health records maintained by non-covered entities, individuals should carefully consider the risks involved in submitting sensitive health information to Google Health and other PHRs such as HealthVault. PHRs are not subject to the same privacy and security laws to which traditional medical records are subject in the United States.
We sent four questions regarding Google Health’s privacy practices via the Google Health Help Center on May 23, 2008. On June 4, 2008, we submitted the same four questions but this time via Google’s Web Search Help Center, where users are invited to submit questions specifically about Google’s privacy practices. It has been over three weeks since our first inquiry and we have yet to receive a response of any kind to any of our questions. Patients are concerned about the privacy of their health information. A lack of prompt replies to questions regarding health privacy is disconcerting and suggests that privacy is not a priority for those managing Google Health or manning the Google Help Center.
We focused on three questions of Microsoft’s HealthVault in our previous analysis. Here we examine these same three questions within the context of Google Health.
Will your health information be stored in other countries without appropriate legal oversight, skirting many of the protections afforded by the HIPAA?
Will your health care records be merged with other personal information about you that was previously collected within the context of non-health related services?
Are the access controls to your health records based not only on your consent, but also on the principle of least privilege?
Google Health.
Google Health Terms of Service, April 28, 2008.
A.I. Antón. Is That Vault Really Protecting Your Privacy?, ThePrivacyPlace.org Blog, October 9, 2007.
Google Health Help Center Contact Us [Question about privacy] page.
National Consumer Health Privacy Survey, California Health Care Foundation, 2005.
Google Health Frequently Asked Questions, no date provided.
ThePrivacyPlace is pleased to announce that we are moving to a new hosting provider and will be revamping our site to make it more informative. Please bear with us as we work to provide better service!
ThePrivacyPlace.org is pleased to announce that Peter Swire, a law professor at Ohio State University, and Annie Antón, a computer science professor at North Carolina State University, have co-authored comments to the Federal Trade Commission regarding Online Behavioral Advertising. The FTC has requested comments for its Proposed Self-Regulatory Principles for Online Behavioral Advertising. Professor Swire and Professor Antón’s comments examine the technical steps necessary to achieve consumer control. Their comments are available on the Center for American Progress website.
Researchers at ThePrivacyPlace.Org are still conducting an online survey about individuals’ experience with and perceptions of authentication technologies. The survey was released last August and is supported by an NSF ITR grant (National Science Foundation Information Technology Research). Your participation will help us with our investigations regarding digital identities. It will take about 15 to 20 minutes to complete the survey.
As a way of saying thank you for taking the time to complete our survey, we are also offering the chance to enter a drawing for one of two $50 Amazon gift certificates.
The URL is: http://www.theprivacyplace.org/current-survey/
The results will be posted on ThePrivacyPlace.org later in 2008.