digital rights, online privacy and the law

Here we go again, another federal employee’s laptop stolen, this time including private health data of 2,500 patients.  Of course the kickers are; the National Institutes of Health sat on this information for a month and the data on the laptop *was not encrypted*, which is against their own regulations.  “Almost 2,500 patients taking part in a federal medical trial recently had their private health data compromised when a researcher’s laptop computer was stolen. The National Institutes of Health, which was responsible for safeguarding the data, made things worse by delaying in notifying the patients. This disturbing incident underscores the need for a strong federal law to protect medical privacy and for greater responsibility by those who handle sensitive medical information. In late February, a laptop belonging to a researcher at the N.I.H.’s National Heart, Lung and Blood Institute was stolen from the trunk of his car. It contained information about heart disease patients, including their names, dates of birth and diagnoses of their medical conditions. The data was not encrypted as it should have been, which made it possible for an outsider to read. The N.I.H. waited roughly a month before notifying the patients whose data was lost. The release of this information is serious. Heart patients probably do not want their employers or insurance companies, among others, to know the details of their conditions. The breach is also a setback for medical research. Patients are likely to be reluctant to participate in clinical trials if their privacy is not respected.“  Who’s checking on people with sensitive data?  Can people not see the weakest link in that chain?

EFF has a great writeup of a LAtimes article that covers why the fight against illegal wiretaps and surveillance is so important, and how it threatens our most basic right.

Going back to the ’20s, Sanchez reviews multiple occasions when authorities have used spying powers not to protect the country, but to further the political aims of parties and politicians:

The original FISA law was passed in 1978 after a thorough congressional investigation headed by Sen. Frank Church (D-Idaho) revealed that for decades, intelligence analysts — and the presidents they served — had spied on the letters and phone conversations of union chiefs, civil rights leaders, journalists, antiwar activists, lobbyists, members of Congress, Supreme Court justices — even Eleanor Roosevelt and the Rev. Martin Luther King Jr. The Church Committee reports painstakingly documented how the information obtained was often “collected and disseminated in order to serve the purely political interests of an intelligence agency or the administration, and to influence social policy and political action.”

Sanchez traces the history of US government surveillance abuses by both Democrats and Republicans throughout the 20th century. He emphasizes that surveillance isn’t just a threat to privacy — it’s a threat to free speech. That’s why today’s wiretapping debate matters, even to those who may think they have nothing to fear.”

This is the bottom line, and why I’m such a ardent supporter of EFF.  Feel free to join if you are so inclined, but either way, thanks for reading 

Nice to see that others are coming to the same conclusion, after considering all the facts, that telecoms don’t deserve any immunity (retroactive or otherwise) in regards to their illegal wiretapping activities.

Classified documents and testimony about the National Security Agency’s warrantless wiretapping program show that it’s not necessary to grant retroactive immunity to telephone companies accused of unlawfully opening their networks to government spies, key congressional Democrats said on Wednesday. In a five-page statement (PDF), U.S. House of Representatives Judiciary Committee Chairman John Conyers and 18 Democrats on that panel contended the Bush administration has “not established a valid and credible case justifying the extraordinary action of Congress enacting blanket retroactive immunity.” Skepticism about the Bush administration’s once-secret eavesdropping program is nothing new for the Democrats who signed onto the statement. The key difference here is that they say their latest conclusions are based on a series of classified reports and briefings to which many of them only recently had access. “Our review of classified documents has reinforced serious concerns about the potential illegality of the administration’s actions in authorizing and carrying out its warrantless surveillance program,” they wrote.

Now que Dubya squawking on about how we’re less safe because he can’t pardon AT&T and others from breaking the law and ignoring our constitutional rights. Big Business meet Big Brother.

Here’s a good one, it looks like an agency in the UK has lost two computer discs containing “…the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25m people. Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts “for unusual activity.” The Conservatives described the incident as a “catastrophic” failure. In an emergency statement to MPs, Mr Darling apologized for what he described as an “extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines.” MPs gasped as Mr Darling told them: “The missing information contains details of all Child Benefit recipients: records for 25 million individuals and 7.25 million families.” So that’s a government agency we’re talking about, someone you’d normally trust (perhaps more with your personal information) than companies, since you’d think a government would take extraordinary measures to protect data on its citizens. It’s just so random there’s no way to truly protect yourself from the mistakes of the countless Dilbert’s out there failing to safeguard your data.

Hushmail was always known as a secure, private webmail company that markets itself by saying that “…not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.” So while the stored email is protected by the user’s passphrase, if this passphrase is authorized serverside by the user logging in via SSL the user is not using the more secure method with the Java Applet that they provide to have the passphrase encrypted (and I suspect hashed) before it’s sent over the wire. The advantage of the later approach is that the server never has the chance to see the ‘real’ password, but the user(s) gave up the ghost when they used the the SSL practice, which I suspect they never thought would lead to their downfall, especially when you look at how Hushmail markets themselves. So while not having to install that Java Applet is more convenient, it’s clearly less secure, “The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your pass phrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages.” Continue reading →

While data-mining techniques used for marketing should be viewed with a skewed eye, the fact that AT&T has developed a C language variant called Hancock to mine gigabytes of telephone and Internet records should raise red flags automatically. “…the phone company uses Hancock-coded software to crunch through tens of millions of long distance phone records a night to draw up what AT&T calls “communities of interest” — i.e., calling circles that show who is talking to whom. The system was built in the late 1990s to develop marketing leads, and as a security tool to see if new customers called the same numbers as previously cut-off fraudsters — something the paper refers to as “guilt by association.” [...] recent revelations that the FBI has been requesting “communities of interest” records from phone companies under the USA PATRIOT Act without a warrant. Where the bureau got the idea that phone companies collect such data has, until now, been a mystery. According to a letter from Verizon to a congressional committee earlier this month, the FBI has been asking Verizon for “community of interest” records on some of its customers out to two generations — i.e., not just the people that communicated with an FBI target, but also those who talked to people who talked to an FBI target.” Yep, let’s spread that net far and wide…here’s hoping AT&T is held accountable in it’s current federal court trial on its secret internet spying rooms in its domestic internet switching facilities for the NSA.