June 2005


Law & Spam20 Jun 2005 01:35 am

In a report to Congress issued last Friday, The Federal Trade Commission (FTC) said it does not recommend requiring unsolicited commercial e-mail to include “ADV” or other labels in the subject line as a means to reduce spam.

In a 46-page report, which included a half-dozen citations to brilliant comments by this humble and faithful correspondent ;), the Commission’s report states that, although subject line labeling may appear to offer a simple legislative fix for the problem of spam, the Commission doubts that it would materially help consumers or ISPs to block or filter unwanted commercial e-mail. As the report notes:

Subject line labeling seems appealing because ISPs theoretically could preset their filters to screen out all email messages containing a particular label. However, subject line labeling is a rather crude way to filter and likely would not be very effective to combat spam because it would not distinguish spam from legitimate marketers’ UCE that some consumers may want to receive. Only lawabiding commercial emailers would label their UCE. Spammers would simply ignore such a requirement. … [As] a representative from PrivacyClue noted:

    The reality is that most spammers these days are still engaged in activities that range from marginally legal to quite illegal, and as a result, failure to comply with ADV is no great leap for them to make…

As the Kansas City Star reported, the Commission’s opinion was not unanimous. In a dissenting opinion, Commissioner Jon Leibowitz said:

“Requiring commercial e-mail to be labeled is not a panacea but, as the Can Spam Act clearly recognizes, there is no single bullet theory for solving the spam problem.” He also said he thought that Congress had in fact intended labeling as a device to help consumers deal with unsolicited commercial e-mail even from legitimate marketers.

Privacy & Sillycon Valley Biz17 Jun 2005 07:10 pm

According to a report by CNet, a contract between Google and the University of Michigan to make millions of books searchable online contains no provisions for protecting the privacy of people who use the service.

As I have previously noted, Google’s privacy policy is rather confusing on the issue of what data the company stores about your searches and how it may cross-link that with any personal information it might have about you. Indeed, a recent interview with Google’s VP of Engineering suggested he was more focused on whether law enforcement had adequate access to your private information.

Google’s blind spot on privacy issues is pretty well-known. But one expert was disappointed that U. of Mich. missed the boat too.

“I would have hoped that the University of Michigan would be sensitive to the fact that Google tracks everything that everyone searches,” said Daniel Brandt, founder of the Google-watch.org Web site, which is highly critical of the search company’s policies.

I’ve said it before and I’ll say it again, Google will continue to step on its … um, … it’s message, yeah that’s it … the company will continue to step on it’s message of being a cool and customer-centric company until the day it finally gets somebody onboard to man the privacy watchtower.

Privacy17 Jun 2005 04:40 pm

According to an AFP report (which I first read at Huffington Post), MasterCard has announced that a security breach at one of its third-party processing firms has placed upwards of 40 million consumers at increased risk for credit card fraud.

One analyst quoted by CNet’s News.com said this was a big one.

“In sheer numbers, this is probably one of the largest data security breaches,” said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

Because the processor, Arizona-based CardSystems Solutions, processes cards for many firms, more than MasterCard customers are at risk. Indeed, only 13.9 million of the transaction records exposed involved MasterCard-branded cards.

As always, people need to review their credit card statements, looking carefully for anything out of the ordinary. Under U.S. federal law, your liability is capped at $50.00 for unauthorized charges, and many credit card firms will even waive the $50. And if you suspect your card may have been compromised, call the number on the back of your card and ask them for a new account number. They’ll usually get you a new card in just a few days. (And don’t forget to switch over any recurring billings you might have set up!)

Malware16 Jun 2005 09:26 pm

BitTorrent, the cool new thing in intellectual property theft, appears to be suffering from an infestation of malware. According to a CNet News article, the anti-malware maker Sunbelt Software has discovered that music and video files retrieved through BitTorrent’s decentralized file sharing system, were in fact infected with multiple types of malware.

In one case, an episode of the Fox TV show “Family Guy” was bundled with several pieces of known adware, according to Boyd. “Under that kind of load, a midrange PC can easily go under,” Boyd said. Both spyware and adware are known to hurt PC performance because they use PC resources to run.

So if you’re a BitTorrent user, be on the look-out. Personally, I think that if you get infected from willfully using a product like Kazaa, Morpheus, or now BitTorrent, it’s really just a case of “lying with dogs, arising with fleas,” and you’re getting what you deserve. But your mileage may vary. :-P

Punditry14 Jun 2005 04:14 pm

In my monthly column for eSecurity Planet, as they like to say in Congress, I “revised and extended” my previously blogged remarks about a federal panel looking into the role of the new federal Chief Privacy Officers.

[Update 6/17/05: I heard from Prof. Leslie Ann Reis, an old friend of mine who happens to be a member of the NIST committee that I talked about in my article. Apparently the news report overstated the “skepticism” expressed by the panel. That’s a good thing. I’ll eagerly await the committee’s report to see if it reflects a good understanding of the value of CPOs!]

Law & Privacy09 Jun 2005 11:59 am

OK, I freely admit that I was trying to be cutesy when I titled my April 19 blog entry “Waiting for More Shoes to Drop?” But it seems that I was prescient, because indeed, another shoe has dropped — in the form of a lawsuit against DSW Shoe Warehouse by the Ohio Attorney General.

According to DM News, Ohio Attorney General Jim Petro is suing DSW for failure to notify those consumers whose data was stolen from company computers back in March 2005.

The issue of liability for stolen data is going to become an increasingly ripe topic for debate as more and more data breaches become known to the public. A growing number of Federal Trade Commission enforcement actions, such as the Guess? Jeans case, have put companies on notice that they should expect to be held responsible if they fail to take reasonable precautions to prevent data theft.

As I discussed on The David Lawrence Show earlier this week, the idea of holding software companies responsible for security problems in their products isn’t a new one. And it’s only a small logical leap from there to holding companies responsible for failure to use readily available technologies — such as database encryption — to protect vulnerable data.

Sillycon Valley Biz09 Jun 2005 09:49 am

Red Herring magazine reports that PortAuthority (formerly Vidius) has raised another $13.4 million. Competitor Vontu has landed another $10 million. And PC Guardian, a crypto firm, closed a round for $6 million. Not too shabby! The message is pretty clear: there’s an increasing market for privacy and security technologies, and there’s plenty of room out there for real innovation. And where innovation goes, VCs throw money. :-)

Law & Malware08 Jun 2005 05:19 pm

Three cheers for Symantec! As I reported recently, malware companies have been on the offensive against anti-malware companies, trying to threaten, cajole, and sweet-talk anti-malware companies into not labeling their wretched products as “adware” and “spyware.”

According to News.com, after months of going ’round and ’round with adware maker Hotbar (whose insidious and unwanted “toolbar” I have removed from more than a few friends’ computers), Symantec finally tired of Hotbar’s bellicose bloviations and filed a lawsuit seeking the right to label Hotbar’s adware as, well, adware.

“We have been talking with (Hotbar) for the last several months, and over the course of that time, they have threatened to sue us on a regular basis,” [Symantec spokesman Cris] Paden said. … Symantec said it is not asking for money, but is seeking an affirmation that Hotbar products are indeed adware and can be treated as security risks. “We are simply asking for the judge to say that we are within our rights to detect Hotbar,” Paden said. The company would then be able to help customers remove the toolbars from their PCs.

The News.com article goes on to discuss several other anti-spyware companies who are also being threatened by the Hotbar hotheads. Meanwhile, Hotbar is apparently unlawfully representing itself as a licensee of the TRUSTe privacy program. When you click on the TRUSTe logo, it says:

www.hotbar.com IS NOT A VALID TRUSTe MEMBER WEB SITE

The unauthorized display of the TRUSTe trustmark is unlawful and violates a TRUSTe trademark. If you clicked on the TRUSTe trustmark or Click to Verify seal to get to this page, the site you are visiting does not have permission to display the seal.

I applaud Symantec for standing up to the petulant twits at Hotbar, and more importantly, for seeking a legal precedent that would potentially establish a legal right to call a spade a spade. Hopefully Symantec’s discovery of a backbone will inspire McAfee and other anti-malware companies to stand up to the malware industry’s Jedi Mind Tricks.

Meanwhile, the message to Hotbar is simple. When you’re in the malware business, you have to expect that when you depend on bullying tactics, one day you’re going to bully somebody bigger than you, and get yourself smacked right back. In my opinion, Hotbar should shut up and take their lumps like a grown-up. Like their cousins in the spam industry, the malware companies need to accept that there are more people gunning for them than there are ethically-challenged marketers to keep hiring them. The tide is shifting, and this market isn’t going to be a hospitable place to peddle that ‘ware for much longer.

Unless you’re prepared to set up shop in China or some other nation where enough money will buy you a secure homebase for businesses built on shaky moral grounds, it’s time for malware vendors to accept that the golden age of malware may be drawing to a close. Certainly we’re not there yet, but as Spyware Warrior notes, vast numbers of people are trying to get rid of malware. If it hasn’t already, the uninstall rate will eventually surpass the install rate of malware, despite the increasingly desperate techniques some malware companies are using.

Sorry Hotbar! You had a good run. But as Symantec knows, there’s more profit to be had in erasing your products than playing word games to protect them.

Privacy08 Jun 2005 02:26 pm

In yesterday’s PM edition of the National Journal’s Technology Daily, writer Sarah Lai Stirland reported on Tuesday’s panel discussion held by the National Institute of Standards and Technology advisory board on information security and privacy.

Since most of you probably don’t subscribe to Technology Daily, and probably aren’t willing to pay the few thousand bucks a year for a subscription, I’ll do my best to paraphrase the article. The article can be read for free at GovExec.com. Thanks Stephen!

The panel is preparing a report for the Bush administration summarizing “best practices” for federal chief privacy officers (CPOs). But according to the article, the the committee is considering rejecting a proposal for mandatory outside audits of federal CPO activities. A recent appropriations bill required the establishment of CPOs in each federal agency, and requires the department’s inspectors general to engage outside auditors. But due to the odd wording of the law, the auditors would be auditing the work of the CPO, not the practices of the department.

According to the article:

Rebecca Leng, deputy assistant inspector general for information technology and computer security at the Transportation Department, said the appropriations language does not outline the criteria for such audits. The law simply says inspectors general must hire auditors to check the CPOs’ activities. “At this point in time, nobody knows what good practices are in the field [of privacy,]” she said.

Maybe nobody in the security field knows what good privacy practices are, but thankfully, they did have privacy professionals from IBM, AOL, and even the Department of Health & Human Services, to tell them all about these new fangled privacy practices. L-)

As I’ve promoted the role of the CPO over the years, I’ve occasionally been met with skepticism from security professionals. But once educated about the complimentary, but fundamentally distinct roles of privacy officers and security officers, most security professionals are able to understand what, for them, are the most important elements of the debate: a) privacy officers pose no threat to the territory of the security officers, and b) privacy officers are usually tasked with managing issues that are much more subjective and politically sensitive than many security officers would ever even want to deal with.

It sounds to me like this panel needs some more information about privacy practices generally and the role of privacy officers.

But let’s not miss the bigger point here. Assuming Congress could fix the law so that it would require the auditing of privacy practices, instead of the day-to-day work of the Privacy Officer, this is something that should be encouraged. A critical element of the Federal Trade Commission’s enforcement actions in the realm of privacy has been the requirement for companies to bring in outside auditors to oversee their privacy fixes and ongoing practices. If this panel believes that you should only audit after a problem is discovered, then they don’t appear to have a good grasp on the reality of the prevailing privacy methodology that is at work in most enlightened organizations.

That methology is pretty simple: I ought to know, I helped develop it. The four elements of a coherent privacy program are:

  • Know your current privacy-related practices
  • Articulate those practices in a Privacy Policy
  • Implement those practices through training and oversight
  • Audit those practices, from within and without, to ensure compliance

It ain’t always easy to do, but it ain’t rocket science either. Hopefully the security-minded folks that appear to dominate the advisory committee will get some additional folks in there who can help them wrap their minds around the distinct issues arising from privacy matters.

Finally, I was particularly amused by the comments of Franklin Reeder, as they were reported in the Tech Daily article. Mr. Reeder is apparently a long-time government employee who, it appears, is selling his consulting services back to the government through his business, The Reeder Group. He was quoted in the article as bemoaning evils of “Beltway bandits”… those businesses, chock full of former government employees, who sell services back to the government. Nice work if you can get it… and don’t let the revolving door hit you in the ass. :-D

Privacy06 Jun 2005 12:49 pm

Many companies have chosen not to encrypt their important databases because of the added cost and complexity associated with it. But what are the costs of having unencrypted data laying around, vulnerable to theft, loss, and mishandling? Ask the 3.9 million Citigroup retail customers whose names, Social Security numbers, and account histories, fell off the back of a UPS truck in transit to a credit bureau.

You can also ask the 80,000 U. S. Department of Justice workers whose names and credit card numbers were on a laptop stolen from a travel agency in Fairfax, VA. How about the 10,000 people whose names, SSNs, and credit card numbers were nicked from the Stanford University Career Center. Or the 1,500 patients whose prescription information was at risk because somebody at the University of Pittsburgh Medical Center couldn’t figure out how to make a secure web page. Or the 16,500 whose data was stolen from an MCI employee database.

Suddenly, everybody is beginning to ask the question that many of us in the privacy and security business have been encouraging enterprises to ask: can you afford not to protect the privacy of your data? For so many businesses, their databases are among their most valuable assets. Customer lists, account and transactional histories, customer profiles — these are invaluable corporate assets that are critical to the operations of the company.

Historic disasters, like the destruction of the World Trade Center towers, taught some companies the importance of off-site data backups. But then these newly enlightened executives don’t think twice about handing an unencrypted backup tape to some bike messenger with a pierced lip.

My rule of thumb for corporate data storage: if it’s worth protecting, it’s worth encrypting.

« Previous PageNext Page »