Harper's Privacy Framework for DHS

Jim Harper writes:

At this week’s meeting of the Department of Homeland Security’s Data
Privacy and Integrity Advisory Committee, Joanne McNabb, Chief of the
California Office of Privacy Protection, and I circulated and
presented a draft ‘Framework’ for assessing homeland security
programs in terms of their consequences for privacy and related values.

Members of the Committee will be reviewing it and ?test-driving? it
in their respective work and studies of DHS programs and technologies.

Public comment on the draft would also be welcome, addressed to


I’ve skimmed it, it looks really interesting. Wish I had more time to think about it deeply. From Politech, via IP.

Fishermen's Friend, Breathalyzers

It comes after a 24-year-old driver was found to be over the legal drink-drive limit during a routine control in Munich. He was taken to the police station where blood tests found he had no alcohol in his system. The man was released after officers found the strongest thing he had taken was a Fisherman’s Friend.

Forensic doctor Thomas Gilg said the essential oils contained in the throat sweets reacted in the same way as alcohol on hand-held breathalysers. He said in tests they found just three of the mentholated sweets could cause a motorist to test three times over the legal limit.

My first question is, is this for real? Turns out there is a Prof. Dr.med. Dr.med.habil. Thomas Gilg at a medical school in Munich. I can’t find a paper or abstract, but I can see that T. Gilg publishes on forensic analysis. Good enough for now.

My second question relates to the breathalyzer, and its scientific validity. As Schneier pointed out in “DUI Cases Thrown Out Due to Closed-Source Breathalyzer,” the people who make these things don’t like to talk about how they work. If we don’t know how they work, how can we assign guilt on the basis of what it says? (Me, I think everyone with halitosis is guilty.) Is the breathalyzer the next polygraph — beloved of the CIA, but with no validity under Daubert?

From Ananova, “Sucking a Fishermen’s Friend could get you into trouble,” via Blondesense, via Sivacracy.

"Remains Safely Anonymous"

People seem to dig Star Wars posts. I could probably blog for a month on security lessons, illustrated with Star Wars quotes, but I’d need to buy the DVDs and get some video capture technology, and …


…ok. You’ve convinced me. Friday Star-Wars-security-lessons-blogging it is.

Ben: The “other” he spoke of is your twin sister.

Luke : But I have no sister.

Ben: Hmm. To protect you both from the Emperor,
you were hidden from your father when you
were born. The Emperor knew, as I did, if
Anakin were to have any offspring, they would
be a threat to him. That is the reason why
your sister remains safely anonymous.

That’s right. Keep listening to the crazy old hermit, he knows security: Anonymity protects children from those who would do them harm. If you can’t find the child, you can’t turn them to the dark side.

Be sure to tune in next Friday, when Admiral Piett’s actions illustrate Kerkhoff’s principle.

Bugger Productivity

It’s not like I was getting any work done anyway. (Ok, actually I was: Five of yesterday’s six posts took under 10 minutes, and four took 5 minutes or less.) But:

  • Scientists invade the privacy of Giant squid, intruding on their long-preserved solitude. Also be sure to notice National Geographic’s beautiful user interface for selecting photographs.
  • Ray Everett-Church has the right comments on the sad passing of Don Adams, in “Owner of World’s First Mobile Phone Dies.”
  • EPIC has good commentary on “Mass. Grocer to Market to Customers’ Wireless Phones,” including why this is more invasive than other “loyalty card” programs, and why they’re fooling you with the promise of lower prices.
  • The Wall St Journal has an article on the mash being made of the Do-Not-Call list, “Do-Not-Call Lists Under Fire.” It’s enough to make you think that the forthcoming data protection law shouldn’t have any state preemption. (Thanks to Rob for the pointer.)
  • And lastly, Republican Congressmen are questioning if the Pentagon is trying to evade oversight, as the New York Times reports in “Republicans See Signs That Pentagon Is Evading Oversight.”

University of Georgia, 2400 SSNs, Hacker

ATHENS – A hacker broke into a computer database at the University of
Georgia, gaining access to the Social Security numbers of employees in
the College of Agricultural and Environmental Sciences and people who
are paid from that department.

More than 2,400 numbers, belonging to roughly 1,600 people, may have
been exposed, UGA spokesman Tom Jackson said Wednesday.

The names and numbers were not connected on the documents, Jackson
said, but an experienced hacker could be able to interpret the data
well enough to match them.

I don’t understand how 1,600 people have 2,400 social security numbers unless one of them worked for RBC Dain Rauscher.

From the Atlanta Journal Consitution, “Computer breach reported at UGA,” via InfoSec News.

FinCEN Effectiveness

At the Counter-Terror blog, Andrew Cochran writes: “Treasury Department’s FinCEN Unit Recovering From “Cyberjacked” E-Mail System:”

The most important impact of the cyberjacking has been to shut down the automated system whereby FinCEN and law enforcement request and receive information from financial institutions for use in terrorism and money laundering cases.

The system, enacted under section 314(a) of the PATRIOT Act, took several years and numerous hiccups to implement, but it’s operated quite smoothly for over a year. Starting in March, FinCEN posted 314(a) requests for information on a secure website for review and response by over 24,000 financial institutions. FinCEN periodically issues results of the 314(a) requests, with the most recent out on September 13 (I had posted discussions of 314(a) request reports earlier this year here and here). According to this report, the requests for information issued since the 314(a) request system began in February 2003 have resulted 157 cases involving terrorism or terrorist financing and 272 cases involving money laundering. The results of the cases thus far are, quoting from the September 13 report:

1091 Grand Jury Subpoenas
13 Search Warrants
154 Administrative Subpoenas/Summons/Other
77 Arrests
72 Indictments
10 Convictions

$14,405,053.64 Total Dollar Amount Located

In my opinion, that’s a good track record which merits a ‘congrats’ to FinCEN, law enforcement, and the participating financial institutions. Although there was no compromise in the 314(a) system itself, FinCEN was wise to shut it down while they run security tests. They plan to transmit 314(a) requests in another manner until they can restore the automated system.

That’s a good track record? 24,000 institutions all reviewing these requests for ten convictions? (And is that a normal ratio of 1258 subponeas/warrants/etc to 77 arrests?) No wonder our credit card fees are going up. Note especially the FDIC’s instruction:

SISS can only be accessed by the financial institution’s designated Section 314(a) points of contact. If you use a third-party vendor or product to conduct searches, your institution is still required to log on and review the information on the SISS. (Emphasis mine.)

As Cochran’s co-blogger Victor Comras pointed out, “these rules have turned out to be a much more controversial matter than originally envisaged, and have provoked the ire of banking managers across the country.” 24,000 institutions required to review an endless stream of requests to find, well, on first glance, it’s to find enough money to fund 28 September 11th scale attacks. Or perhaps, since roughly 2/3ds of the cases are “money laundering” not terrorism related, it’s enough “terrorist money” to fund 9 attacks. But its not broken down by investigation type, so its hard to say what fraction should be attributed to “terrorist financing.” Maybe they’ve seized some Convent’s savings account, much like they’ve put nuns on the no-fly list? I just don’t understand how this can be seen as a good return on investigative effort.

What About My Needs?

While everyone (FCC, FBI, RIAA) is lining up to decide what software you can run, I’d just like to ask that I be included in the list.

The Federal Communications Commission thinks you have the right to use software on your computer only if the FBI approves.

No, really. In an obscure “policy” document released around 9 p.m. ET last Friday, the FCC announced this remarkable decision.

According to the three-page document, to preserve the openness that characterizes today’s Internet, “consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement.” Read the last seven words again.

Actually, no. I’d like to decide what software I run, subject to my needs. Thank you. (From “FBI to get veto power over PC software?“)

RBC Dain Rauscher, 300,000 SSNs, Disgruntled former employee


The FBI has opened an investigation into the possible theft of personal information about some clients of RBC Dain Rauscher Inc.

The chief executive of the Minneapolis-based brokerage firm disclosed the problem in a letter sent to 300,000 households. Dain Rauscher has not yet detected any fraudulent activity in their accounts, according to the letter from Dain head John Taft.

“While we have no information to believe that your personal information has been compromised in any way, we are treating this as a serious situation,” Taft wrote.
FBI agent Paul McCabe said the agency does not know how many accounts might be affected.

(Yeah, I don’t have “no information to believe” neither. But I do have reason to believe that information about these people have been compromised.)

Dan Callahan, a Dain Rauscher spokesman, said some clients have received anonymous letters sent last week by someone claiming to be a former Dain employee. The letter, received by a seemingly random group of more than 100 account holders, contained each recipient’s name, address, tax identification number, birthdate and Dain Rauscher account number.

You mean social security number, don’t you?

The Star Tribune obtained a copy of the profanity-laced letter, whose author said he was seeking revenge on Dain Rauscher because the company fired him.

The writer claims to have been able to copy information from “thousands” of accounts because Dain Rauscher did not remove his password from a mainframe computer. He claims to have sold the information to an unidentified buyer.

and finally, the company takes a cunning move from the Choicepoint playbook, putting their own victimhood ahead of that of their customers:

“We are a victim, just like our clients,” Callahan said. “We take their protection very seriously.”

Hint to Dain Rauscher: I referenced Larry Ponemon’s “After a privacy breach, how should you break the news?” months ago. It has some useful advice.

Quotes are from “FBI checking theft of Dain clients’ data,” via InfoSecurity News.

CUNY, Hundreds of SSNs, Exposed Files

The CUNY foul-up that put students’ personal information a Google search away from identity thieves was more widespread than first reported, with school officials saying yesterday that the Social Security numbers of hundreds of employees also got on the Web.

City University of New York officials detected the unprotected payroll link for Hunter College Campus Schools this past Wednesday after a law student tipped them about search engine links to CUNY files.

Delayed response

But while 335 Queens College law students got alerts on the breach Thursday, CUNY waited until Friday to e-mail memos on the Hunter problem that involved 265 workers and 171 former workers and retirees from the elementary and high schools, according to the Hunter memo and CUNY’s chronology.

From Newsday, “New CUNY security slip“, via Privacy.org.