Archive for 'Uncategorized'

Security Questions: Not As Secure As You Think

Thursday, December 15th, 2016

On the heels of recent news about the disclosures of 1 Billion Yahoo accounts, ThePrivacyPlace is proud to release the following PSA (Public Service Announcement) video that was created by a team of students in Georgia Tech’s Privacy, Technology, Policy and Law course during the Fall 2016 semester. The course is co-taught by Professor Annie I. Antón and Professor Peter Swire. This PSA, entitled “Security Questions: Not As Secure As You Think”, teaches you a few simple ways you can help protect your accounts from compromise.

Congratulations to Jacqui Grant, Alexa Grzech, Sherry Li, Tasneem Nabi, and Claudia Wang for receiving one of two 2016 Georgia Tech Privacy PSA Judges Award!

Prof. Antón appointed to the President’s Commission on Enhancing National Cybersecurity

Thursday, April 14th, 2016

President Obama has appointed Professor Annie Antón to be one of twelve members of the Commission on Enhancing National Cybersecurity.  The announcement describes the Commission’s task as follows:

The Commission is tasked with making detailed recommendations on actions that can be taken over the next decade to enhance cybersecurity awareness and protections throughout the private sector and at all levels of Government, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security.

She will be serving with an extremely distinguished non-partisan group of experts:

General Keith Alexander, USA (Ret) –  Chairman and CEO of IronNet, and former director of the National Security Agency.

Ajay Banga – president and CEO of MasterCard.

Steven Chabinsky – general counsel and chief risk officer for the cybersecurity technology firm CrowdStrike.

Patrick Gallagher – Chancellor and CEO of the University of Pittsburgh.

Peter Lee – corporate vice president of Microsoft Research.

Herbert Lin – Senior Research Scholar for Cyber Policy and Security at the Center for International Security and Cooperation and a Research Fellow at the Hoover Institution, both at Stanford University.

Heather Murren – private investor and member of the Board of Trustees of the Johns Hopkins University and the Johns Hopkins University Applied Physics Laboratory.

Joe Sullivan – chief security officer at Uber.

Maggie Wilderotter – Chief Executive Officer of Frontier Communications from 2004 to 2015, and then Executive Chairman of the company until April 1, 2016.

Georgia as the Next Cybersecurity Hub

Friday, May 8th, 2015

This week Prof. Annie Antón was a guest on Georgia Public Broadcasting’s On Second Thought to discuss the state of cybersecurity research and the cybersecurity industry in Georgia. You can listen to her segment alone or to the whole program.

Data Privacy Day in Atlanta

Saturday, January 24th, 2015

This Wednesday, January 28th, is data privacy day. The National Cyber Security Alliance is bringing together experts from industry, government, and academia to discuss the implications of future developments in technology for healthcare privacy. The event will be hosted on campus at Georgia Tech and it is titled: Health Privacy in a Fully Connected World: The Loss of Autonomy or Increased Opportunity for Longevity? If you’re interested in attending, tickets are available now.

Editorial on Healthcare Privacy

Saturday, January 24th, 2015

Professors Antón and Swire have an op-ed in the Atlanta Journal Constitution about the increasing importance of protecting healthcare data. It’s difficult to summarize an issue as complex as protecting privacy in healthcare information technologies, but this op-ed does it well.

2008 Privacy Values Survey Completed

Monday, September 29th, 2008

Our 2008 Privacy Values Survey ended this morning at 12:01 am on September 29, 2008. Thank you to the more than 2,000 survey respondents over the course of the survey.

Thank you for your interest! Please check back in a few months to see the survey results.

Previous survey results can be found in the following publications:

Earp, J.B.; Antón, A.I.; Aiman-Smith, L.; Stufflebeam, W.H., “Examining Internet privacy policies within the context of user privacy values,” IEEE Transactions on Engineering Management, vol.52, no.2, pp. 227-237, May 2005

Carlos Jensen, Colin Potts, Christian Jensen, “Privacy practices of internet users: Self-reports versus observed behavior,” International Journal of Human-Computer Studies, vol. 63, no. 1-2, pp. 203–227, 2005.

Vail, M. W.; Earp, J. B.; Antón, A. I., “An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies,” IEEE Transactions on Engineering Management, vol.55, no.3, pp.442-454, Aug. 2008

ThePrivacyPlace.org Authentication Technologies Survey Still Available

Monday, January 28th, 2008

Researchers at ThePrivacyPlace.Org are still conducting an online survey about individuals’ experience with and perceptions of authentication technologies. The survey was released last August and is supported by an NSF ITR grant (National Science Foundation Information Technology Research). Your participation will help us with our investigations regarding digital identities. It will take about 15 to 20 minutes to complete the survey.

As a way of saying thank you for taking the time to complete our survey, we are also offering the chance to enter a drawing for one of two $50 Amazon gift certificates.

The URL is: http://www.theprivacyplace.org/current-survey/

The results will be posted on ThePrivacyPlace.org later in 2008.

The Happiest Place On Earth

Friday, July 15th, 2005

In 1996, Walt Disney World in Orlando, Florida started using finger geometry scans to identify annual and season pass holders. Over the past six months, they have quietly extended this requirement to all ticket holders, meaning that anyone coming into the park must have their fingers scanned and verified. Disney officials say that records are not kept after the tickets expire, but it’s not clear if they are immediately purged from the system.

The scan does not make a record of a person’s fingerprints. Guests place their index and middle fingers on the scanner and the system recognizes certain characteristics such as finger thickness and length. A number is assigned based on these measurements, and this number is stored in the system for future comparisons. Injuries to the index and/or middle fingers can cause the system to falsely reject a guest’s profile, as can more mundane changes such as the presence of a ring that was not worn during the initial scan. AllEarsNet, an unofficial Walt Disney World guide, has an online FAQ about the scan. At present, the system is only being used in Walt Disney World, and not in Disneyland in California or any of Disney’s international theme parks. Universal Studios Orlando and SeaWorld are said to be planning to introduce similar verification systems in the future.

Larry Spalding of the American Civil Liberties Union was quoted as saying that while the Disney system, known as Ticket Tag, had been brought to the ACLU’s attention, no one had yet filed a complaint. Spalding expressed concern about the system, saying “Slowly but surely we’re just giving away our right of privacy, and the question is what are we getting in return?” Even if the records aren’t kept and can’t be matched to other biometric identifiers such as fingerprints, it still seems a bit disconcerting. As Civil Liberties Union spokesman George Crossley said, “I think it is a step toward collection of personal information on people regardless of what Disney says.”

Slashdot discussion here.

HEADLINE: Kaiser Permanente patient data exposed online

Wednesday, March 23rd, 2005

That was the headline for Linda Rosencrance’s article on Computerworld on March 16th. (See http://www.nwfusion.com/news/2005/0316kaiseperma.html?nl)

But did they really? When you dig several paragraphs deeper into the story the picture becomes much more ambiguous than the headline would lead you to believe.

A woman, known as “Elisa” and “Diva of the Disgruntled” on her weblog had been terminated from her job as a web coordinator at Kaiser. Some time later, she claimed that Kaiser had posted a series of system schematics for Electronic Medical Records (EMR) project on a publicly accessible web site as well as personal patient information for about 140 people. She filed a complaint with the Office Of Civil Rights on the grounds that it is a violation of HIPAA regulations. She apparently made no attempt to notify Kaiser directly. A Kaiser spokesman said that the company learned of the incident when the Office of Civil Rights began an investigation.

The parts of the story regarding posting of the EMR project schematics doesn’t seem to be in dispute. Elisa found the web site URL with the schematics when she googled the name of her former manager. She made these URLs publc on her web log. A Kaiser spokesman admitted that the schematics had been put on the web site in order to share them with remote IT people. It’s unclear that the project schematics themselves were particularly sensistive, though they have since been put behind a password protected site.

Now, if that had been all there was to this story it wouldn’t have been such a big deal. But what about the patient data for those 140 individuals? Elisa didn’t provide a URL on the Kaiser site where that information had been posted. She only posted the URL to where the schematcs were located. So as far as can be determined by the information in the Computerworld article, Elisa doesn’t seem to have produced any forensic evidence that Kaiser accidently exposed the information on their public web site.

What is known to have happened is that Elisa posted the real patient information on her web log. So it’s clear that she had possession of the patient information, but it’s not at all clear that she obtained that information from the Kaiser public web site. Kaiser got the web log ISP to remove the information and had to do so at least twice because Elisa reposted the information. She claims that she had intended to remove the information once the Office of Civil Rights had investigated. Of course she could have supplied the information directly to the consumers and she could have refrained from posting patient medical ecords to her publc web log.

The Kaiser spokesman said that Kaiser has notified the affected patients and is continuing to investigate how Elisa came into possession of the data.

Now, read the headline again:
Kaiser Permanente patient data exposed online

Ask yourself, does this headline accurately reflect the story? I don’t think so. The only evidence of an exposure is for the IT system schematics and it’s not at all clear that these are particularly sensitive, especially from a HIPAA point of view. Perhaps a more accurate headline should have been:

Former Kaiser Employee Posts Kaiser Patient Data To Weblog

There is no dispute about the fact that Elisa did this. But there is no evidence (at least none mentioned in the article) that Elisa obtained this information through an accidental disclosure on the Kaiser web site.

My point is not to disparage Linda Rosencrance or ComputerWorld for a misleading headline. My point is that Elisa had access to patient data somehow. Maybe she got it from the Kaiser public website as she claims. Maybe she somehow got access to the data while she was still employeed. Maybe she received it from an insider who still works for Kaiser. The fact of the matter is that it doesn’t matter to Kaiser how Elisa obtained the patient data. It’s still a publicity nightmare.

The question is, how can this be prevented? This is the heart of good data stewardship and good data governance. As far as I can see, there’s no way to prevent this except to treat the operating environment of the business inside the firewall as an untrusted environment. Everytime sensitive information is seen by eyeballs, everytime it’s written to any media as clear text, there’s a potential for this kind of incident, which I expect is keeping a lot of CSO-types awake at night.

Keystroke Logging Case Dismissed

Monday, November 29th, 2004

A judge in California ruled that the use of a keystroke logger, which is a device or program that records what you type on your keyboard, does not violate federal wiretap laws.

This case involved an employer installing a physical device between his secretary’s computer and keyboard that monitored and recorded what she typed.

Privacy advocates have argued that since keystroke logging facilitates covertly monitoring and recording information and conversations, cases should be prosecuted using the same laws that protect the public from telephone wiretaps. However, the wiretap laws offer very specific protection. In this case the best the prosecution could offer was that the computer being monitored was used to compose emails. Email can be protected under the wiretap laws but only as they travel over data networks. After they are stored, snooping is not protected under wiretap laws.

More information on this story can be found at SecurityFocus.com and more on keystroke loggers can be found at Wikipedia.org