David Kirkpatrick

July 31, 2010

Food for online privacy thought

Three recent articles to ponder about how much — or really, how little — your online privacy is protected.

First up, from the Wall Street Journal, your data is money. I’m pretty sure just about anyone who’s been using the web for any amount of time knows all about tracking cookies, data mining and all that. This article goes into detail on just how much, and how detailed, information top visited websites collect on visitors.

From the link:

Hidden inside Ashley Hayes-Beaty’s computer, a tiny file helps gather personal details about her, all to be put up for sale for a tenth of a penny.

The file consists of a single code—4c812db292272995e5416a323e79bd37—that secretly identifies her as a 26-year-old female in Nashville, Tenn.

The code knows that her favorite movies include “The Princess Bride,” “50 First Dates” and “10 Things I Hate About You.” It knows she enjoys the “Sex and the City” series. It knows she browses entertainment news and likes to take quizzes.

“Well, I like to think I have some mystery left to me, but apparently not!” Ms. Hayes-Beaty said when told what that snippet of code reveals about her. “The profile is eerily correct.”

Ms. Hayes-Beaty is being monitored by Lotame Solutions Inc., a New York company that uses sophisticated software called a “beacon” to capture what people are typing on a website—their comments on movies, say, or their interest in parenting and pregnancy. Lotame packages that data into profiles about individuals, without determining a person’s name, and sells the profiles to companies seeking customers. Ms. Hayes-Beaty’s tastes can be sold wholesale (a batch of movie lovers is $1 per thousand) or customized (26-year-old Southern fans of “50 First Dates”).

“We can segment it all the way down to one person,” says Eric Porres, Lotame’s chief marketing officer.

Also from the WSJ, in the same series, is an article covering the same ground as the one above, with an emphasis on the consumer-tracking technology used by the top 50 sites.

From the link:

The tracking files represent the leading edge of a lightly regulated, emerging industry of data-gatherers who are in effect establishing a new business model for the Internet: one based on intensive surveillance of people to sell data about, and predictions of, their interests and activities, in real time.

The Journal’s study shows the extent to which Web users are in effect exchanging personal data for the broad access to information and services that is a defining feature of the Internet.

In an effort to quantify the reach and sophistication of the tracking industry, the Journal examined the 50 most popular websites in the U.S. to measure the quantity and capabilities of the “cookies,” “beacons” and other trackers installed on a visitor’s computer by each site. Together, the 50 sites account for roughly 40% of U.S. page-views.

The 50 sites installed a total of 3,180 tracking files on a test computer used to conduct the study. Only one site, the encyclopedia Wikipedia.org, installed none. Twelve sites, including IAC/InterActive Corp.’s Dictionary.com, Comcast Corp.’s Comcast.net and Microsoft Corp.’s MSN.com, installed more than 100 tracking tools apiece in the course of the Journal’s test.

And not to leave the government out of the online privacy picture, this PhysOrg story on the access the Federal Bureau of Investigation has to your online data, including email, really adds to online privacy concerns. Or at least it should.

From the final link:

Federal law requires communications providers to produce records in counterintelligence investigations to the FBI, which doesn’t need a judge’s approval and court order to get them.

They can be obtained merely with the signature of a special agent in charge of any FBI field office and there is no need even for a suspicion of wrongdoing, merely that the records would be relevant in a counterintelligence or counterterrorism investigation. The person whose records the government wants doesn’t even need to be a suspect.

The bureau’s use of these so-called national security letters to gather information has a checkered history.

The bureau engaged in widespread and serious misuse of its authority to issue the letters, illegally collecting data from Americans and foreigners, the Justice Department’s inspector general concluded in 2007. The bureau issued 192,499 national security letter requests from 2003 to 2006.

[Photo caption: In this June 28, 2010, file photo, Senate Judiciary Committee Chairman Sen. Patrick Leahy, D-Vt., gestures on Capitol Hill in Washington. The administration’s proposal to change the Electronic Communications Privacy Act “raises serious privacy and civil liberties concerns,” Leahy said Thursday, July 29, 2010, in a statement. Expanding the reach of law enforcement to snoop on e-mail traffic or on Web surfing is among the criticisms being aimed at the FBI as it tries to update a key surveillance law. (AP Photo/Susan Walsh)]

October 12, 2009

A sad day for civil liberties

Last week the Senate Judiciary Committee voted to extend the Patriot Act past the sunset provision slated to go into effect this year.

From the link:

Supporters of the Patriot Act say it gives law enforcement important powers to track down and investigate terrorists. Without the Patriot Act, U.S. law enforcement efforts to find terrorists would be significantly harmed, members of former President George Bush’s administration argued.

But the American Civil Liberties Union (ACLU) and the Center for Democracy and Technology (CDT), a digital rights group, both protested the Judiciary Committee’s decision to move the bill forward.


Parts of the Patriot Act would expire at the end of the year if Congress doesn’t renew them. The Judiciary Committee on Thursday voted 11-8 to approve the USA PATRIOT Act Sunset Extension Act with a handful of amendments.

One of the most controversial portions of the bill allows the U.S. Federal Bureau of Investigation to obtain warrantless subpoenas to get personal information from Internet service providers, telephone carriers and other businesses.

The National Security Letter (NSL) program allows the FBI, and potentially other U.S. agencies, to issue letters to businesses or organizations demanding information about targeted users or customers. E-mail messages and phone records are among the information that the FBI can seek in an NSL.

October 7, 2009

Small business cybersecurity guide from NIST

Cybersecurity is important at every level of business, and it is often an area where small businesses look to cut corners and save money.

The release:

New computer security guide can help safeguard your small business

Just in time for October’s Cyber Security Awareness Month, the National Institute of Standards and Technology (NIST) has published a guide to help small businesses and organizations understand how to provide basic security for their information, systems and networks. NIST has also created a video that explores the reasons small businesses need to secure their data.

The guide, Small Business Information Security: The Fundamentals, was authored by Richard Kissel, who spends much of his time on the road teaching computer security to groups of small business owners ranging from tow truck operators to managers of hospitals, small manufacturers and nonprofit organizations. The 20-page guide uses simple and clear language to walk small business owners through the important steps necessary to secure their computer systems and data.

Small businesses make up more than 95 percent of the nation’s businesses, are responsible for about 50 percent of the Gross National Product and create about 50 percent of the country’s new jobs, according to a 2009 Small Business Administration report. Yet these organizations rarely have the information technology resources to protect their sensitive information that larger corporations do.

Consequently, they could be seen as easy marks by hackers and cyber criminals, who could easily focus more of their unwanted attention on small businesses. And just like big companies, the computers at small businesses hold sensitive information on customers, employees and business partners that needs to be guarded, Kissel says. He adds that regulatory agencies have requirements to protect some health, financial and other information.

“There’s a very small set of actions that a small business can do to avoid being an easy target, but they have to be done and done consistently,” Kissel says.

In the guide Kissel provides 10 “absolutely necessary steps” to secure information, which includes such basics as installing firewalls, patching operating systems and applications and backing up business data, as well as controlling physical access to network components and training employees in basic security principles.

He also provides 10 potential security trouble spots to be aware of such as e-mail, social media, online banking, Web surfing and downloading software from the Internet, as well as security planning considerations. The guide’s appendices provide assistance on identifying and prioritizing an organization’s information types, recognizing the protection an organization needs for its priority information types and estimating the potential costs of bad things happening to important business information.


NIST works with the Small Business Administration and the Federal Bureau of Investigation in this outreach to educate small businesses.

Small Business Information Security: The Fundamentals can be downloaded from the Small Business Corner Web site at http://www.csrc.nist.gov/groups/SMA/sbc/.

The related video, “Information Technology Security for Small Business. It’s not just good business. It’s essential business,” features experts from NIST and the Small Business Administration. The video is available on YouTube and the Small Business Corner of the NIST Computer Security Web pages.