Author Archive

Diebold certified despite inability to comply with NC law

Monday, December 5th, 2005

A previous blog entry discussed Diebold’s struggles with the latest electronic voting law passed in North Carolina. The situation then was that Diebold said it could not meet the law’s requirements, and its efforts in seeking an exemption had been dismissed. On Friday, December 2, the North Carolina Board of Elections still certified Diebold as one of three approved vendors for the state, despite Diebold’s admitted inability to comply with the law.

The EFF, which had fought Diebold’s attempts at an exemption in court, immediately posted its criticism of the board’s decision. An EFF attorney is quoted as saying: “In August, the state passed tough new rules designed to ensure transparency in the election process, and the Board simply decided to take it upon itself to overrule the legislature. The Board’s job is to protect voters, not corporations who want to obtain multi-million dollar contracts with the state.” The position of the North Carolina Board of Elections is that none of the electronic voting machine vendors could fully meet the requirements, so the board simply loosened the standards regarding source code escrow. The EFF disputes this claim, however, saying that at least one of the other vendors “has publicly stated that it is capable of meeting the escrow requirement for the code used in its system.”

A C|Net article quotes an advisor to the board as saying that “the Board of Elections decided at the last minute that it would allow the companies to be certified as long as they provided the state with the outside escrow locations of all the codes” – a requirement that must be met by December 22. This advisor to the board further says: “This is an extra step the board has decided to put in to strengthen the law that we have to work with.” I find this statement to be very inaccurate and unfortunate – how can making an exception and an end-run around the law possibly strengthen it?

The Baltimore Sun put up a well-reasoned editorial on the general concerns with electronic voting companies. Their conclusion: “Most nations do not use private companies to count their national election results; if the United States must, it had better make sure the voting, counting and transmission of poll data are as transparent and auditable – at every point – as possible.”

Diebold pulls out of North Carolina market

Thursday, December 1st, 2005

Earlier this year, the North Carolina legislature passed a bill that sets up standards for voting equipment used in elections. The bill sets out to “restore public confidence in the election process”. The law outlines many vendor responsibilities in Section 2.(a), including that “the vendor shall place in escrow with an independent escrow agent approved by the State Board of Elections all software that is relevant to functionality, setup, configuration, and operation of the voting system, including, but not limited to, a complete copy of the source and executable code…” as well as including “a list of programmers responsible for creating the software”. The penalties for violating the bill include a felony charge and a civil penalty of up to $100,000 per violation.

The new state law has led to Diebold threatening to pull out of the state, due to not being able to meet these openness requirements. Diebold originally sought an exemption, via an injunction guarding against prosecution as well as reinterpreting the law to not include Diebold’s situation. According to this AP article, Diebold claims that it can provide neither the source code nor the list of programmers for Windows, on which their voting machines are based. The EFF was involved in the case to thwart Diebold’s exemption status; the EFF details its involvement and links to its legal brief here.

I find Diebold’s position confusing and questionable in this situation. To say that they cannot comply with the state law means that they are either unwilling to comply, find it overly difficult to do so, or actually find it impossible to meet the requirements. If the first or second case is true, then Diebold is simply making a business decision not to compete in North Carolina. If, however, compliance is actually impossible, then one wonders how Diebold is still able to do business in California, where the Elections Code requires “an exact copy of the source code” for voting machines be provided to the state. Is the North Carolina market simply not worth it to Diebold?

North Carolina is supposed to announce today the list of approved vendors for electronic voting machines that meet the new law’s requirements.

What is Identity Theft, exactly?

Tuesday, November 15th, 2005

The fears and discussions of identity theft have increasingly flooded news sites and blogs in 2005, yet it is not always clear exactly what constitutes identity theft when data breaches and frauds are discussed. For example, the oft-discussed ChoicePoint data breach involved the fraudulent acquisition of over 145,000 people’s personal information, yet fewer than 1,000 individuals have been reported to have suffered any direct losses as a result. Back on February 18, Cox News Service reported that “the criminals collected enough financial data to begin buying everything from jewels to consumer electronics … at least 765 such crimes have come to light so far” (the article, “ChoicePoint boss keeps low profile amid crisis”, is available on Lexis/Nexis). So is it proper to say that 765 people were victims of identity theft, or 145,000? The media has not particularly attempted to distinguish the 765 victims from the 145,000 exposed to risk. To the media, all have been victims of identity theft – is this an accurate claim?

Wikipedia defines identity theft as “the deliberate assumption of another person’s identity, usually to gain access to their finances or frame them for a crime.” The same Wikipedia entry goes on to quote Javelin Strategy & Research founder James Van Dyke as arguing for two separate terms:

  • identity theft: unauthorized access to personal records;
  • identity fraud: unauthorized use of personal records.

This distinction helps to explain how a data breach can lead to identity theft, which may or may not result in identity fraud for each victim. Given Van Dyke’s interpretation of identity theft and identity fraud, I think we can more accurately express the various elements of data privacy. A data breach, such as the one befalling ChoicePoint, has undoubtedly led to 145,000+ victims of identity theft, where at least 765 of those people also suffered identity fraud.

A recent AP article highlights how the term ‘identity theft’ has been “too broadly defined and often misunderstood.” The risk, according to the article, is that “lawmakers and companies might be misdirecting their anti-fraud energies” and that consumers end up overly fearing Internet activities. The biggest problem with the term ‘identity theft’ lies in how the misuse of an existing credit card is classified. If a criminal simply obtaining your existing credit card number and embarking on a shopping spree counts as identity theft, then 40 million people were put at risk of identity theft by the CardSystems breach. If instead, we limit identity theft to the exploitation of personal information (more in line with the Wikipedia entry), then those victims become simply inconvenienced individuals. While they may face fraudulent charges on their account, U.S. citizens rarely have to pay up for those charges: there is a $50 limit on personal liability, regardless of the amount fraudulently charged. Instead, it is when criminals possess enough information to obtain a new credit card that we are victims of identity theft and threatened by identity fraud.

Wiretapping on the Internet: the government seeks greater access

Friday, November 11th, 2005

Every communications medium brings with it the potential for misuse, and the government has always been eager to have some sort of ‘backdoor’ access into that medium so as to avoid being left in the dark. Sometimes the only way to catch criminals/terrorists in the act has been to tap their communications – be it on traditional phone lines, cell phones, or email. Now with the recent surge in VoIP (Voice over IP) usage, the government once again seeks to ensure its ability to ‘tap the lines’ and monitor any suspected criminal activity.

CALEA, the Communications Assistance for Law Enforcement Act, came into effect 11 years ago as a way for the federal government to wiretap ‘telecommunications carriers’; the government now wants to expand that act’s coverage to include VoIP providers and ISPs carrying VoIP traffic. The current push is to get CALEA extended in full force to Internet phone traffic in the next 18 months. A new C|Net article details the government’s position, as well as some of the challenges being raised to this expansion. The challenges, however, largely focus on seeking exemptions for particular groups, such as universities, from having to add such backdoors to their systems.

Upon some basic review, it seems that the government’s position is a difficult one to maintain. The desire for wiretapping is understandable: in theory, wiretapping is reserved for when the government cannot gather evidence in other ways but has verifiable suspicion of wrongdoing. Granting exemptions to several groups may, however, simply result in criminals using those systems for their activities; if all universities are exempt from providing backdoor access to their systems, then surely those networks would be the logical place to conduct (illegal) business. From a privacy perspective, in gaining this expansion the government would be extending a very broad net of backdoor access to Internet traffic. It is also unclear whether CALEA was ever meant to extend into the online world. An earlier C|Net article covered many of the privacy and legal arguments raised by VoIP providers and concerned advocacy groups.

What you say (online) can be used against you

Thursday, November 3rd, 2005

The allure of posting thoughts, feelings, and commentary online has generally been fueled by the freedom and (at least pseudo) anonymity that the Internet provides. A person can start a blog or post on numerous social networking sites without fear of reprisal, as he/she will generally use a pseudonym or simply leave an anonymous comment. However, as the Internet has become more mainstream, companies and organizations are increasingly trying to discover the identities of such posters and hold them accountable for their words, actions, or portrayed behavior. Two recent situations receiving news coverage illustrate this trend.

The first example involves an employee who posted an anonymous comment (which included a racial slur) to a Yahoo! message board discussing his company. The company, Alleghany Energy Service, discovered the post and sued to reveal the identity of this anonymous poster. The company eventually received a subpoena and compelled Yahoo! to reveal the poster’s identity, and then fired the poster for the racial slur. The employee is countersuing for wrongful termination, among other claims. GWU law professor Daniel Solove, in his blog Concurring Opinions, discusses this situation in greater detail, including analyzing the legal situation surrounding the original suit and the countersuit.

On a college level, many students are now members of a site called the Facebook, which describes itself as “an online directory that connects people through social networks at schools”. Students can post pictures and personal details, as well as engage in discussions about anything and join groups for common interests. However, not just students are taking note, and some students have found themselves held accountable for the pictures and words posted online. A student paper at Boston College, The Heights, covers in this article how students have been subject to disciplinary action and, in one case so far, expulsion at the hands of university officials. You can use the print feature to view all article text without having to register for the site, as clicking to view the next page will force you into a registration process. The article summarizes the situation with this statement: “Students at schools across the country have recently been charged with everything from alcohol related infractions to making threatening comments to a campus police officer – all from photos or information posted on the Facebook.”

Both of these stories show the difficulty of maintaining any sort of private online identity, separate and distinct from the real world. In both cases, the actions of the company/university are somewhat questionable, as they involve pursuing the employee/student outside of the work environment and into that individual’s actions at home. In the case of the university, though, the students’ homes may be university property, in which case different rules may apply.

Google updates their privacy policy, and everyone takes notice

Tuesday, October 18th, 2005

On October 14th, 2005, Google put up a new privacy policy, replacing one that had been in effect since July 1st, 2004 (available here). This fact alone does not seem particularly newsworthy, but what has been interesting to observe is the extensive coverage on the internet of this change. People have been analyzing the changes, comparing the previous policy to the new one, and generally commenting on Google and privacy.

Google has also put up a new section entitled Google Privacy Policy Highlights, which seems to be an attempt to quickly capture the essence of the privacy policy for those who won’t read the entirety of the document. Given that so few people actually read privacy policies, this may be a benefit for consumers and regular internet users in getting them to read anything at all about what they are agreeing to when they use Google services. However, providing these highlights necessarily risks omitting details that may be important to some individuals.

The implications and legal status of a highlights document are also unclear. Just as in the case of the HIPAA Privacy Rule, a privacy policy highlights page may benefit users by making policies more readily accessible and actually read. However, following the Privacy Rule is necessary but not sufficient for HIPAA compliance; likewise, a company adhering to its highlighted privacy policy elements may still be violating other aspects of its policy. Furthermore, while Google still seems to be squarely on the side of good, more devious or uncaring companies may use a privacy policy highlights document to deceptively portray their privacy practices, knowing few (if any) people will take the time to review the longer, more legally significant full policy.

Google has continued to make previous versions of the privacy policy available for review/download, which is a good business practice but could go further. Granted, Google is doing more than most companies in this respect, but the next step would be to actually highlight the changes between two documents. Very few (if any) sites are providing this sort of privacy policy insight, so curious/concerned individuals are left to use other means for such analysis, such as this HTML diff tool. Using this tool, one can view the changes from the old policy to the new one here, although this only provides a literal diff between the documents and no high-level insight. Another text comparison that emphasizes the changes between documents is here.


Phishing: punishable by fines (in CA)

Tuesday, October 4th, 2005

California’s governor signed a new anti-phishing bill into law on September 30, 2005. The law “makes it unlawful for any person, through the Internet or other electronic means, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the approval or authority of the business” (quoted from Information Week). This law establishes a general rule for penalties in phishing cases: the government can fine convicted phishers for up to $2,500 per violation, while victims can either pursue actual damages or up to $500,000 per violation (whichever is greater).

Phishing is still a growing problem, according to an earlier PC World article and groups such as the Anti-Phishing Working Group. Gartner research indicates that, “between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million” (quoted from a CSO Online discussion). Clearly phishing is a growing and very real problem, but it remains to be seen whether legislative efforts like the new CA law will have any substantial effect. A PC World article notes that the new law may have a symbolic effect in raising awareness of the issue, and could have real impact starting with the first few phishers that are actually convicted and fined under the law’s provisions.

TSA’s Secure Flight in the news

Tuesday, September 27th, 2005

There have been several stories regarding TSA’s Secure Flight program and no-fly lists over the past few days. The major news this week is that TSA has announced that they will not use commercial data brokers in the initial deployment of Secure Flight (news presented in an article and confirmed at EPIC’s overview of Secure Flight). This announcement came just before a major report by the Secure Flight Privacy/IT Working Group [pdf] was released yesterday, in which the group was highly critical of the TSA’s actions regarding Secure Flight. Bruce Schneier discusses the report in more depth in a blog entry; he was a member of the working group.

Some other major stories about the TSA have come forward, covering people’s difficulties with the no-fly lists and the pains they endure in trying to remove themselves from the list, once mistakenly placed on it. Wired is running a story about several people who have had bad experiences with the system, including a nun who spent nine months on the list, missing meetings and events, until an appeal was made to Karl Rove and the situation was rectified. Another person’s dilemma is described in this article: a pilot was placed on the no-fly list and thus effectively unable to work, all because of what seems to be a data error. The pilot is fighting the situation in court. In this case, the government is maintaining that a person’s presence on the list and reasons for being there are so secret that even in court, they will not be disclosed to the defense.

In the Wired article, Secure Flight is presented by the TSA as the solution to these types of problems. However, with so many criticisms and concerns over privacy practices and data accuracy, there is much to be done before Secure Flight will have a chance to adequately address these issues.

Fighting back against undesired picture-taking

Tuesday, September 20th, 2005

Researchers at Georgia Tech have developed a prototype system to cancel out a digital camera trying to take a picture aimed its way. The system, described in more detail in this article, targets any detected digital camera lens with focused light to thwart successful picture-taking. Where the photographer might have tried to capture a private meeting or an inappropriate picture, they instead will have a “blurry picture of what looks like a flashlight beam.”

The technology works by actively detecting a digital camera lens based on its ‘retroreflective’ properties. Digital camera lenses are much more retroreflective than other surfaces, such as eyeglasses. The system is constantly putting out infrared light to find any spying cameras; after sensing a camera lens aimed towards the system, it immediately targets the origin with a “localized beam of light” to neutralize the attempted photograph. The researchers provide more detail at their page describing the project.

Hurricane Katrina and ID theft

Tuesday, September 13th, 2005

The reports of devastation and tragedy coming out of the areas affected by Hurricane Katrina have dominated the news for the past week and a half now. Many of the stories have centered around the outpouring of aid and personal efforts to rescue and restore survivors to some semblance of normalcy. Amidst these efforts, however, have cropped up some stories about the risk of identity theft and the efforts of some to defraud the victims of the storm.

Last week, experts (such as the FTC ID theft program head) were already warning the public of the high risk of identity theft tied to the hurricane’s aftermath. An AP story noted that “Social Security cards, driver’s licenses, credit cards and other personal documents are literally floating around New Orleans.” The risk of credit card fraud and identity theft is clear, as the information leakage was certainly not the first thought of survivors escaping their homes and being rescued from rooftops.

The same article notes that some 2,000 web sites popped up related to Hurricane Katrina relief efforts, but about a dozen are under investigation for potential fraud. Not only is there a risk from completely fraudulent web sites, but also from phishers spoofing major relief efforts such as the Red Cross or Salvation Army. This article notes the email scams already observed and the risk of such phishing attacks increasing in the coming weeks. According to the article, VeriSign has gotten involved in hunting down such phishing efforts and took down two such sites already as of last week.

Some unscrupulous individuals have already been arrested for attempted ID theft. Three people in Mississippi went to a shelter and posed as FEMA officials in an effort to obtain personal information – such as names, birthdates, and SSNs – from evacuees. The AP broke this story on Saturday.