June 2005


Politics & Privacy | 30 Jun 2005 11:18 pm

The AP is reporting that the credit card information of Federal Trade Commission (FTC) Chairwoman Deborah Platt Majoras was among those stolen from DSW Shoe Warehouse.

As I have blogged back on April 19, 2005, data thieves reportedly stole some 1.4 million customer names and credit card numbers from the computer systems of DSW, a popular shoe discounter. And on June 9, 2005, I blogged about the Ohio Attorney General Jim Petro’s suit against DSW for failing to promptly notify consumers whose data was stolen.

According to the AP report, Majoras learned of the loss of her data when she received a letter from the company notifying her of the breach.

The irony, of course, is that the FTC is the federal government agency responsible for policing many of the issues related to identity theft and fraud. This is not the first instance in which FTC commissioners have gotten first-hand experience in coping with problems under the FTC’s jurisdiction. Former FTC Commissioner Orson Swindle — still the best named FTC commissioner ever — was often fond of recounting his battles with the credit bureaus over erroneous data on his credit report that was impeding his ability to get a home mortgage. At the time, the FTC was suing the credit bureaus for failure to promptly resolve complaints about errors in credit reports. (Naturally, the credit bureaus still deny any wrong-doing.)

Luckily for Chairwoman Majoras, the FTC has some good information available for victims of identity theft, should her information actually be misused.

Law & Malware | 30 Jun 2005 04:18 pm

In near completion of their slide into the Dark Side, the Electronic Frontier Foundation has offered its congratulations to the malware makers WhenU on a recent court decision that will permit WhenU to generate pop-up ads over the websites of trademark holders.

The case involved 1-800-Contacts, who sued WhenU to stop them from generating pop-up ads for competitors when users attempted to visit the 1-800-Contacts website. The EFF had offered an amicus brief that raised some good points about the current state of trademark law, but ultimately missed the larger point of WhenU’s unfair and deceptive practices.

According to the EFF’s Fred von Lohmann:

“A trademark owner is not entitled to control your desktop just because you happen to be visiting its website. […] This decision is good news for consumers who want the freedom to install tools that help them customize their web-surfing.”

Forget that WhenU’s software, like other malware companies’ products, often winds up on consumers’ computers without their knowledge or permission. Forget that when somebody wants to do business with 1-800-Contacts, the unasked-for, unwanted pop-up ad interferes with that business transaction. Forget that 1-800-Contacts has invested heavily in building a brand name that companies like WhenU, and the clients whose ads they deliver, are attempting to unfairly leverage.

The EFF would have you believe that the WhenU case is about a corporation — whose website you are trying to visit of your own free will — trying to somehow seize control of your desktop and prohibit you from using all your favorite Firefox plugins. This spin on the dispute is not merely deeply disingenuous, it’s downright intellectually dishonest.

Far from permitting consumers to exercise more control over their desktops, and be presented with more choices, malware companies themselves are seizing control of peoples’ computers and displaying what the malware company wants them to see, often without ever having asked them if they wanted such an interruption.

Malware companies don’t aid in competition, they interfere with it, using technological trickery to slip in between a consumer and the site they actually wanted to visit. As I wrote in my testimony before the Federal Trade Commission at their 2004 Spyware Workshop:

I believe that the practices of spyware-based advertising companies generally act to turn upside-down the notion of fair competition in a free market, allowing unauthorized parties to free-ride on the investments of others. The result is to, in effect, allow those advertisers who utilize spyware-based pop-up ads to supplement their advertising budgets with the investments made by those whose brands are targeted by the pop-up software.

Through an unfair technological circumvention of the normal advertising process, these advertisers are given the ability to deliver their advertising based not on their own efforts and investment in brand identity and advertising presences, but rather upon the efforts, popularity, brand recognition, and investments of others.

As a result, it is my opinion that the inevitable result of permitting one category of companies to usurp the brands and goodwill of another will cause businesses to reduce their investments in promoting and advertising their Web sites, resulting in less competitive information being presented to consumers.

I used to admire the EFF, back when they worked on actual issues of freedom and liberty. But lately they seem more concerned with trying to find the needle of civil liberties in haystacks of wrong-doing. When real freedoms are being threatened, they’re busy defending bad guys whose behavior actually harms people.

Whether it’s their work defending Grokster (“no, of course our name wasn’t trying to appeal to users of Napster”) or defending WhenU (“consumers love our software, even though 98 percent who install it can’t uninstall it fast enough”), they seem to have lost their way.

Malware & Sillycon Valley Biz | 30 Jun 2005 12:41 pm

According to CNet’s Stefanie Olsen, Microsoft is reportedly in discussions to buy Claria, the notorious firm responsible for many of the unwanted pop-up ads and malware infections that are battled by consumers the world over.

According to BitsofNews.com, this move “underscores just how eager Microsoft is to catch up with Google, the search and advertising giant.” Eager?!?! How about desperate? Picking up Claria for its advertising network is like buying a nuclear test site because the lack of anything standing affords a great view of the mountains. Just ignore the 3-headed rabbits populating the poisoned ground and you’ll be fine.

There are plenty of other ad networks out there, most of which got to be successful without engaging in deceptive, unfair, and tortious activities.

Claria is a long-standing pariah among consumers, and its advertising reach is directly tied to its years of distributing malware and encouraging abusers to take advantage of security holes in Microsoft’s operating system to install the software surreptitiously and without permission. Claria claims to be migrating its business model to one focused on more legitimate forms of business. But like the Gotti family and their garbage hauling business, it’s going to take them some time to stop living off their “other” gigs.

To get an idea about how brazen Claria is these days, you really need to check in with Ben Edelman, who is doing yeoman’s work tracking the malware industry. His analysis of Ezone.com gives you an excellent example of how Claria takes advantage of inexperienced users to get their malware installed on the computers of unwitting consumers.

Dan Gillmor has also done an excellent job of encapsulating the Valley’s thoughts on Claria in his posting this morning. As he notes, neither company would be enhanced by a union. Although, as I will explain, I think it may actually be a better match than you might think.

When I served as an expert witness for a group of a dozen companies suing Claria, I learned a lot about their business practices. Unfortunately, I can’t really talk about any of the juicy details that I learned. Suffice to say, there was ample evidence in the record to make it worth Claria’s while to settle those suits — which they did last year.

Over the last several years, I’ve also had the opportunity to work fairly closely with executives at Microsoft on a number of issues related to privacy, security, and spam. While I have known a few really wonderful people who have passed through the doors at Microsoft, I’ve also found that in far too many instances, seeing a lengthy stint at Microsoft on someone’s bio is an all-too-reliable warning sign of someone you shouldn’t turn your back on.

Too many of my experiences with those who have risen to executive positions at the Redmond giant, and those alumni who have since moved on to build their own ventures, have been marked by bald-faced dishonesty and an utter vacuum when it comes to issues of ethics and honor. And the infection doesn’t stop there. I’ve learned that when Microsoft inserts its tentacles into various “independent” organizations, it has had remarkable success in driving out anyone with principles and stacking the organization with bought-and-paid-for apologists.

Yes, yes, I freely admit that I’ve got a chip on my shoulder when it comes to the ways in which I’ve been screwed by Microsoft over the years. But I’ve also learned that there are two kinds of people in this community: those who have been screwed by Microsoft, and those who keep begging for it as long as the money keeps flowing.

The irony is that, putting together what I know about Claria with what I came away with from my experiences with Microsoft, I think Claria would be an excellent fit for the Redmond culture.

Law & Privacy | 28 Jun 2005 01:54 pm

In a great piece of original reporting by Gripe Line Blogger Ed Foster, at least one of the banks whose customers were affected by the CardSystems security breach doesn’t feel it had any obligation to notify its customers.

I’ve previously covered the CardSystems security problems, and noted several times here and on the radio that the main reason we’re learning about these privacy breaches is because of new laws — such as one in California — that require companies to notify consumers whose private information has been compromised. These laws are a common sense requirement, giving consumers the information they need to be on higher alert for evidence of identity theft.

But as Ed Foster reports, the folks at Chase Manhattan Bank think the law is open to interpretation and don’t think the bank’s customers need to know about the risks they face:

“Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or an account password be involved,” [a Chase spokesman] told me. “None of those things were accessed in this case.”

As Foster notes, many other financial institutions are taking a different approach, believing that their customers might appreciate knowing when trouble might be around the corner. And, as previously noted, at least one state attorney general has decided that a failure to provide timely notice to consumers was a crime.

If your bank hasn’t notified you about any privacy risk to your credit card, it might be worth giving their customer service department a call to see if they can tell you definitively whether your card was at risk. If they don’t know or refuse to tell you, this might be a good opportunity to close your account, cut up your card, and consider reducing your risk by finding a bank that cares more about you.

Privacy | 24 Jun 2005 02:32 pm

The San Jose Mercury News has reported that the California Department of Managed Care has levied its largest privacy fine ever — $200,000 — against Kaiser Permanente of Northern California.

The California agency found that Kaiser had left sensitive patient information accessible on a public website. The information, including names, addresses, phone numbers, and lab results, had been accessible “for up to four years.” The breach was finally made public by a disgruntled former employee who blew the whistle by linking to the data on her online blog.

In this case, the concern isn’t so much that a criminal might have used a person’s name, address and phone number to steal their identity. “It’s more that your most recent gynecologic visit might be publicly available,” Ehnes said.

As you could probably guess, Kaiser is now suing the former employee for publicizing the privacy breach.

Punditry & Spam | 23 Jun 2005 03:07 pm

I was quoted in today’s CNet article about Microsoft’s deployment of Sender ID.

I’ve been working on email authentication issues for many years, including helping to develop a technology that Microsoft was once a beta-tester of. That technology, called Trusted Sender, turned out to be tremendously effective, which must be why Microsoft torpedoed it in favor of their lame “Caller ID for Email” scheme, which morphed into Sender ID.

Lest you think my complaints are just sour grapes, I’ll just say this. I’m not the only one who thinks Sender ID is a bad idea, and that Microsoft’s tactics in this space have been counterproductive. I also note that we revoked the patent applications on our Trusted Sender technology and publicly released the standard for anyone to use.

Parenthetically, Sender ID has largely been pushed by the Exchange team at Microsoft, a group of well-meaning engineers who have, unfortunately, designed one of the most dysfunctional email infrastructure technologies to ever be foisted on the world. Not only is Exchange a resource pig, but it is designed to thumb its nose at many critical email standards. For example, it commits a cardinal sin: it rearranges and occasionally even rewrites email headers. For those who aren’t steeped in email technology, just understand that fiddling with headers is like randomly changing numbers on your tax return… there’s just no telling how it’ll screw things up.

But the larger issue is that during the course of my many years of work on email authentication issues, I have constantly watched Microsoft attempt to bully and coerce the world into adopting its myopic view of email authentication. Microsoft started out its involvement in the authentication space by attempting to organize a consortium of companies that would collaborate on a common standard, but Microsoft insisted that the standard be patented and owned by the collaborating companies.

This would have ensured that they, as the only real enterprise software company in their hand-selected consortium, would have had the corner on the market. Seeing through the ruse, few of the participants wanted anything to do with Microsoft’s vision of how to control email. So Microsoft was on its own.

In considering which of the various authentication schemes Microsoft could actually support, they seem to have decided to crib from Meng Wong’s “Sender Policy Framework” (SPF), only they chose to make it even more cumbersome and obtuse. At one point SPF and Microsoft’s original “Caller ID” proposal were merged into what became known as Sender ID. Unfortunately SPF has its own problems, most of which are not helped, and in some cases are exacerbated, by the combination with Caller ID.

The current morass that is the email authentication debate is too long and convoluted to detail here. Suffice to say, the world still isn’t very close to a workable standard. My gut reaction to the Microsoft move is that they’ll make this big announcement, find out that tons of legitimate email is getting marked as spam, and have to make drastic modifications to the plan. Of course they’ll never admit that it was a mess, claim it’s all working beautifully despite any evidence that they realized their screw up, and continue to obstruct real progress in the space.

Miscellany | 23 Jun 2005 12:19 pm

I noticed a huge new spike in traffic… thanks to Yahoo listing me as a “Notable Site.” Very cool!

To everyone who is stopping by as a result, Welcome!

Privacy | 21 Jun 2005 11:33 pm

A data security flaw in the CVS Corporation’s “ExtraCare” loyalty card service was exposed Monday by the grassroots group Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN.

The security hole reportedly allowed anyone to learn what a customer had purchased using the loyalty card by using the card number, the customer’s zip code and first three letters of the customer’s last name.

According to an AP report, the CVS Corp. responded to the news by taking down the web site pending a redesign of the site’s security.

Homeland Security & Privacy | 20 Jun 2005 06:15 pm

The Transportation Security Administration (TSA), the people who rifle through your unmentionables and make you take off your shoes at the airport, were told by Congress that they should not build an airline passenger database for use in profiling.

“Oh, no! Of course we won’t!” the agency is reported to have responded. But what TSA can’t do, apparently contractors can.

According to an AP news item cited at HuffPost, the TSA hired a contractor who, in turn, hired three data brokers to gather detailed dossiers on U.S. citizens. The details of the program, called Secure Flight, are scheduled to be published in the Federal Register later this week.

According to the wire service story, the TSA obtained names from the airlines and then turned them over to a contractor, EagleForce Associates, who then used data brokerage firms to scrape together a more complete profile on each passenger, including:

[F]irst, last and middle names, home address and phone number, birthdate, name suffix, second surname, spouse first name, gender, second address, third address, ZIP code and latitude and longitude of address.

This is not the first time I’ve written about government agencies using private companies to do what the agency is prohibited from doing. Back in March, I was even quoted in a News.com piece about the embattled data brokerage firm ChoicePoint pitching itself to the FBI as being able to do what the agency was prohibited from doing.

I learned long ago in law school that you can’t hire somebody to do what you’re prohibited by law from doing. When you hire an assassin, you’re just as culpable. How these agencies intend to escape responsibility is unclear. But rest assured, the more the world looks into the work of data brokerage firms like ChoicePoint — and the organizations who hire them — the more difficult it will be for anybody to defend their practices.

Privacy | 20 Jun 2005 04:09 pm

Credit card processing vendor CardSystems Solutions is facing increasing scrutiny of its practices as consumers and lawmakers begin to demand an answer to how 40 million credit card transaction records were stolen from the company’s data banks.

As details about the breach begin to be made public, it’s clear that — once again — the problem is rooted in deep, systemic problems. In a story credited to the New York Times, CardSystems Solutions’ CEO John M. Perry said the data was being kept in a separate file for “research purposes” in violation of company policy. But the deeper problem was a security breach on the company’s computer network that allowed a hacker to install a “logging” program that gathered data and transmitted it to the hacker.

Unfortunately, the circumstances that led to the theft of 40 million credit card records from CardSystems are hardly a unique occurrence. Just ask Eli Lilly.

In late 2001, my old consulting firm, ePrivacy Group, was hired by the Federal Trade Commission (FTC) to help them investigate how nearly 700 email addresses wound up on the “To:” line of an email from the company’s “Medi-messenger” emailed reminder service at Prozac.com. The FTC investigated whether the company’s Privacy Policy had been breached by exposing recipients’ email addresses, and if so what caused the breach.

Our investigation revealed, as the FTC has publicly stated, that:

On June 27, 2001, a Lilly employee created a new computer program to access Medi-messenger subscribers’ e-mail addresses and sent them an e-mail message announcing the termination of the Medi-messenger service. The June 27th e-mail message included all of the recipients’ e-mail addresses within the “To:” line of the message, thereby unintentionally disclosing to each individual subscriber the e-mail addresses of all 669 Medi-messenger subscribers.

As our investigation turned up, Lilly had extensive and well-documented procedures for developing and testing such computer programs before they were put into production — procedures which were apparently ignored. In its settlement with the FTC in early 2002, Lilly agreed to implement a more vigorous security monitoring and compliance program, to properly train staff on adhering to the tenets of that program, to conduct annual audits of its systems, and to be subject to FTC review for a period of 20 years!
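The Medi-messenger failure mode in code, as an added example that is not from the original post, from Lilly, or from the FTC record: the defective pattern that lists every subscriber on the “To:” line, beside a sender that issues one message per subscriber, plus the kind of pre-send check a testing procedure should have enforced. The subscriber addresses and sender address are constructed placeholders.

```python
"""Added illustration of the Medi-messenger "To:" line disclosure and a
hardened alternative. Nothing here is Lilly's code; all addresses are
constructed sample values."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list; the real Medi-messenger list held 669 addresses.
SUBSCRIBERS = [f"subscriber{i}@example.net" for i in range(1, 6)]
SENDER = "medi-messenger@example.com"  # placeholder sender address
SUBJECT = "Medi-messenger service termination notice"
BODY = "The Medi-messenger reminder service is being discontinued."


def build_bad_notice(subscribers, sender=SENDER):
    """The defective pattern: one message with every subscriber on "To:".
    Every recipient can read the complete subscriber list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(subscribers)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def build_safe_notices(subscribers, sender=SENDER):
    """Hardened pattern: one message per subscriber, so the only address a
    recipient ever sees in the headers is their own. This does not rely on
    Bcc handling being correct in every mail client or relay."""
    notices = []
    for addr in subscribers:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = SUBJECT
        msg.set_content(BODY)
        notices.append(msg)
    return notices


def visible_recipients(msg):
    """Every address a recipient can read in the To: and Cc: headers."""
    raw = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def disclosure_check(msg, max_visible=1):
    """Pre-send gate for a one-to-many notice: refuse any message that
    exposes more than max_visible addresses. Returns (ok, exposed_count)."""
    exposed = len(visible_recipients(msg))
    return exposed <= max_visible, exposed


if __name__ == "__main__":
    ok, n = disclosure_check(build_bad_notice(SUBSCRIBERS))
    print(f"bulk To: message passes check: {ok} ({n} addresses exposed)")
    for notice in build_safe_notices(SUBSCRIBERS):
        ok, n = disclosure_check(notice)
        print(f"per-recipient message passes check: {ok} ({n} exposed)")
```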

Over the last few years, the FTC has continued to investigate privacy and security breaches. In cases like last week’s B.J.’s Wholesale, as well as Tower Records, Guess.com, and Microsoft’s Passport, each company’s privacy and security practices were compared to its privacy promises and found lacking.

In most of these cases, it’s clear that the companies thought they were being upstanding and responsible companies. Yet as the investigations turned up, their vague platitudes about privacy and security protection didn’t stand up to scrutiny. For example, Tower Records’ claim of using “state-of-the-art technology to safeguard your personal information” didn’t square with the fact that the company’s network administrators hadn’t applied available security patches for known vulnerabilities on its web servers.

As the CardSystems debacle plays out, I think what we’ll learn is that CardSystems’ screw-ups aren’t at all new or unique. Rather, they are part of an ongoing and systemic problem across corporate America, and are a direct result of the lackadaisical attitude of many companies towards the protection of consumer data in their care.

Until stronger laws give harmed parties real tools for holding companies accountable for such breaches, there will be little incentive for companies to take privacy and security more seriously.
