Shostack + Friends Blog Archive


The Evolution of Apple’s Differential Privacy

Bruce Schneier comments on “Apple’s Differential Privacy:” So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny. Do we know enough about what’s being done? No, and my bet is that Apple doesn’t know precisely what they’ll ship, and aren’t […]


RSA: Time for some cryptographic dogfood

One of the most effective ways to improve your software is to use it early and often.  This used to be called eating your own dogfood, which is far more evocative than the alternatives. The key is that you use the software you’re building. If it doesn’t taste good to you, it’s probably not customer-ready.  […]


What Price Privacy, Paying For Apps edition

There’s a new study on what people would pay for privacy in apps. As reported by Techflash: A study by two University of Colorado Boulder economists, Scott Savage and Donald Waldman, found the average user would pay varying amounts for different kinds of privacy: $4.05 to conceal contact lists, $2.28 to keep their browser history […]


Privacy Enhancing Technologies Registration now open

The program for the 2013 Privacy Enhancing Technologies Symposium is up, and there’s a lot of fascinating looking papers and talks. If you’re interested, registration is also open. PETS is one of my favorite conferences of the year.


Workshop on the Economics of Information Security

The next Workshop on the Economics of Information Security will be held June 11-12 at Georgetown University, Washington, D.C. Many of the papers look fascinating, including “On the Viability of Using Liability to Incentivise Internet Security”, “A Behavioral Investigation of the FlipIt Game”, and “Are They Actually Any Different? Comparing 3,422 Financial Institutions’ Privacy Practices.” […]


A Quintet of Facebook Privacy Stories

It’s common to hear that Facebook use means that privacy is over, or no longer matters. I think that perception is deeply wrong. It’s based in the superficial notion that people making different or perhaps surprising privacy tradeoffs are never aware of what they’re doing, or that they have no regrets. Some recent stories that […]


On Cookie Blocking

It would not be surprising if an article like “Firefox Cookie-Block Is The First Step Toward A Better Tomorrow” was written by a privacy advocate. And it may well have been. But this privacy advocate is also a former chairman of the Internet Advertising Bureau. (For their current position, see “Randall Rothenberg’s Statement Opposing Mozilla’s […]


Privacy, Facebook and Fatigue

Facebook’s new Graph search is a fascinating product, and I want to use it. (In fact, I wanted to use it way back when I wrote about “Single Serving Friend” in 2005.) Facebook’s Graph Search will incent Facebook users to “dress” themselves in better meta-data, so as to be properly represented in all those new […]


Happy Data Privacy Day! Go check out PrivacyFix

It’s Data Privacy Day, and there may be a profusion of platitudes. But I think what we need on data privacy day are more tools to let people take control of their privacy. One way to do that is to check your privacy settings. Of course, the way settings are arranged changes over time, and […]


Privacy and Health Care

In my post on gun control and schools, I asserted that “I worry that reducing privacy around mental health care is going to deter people who need health care from getting it.” However, I didn’t offer up any evidence for that claim. So I’d like to follow up with some details from a report that […]


Proof of Age in UK Pilot

There’s a really interesting article by Toby Stevens at Computer Weekly, “Proof of age comes of age:” It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint […]


Lessons from Facebook's Stock Slide

So as Facebook continues to trade at a little over half of their market capitalization of 3 months ago, I think we can learn a few very interesting things. My goal here is not to pick on Facebook, but rather to see what we can take away and perhaps apply elsewhere. I think there are […]


Will People Ever Pay for Privacy, Part XVI

Every now and then, a headline helps us see the answer to the question “Will people ever pay for Privacy?” Quoth the Paper of record: The seclusion may be the biggest selling point of the estate belonging to Robert Hurst, a former executive at Goldman Sachs, which was just listed by Debbie Loeffler of the […]


Age and Perversity in Computer Security

I’ve observed a phenomenon in computer security: when you want something to be easy, it’s hard, and when you want the same thing to be hard, it’s easy. For example, hard drives fail at seemingly random, and it’s hard to recover data. When you want to destroy the data, it’s surprisingly hard. I call this […]


Future of Privacy Seeks Input

The Future of Privacy Forum (FPF) is an interesting mix of folks trying to help shape, well, the future of privacy. They have an interesting mix of academic and industry support, and a fair amount of influence. They’re inviting authors with an interest in privacy issues to submit papers to be considered for FPF’s third […]


Mozilla's Vegan BBQ

The fine folks at Mozilla have announced that they’ll be hosting a BBQ in Dallas to thank all their supporters. And the cool thing about that BBQ is it’s gonna be vegan by default. You know, vegan. No animal products. It’s good for you. It’s the right default. They’ll have dead cow burgers, but you’ll […]


Study: More than 90% of Americans Take Action on Privacy

That’s my takeaway from a new study of 2,000 households by Consumer Reports: There are more than 150 million Americans using Facebook at this point, and that number is growing. … a new exhaustive study from Consumer Reports on social networking privacy found that 13 million American Facebook users have never touched their privacy settings. […]


Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before. From 1999 until […]


Chaos Emerges from Demanding Facebook Passwords

On the off chance that you’ve been hiding under a rock, there’s been a stack of news stories about organizations (both private and governmental) demanding people’s Facebook passwords as part of the process of applying for jobs, with much associated hand-wringing. In “I hereby Resign”, Raganwald discusses the downside to employers of demanding to look […]


Browser Privacy & Fingerprinting

Ivan Szekely writes in email: A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to […]


More on Real Name Policies

There were a couple of excellent posts about Google+ which I wanted to link in, but the post took a different path: “Google+ and The Trouble With Tribbles” The trouble with social is that it is social – with all the norms, behaviors and expectations that come with that. You cannot re-engineer that overnight (Facebook […]


Yes, Google+ Is a Failure

One of the most common bits of feedback about my post “Google+ Failed Because of Real Names” is that Google+ is now a huge service, and that the word failed is an exaggeration, or a trick of the rhetorician. Some folks might advise me to stop digging a hole, put down the shovel and walk […]


Google+ Failed Because of Real Names

It’s now been a few months since the launch of Google+, and it’s now fairly clear that it’s not a mortal threat to Facebook, or even Orkut. I think it’s worth thinking a bit about why Google+ isn’t doing better, despite its many advantages. Obviously, Google wants to link Google+ profiles to things in the […]


Shocking News of the Day: Social Security Numbers Suck

The firm’s annual Banking Identity Safety Scorecard looked at the consumer-security practices of 25 large banks and credit unions. It found that far too many still rely on customers’ Social Security numbers for authentication purposes — for instance, to verify a customer’s identity when he or she wants to speak to a bank representative over […]


The Irony Overfloweth

@RobArnold tweeted: “Someone thinks targeted Facebook ads are an effective way to ask for Firefox features. Any other Mozillians see this?” The irony of using a targeted ad, on Facebook, to ask for more privacy protection…


"Can copyright help privacy?"

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.” Key quote: One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two […]


Podtrac and Listener Privacy

It turns out that it’s very hard to subscribe to many podcasts without talking to servers. (Technical details in the full post, below.) So I took a look at their privacy statement: Podtrac provides free services to podcasters whereby Podtrac gathers data specific to individual podcasts (e.g. audience survey data, content ratings, measurement data, […]


Telephones and privacy

Three stories, related by the telephone, and their impact on privacy: CNN reports that your cell phone is being tracked in malls: Starting on Black Friday and running through New Year’s Day, two U.S. malls — Promenade Temecula in southern California and Short Pump Town Center in Richmond, Va. — will track guests’ movements by […]


Privacy is Security, Part LXII: The Steakhouse

But in the last year and a half, at least 50 diners at restaurants like the Capital Grille, Smith & Wollensky, JoJo and Wolfgang’s Steakhouse ended up paying for more than just a fine piece of meat. Their card information — and, in effect, their identities [sic] — had been stolen by waiters in a […]


CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like. After you’re done being outraged, […]


MySpace sells for $35 Million, Facebook to follow

So MySpace sold for $35 million, which is nice for a startup, and pretty poor for a company on which Rupert Murdoch spent a billion dollars. I think this is the way of centralized social network software. The best of them learn from their predecessors, but inevitably end up overcrowded. Social spaces change. You don’t […]


A Few Data Points

First, for those who might have missed it, Google has released Google Refine, a free tool for cleaning dirty data sets.  It allows you to pull in disparate data, then organize and clean it for consistency. Next, some interesting thoughts on how “anonymized” data sets aren’t, and some thoughts on the implications of this from […]


Microsoft Backs Laws Forbidding Windows Use By Foreigners

According to Groklaw, Microsoft is backing laws that forbid the use of Windows outside of the US. Groklaw doesn’t say that directly. Actually, they pose charmingly with the back of the hand to the forehead, bending backwards dramatically and asking, “ Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For […]


TSA News roundup

Act: Get this 2-page Passenger’s Rights Sheet: Outrage: “Gaping Holes in Airline Security: Loaded Gun Slips Past TSA Screeners” (Matthew Mosk, Angela Hill and Timothy Fleming, ABC News) “TSA + Police + JetBlue Conspire Against Peaceful Individual at JFK” (George Donnelly, “TSA Lies Again Over Capture, Storage Of Body Scanner Images” (Steve Watson, […]


TSA News roundup

Intrusiveness and outrage: “Homeland Security Is Also Monitoring Your Tweets” “‘Baywatch’ Beauty Feels Overexposed After TSA Scan” (David Moye, AOLnews) “the agent responded, ‘Because you caught my eye, and they’ — pointing to the other passengers — ‘didn’t.’” “POLICE STATE – TSA, Homeland Security & Tampa Police Set Up Nazi Checkpoints At Bus Stations ” […]


Grope-a-thon: Today's TSA roundup

Outrage “Adam Savage: TSA saw my junk, missed 12″ razor blades” (Ben Kuchera, Ars Technica with video) “DHS & TSA: Making a list, checking it twice” (Doug Hadmann, Canada Free Press) claims that DHS has an internal memo calling those 59% of Americans who oppose pat downs “domestic extremists.” No copies of the memo have […]


Israeli Draft, Facebook and Privacy

A senior officer said they had found examples of young women who had declared themselves exempt posting photographs of themselves on Facebook in immodest clothing, or eating in non-kosher restaurants. Others were caught by responding to party invitations on Friday nights – the Jewish Sabbath. (“Israeli army uses Facebook to expose draft dodgers,” Wyre Davies, […]


Grope up: Enough is Enough edition

Analysis: “‘Strip-or-Grope’ vs. Risk Management” Jim Harper, Cato@Liberty blog. Really solid thinking, although I usually don’t like asset-centric approaches, I think that for the physical world they make more sense than they do in software threat modeling. TSA more likely to kill you than a terrorist. thread at Flyertalk (thanks Doug!) “Has Airport Security Gone […]


Daily Grope Up

Outrage: Transcript: Senate hearing on TSA, full-body scanners (yesterday, not one Senator cared.) Today’s hearing: TSA Success Story (You can win in line.) If someone had done that to me at a nightclub I’d call the cops. Violated Traveling with scars Search this one for “pump” to learn about a diabetic’s experience. What would […]


It's time to call your Senator!

There’s no news roundup today, the stories are flying, unlike people, who are sick and tired of the indignities, the nudeatrons and the groping. If you want to see them, you can follow me on twitter or National Opt Out day Tomorrow, there’s a Transportation Security Administration Oversight Hearing whose only witness is TSA Administrator […]


Daily Grope-Up: The Groping Will Continue Until You Drive Edition

“‘Naked’ scanners at U.S. airports may be dangerous: scientists” (National Post) The head of the X-ray lab at Johns Hopkins says “statistically, someone is going to get skin cancer from these X-rays.” “DHS chief tells pilot, tourism reps scans and patdowns will continue ” ( includes link to a CNN story “Growing backlash against TSA […]


Lies, Damned Lies and TSA Statements: Today’s news grope-up

Earlier this week, the White House responded to the UC San Francisco faculty letter on nudatrons. (We mentioned that here.) National Academy of Sciences member John Sedat says “many misconceptions, and we will write a careful answer pointing out their errors.” TSA has claimed that pictures will have blurred genital areas to “protect privacy.” Except […]


Facebook and "your" photos

Facebook Changes Photo Memories to No Longer Show Your Ex-Boyfriends or Ex-Girlfriends: In response to numerous complaints, Facebook has changed its Photo Memories sidebar module to no longer display friends who a user was formally listed as in a relationship with. [Sic] But it’s not just about selective remembering because “Your Memories Will Be Rewritten.” […]


TSA Body Scanners News: Why show ID edition

First, a quick news roundup: EPIC is suing DHS for improper rulemaking, violations of the Fourth Amendment, the Privacy Act, the Religious Freedom Restoration Act, and the Video Voyeurism Prevention Act. The ACLU has a news roundup and a form to report on TSA behavior. The Airline Pilots Association advises pilots to show resistance. So […]


"My little piece of privacy"

Very entertaining video: I love it because curtains are privacy people will pay for, but even more, because, ironically for a privacy-enhancing technology, it generates more attention than not using it.


It's not TSA's fault

October 18th’s bad news for the TSA includes a pilot declining the choice between aggressive frisking and a nudatron. He blogs about it in “Well, today was the day:” On the other side I was stopped by another agent and informed that because I had “opted out” of AIT screening, I would have to go […]


Money is information coined

In the general case, you are not anonymous on the interweb, but economically-anonymous, which I propose to label “enonymous”, and that’s not the same thing at all. If you threaten to kill the President, you will be tracked down, and the state will spend the money it takes on it. But if you call Lily […]


ID theft, its Aftermath and Debix AfterCare

In the past, I’ve been opposed to calling impersonation frauds “identity theft.” I’ve wondered why the term impersonation isn’t good enough. As anyone who’s read the ID Theft Resource Center’s ‘ID Theft Aftermath’ reports (2009 report) knows, a lot of the problem with long-term impersonation problems is the psychological impact of disassociation from your […]


How not to address child ID theft

(San Diego, CA) Since the 1980s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]


What They Know (From the WSJ)

Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. Full disclosure, our site uses Mint for traffic analytics.


Credit Scores and Deceptive Advertising

Frank Pasquale follows a Joe Nocera article on credit scores with a great roundup of issues that the credit system imposes on American citizens, including arbitrariness, discriminatory effects and self-fulfilling prophecies. His article is worth a look even if you think you understand credit scores. I’d like to add one more danger of credit scores: […]


A Blizzard of Real Privacy Stories

Over the last week, there’s been a set of entertaining stories around Blizzard’s World of Warcraft games and forums. First, “World of Warcraft maker to end anonymous forum logins,” in a bid to make the forums less vitriolic: Mr Brand said that one Blizzard employee posted his real name on the forums, saying that there […]


Why we need strong oversight & transparency

[The ACLU has a new] report, Policing Free Speech: Police Surveillance and Obstruction of First Amendment-Protected Activity (.pdf), surveys news accounts and studies of questionable snooping and arrests in 33 states and the District of Columbia over the past decade. The survey provides an outline of, and links to, dozens of examples of Cold War-era […]


Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:” Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you […]


Bleg: How to Delete Kindle Logs?

Well, Amazon has a new update for Kindle (with folders! OMG!), and I’m planning to apply it. However, last time I installed an update, I noticed that it lost the “wireless off” setting, and was apparently contacting Amazon. I don’t want it to do so, and leave wireless off. It’s safer that way, whatever promises […]


Facebook Links

Some worthwhile reads on Facebook and privacy: Facebook’s Privacy Reboot: Is That all You’ve Got for Us? “The devil is in the defaults” Entire Facebook Staff Laughs As Man Tightens Privacy Settings


We'll always have Facebook…

Waitress Is Fired for Her Complaint on Facebook: Lesson Learned for Employers?. From [German Consumer Protection] Minister Aigner to Mark Zuckerberg: the importance of privacy Farewell, Facebook “Why one super-connected internet enthusiast decided it was time to pull the plug” 5 WTFs: I quit Facebook Today Quit Facebook Day versus 10 Reasons You’ll Never Quit […]


Facebook, Here’s Looking at You Kid

The last week and a bit has been bad to Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook: Maybe it […]



Let me tell you how it will be There’s one for you, nineteen for me Chorus: If privacy appear too small Be grateful I don’t take it all Thanks to Jim Harper for the link.


Makeup Patterns to hide from face detection

Adam Harvey is investigating responses to the growing ubiquity of surveillance cameras with facial recognition capabilities. He writes: My thesis at ITP, is to research and develop privacy enhancing counter technology. The aim of my thesis is not to aid criminals, but since artists sometimes look like criminals and vice versa, it is important to […]


Dear SSN-publishing crowd

There’s a bunch of folks out there who are advocating for publishing all SSNs, and so I wanted to point out (courtesy of Michael Froomkin’s new article on Government Data Breaches ) that it would be illegal to do so. 42 USC § 405(c)(2)(C)(viii) reads: (viii)(I) Social security account numbers and related records that are obtained […]


Smoke, Fire and SSL

Where there’s smoke, there’s fire, goes the adage. And in the case of an allegedly-theoretical exploit outlined in a new paper by Chris Soghoian and Sid Stamm (the compelled certificate creation attack), the presence of a product whose only use is to exploit it probably indicates that there’s more going on than one would like […]


Well that didn't take long…

The Guardian has reported the first official incident of misuse of full-body scanner information: The police have issued a warning for harassment against an airport worker after he allegedly took a photo of a female colleague as she went through a full-body scanner at Heathrow airport. The incident, which occurred at terminal 5 on 10 […]


Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science. For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: […]


Logging practices

Via a tweet from @WeldPond, I was led to a Daily Mail article which discusses allegations that Facebook founder Mark Zuckerberg “hacked into the accounts of [Harvard] Crimson staff”. Now, I have no idea what happened or didn’t, and I will never have a FB account thanks to my concerns about their approach to privacy, […]


News from RSA: U-Prove

In “U-Prove Minimal Disclosure availability,” Kim Cameron says: This blog is about technology issues, problems, plans for the future, speculative possibilities, long term ideas – all things that should make any self-respecting product marketer with concrete goals and metrics run for the hills! But today, just for once, I’m going to pick up an actual […]


"We can’t circumvent our way around internet censorship."

That’s the key message of Ethan Zuckerman’s post “Internet Freedom: Beyond Circumvention.” I’ll repeat it: “We can’t circumvent our way around internet censorship.” It’s a long, complex post, and very much worth reading. It starts from the economics of running an ISP that can provide circumvention to all of China, goes to the side effects […]


Can I see some ID?

Or, Security and Privacy are Complementary, Part MCVII: Later, I met one executive who told me that at the same time of my incident at another restaurant owned by the corporation, a server was using stolen credit card numbers by wearing a small camera on him. He would always check ID’s and would quickly flash […]


I'm not comfortable with that

The language of Facebook’s iPhone app is fascinating: If you enable this feature, all contacts from your device will be sent to Facebook…Please make sure your friends are comfortable with any use you make of their information. So first off, I don’t consent to you using that feature and providing my mobile phone number to […]


How to Make Your Dating Site Attractive

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that. So from product management and privacy perspectives I found this article very thought provoking: Bookioo does not give men any way to learn about or contact the female members of the […]


Privacy and Security are Complementary, Part MCIV

Privacy and security often complement each other in ways that are hard to notice. It’s much easier to present privacy and security as “in tension” or as a dependency. In this occasional series, we present ways in which they complement each other. In this issue, the Financial Times reports that “Hackers target friends of Google […]


Another Week, Another GSM Cipher Bites the Dust

Orr Dunkelman, Nathan Keller, and Adi Shamir have released a paper showing that they’ve broken KASUMI, the cipher used in encrypting 3G GSM communications. KASUMI is also known as A5/3, which is confusing because it’s only been a week since breaks on A5/1, a completely different cipher, were publicized. So if you’re wondering if this […]


Deny thy father and refuse thy gene sequence?

There’s a fascinating article in the NYTimes magazine, “Who Knew I Was Not the Father?” It’s all about the impact of cheap paternity testing on conceptions of fatherhood. Men now have a cheap and easy way of discovering that children they thought were theirs really carry someone else’s genes. This raises the question, what is fatherhood? […]


Fordham report on Children's Privacy

Following the No Child Left Behind mandate to improve school quality, there has been a growing trend among state departments of education to establish statewide longitudinal databases of personally identifiable information for all K-12 children within a state in order to track progress and change over time. This trend is accompanied by a movement to […]


Bob Blakley Gets Future Shock Dead Wrong

Bob Blakley has a very thought provoking piece, “Gartner Gets Privacy Dead Wrong.” I really, really like a lot of what he has to say about the technical frame versus the social frame. It’s a very useful perspective, and I went back and forth for a while with titles for my post (The runner up […]


Toyota Stalks Woman, Claims She Consented

In a lawsuit filed Sept. 28 in Los Angeles Superior Court, Amber Duick claims she had difficulty eating, sleeping and going to work during March and April of last year after she received e-mails for five days from a fictitious man called Sebastian Bowler, from England, who said he was on the run from the […]


The Presentation of Self and Everyday Photographs

With the kind help of our awesome readership, Amazon and Glazer’s, I’ve acquired a camera, some books, a tripod, a prime 50mm, a flash diffuser, a polarizing filter, a graduated neutral filter, and some other random photography toys tools. You might question this, but I can quit anytime. Really! I even offered to loan my […]


MA/NY: Using GPS To Track Cars Requires A Warrant

Jennifer Granick reports that in Massachusetts, Cops Can’t Convert Car Into Tracking Device Without Court’s OK. Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control […]


Private Thoughts on Race

So I’m sitting on the plane home from* Seattle, and I had a really interesting conversation on race with the woman next to me. We were talking, and she asked me, why is it so hard to have conversations like this. I thought that the answer we came to was interesting, and insofar as it […]


Ten Years Ago: Reminiscing about Zero-Knowledge

Ten years ago, I left Boston to go work at an exciting startup called Zero-Knowledge Systems. Zero-Knowledge was all about putting the consumer in control of their privacy. Even looking back, I have no regrets. I’m proud of what I was working towards during the internet bubble, and I know a lot of people who […]


Sunday Linkage Security/Privacy In The UK

Quarter of a million Welsh profiles added to DNA database since 2000. [I forget who linked to this one.] CCTV in the spotlight: one crime solved for every 1,000 cameras [Via the security metrics mailing list.]


Perfecter than Perfect

So I’m having a conversation with a friend about caller ID blocking. And it occurs to me that my old phone with AT&T, before Cingular bought them, had this nifty feature, “show my caller-ID to people in my phone book.” Unfortunately, my current phone doesn’t have that, because Steve Jobs has declared that “Apple’s goal […]


What Are People Willing to Pay for Privacy?

So I was thinking about the question of the value of privacy, and it occurred to me that there may be an interesting natural experiment we can observe, and that is national security clearances in the US. For this post, I’ll assume that security clearances work for their primary purpose, which is to keep foreign […]


Social network privacy study finds identity link to cookies

Quick follow up to Adam’s Monday post New on SSRN. Rob Westervelt over at tells us about a social network privacy study finds identity link to cookies. Turns out that passing unique identifiers in referring URLs isn’t such a smart idea after all. Color me shocked. The full paper is linked to from Rob’s […]
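The leak the study describes, a site putting a user’s unique identifier into a URL that then travels to third parties in the Referer header, is easy to check for from the third party’s side. The following is an added example, not code from the post or from the study it links: it scans a constructed access log of a hypothetical tracker host (ads.example) for Referer URLs from a hypothetical first-party site (social.example) whose query strings carry identifier-looking values, and shows the URL rewrite a site could apply so the Referer no longer carries the ID. The parameter-name list and the "long digit run or hex token" heuristic are assumptions, not anything the study specifies.

```python
"""Find unique identifiers leaking to a third party through Referer URLs.

Added example; the log lines, host names and heuristics are constructed.
"""
import re
from urllib.parse import urlparse, parse_qs, parse_qsl, urlencode, urlunparse

# Assumed: the site being audited and the tracker that receives its Referers.
FIRST_PARTY = "social.example"

# Assumed: query parameter names that usually carry a per-user identifier.
ID_PARAM_NAMES = {"id", "uid", "user", "user_id", "userid", "member", "profile_id"}

# Assumed heuristic for opaque identifiers: a long digit run or a hex token.
ID_VALUE_RE = re.compile(r"^(?:\d{6,}|[0-9a-f]{16,})$", re.IGNORECASE)

# Constructed tracker access log in Apache combined format; the Referer is
# the quoted field after the status code and byte count.
SAMPLE_LOG = """\
ads.example - - [10/Sep/2009:12:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://social.example/profile.php?id=123456789" "Mozilla/5.0"
ads.example - - [10/Sep/2009:12:00:02 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://social.example/home.php" "Mozilla/5.0"
ads.example - - [10/Sep/2009:12:00:03 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://social.example/album?aid=4&uid=987654321" "Mozilla/5.0"
ads.example - - [10/Sep/2009:12:00:04 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "http://news.example/story?id=55" "Mozilla/5.0"
ads.example - - [10/Sep/2009:12:00:05 +0000] "GET /pixel.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'"(?P<request>[^"]*)" \d{3} \d+ "(?P<referer>[^"]*)"')


def leaked_identifiers(referer: str, first_party: str = FIRST_PARTY) -> dict:
    """Return {param: value} for query parameters in a first-party Referer
    whose name or value looks like a unique user identifier."""
    if not referer or referer == "-":
        return {}
    parsed = urlparse(referer)
    if parsed.hostname != first_party:
        return {}  # another site's IDs are not this audit's concern
    leaks = {}
    for name, values in parse_qs(parsed.query).items():
        for value in values:
            if name.lower() in ID_PARAM_NAMES or ID_VALUE_RE.match(value):
                leaks[name] = value
    return leaks


def audit_log(log_text: str, first_party: str = FIRST_PARTY) -> list:
    """Scan a tracker's access log; return (referer, leaks) per leaking hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        leaks = leaked_identifiers(m.group("referer"), first_party)
        if leaks:
            hits.append((m.group("referer"), leaks))
    return hits


def strip_identifiers(url: str, first_party: str = FIRST_PARTY) -> str:
    """Rewrite a first-party URL without its identifying query parameters,
    the form a site should link to so the Referer carries no user ID."""
    parsed = urlparse(url)
    leaks = leaked_identifiers(url, first_party)
    kept = [(k, v) for k, v in parse_qsl(parsed.query) if k not in leaks]
    return urlunparse(parsed._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for referer, leaks in audit_log(SAMPLE_LOG):
        print(f"{referer} leaks {leaks}; safe form: {strip_identifiers(referer)}")
```

Run against the constructed log, two of the five hits leak an identifier (the profile page’s id and the album’s uid); the news.example line is ignored because it is not the audited site, and the album’s aid=4 is kept because it matches neither heuristic. Stripping the parameter from links is the narrow fix; the general one is to keep per-user identifiers out of URLs altogether, since Referer is only one of the paths by which a URL escapes.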


New on SSRN

There’s new papers by two law professors whose work I enjoy. I haven’t finished the first or started the second, but I figured I’d post pointers, so you’ll have something to read as we here at the Combo improvise around Cage’s 2:33. Paul Ohm has written “Broken Promises of Privacy: Responding to the Surprising Failure […]


We Live In Public, The Movie

One of the best ways to upset someone who cares about privacy is to trot out the “nothing to hide, nothing to worry about” line. It upsets me on two levels. First because it’s so very wrong, and second, because it’s hard to refute in a short quip. I think what I like most about […]


Hearsay podcast: Shostack on Privacy

Dennis Fisher talks with Microsoft’s Adam Shostack about the Privacy Enhancing Technologies Symposium, the definition of privacy in today’s world and the role of technology in helping to enhance and protect that privacy. As always, a fun conversation with Dennis Fisher. Ran longer than I think either of us expected at 41:15. And speaking of […]


Today's Privacy Loss – English Soldiers' Details Published

Demonstrating that no one’s data is safe, the names, pay records, and other personal information of 90,000 English soldiers was placed on the Internet. These soldiers, who served with King Henry V at Agincourt now have their information listed at, exposing them to the chance of identity theft after nearly 500 years. The soldiers […]


Kindle Brouhaha Isn't About DRM

In case you haven’t heard about it, there is a brouhaha about Amazon un-selling copies of two Orwell books, 1984 and Animal Farm. There has been much hand-wringing, particularly since it’s deliciously amusing that it’s Orwell. The root cause of the issue is that the version of the Orwell novels available on the Kindle […]


Kindling a Consumer Revolt

Well, by now it’s all over the blogo/twitter spheres, and everything that might be said has already been said about Eric Blair, a publisher and Amazon: This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they […]


UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “Clear Shuts Down Registered Traveler Lanes.” Clear collected a lot of data: The information that TSA requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration Number (if applicable), current home […]


Mr. Bureaucrat, Please Report to Room 101

As I’ve said before, all non-trivial privacy warnings are mocked and then come true. Sixty years ago today, George Orwell published 1984. He unfortunately failed to include a note that the book was intended as a warning, not a manual. Today, in England, there are an unknown number of surveillance cameras, including many around Orwell’s […]


Democracy, Gunpowder, Literacy and Privacy

In an important sense, privacy is a modern invention. Medieval people had no concept of privacy. They also had no actual privacy. Nobody was ever alone. No ordinary person had private space. Houses were tiny and crowded. Everyone was embedded in a face-to-face community. Privacy, as idea and reality, is the creation of a modern […]


Scalia: Just Because You Can Doesn't Mean You Should

aka it’s not nearly as funny when you are the subject of the probe. At a recent conference Justice Scalia said “Every single datum about my life is private? That’s silly.” Well, a professor at Fordham University decided to take Mr Scalia at his word, and had one of his classes collect a dossier on […]


Statebook and Database State

So while Statebook is a pretty entertaining demo, “Database State” is a disturbing look at how real the underlying data collection is in the U.K. Via Boingboing.


What Was Wrong With the Old FISA?

The Get FISA Right group is publicizing our need to re-think the laws. They have a discussion going on their site, as well as on The Daily Kos. I recommend catching up there, or reading Adam’s recent post here. I have to ask what was wrong with the old FISA? It wasn’t a bad system, […]


What Should FISA Look Like?

Jim Burrows is working to kick off a conversation about what good reform of US telecom law would be. He kicks it off with “What does it mean to “get FISA right”?” and also here. To “get it right”, let me suggest that we need: One law that covers all spying Require warrants when the […]


Will People Ever Pay for Privacy, Redux

A few years back, I gave a talk titled “Will People Ever Pay for Privacy.” As they say, a picture is worth a thousand words: Tiger Woods’s Boat, Privacy, Attracts Plenty of Onlookers. Photo: Tiger Woods’ Yacht, TheLastMinute.


Facebook: Conform or else

Robert Scoble, discussing Facebook founder Mark Zuckerberg: He also said that his system looks for “outlying” behavior. He said if you behave like an average user you should never trigger the algorithms that will get you kicked off. Let’s be specific here: if you behave like the system’s Harvard undergraduate founders and primarily-male engineering staff […]


More on Privacy Contracts

Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality: Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach […]


Don't put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at an IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common. He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with […]


A-Rod had a privacy contract, and so did you

In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004. But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any […]


Three on the Value of Privacy

First, the Economist, “Everybody Does It:” WHY is a beer better than a woman? Because a beer won’t complain if you buy a second beer. Oops. There go your correspondent’s chances of working for Barack Obama, America’s president-elect. (Ironically, the Economist’s articles are all anonymous.) Second, Fraser Speirs, “On the Flickr support in iPhoto ‘09:” […]


AOL Search Documentary

Lernert Engelberts and Sander Plug have taken the AOL search data which AOL released “anonymously,” and made a movie with the searches of user #711391. I Love Alaska, via Guerrilla Innovation. Worth checking out, but be warned, it’s a little on the languid side, using pacing and the voice to build the story. Also, note […]


Daily Show on Privacy

(h/t to Concurring Opinions) The Daily Show with Jon Stewart: “Bill O’Reilly’s Right to Privacy.”


Politics and Money: Transparency and Privacy

(Or, the presentation of self in everyday donations) So I’ve had a series of fairly political posts about election finance, and in one of them, I said “I’d prefer that the rules avoidance be minimized, and I think transparency is the most promising approach there.” Well, in the interests of transparency, I need to comment […]


Request your travel records

Speaking of how you’re presented and perceived…”How to request your travel records,” by Ed Hasbrouck. By popular demand, I’m posting updated forms to request your PNR’s and other records of your international travel that are being kept by the U.S. Customs and Border Protection (CBP) division of the Department of Homeland Security (DHS)… If you […]


Children, Online Risks and Facts

There’s an interesting (and long!) “Final Report of the Internet Safety Technical Task Force to the Multi-State Working Group on Social Networking of State Attorneys General of the United States.” Michael Froomkin summarizes the summary. Adam Thierer was a member of the task force, and has extensive commentary on the primary online safety issue today […]


The Identity Divide and the Identity Archipelago

(I’d meant to post this in June. Oops! Chaos reigns!) Peter Swire and Cassandra Butts have a fascinating new article, “The ID Divide.” It contains a tremendous amount of interesting information that I wasn’t aware of, about how infused with non-driving purposes the drivers license is. I mean, I know that the ID infrastructure, is, […]


Privacy Rights & Privacy Law

First, the European Court of Human Rights has ruled that the UK’s “DNA database ‘breach of rights’:” The judges ruled the retention of the men’s DNA “failed to strike a fair balance between the competing public and private interests,” and that the UK government “had overstepped any acceptable margin of appreciation in this regard”. The […]


Quis custodiet ipsos custodes?

There have been a couple of interesting stories over the last week that I wanted to link together. Verizon Employees Snoop on Obama’s Cellphone Records (followed shortly by “Verizon fires workers over Obama cell phone records breach“) and “4 more Ohio officials punished in ‘Joe’ data search.” There’s a couple of things happening here. The […]


Diverse Preferences for Privacy

A Wide Diversity of Consumer Attitudes about Online Privacy shows this picture of Flickr users setting privacy preferences: green is public (default) and red is private. I hope Flickr shares some of the underlying data. I don’t know what anyone would do with it, and there’s two ways to find out. One is to talk, […]


Actually, Randall, We Tried That

And the reason it doesn’t work is that just because you’re allowed to own something doesn’t mean you’re allowed to export it. The use, ownership, production, etc. of crypto was never restricted, only its export. In an Internet-enabled world, export control brings lots of hair with it, which is why it was important to fight […]


New ID Theft Research And Blog For Debix

Adam and I have discussed Debix several times in the past, so it will come as no surprise that I am again posting about them. Debix now has a blog, which will be covering issues around identity theft, breaches and privacy. Debix also released a new research study examining child identity theft. The most recent […]


Canadian Privacy and Private Action

In reading Arthur’s post on “Canadian PM FAIL,” I was thinking of the odds that this would be investigated and dealt with under Canadian privacy law. Now, I’m not an expert on that, but my recollection is that the main private sector law, PIPEDA, complements a Federal Privacy Act which would likely be the relevant […]


Researchers Two-Faced over Facebook Data Release

[Update: Michael Zimmer points out that it wasn’t Facebook, but outside researchers who released the data.] I wanted to comment quickly on an interesting post by Michael Zimmer, “On the “Anonymity” of the Facebook Dataset.” He discusses how a group of researchers have released a dataset of Facebook profile information from a group of […]


The Skype Issue

According to The New York Times in, “Surveillance of Skype Messages Found in China,” the Chinese provider TOM has software in place that reads Skype text messages, and blocks ones that use naughty words and terms, like “Falun Gong,” “Independent Taiwan,” and so on. A group of security people and human rights workers not only […]


This Week in Petard-Hoisting, the Palin Edition

If you are the sort of person who looks at odd legal rulings and opinions, you may remember that a few years ago the US DOJ issued an opinion that stored emails are not protected under the Stored Communications Act. The DOJ reasoning is that when you leave read email on your server, it’s not […]


No Privacy Chernobyls

Over at the Burton Identity and Privacy Strategies blog, there’s a post from Ian Glazer, “Trip report from the Privacy Symposium,” in which he repeats claims from Jeff Rosen: I got to hear Jeffrey Rosen share his thoughts on potential privacy “Chernobyls,” events and trends that will fundamentally alter our privacy in the next 3 […]


Solove’s Understanding Privacy

Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, […]


Congratulations to the PET Award Winners

Congratulations to Arvind Narayanan and Vitaly Shmatikov! Their paper, “Robust De-Anonymization of Large Sparse Datasets,” has been awarded the 2008 Award for Outstanding Research in Privacy Enhancing Technologies. My employer has a press release which explains how they re-identified data which had been stripped of identifiers in the Netflix dataset. In their acceptance remarks, they […]
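The reason identifier-stripping fails on a dataset like this is sparsity: almost nobody has rated the same handful of obscure titles, so a few approximate, dated ratings from an outside source single out one record. The block below is an added example, not the authors’ code and not their parameters, that walks through that idea on constructed records. The release table, the auxiliary “public review” data, the 1/log(support+1) title weight, the exponential rating/date similarity and the 1.5 eccentricity cutoff are all choices made here for illustration.

```python
"""Linkage attack on a pseudonymous ratings table (sparse-data de-anonymization).

Added example for this archive entry. It is not the paper's code; the records below are
constructed, and the weights, tolerances and threshold are illustrative choices.
"""
import math
from datetime import date
from statistics import pstdev

# "Released" records: pseudonym -> {title: (rating, date)}. Constructed, not Netflix data.
RELEASED = {
    "r1": {"Blockbuster A": (4, date(2005, 3, 1)), "Blockbuster B": (5, date(2005, 3, 8)),
           "Obscure X": (2, date(2005, 4, 2)), "Obscure Y": (5, date(2005, 6, 10))},
    "r2": {"Blockbuster A": (4, date(2005, 2, 14)), "Blockbuster B": (3, date(2005, 5, 20)),
           "Obscure Z": (1, date(2005, 7, 7))},
    "r3": {"Blockbuster A": (5, date(2005, 3, 3)), "Blockbuster B": (5, date(2005, 3, 9)),
           "Obscure Y": (4, date(2005, 9, 1))},
    "r4": {"Blockbuster A": (3, date(2005, 1, 1)), "Blockbuster B": (4, date(2005, 1, 2))},
    "r5": {"Blockbuster B": (2, date(2005, 8, 8)), "Obscure X": (2, date(2005, 8, 9))},
}

# What an attacker knows about the target from a public source: approximate ratings and
# dates for three titles, two of them rare. Constructed.
AUX = {
    "Blockbuster A": (4, date(2005, 3, 2)),
    "Obscure X": (2, date(2005, 4, 5)),
    "Obscure Y": (5, date(2005, 6, 8)),
}

# Same attacker, but only knows the target's blockbuster ratings. Constructed.
AUX_WEAK = {
    "Blockbuster A": (4, date(2005, 3, 2)),
    "Blockbuster B": (5, date(2005, 3, 9)),
}


def title_weight(released: dict, title: str) -> float:
    """Rare titles carry more identifying information than blockbusters."""
    support = sum(1 for rec in released.values() if title in rec)
    return 1.0 / math.log(support + 1)  # +1 keeps a title seen once from dividing by zero


def similarity(aux_entry, rec_entry, rating_scale=1.5, date_scale_days=30.0) -> float:
    """Soft match: an exact rating and date scores 2.0, decaying as either drifts."""
    (a_rating, a_date), (r_rating, r_date) = aux_entry, rec_entry
    rating_sim = math.exp(-abs(a_rating - r_rating) / rating_scale)
    date_sim = math.exp(-abs((a_date - r_date).days) / date_scale_days)
    return rating_sim + date_sim


def score_records(released: dict, aux: dict) -> dict:
    """Score every released record against the auxiliary knowledge."""
    scores = {}
    for pseudonym, rec in released.items():
        total = 0.0
        for title, aux_entry in aux.items():
            if title in rec:
                total += title_weight(released, title) * similarity(aux_entry, rec[title])
        scores[pseudonym] = total
    return scores


def deanonymize(released: dict, aux: dict, min_eccentricity: float = 1.5):
    """Return (pseudonym, eccentricity) when one record stands out, else (None, eccentricity).

    Eccentricity is the gap between the best and second-best score in units of the
    standard deviation of all scores; a small gap means the match is not trustworthy.
    """
    scores = score_records(released, aux)
    ranked = sorted(scores.values(), reverse=True)
    sigma = pstdev(list(scores.values()))
    if len(ranked) < 2 or sigma == 0.0:
        return None, 0.0
    eccentricity = (ranked[0] - ranked[1]) / sigma
    best = max(scores, key=scores.get)
    return (best if eccentricity >= min_eccentricity else None), eccentricity


if __name__ == "__main__":
    print("rare titles known: ", deanonymize(RELEASED, AUX))       # singles out r1
    print("blockbusters only:", deanonymize(RELEASED, AUX_WEAK))  # no confident match
```

Two things to take from running it: the two obscure titles, not the blockbuster, do the work, and the eccentricity check is what separates “this record is the target” from “this record happens to score highest.” Removing names and customer numbers changes none of this, because the ratings themselves are the identifier.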


London’s New Transit Card

Transport for London is trying to get as many people as possible to use Oyster Cards. They are cheaper — and theoretically easier to use — than traditional tube / bus tickets. However, using one means that TfL has a record of your journeys on the transport system, which is something that not everybody is […]


Want Real Homeland Security?

All around cool guy, and former provost of the University of Chicago, Geoffrey Stone (the Edward H. Levi Distinguished Service Professor at the University of Chicago Law School) posted earlier this week, proposing that “The next president should create a brand new position, which should become a permanent part of the Executive Branch in the […]


Not quite clear on the subject

Slyck News has a story, “SSL Encryption Coming to The Pirate Bay,” a good summary of which is in the headline. However, it may not help, and may hurt. Slyck says: The level of protection offered likely varies on the individual’s geographical location. Since The Pirate Bay isn’t actually situated in Sweden, a user in the […]


L'affaire Kozinski

Kim Zetter on Threat Level has written about Larry Lessig’s comments about Judge Alex Kozinski’s problems with having files on a personal server made public. Zetter has asked to hear people’s opinions about the issue. I thought I’d just blog about mine. Basically, I agree with Lessig. The major place that I disagree with Lessig […]


Quantum Pride

One of the curious features of Quantum Cryptographers is the way they harumph at mathematics. “Don’t trust that math stuff, you should trust physics.” It’s easy to sneer at this attitude because physics has traditionally gotten its cred because of its foundations in math. Physicists are just mathematicians who don’t squick at canceling dxes. Quantum […]


Hats Banned in Yorkshire to Aid CCTV Identification

The Telegraph reports in “Hats banned from Yorkshire pubs over CCTV fears” that Pubs in Yorkshire have been ordered to ban people from wearing flat caps or other hats so troublemakers can be more easily recognised. And in other news this weekend, MPs have stamped their little feet insisting that Britain is not a surveillance […]


This May Be FUD

You may have seen this article from the India Times, “Govt may get keys to your BlackBerry mailbox soon.” Many people have been commenting on it, and the hand-wringing should build up to a good storm in a few days. The gist of the article is that the Indian Government has told RIM that if […]


Credit Bureaus and Outsourcing

The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus: “Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.” He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that […]


Security Cameras Functional

Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. “CCTV was originally seen as a preventative measure,” Neville told the Security Document World Conference in London. “Billions of pounds has been spent on kit, but […]


A question of ethics

Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better. One way to see more would be to look in more places, for example on peer-to-peer file sharing […]


Italy Posts Tax Return Data on Official Website

How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy. How Much Do You Make? The Nation Already Knows. The data has already been removed from […]


Who Watches the Watchlists?

The idea of “watchlists” has proliferated as part of the War on Terror. There are now more than 63 of them: As part of its regular “risk management” service, which provides screening, tracing, and identity and background checks on potential clients or trading partners, MicroBilt will now offer a “watch list” service that checks these […]


One Nation Under CCTV

Banksy has done a wonderful service. The well-known artist has given us delightful commentary on surveillance. Better than that, he did it in a site above a Post Office yard in London (Newman Street, near Oxford Circus), behind a security fence and under surveillance by CCTV. His team erected three stories of scaffolding on Saturday, […]


Privacy Act and "actual damages"

Lauren Gelman writes: I’m breaking blog silence to report on an amazing decision out of the DC Circuit holding that the federal Privacy Act’s requirement that Plaintiffs show actual damages does not require pecuniary harm but can be met by a showing of emotional distress. Am. Fed’n of Gov’t Employees v. Hawley, D.D.C., No. 07-00855, […]


Wendy Richmond’s Surreptitious Cellphone

At the International Association of Privacy Professionals meeting last week, I had the pleasure of meeting Wendy Richmond. Richmond is intrigued with the ways in which we share our public space. Some of us create invisible buffer zones for quiet reverie; others enhance or negate reverie through portable technology like iPods, cell phones and laptops. […]


Avoid ID theft: Don’t run for President

The Washington Post reports: The State Department said last night that it had fired two contract employees and disciplined a third for accessing Sen. Barack Obama’s passport file. Obama’s presidential campaign immediately called for a “complete investigation.” State Department spokesman Tom Casey said the employees had individually looked into Obama’s passport file on Jan. 9, […]


Liechtenstein Über Alles?

The New York Times had a story, “Tax Inquiry? Principality Is Offended:” After weathering days of criticism from Germany over a spectacular tax evasion case, Liechtenstein — sometimes seen as the inspiration for the satirical novel from the 1950s about a tiny Alpine principality that declared war on the United States — is digging in […]


Speaking of Privacy….

I was dismayed to learn that footage of Spitzer’s (alleged) rent-a-babe “Kristin” performing in a class play while in elementary school has been featured at various web sites — among them serious sites that should know better. One could argue that this woman made her bed, and now she can lie in it (puns intended). […]


Banks, Privacy and Revenge

Eliot Spitzer made a name for himself attacking banks. Setting aside the legitimacy of those attacks, I find it shocking that he didn’t realize how much banks know about each one of us. It’s doubly shocking that he didn’t expect revenge. The New York Times claimed that the “Revelations Began in [a] Routine Tax Inquiry.” […]


Microsoft Acquires Credentica’s U-Prove

I am tremendously pleased to say that Microsoft has closed an acquisition of Credentica’s U-Prove technology. This technology adds a new and important set of choices in how we as a society deal with identity and properties of people. Kim Cameron has the official announcement, “Microsoft to adopt Stefan Brands’ Technology” and Stefan Brands has […]


Not Dead Yet

Dan Solove has an interesting article up, “Coming Back from the Dead.” It’s about people who are marked dead by the Social Security Administration and the living hell their lives become: Dan starts with quotes from the WSMV News story, “Government Still Declares Living Woman Dead” According to government paperwork, Laura Todd has been dead […]


Sivacracy on Privacy and Surveillance

Last week, Siva Vaidhyanathan, of Sivacracy, released a new column in the Chronicle of Higher Education, “Naked in the ‘Nonopticon’,” which has some refreshing thoughts on privacy and surveillance that I wish more of us on the security side understood better. His main themes are (in his own words): 1) Anyone who claims “young people don’t […]


Economist Debates Security V Privacy

The Economist emails: Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you […]


Emergent Privacy Reporting

On December 19th, Denebola, the student run newspaper of Newton South High School, broke the news that video cameras had been secretly installed in their school. Not only were students and parents not notified of the cameras but apparently neither were any of the teachers. From the student article: According to Salzer, only he, Superintendent […]


Merry Christmas, Dr. Hansen!

A surgeon who allegedly took a photo of a patient’s penis during an operation at a US hospital is no longer working there, it has been announced. Dr Adam Hansen, of Arizona’s Mayo Clinic Hospital, is accused of taking the snap while conducting gallbladder surgery earlier in December. (BBC, “US ‘penis photo doctor’ loses job.”) […]


is not asking "Will Privacy Sell"

There’s a bunch of press around’s marketing of their new privacy service. I applaud them for thinking about this, and for drawing attention to the issue of search privacy. The New York Times had a story, “ Puts a Bet on Privacy” and now Slashdot jumps in with “Will Privacy Sell?” This is the […]


CA1386 meet AB1298

Life is about to get a lot more complicated for companies that do business in California. I completely missed this getting signed back in October, but on 10/14, the Governator signed AB1298 which updates CA1386 to mandate that medical and health insurance policy information also are to be treated as PII. To say that this […]


Why can't the CIA hire guys like this?

The Telegraph is concerned that The most senior British intelligence official, appointed yesterday to oversee MI5, MI6 and GCHQ, has a website revealing his home address, phone numbers and private photographs of himself, family and friends. The upshot seems to be that the gent in question, Alex Allan, lacks the circumspection one would demand […]


Wednesday Privacy Roundup

Privacy in the EU has been hugely in the news in the last week. Check these out: European Union justice ministers Friday agreed on a minimum set of rules protecting the cross-border exchange of personal data by law-enforcement agencies in the 27 member states. There were lots of other proposals discussed, including ones that mimic […]


The Magic Phone

The “gPhone” was announced today. I put gPhone in quotes, because there was no actual phone announcement. What was announced was the “Open Handset Alliance” and their toolkit, Android. They are “…committed to commercially deploy handsets and services using the Android Platform in the second half of 2008.” and “An early look at the Android […]


What Would One Actually Do With A Persona?

I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example: […]


TSA Violates Your Privacy, Ties themselves in Little Knot of Lies

There’s a story in InformationWeek about the latest TSA privacy violation, “TSA Promises Privacy For Subjects Of Clothing-Penetrating Scans:” “We are committed to testing technologies that improve security while protecting passenger privacy,” said TSA administrator Kip Hawley in a statement. “Privacy is ensured through the anonymity of the image: It will never be stored, transmitted, […]


What Secure Flight Really thinks about you

You can find out, by making a request under the privacy act. “Read Your Own DHS Travel Dossier.” Good commentary and context at Threat Level, “Howto: Check Your Homeland Security Travel File.”


Senator Craig and the Behavior Detection Officers

…airport police Sgt. Dave Karsnia, who was investigating allegations of sexual conduct in airport restrooms, went into a stall shortly after noon on June 11 and closed the door. Minutes later, the officer said he saw Craig gazing into his stall through the crack between the door and the frame. After a man in the […]


Giving Data to Auditors

In light of well-publicized failures to maintain appropriate controls by the ‘final four’ audit firms, giving data to auditors without a clear and compelling business purpose is a bad idea. It’s such a bad idea, even an auto body shop objects: Auto body repair shops in British Columbia are complaining to the province’s privacy commissioner […]


Fake Steve and Real Mackey

So with the small, literal men at the New York Times poking through the veil of anonymity that allowed Fake Steve to produce the best blog since “The Darth Side,” we have a serious threat to the stability of the republic, which is the false hope that by assigning people names, we can control them. […]


I can't conceive of a better use for anonymity

There’s a fascinating little sidebar article in the Economist (4 August 2007), “Misconceived:” Now that anonymity is no longer possible, there has been a huge decline in the number willing to donate. So more patients travel for treatment to countries where anonymity is still legal. If this new proposal is implemented, it may give such […]


In Honor of the New Wiretap Law

I’ve been too busy with travel to Blackhat, WOOT and Metricon to really cover the new wiretap law, or the very encouraging results of de-certifying electronic voting machines. I hope to be less buried soon. In the meanwhile, Photo is “Dan Perjovschi’s installation at the Moma, NYC” by Tibau1.


German Biometric Trials

The assessment of the Federal Criminal Police Office (BKA) according to which biometric visual-image search systems are not advanced enough to be used by the police to search for persons has led to mixed reactions. The Federal Criminal Police Office presented the fairly sobering research results of its visual-image search systems project on Wednesday in […]


PET Award

For the last several years, Microsoft has worked with the Privacy Enhancing Technologies community to support a prize for the best work done in the field. I’ve been involved as a member of the selection committee, but when I joined Microsoft, I stepped away from that. It’s important to us that the prize is independent. This […]


One Company Gets The Privacy Thing

I currently love my mortgage company. Those that know me in real life, know that I recently bought a house. Yesterday, I received a privacy notice in the mail from them. I figured it was the standard template that everyone uses saying that if I didn’t want my information shared, I should call them up/email […]


On Privacy Law: HIPAA, Library

At, “Hospitals Fear Privacy Claims Over Medical Records:” The Health Insurance Portability and Accountability Act is raising new legal fears for health care providers in light of tougher government enforcement and recent court rulings that could trigger private lawsuits. Labor and employment attorneys who represent health care providers are especially concerned about the prospect […]


Federal Computer Week on SSN Purges

There’s an article in Federal Computer Week explaining that “Agencies face SSN scrubdown.” We mentioned this last week in “White House Data Breach Prevention Guidelines.” I am pleasantly surprised to learn that some data actually will be declared ‘unnecessary:’ Agencies can eliminate some SSN uses by asking employees not to write their SSNs on […]


"An Empirical Approach to Understanding Privacy Valuation"

Luc Wathieu and Allan Friedman have an article in Harvard Business School’s ‘working knowledge,’ titled “An Empirical Approach to Understanding Privacy Valuation.” In it, they present the results of a survey of 647 people with regard to a number of privacy hypotheses. Their results include: Contrary to some research, the chief privacy concern appears based […]


Billions for Fashion Police, but Not One Cent for Tribute Bands!

Woo hoo! I feel so much safer! The TSA reports, “Transportation Security Officers SPOT Passenger in Fake Military Uniform at Florida Airport.” Picture at right is my foofification of the picture on the TSA site. Our brave protectors write: A TSA behavior detection team at a Florida airport helped catch a passenger allegedly impersonating a […]


Shock Horror! Ashcroft Am Not Devil Incarnate!

In 27 B Stroke 6 Threat Level, Kevin Poulsen writes, “News from Bizzaro World: Ashcroft Opposed Taps.” Kevin, your reality tunnel is showing. There are many things that Ashcroft was (I apologize for using the past tense), starting with prig and prude. I’m not particularly a fan of his, but the Venn diagram of what […]


Facebook Hangover

On Dave Farber’s list, Brock Meeks pointed us to a delightful Facebook Smackdown. Brock says, What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think… Trust me, it’s worth the look. And indeed it is worth looking at, along with Patrick Schitt’s contribution of the background […]


Announcing…The Security Development Lifecycle Blog

My team at work announced the launch of “The Security Development Lifecycle” blog today. After the intro post, Michael Howard leads off with “Lessons Learned from the Animated Cursor Security Bug.” I’m pretty excited. We’re focused on transparency around what we’re learning as we continue to develop the SDL.


Replacing Evite

So I hate Evite, even when it brings me to cool parties. You know who you are. Encouraging my friends to enter social network information, and then using it to contact me feels tremendously invasive. Failing to understand that annoys me. Their lame privacy policy infuriates me. Their success at co-opting my friends to sucking […]


Privacy Policy

“Among other changes, the revisions to our Privacy Policy may have changed your preferences for receiving postal mailings from Alaska Airlines and its partners.” Now that’s the power of policy! Photo and text from “Privacy policy update from Alaska Airlines, received March 24, 2007” by JasonJT, on Flickr. He has great outraged commentary.


On Anonymity

So Mike Rothman thinks that anonymity is for cowards: During the discussion last night, one guy pointed out that sometimes things are too sensitive or controversial or unpopular to say, so anonymity allows folks to do that. I call bullshit on that. Anonymity is the tool of a coward. And while I agree with Mike […]


Privacy's Other Path

Dan Solove writes: Professor Neil Richards (Washington University School of Law) and I have posted on SSRN our new article, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal __ (forthcoming 2007). The article engages in an historical and comparative discussion of American and English privacy law, a topic that has been […]


Thumbing A Ride…

The DailyBreeze tells us about how Lorna Herf discovered South Bay BMW in Torrance’s sales policy of “No fingerprint, no car.” The dealership claims that this is an effort to prevent identity theft, though how this would help the customer is unclear. Additionally, this effort is being actively supported by the sheriff’s office. I think […]


"Terrorists Proving Harder to Profile"

…terrorism suspects from atypical backgrounds are becoming increasingly common in Western Europe. With new plots surfacing every month, police across Europe are arresting significant numbers of women, teenagers, white-skinned suspects and people baptized as Christians — groups that in the past were considered among the least likely to embrace Islamic radicalism. The demographics of those […]


Dating and Background Checks in the UK

My friend Shimrit saw Cluechick’s post on dating (“Emerging Dating Paranoia”) and wanted to add a bit herself. She works for the UK’s biggest online dating provider. She has a new book coming out, and a blog at “Everyone’s Guide to Online Dating.” She writes: With all the current craziness surrounding online dating background […]


Privacy Fears Come True, Again

Two reports in the New York Times: “Driver’s License Emerges as Crime-Fighting Tool, but Privacy Advocates Worry” and “Warnings Over Privacy of U.S. Health Network.” Naturally, we’ll have that sorted out by the time the system ships. No reason for you to be worried that your health records will be automatically scanned to see if […]


Medical Privacy News

There’s a great editorial about how your prescriptions are bought and sold all over the place, “Electronic prescribing is no panacea” by Dr. Deborah Peel, in Government Health IT. Also, Health Care IT news reports that “Federal privacy panel leader resigns, raps standards:” The leader of a federal panel charged with providing privacy recommendations for […]


Rootkit on a Stick

The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both. Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they […]


It’s "privacy," Jim, but not as we know it.

The Canadian Privacy Commissioner has issued a number of new rulings, essentially ruling that anyone in Canada can request an ID card whenever they want. The first, summarized by Michael Geist in “Privacy Commissioner on Domain Name Registrant ID Requirements” says: requirements of personal identification, such as a driver’s license, in order to change the […]


Emergent Meanings of Privacy

There’s a really fascinating article in New York Magazine, “Say Everything:” And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street […]


There’s A List?

I received the following in the mail the other week and while I was initially amused that I was getting this without asking for it, it took my wife pointing out the irony of there being an actual directory at all:


Credentica Launches U-Prove

Montreal, QC (PRWEB) February 13, 2007 — Credentica , a Montreal-based provider of innovative security software for identity and access management, today announced the immediate availability of its U-Prove product for user-centric identity management. The U-Prove product enables organizations to protect identity-related information with unprecedented security throughout its lifecycle, wherever it may travel. It is […]


Astronaut Screening & Privacy

Following up on the issue of astronaut screening, there’s an article at MSNBC, “Former NASA doctor says agency must do more,” in which “NASA flight surgeon and professional psychiatrist Patricia Santy” discusses the screening which takes place. It’s an interesting article, in which she discusses the tension between NASA’s organizational culture and psychological screening. What […]


Telephone Privacy

Privacy, being the right to be left alone, is hard to get with a telephone. Two interesting stories make a trend, and we report on trends here. Or something. I think that the profusion of new services around telephone privacy is the start of an interesting market backlash against the cell phone’s effect of making […]


DRM, digitally coded music, and information

Arthur wrote recently about an NYT article about dangers of the iPhone. The NYT has a bizarre policy about articles which makes them available for only a few days, so likely you’ll have to take my word about that article. I liked this article a lot because it mentions eMusic. I’m an eMusic customer and […]


Secrecy is not Privacy

So, I’m really irked by headlines like “Microsoft’s ‘Secret’ Security Summit.” First, it wasn’t Microsoft’s summit. It was an ISOTF meeting that had public web pages. Microsoft provided conference facilities and lunch. I don’t think we even bought the beer. Second, it wasn’t a secret. It has web pages: “Internet Security Operations and Intelligence II […]


Two Quickies on Credit

“The spread of the credit check as civil rights issue,” in the Christian Science Monitor: Bailey, with her lawyer, has lodged a complaint against Harvard charging racial discrimination. The reason: Studies show that minorities are more likely to have bad credit, but credit problems have not been shown to negatively affect job performance. and “Insurers […]


Information Security Needs

The NYT reports, “Rough Treatment for 2 Journalists in Pakistan” and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years. However, a computer was seized, sources were roughed up and possibly jailed or killed: Since then it […]


"Not Having a Discussion About What I'm Buying? Priceless."

There’s a fascinating article in Sunday’s New York Times, “Money Doesn’t Talk.” The money quote: Through her store, Pesca, Ms. Azizian has earned her financial independence, but to avoid the disapproval of her husband of 27 years, she adopts a low profile by using cash. “His tastes aren’t as expensive as mine, and he doesn’t […]


Trusting Privacy Promises

Michael Arrington writes at Techcrunch about a former law firm, all of whose records are going to be opened to the public: Brobeck, Pleger & Harrison LLP was a well known law firm in silicon valley during the first Internet boom. They had thousands of startup and public company clients and handled all aspects of […]


OCR and License Plate Cameras

In “The Vehicular Thomas Crowne Affair: how to creatively defeat photo radar,” Scrollin On Dubs points out that: I just got my plate from AZ DMV and happily installed it this morning. It can still be read by the keen eye but from one of those crappy photo radar pictures it will be a non-trivial […]


All Privacy Invasion Fears Come True: Thanks, Alec

In March of 2005, Alec Muffett predicted “National loyalty cards,” and I mocked him for it. Since then, I’ve decided that all non-trivial privacy fears come true. And since then, Alec’s plan has taken another step. The BBC reports about a new “Blair plan for ‘people’s panels’.” No, I didn’t make that up, Comrade. He […]


DHS says one thing, does another. Film at 11.

The Department of Homeland Security (DHS) Privacy Office conducted a review of the Transportation Security Administration’s (TSA) collection and use of commercial data during initial testing for the Secure Flight program that occurred in the fall 2004 through spring 2005. The Privacy Office review was undertaken following notice by the TSA Privacy Officer of preliminary […]


Akaka-Sununu Bill Repeals Key Aspects Of The Real ID Act

Daniel Akaka and John Sununu have introduced a bill to repeal title II of the Real ID Act. From the press release: The Identification Security Enhancement Act (S. 4117) replaces REAL ID with language from the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458), which took a more measured approach in mandating tougher […]


Aspen Privacy Breach

The Wall Street Journal reported yesterday that “Stars Find Privacy Breached In Aspen by Phone Book” (behind paywall, sorry). According to the Journal: When the Yellow Book directory for Aspen, Colo. came out recently, residents of this ultra-chic ski town found it contained more than the usual list of local bars, hair salons and ski […]


Fines, Settlements in Privacy Invasions

Topping the list, Vodafone has been fined $100M (€76M) for failing to protect 106 mobile accounts. “Greek Scandal Sees Vodafone fined” at the BBC, via Flying Penguin. On this side of the Atlantic, Choicepoint, Experian and Reed-Elsevier are looking to pay $25 million to settle claims that they invaded the privacy of 200 million drivers […]


Have Some Soma, and Don’t Mind The Cameras

The BBC reports that “Prozac ‘found in drinking water’” in Britain, and that: In the decade leading up to 2001, the number of prescriptions for antidepressants went up from nine million per year to 24 million per year, says the paper. They point to a Observer story, “Stay calm everyone, there’s Prozac in the drinking […]


One passport, please…

hold the RFID. I just got my US passport renewed, and I was pleasantly surprised when it came back Old Skool — no RFID.  I’m happy…until 2016 anyway.


Medical Privacy

There’s a really interesting story in the New York Times last Sunday, “Health Hazard: Computers Spilling Your History.” Money quote: Some patients are so fearful that they make risky decisions about their health. One in eight respondents in a survey last fall by the California HealthCare Foundation said they had tried to hide a medical […]


So I’m Idly Curious…

“Please put your bra in the bin,” at Flyertalk: items used to augment the body for medical or cosmetic reasons such as mastectomy products, prosthetic breasts, bras or shells containing gels, saline solution, or other liquids; and, … 1. Separate these items from the liquids, gels, and aerosols in your quart-size and zip-top bag. 2. […]


Privacy For Hedge Funds

In “Citadel, Sensitive Data, and Plusfunds’ Bankruptcy” Paul Kedrosky looks at the impact of youthful chattiness on an industry: Apparently hedge fund Citadel is trying to purchase data from bankrupt Plusfunds that would detail trading strategies at some of its major competitors. The latter company had run a hedge fund index underlying which were trading […]


Dear TSA, How Do We Contact Thee?

Phil Schwan, who was able to read to the end of “Homeland Security tracks travelers’ meals” without blowing a gasket, noticed that they said they’d only gotten 15 comments: I tried for 30 goddamn minutes to figure out how to comment. That’s why there are only 15 comments. All I could find was a Privacy […]


Small Bits of Chaos

Michael Geist is covering Canadian Parliamentary hearings over that country’s privacy law in “PIPEDA Hearings – Day 01 (Industry Canada)” “PIPEDA Hearings – Day 02 (B.C. Privacy Experts)” Bakelblog vents about the petty tyranny of immigration bureaucrats in “Welcome to America, Fuckwads!” Alec Muffett has interesting and detailed comments about the broken security of the […]


England and Wales to fingerprint motorists at traffic stops

Via the Beeb: Drivers who get stopped by the police could have their fingerprints taken at the roadside, under a new plan to help officers check people’s identities. A hand-held device being tested by 10 forces in England and Wales is linked to a database of 6.5m prints. Police say they will save time because […]


Privacy and "Required, not used"

So, I was commenting over on Econlog, and noticed this: “Email Address (Required. Your email address will not display to the public or be used for any other purpose.)” So, umm, what is it being used for? This is both snarky (obviously) and serious (less obviously). The less obvious part is that information is being […]


All Non-Trivial Privacy Fears Come True

A few months back, I said “Ironically, privacy advocates warned that the number would become a de facto national ID, and their concerns were belittled, then proven right, setting a pattern that still goes on today.” In thinking about Alec Jeffreys’ come-to-Jesus moment, I realized that we can state that another way: All non-trivial privacy […]


Two On Identity

There’s the Budapest Declaration on Machine Readable Travel Documents: By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies […]


Invade Privacy in Haste, Repent at Leisure

A pioneer of Britain’s DNA database said on Wednesday it may have grown so far beyond its original purpose that it now risks undermining civil rights. Professor Alec Jeffreys told BBC radio that hundreds of thousands of innocent people’s DNA was now held on the database, a disproportionate number of them young black men. … […]


Participatory Security

Cutaway, over at Security Ripcord provides us with an alternate take on the fact that security needs to understand the business constraints and goals of the organization. He (She?) quite rightly points out that security is a part of the “Service and Support” Group. He has two essential points: I have been hearing a lot […]


What a Sad Waste

Someone who likes his privacy sent me this link to an “Encyclopedia of Privacy.” It’s 672 pages, for $199. How many people are going to read that? How many copies are they going to sell? It’s sad that they’ve chosen to lock up all that work that way, rather than putting it somewhere where the […]


Health Care Privacy

Bob Sullivan has an article at Red Tape, “Health care privacy law: All bark, no bite?” and focuses on the lack of penalties. Two years ago, when Bill Clinton had heart surgery performed in New York’s Columbia Presbyterian Medical Center, 17 hospital employees — including a doctor — peeked at the former president’s health care […]


Long Term Impact of Youthful Decisions

There’s a fascinating article in the New York Times last week, “Expunged Criminal Records Live to Tell Tales” about how companies like Choicepoint which collect and sell public records don’t pick up orders to expunge those records. I didn’t have much to add, and figured the Times doesn’t need me to pimp their articles (they […]


Contactless Credit Cards Cracked

Well, calling it cracked implies encryption or some semblance of security, of which there is none according to the New York Times. In Researchers See Privacy Pitfalls in No-Swipe Credit Cards we learn that a team of folks from UMass Amherst and EMC/RSA tested a small batch of RFID Credit Cards from Amex, Visa and […]


A Very Silly Idea: #privacy, and

With recent data leaks at AOL, governments seeking information from Google on its users, and no simple user privacy solutions available, a standard for empowering user search privacy has finally been proposed. is spearheading a search privacy revolution with its proposed #privacy standard. Our proposal is that the #privacy flag could be added to […]


The Crap in Credit Reports

On August 10, after his family was refused a home loan, an Arcata man was mortified to find the phrase “son of Saddam Hussein” included on his credit report. “I looked at it and couldn’t believe my eyes!” Said the Arcata man who asked that only his middle name, Hassan, be divulged. The routine credit […]


More on RFID Zappers

This seems to be the weekend of redux posts and back tracking to earlier in the year. Way back in January, Adam wrote about the RFID Zapper created by the folks at the annual Chaos Computer Club conference. Along a similar vein, Julian of, has also produced an RFID Zapper made from a disposable […]


No Expectation of Privacy

Here in the U.S., one of our Old Order Amish communities has recently suffered an infamous crime — the murder of several schoolchildren.  Interest in this case has been high.  Naturally, the public’s right to know has been ably served, as journalists took plenty of funeral photographs, despite the fact that the Amish, on strict […]


The Canadian Privacy Landscape

There’s a really interesting article at Blogging on the Identity Trail, “Bouquets and brickbats: the informational privacy of Canadians:” In the course of our investigations, I frequently found myself reflecting on two broader questions: first, I wondered how best law could protect the personal information of Canadians—and by extension the privacy of Canadian citizens—in the […]


The Value of Location Privacy

There is a Workshop on Privacy in The Electronic Society taking place at the beginning of November. We (George Danezis, Marek Kumpost, Vashek Matyas, and [Dan Cvrcek]) will present there results of A Study on the value of Location Privacy we have conducted a half year back. We questioned a sample of over 1200 people […]


Computers Will Make Our Lives More Private

Social Security Administration officials believe computerization of files has contributed to their security. In the manual era, the applicant’s record was an individual ledger sheet. Thus if a person could get to the file drawer and then the ledger, he could check any record. Although entry to the files area was restricted by guards who […]


Which Stupidity to Stop?

Stupid bills before legislatures seem to be a target rich environment, which is to say, it’s hard to even say where to start. So allow me to offer a suggestion: California’s SB768 will slow RFID stupidity. Take a look at EFF’s fact sheet, and then, if you’re in California, call your local Governator, and tell […]


Stick a fork in her…

..’cause she’s Dunn! What’s the over/under on how long Hurd lasts? Image credit: progodess


CSO Breach SOP == FUD?

Last month, CSO Magazine ran an article “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling, however as usual, the magazine resorts to scare tactics in order to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business […]


Fingerprinting At Disney: The Police-Entertainment Complex

In “Walt Disney World: The Government’s Tomorrowland?” Karen Harmel and Laura Spadanuta discuss how Disney has moved from finger geometry (to constrain ticket re-sale) to fingerprinting their customers. I think the most important bit about this is about the links between Disney and the government: Former Disney employees have filled some of the most sensitive […]


Interesting Posts on HP, Sept 10

Eric Rescorla ties HP’s use of traffic analysis to that of the NSA in “I told you traffic analysis was useful.” Apparently, HP didn’t just chase down directors and reporters, but also the father of at least one journalist. See “HP Leak Investigation Extended Beyond Reporters, Directors.” (I say HP rather than HP’s investigators because […]


The Facebook Privacy Scandal

It’s only with the understanding that privacy has many meanings that I can comprehend people on Facebook complaining about privacy. (People interested in this should read Alessandro Acquisti’s work.) That’s not what I wanted to post about. What I wanted to post about was the great way the CEO of Facebook took the wind out […]


HP Roundup

The best posts I’m seeing are coming from Paul Kedrosky, who has posts like “Patricia Dunn Lectures on Corporate Governance,” and Playing Truth or Dare with HP’s Patricia Dunn” and Robert Scoble, with posts like “HP Story Keeps Getting Worse,” and “HP Has Major Ethical Problem, Day 2.” I’m using Scoble’s picture here. Don’t miss […]


Data Dilemma

Various folks at Northwestern’s Medill School of Journalism have done some great work, which they call Data Dilemma: Privacy in an Age of Security. I was led to this by various stories about the US Department of Education feeding information on financial aid applicants to the DHS for five years without bothering to inform those […]


40% of Fraud Alerts Don’t Propagate

[Update 3: I should have disclosed affiliations with Debix in this post. See “Mea Maxima Culpa.”] Debix is reporting that 40% of fraud alerts don’t propagate between all three major credit agencies. You remember those fraud alerts? They’re supposed to protect you from identity theft, right? Well, let me let you in on a secret. […]


AOL data release fallout

AOL’s CTO has “decided to leave” the company, “effective immediately”, according to an email message sent to remaining employees by CEO Jon Miller. Additionally, CNet news reports that the researcher who posted the data, and the researcher’s supervisor (a direct report of ex-CTO Maureen Govern) have been fired.


Identity 2.1

Dave Weinberger absolutely nails why I worry about the whole Identity 2.0 plan, in “Anonymity as the default, and why digital ID should be a solution, not a platform.” If you know what Identity 2.0 means, you owe it to yourself to read this post. If you build Identity 2.0 platforms/solutions/best-of-breeds, you owe it to […]


Biometrics Enable Guilty Men to Go Free?

Don’t miss the picture that Jerry Fishenden paints in “biometrics: enabling guilty men to go free? Further adventures from the law of unintended consequences:” Outside, armed policemen, guard dogs and riot barriers prevent the curious crowds pushing too close. On the office rooftops – police marksmen. In the Victorian drains below the courtroom – boiler-suited […]


Dell Batteries and Privacy?

Kip Esquire has a blog post about liabilities and restatements and product liabilities with an interesting twist for the capture-everything crowd: As for the costs of warning: How geographically diverse are the customers? How easy or difficult would it be to communicate the warning — would a press release be sufficient? Is the product likely […]



Is that enough acronyms yet? In Adam’s previous post, Justin Mason commented: There’s another danger of this — even if the number is an opaque ID, the *presence* of the RFID chip means than an attacker can remotely detect the presence of an I-94, therefore a foreign passport, therefore a tourist ripe for a mugging […]


The Assignment of a Mandatory Identifier

So two stories came out recently, and they’re connected by a thread, which is the assignment of identifiers. The first was in Government Computer News, “IG: U.S. Visit RFID needs better security controls,” which opens: The RFID on the Form I-94s was designed with privacy protections, the inspector general said. Specifically, the RFID tag, which […]


AOL search records 'research'

Most readers will have read by now of America Online publicly releasing a large sample of search records. From the README supplied with the data: The data set includes {AnonID, Query, QueryTime, ItemRank, ClickURL}. AnonID – an anonymous user ID number. Query – the query issued by the user, case shifted with most punctuation removed. […]
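The record layout quoted from the README above is the whole point of the story: an “anonymous” user ID is not anonymous if it is stable, because every query carrying the same AnonID can be linked back together. The script below, added here as an illustration and not code from the original post or from AOL, parses a small constructed sample in that five-field layout and shows how a stable pseudonym accumulates location cues across queries. The tab separator, the header line, the `parse_log`/`sessions_by_user`/`quasi_identifiers` names and every sample row are assumptions made for this example; the real release’s exact file format is not reproduced here.

```python
"""Link queries by pseudonymous AnonID in an AOL-style search log.

Added example (not the original post's code). The field set
{AnonID, Query, QueryTime, ItemRank, ClickURL} comes from the README quoted
above; the tab separator, header line and sample rows are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: invented users, invented queries, tab-separated.
# Blank ItemRank/ClickURL means the user did not click a result.
SAMPLE_LOG = (
    "AnonID\tQuery\tQueryTime\tItemRank\tClickURL\n"
    "1234\tbest pizza in lilburn ga\t2006-03-01 14:02:11\t1\thttp://www.example.com/pizza\n"
    "1234\tlandscapers in lilburn ga\t2006-03-02 09:15:40\t\t\n"
    "1234\tdog that urinates on everything\t2006-03-05 21:44:03\t2\thttp://www.example.com/dogs\n"
    "1234\tnumb fingers\t2006-03-11 08:02:59\t\t\n"
    "9001\tpython csv module\t2006-03-01 10:00:00\t1\thttp://docs.python.org/\n"
    "9001\tweather seattle\t2006-03-01 10:05:00\t\t\n"
)


def parse_log(text):
    """Yield one dict per record; blank ItemRank/ClickURL become None."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    for row in reader:
        yield {
            "anon_id": int(row["AnonID"]),
            "query": row["Query"],
            "time": row["QueryTime"],
            "rank": int(row["ItemRank"]) if row["ItemRank"] else None,
            "url": row["ClickURL"] or None,
        }


def sessions_by_user(records):
    """Group queries by AnonID: the stable pseudonym is the linkage key."""
    out = defaultdict(list)
    for r in records:
        out[r["anon_id"]].append(r["query"])
    return dict(out)


def quasi_identifiers(queries):
    """Crude heuristic: a query shaped '<thing> in <place>' leaks a place.

    Real re-identification combines many such cues (towns, surnames, ages,
    employers, ailments); this only shows that one stable ID is enough to
    collect them. The heuristic is an assumption of this example.
    """
    places = set()
    for q in queries:
        _head, sep, place = q.partition(" in ")
        if sep and place.strip():
            places.add(place.strip())
    return places


if __name__ == "__main__":
    users = sessions_by_user(parse_log(SAMPLE_LOG))
    for anon_id, queries in users.items():
        print(anon_id, len(queries), "queries; place cues:",
              quasi_identifiers(queries) or "none")
```

The lesson for anyone releasing “anonymized” logs is that replacing a name with a number removes the name but not the linkage; per-record random IDs, or no user key at all, are what actually break the chain, at the cost of the session-level research value the release was meant to provide.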


RFID Passport Security Clarified

Not that it needed clarification. RFID passports have been a boondoggle without a purpose for a long time. It’s been clear that they make us less secure. Now it turns out they can be easily cloned: A German computer security consultant has shown that he can clone the electronic passports that the United States and other […]


Return on (Other People’s) Investment

‘The Australian’ has a great story on “Focus key to crack money-laundering.” It’s focused on the testimony of a British expert on “money laundering” and includes: Last year, British banks, accountants and lawyers made some 200,000 reports to the authorities. But in the three years since Britain’s law was implemented, there had been only one […]


"Privacy" International

As mentioned by Ben Laurie; Simon Davies, the Director of Privacy International, was quoted in IT Week’s Will industry rescue the identity card? as saying: “I’ve believed for some months that a ‘white knight’ consortium from industry is needed,” Davies said. “Companies that can see the benefits of the ID card idea should approach the […]


Usable Security: SOUPS Blog posts

There are about twenty good posts talking about the Symposium On Usable Privacy and Security (SOUPS) over at Ka-Ping Yee’s Usable Security blog. If you’re reading this in the archives, start here and go forward, or here and go back. Some favorites: How will the scourge really be killed? (Panel) Decision Strategies and Susceptibility to […]


Security, Privacy and A Digression into Copyrights

(Via Caspar and Nicko.) I hesitated before posting this. I’m pretty sure it’s a Dr. Fun cartoon, but the jerks in “my confined space” have obscured the signature. I try hard to attribute all the images I use here. I’ve given credit to Galerie which we use to produce the frames. (They even added a […]


Skype reverse-engineered?

According to Charlie Paglee, Skype has been cracked, and a compatible client implemented. This promises to have wide ramifications, about which Charlie writes at length.


Spying As a "Lifestyle Choice"

“The Plot to Hijack Your Computer” in Business Week lays out some of the history of “Direct Revenue,” a spyware company whose products are so beloved of their customers that DR receives regular death threats. Cryptome presents an excerpt from a complaint in a lawsuit against AT&T, claiming that “NSA/AT&T Spying Began 8 Months before […]


Proud Comments About Bank Spying

Over at the Counterterrorism Blog, Dennis Lormel writes “Initial Comments about Terrorist Financing and “The One Percent Doctrine”” and “U.S. Government Terrorist Financing Initiative Involving SWIFT:” …I was in the FBI in a leadership role responsible for terrorist financing. Immediately after 9/11, we realized we had to develop financial investigative methodologies different than anything we […]


SWIFT spies

The United States Treasury Department has had secret access to records maintained as part of the SWIFT system, which it has been using secretly for years to identify financial ties to terrorist entities. The Washington Post has more.


The "Privacy-Enhanced Data Mining" Trap

The Associated Press pushed a story to the wires about the Data Surveillance workshop which I’d mentioned a while back: As new disclosures mount about government surveillance programs, computer science researchers hope to wade into the fray by enabling data mining that also protects individual privacy. Largely by employing the head-spinning principles of cryptography, the […]


Jangl, Private Phone Numbers

SiliconBeat has a story, “Jangl’s new angle on phone calling:” Jangl is a new phone service that, initially anyway, will allow people to anonymize their phone numbers the same way they can their email addresses when posting on places such as craigslist. When you sign up with Jangl, you get access to disposable phone numbers […]


Marketing Privacy as a Feature

Paxx Telecom has issued a press release that they’ll hand over records only when given a court order: The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree […]


Voting Registration Fraud

One of the motivators often discussed for voter ID card requirements is voter registration fraud. I believe that ID card requirements are like poll taxes, and are not justified. I believe that they’re not justified even if they’re free, because of personal privacy concerns, regarding addresses. You know, like Gretchen Ferderbar had before her 911 […]


911 Dispatcher Kills Woman by Abusing Database

An emotionally disturbed 911 emergency dispatcher abused his access to the call center’s databases while tracking his ex-girlfriend and her new boyfriend before murdering both of them. See Declan McCullagh, “Police Blotter: 911 dispatcher misuses database, kills ex-girlfriend,” which covers the court case stemming from a 2003 shooting, described in “Job loss tied to fatal […]


Homeland Security Privacy Office Slams RFID

Via Kim Cameron (“Homeland Security Privacy Office Slams RFID Technology“), I read about “The Use of RFID for Human Identification.” This is an important report. The money quote is useful because it comes out of DHS: Against these small incremental benefits of RFID are arrayed a large number of privacy concerns. RFID deployments’ digitally communicated […]


6th Workshop On Privacy Enhancing Technologies

We’ve announced the program for the 6th Workshop on Privacy Enhancing Technologies, and space is still available for registrants. The program is so cool that I’m not going to try to summarize it, but rather quote Kim Cameron (“SEE IF YOU CAN MAKE PET 2006“): Here’s one conference I definitely won’t miss. I’ve been lucky […]


The Internet Channel, at Risk

Lack of trust in online banking among U.S. consumers is a serious constraint because of doubts about banks’ security measures, according to eMarketer’s new report, “Online Banking: Remote Channels, Remote Relationships?” The result is a slowing rate of adoption, with online banking households increasing by only 3.1% in the last quarter of 2005 — the […]


Cell phone records market seemingly no longer important?

Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users’ privacy has been sent to a “legislative ‘Guantanamo Bay’” in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.


Boarding Passes, Privacy, and Threat Models

There’s a great article in the Guardian, “Q. What could a boarding pass tell an identity fraudster about you? A. Way too much:” This is the story of a piece of paper no bigger than a credit card, thrown away in a dustbin on the Heathrow Express to Paddington station. It was nestling among chewing […]


Big Brother Has Your Best Interests At Heart

So pay no attention to the thoughtcriminals who are not bored, and their ridiculous propaganda documenting “Abuses of surveillance cameras.” We all know that cameras never lie, film can’t be edited or mis-interpreted, the police would never use cameras to look in your bedroom window, and that the videos taken will be strictly controlled. Those […]


Kudos to Avis

I happened to look recently at the little card that Avis puts in the cars of frequent renters. The idea is that you land, get to Avis, see your name on a board, and walk directly to the car with one fewer line to stand in. So as you drive away, the fellow who checks […]


Perspective on Brian Doyle, Background Checks

“We try to weed out those who pose a security risk,” Chertoff said in a briefing with reporters. “I don’t know … that background checks with people hired will predict future behavior.” Well, golly, Mr. Secretary, I don’t know…that either. So will you please cancel CAPPSIII/Secure Flight/Free Wheelchairs for Paraplegic Children, rather than invading the […]


Readability of Financial Privacy Notices

Federal regulators today released Evolution of a Prototype Financial Privacy Notice… The report’s release concludes the first phase of an interagency project […] to explore alternatives for financial privacy notices that would be easier for consumers to read, understand, and use than many of the notices consumers currently receive from financial institutions. These six agencies […]


Privacy Enhancing Technologies Award/Call for Nominations

We’re looking for nominations of great work in Privacy Enhancing Technologies: The PET Award is presented annually to researchers who have made an outstanding contribution to the theory, design, implementation, or deployment of privacy enhancing technology. It is awarded at the annual Privacy Enhancing Technologies Workshop (PET). The PET Award carries a prize of 3000 […]


Privacy Grants from the Canadian Privacy Commissioner

The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the renewal of funding through her Office’s Contributions Program which, for the last three years, has allowed some of Canada’s brightest privacy experts to develop a wealth of information on various privacy challenges of the 21st century. From “Privacy Commissioner’s Office renews its cutting-edge privacy research […]



By Banksy, via Saar Drimer.


How Private Are Your Tax Records?

In “How private are your tax records? You’ll be surprised,” Bob Sullivan illustrates why the “opt-in/opt-out” way of discussing privacy is so destructive: Any information you give to a company that helps you prepare your taxes can be sold to anyone else. Only a single signature on a permission slip stands between you and the […]


Many Meanings of Privacy

I regularly talk about how privacy has many meanings, but haven’t put those in a blog posting. Since this blog has more readers than most of my talks have attendees, I figure it’s a sensible thing to blog about. The point of this list is to illustrate the dramatically different things people mean when they […]


Government Issued Data and Privacy Law

I’d like to say more about the issue of privacy law, and clarify a bit of jargon I often use. (Alex Hutton pointed out it was jargon in a comment on “There Outta be a Law“.) As background, some people have objected to privacy laws as being at odds with the First Amendment guarantees of […]


Slightly Unique Identifiers

One of the neat things about Blue Hat is that people get pulled aside and introduced to people who have problems that they’d like your thoughts on. In one of those meetings, it came out that the person I was meeting with was destroying lots of data before it came to his group. Very cool. […]


Identity Theft and Child Pornography

The CBC has a story on how “Global child porn probe led to false accusations:” An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and […]


"I've turned into my mother!"

…or, more generally, “I’m now doing that weird thing I saw an influential elder do, but now it seems to make sense”. I have several examples from my own life (generally rather predictable for a balding 40-something suburbanite), but just today I found another one, and I didn’t see it coming.


Justice Department Weighs In On Google Subpoena

Surprise surprise, the Department of Justice doesn’t think that the Bush administration’s request for search data violates users’ privacy rights. [Edit: Fixed broken link] [Update: Try this link instead.]


Sent 'Race-Customized' Valentines

How are’s Valentine’s Day e-mails targeted? Very simply: one version of their e-mail targets black singles, another targets East Indian lonely hearts, and other versions target the Asian and Hispanic loveless. (Our multi-cultural bots were lucky enough to get one of each). There’s nothing wrong with that on the surface. But we wondered how […]


Police Chiefs Gone Wild

Harold Hurtt has suggested that surveillance cameras be placed “in apartment complexes, downtown streets, shopping malls and even private homes”, according to this story in the Seattle Post Intelligencer. In response, I hereby found…. The Hurtt Prize The Hurtt Prize is a $1120 (and growing) reward for the first person who can provide definitive videotaped […]


CPNI Public Comment

The FCC has asked for comments on “TELECOMMUNICATIONS CARRIER’S USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION.” “Customer Proprietary Network Information” is newspeak for “selling your phone records.” Several anonymous readers commented on “Selling Your Phone Records” about their troubles with T-Mobile. Here’s a chance to tell the FCC what you went through. […]


Salesman uses credit application to stalk and rape customer

Police say a convicted murderer used his job as a car salesman in Sandy to track a female customer to her home and rape her. Cleon Jones, 34, was arrested Wednesday on multiple first-degree felonies and remains in the Salt Lake County Jail without bail. Authorities allege Jones tracked down his victim by using her […]


Selling Your Phone Records

Buried in your wireline and wireless telephone subscriber agreement is a notice concerning “customer proprietary network information” (CPNI). CPNI is your calling records. CPNI shows the phone numbers you called and received and for how long you talked. Privacy Rights Clearing House has a guide to “opting out of CPNI sharing.” This is great, because […]


Do no evil

As readers of this blog probably are already aware, Google has been subpoenaed. The United States government is demanding, in part, that they provide a list of all URLs they index. This is something I’d expect them, or any other search firm, to want to keep secret. Imagine my surprise when I read this in […]


More on "A Ping" Privacy Invasion

Before I’d had much in the way of coffee, I thought that the “Firefox Ping URLs” might offer a way to scan the web for sites to avoid. It would be simple. For each site mentioned in a ping URL, add it to a blacklist. The trouble with this is that the same set of […]


Firefox Ping URLs

It’s all over the internet that Mozilla has added a “ping” attribute to URLs: I’ve been meaning to blog about a new web platform feature that we’ve added to trunk builds of Firefox. It is now possible to define a ping attribute on anchor and area tags. When a user follows a link via one […]
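The blocklist idea from the two ping posts above, worked through as an added example (mine, not code from those posts or from Mozilla): a Node.js script that scans a page for a and area tags carrying a ping attribute, which is a space-separated list of URLs the browser POSTs to when the link is followed, and collects the hosts that receive those pings. The page URL, the sample HTML and the first-party/third-party split are my assumptions for the demo; the split is there because a ping that goes to the page’s own host or to the link’s destination can’t be blocked without blocking that site itself, so only the remaining hosts end up on the list.

```javascript
// Added example, not code from the original posts or from Mozilla.
// Scans an HTML page for <a>/<area> elements carrying a ping attribute
// (a space-separated list of URLs the browser POSTs to when the link is
// followed) and builds a blocklist of the hosts those pings go to.
// Runs under Node.js; the sample page below is constructed for the demo.

const ANCHOR_RE = /<(a|area)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Deliberately simple attribute scanner, not a full HTML parser: it reads
// name="value" / name='value' / name=value pairs out of one start tag.
function parseAttrs(rawTag) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(rawTag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Resolve a possibly relative URL against the page; null if it is malformed.
function safeUrl(value, base) {
  try { return new URL(value, base); } catch { return null; }
}

// One record per (link, ping URL) pair. A ping counts as first-party when it
// goes to the page's own host or to the link's destination host (assumption
// for this demo): blocking those hosts would cut off the page or the site
// being linked to, not just the tracking.
function pingTargets(html, pageUrl) {
  const page = new URL(pageUrl);
  const out = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[2]);
    if (attrs.ping === undefined) continue;
    const href = attrs.href === undefined ? null : safeUrl(attrs.href, page);
    for (const token of attrs.ping.split(/\s+/).filter(Boolean)) {
      const ping = safeUrl(token, page);
      if (ping === null) continue; // malformed ping URL: nothing to block
      const firstParty =
        ping.host === page.host || (href !== null && ping.host === href.host);
      out.push({ href: href && href.href, ping: ping.href, thirdParty: !firstParty });
    }
  }
  return out;
}

// Hosts that receive third-party pings from this page, sorted for stable output.
function pingBlocklist(html, pageUrl) {
  const hosts = new Set();
  for (const t of pingTargets(html, pageUrl)) {
    if (t.thirdParty) hosts.add(new URL(t.ping).host);
  }
  return [...hosts].sort();
}

// Constructed sample page (not a real site): two links ping a tracker, one of
// them also pings the page's own host, and one pings its own destination.
const SAMPLE_PAGE_URL = 'https://blog.example/';
const SAMPLE_HTML = `
<p>Constructed sample, not a real page.</p>
<a href="/articles/1" ping="https://tracker.example/hit">Article</a>
<a href='https://partner.example/deal' ping='https://tracker.example/hit /log/click'>Deal</a>
<area href="https://maps.example/x" ping="https://maps.example/ping">
<a href="/no-ping">Plain link</a>
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const t of pingTargets(SAMPLE_HTML, SAMPLE_PAGE_URL)) {
    console.log(`${t.thirdParty ? 'THIRD-PARTY' : 'first-party '} ${t.href} -> ${t.ping}`);
  }
  console.log('blocklist:', pingBlocklist(SAMPLE_HTML, SAMPLE_PAGE_URL));
}
```

Run it with `node ping-blocklist.js` and the sample yields a blocklist of just `tracker.example`; the ping to `/log/click` resolves to the page’s own host and the area’s ping goes to its own destination, so neither lands on the list. The scanner only sees pings a page declares in its markup, so a host that tracks clicks some other way is invisible to it.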


Hotel Room Keys

For example, last fall, an IT director at a travel club in Wyomissing, Pa., told Computerworld that he had found personal information on magnetic hotel key cards when visiting three major hotel chains. The IT professional said he read the cards using a commonly available ISO-standard swipe-card reader that plugs into any USB port. At […]


Real ID Even More Expensive Than Predicted

Bruce Schneier links to an AP article about the hideous costs of the RealID Act. Early estimates were for $120 million, current estimates are for $300 million for the first year alone, and that’s just for three states, Pennsylvania, Virginia and Washington state. So we can safely say that nationally we’re looking at billions of […]


More Victims of Money Laundering Regulations

In a comment on “Atlantis Resort (Bahamas) 50,000, Hacker,” Ian Grigg explains that the reason Bahamas Casinos collected 55,000 SSNs is that the various and sundry “anti-money laundering” regulations force them to, or be labeled “naughty.” Err, ‘non-compliant.’ How’s that for NewSpeak? There’s a pretty large steamroller behind such rules and regulations, and the push […]


Friendster this ain't!

When you’re facing hard time, and the chips are down, you need to hunker down and dig up all the dirt you can on the stool pigeon who fingered you. That’s where Who’s A Rat comes in: Who’s A Rat is a database-driven website designed to assist attorneys and criminal defendants with few resources. The purpose […]


RFID Zapper

I’ve been mulling over John Robb’s description of the (very cool) RFID zapper the Chaos Computer Club demoed at their conference. He calls them “the German branch (privacy activists) of the global guerrilla innovation network.” He also states that “In order to correctly route and track items from inception to purchase, these chips are attached […]


Anonymous Blogging Wiki!

The Blog Safer Wiki was announced by the Spirit of America’s Anonymous Blogging project. There’s a lot of technology know how, and a lot of cultural issues that go into this, and Curt is doing a great job at bringing the technical knowledge to those who need it, and helping them help each other: Spirit […]


Mobile Phones, Modernity, and Stress

The study, which followed more than 1,300 adults over 2 years, found that those who consistently used a mobile phone or pager throughout the study period were more likely to report negative “spillover” between work and home life — and, in turn, less satisfaction with their family life. From “Cell phones tied to family tension,” […]



I realized today that Chris Hoofnagle’s blog at EPIC West wasn’t on my blogroll. He’s had lots of important posts up lately, from the informational (“CA OPP: 13 New Privacy Laws in Effect“) to the amusingly disgusting (“Pretexting Isn’t Lying, According to“) California’s Office of Privacy Protection just released an announcement that 13 […]


Privacy Competition in Politics

Two leading governor candidates are trying to outdo each other in protecting Minnesotans’ privacy…The candidates’ dueling news conferences produced more politics than policy, with each charging the other with not doing enough to protect citizens’ privacy. From “Governor is seeking privacy law changes.” I don’t like some of the proposals. It seems to me that […]


Fingerprint Readers and the Economics of Privacy

I used to feel bad advocating for privacy laws. I’m generally down on laws restricting private contracts, and privacy laws seemed to be an intellectual inconsistency. I’ve resolved that feeling because a great many privacy-invasive systems depend on either social security numbers or government-issued identity documents. It seems quite consistent to restrict […]


Florida workers claim outsourced HR system reveals PII, lacks audit trail

The Tallahassee Democrat reports on an interesting disclosure instance: whistleblowers revealing allegedly shoddy data security practices at their former employer. The twist is that those doing the talking are not the folks whose jobs were outsourced, but former employees of the outsourcing firm. From the article: In an affidavit taken for a lawsuit by five […]


The shame of it all

[Adam updates: The reporter has recanted his story, “Federal agents’ visit was a hoax.”] Apparently, the Stasi are watching what we read. A senior at UMass Dartmouth was visited by federal agents two months ago, after he requested a copy of Mao Tse-Tung’s tome on Communism called “The Little Red Book.” Two history professors […]


NSA Spying on Americans Without Warrants

“Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say.” A 10 page story in the New York Times opens: Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without […]


Insurance Claims and Privacy

One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampa Tribune reports in “Insurers’ Road Service Could Prove Costly:” TAMPA – Andrea Davis can’t understand what two flat tires and […]


Tracking Graz (Austria)

Speaking of tracking and databases: Mobile Landscape Graz in Real Time harnesses the potential of mobile phones as an affordable, ready-made and ubiquitous medium that allows the city to be sensed and displayed in real-time as a complex, pulsating entity. Because it is possible to simultaneously ‘ping’ the cell phones of thousands of users – […]


Planespotters vs. the CIA

Ever-increasing requirements that every item be uniquely identifiable are combining with the power of the internet to invade everyone’s privacy. The Guardian (UK) has a story about how ‘planespotters’ are gathering data that allows the after-the-fact tracking of CIA torture planes. (“How planespotters turned into the scourge of the CIA.”) Paul last saw the Gulfstream […]


Like Taking Candy from a Database

Candice “Candy” Smith, 44, of Blue Springs, Mo., pleaded guilty to making unauthorized inquiries into data aggregator LexisNexis’s database of non-public information on millions of consumers, such as driver’s license information and credit-history data. Many people might assume that only cops can look up this type of information, but Smith was granted access to the […]


NJ's Strong Privacy Law

Apparently, I woke up on the right side of the bed, and am just handing out kudos left and right today. Consumers will gain strong new protections when New Jersey’s Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses. Social Security numbers will be out as […]


Effective Privacy Law Requires Penalties

Michael Geist has a column today “Canada’s Privacy Wake-Up Call” in which he follows up on the Macleans story about the Canadian Privacy Commissioner’s phone records being stolen. (See my “Epic Problems With Phone Privacy.”) Although major Canadian telecommunications providers such as Bell Canada sought to characterize themselves as “victims” of fraudulent activity and claim […]


Hoder's Denial

Recently, Hossein Derakhshan blogged about his denial of entry into the United States. (“Goodbye to America.”) This is really too bad. Hoder’s an insightful fellow, and even if he happened to be one of the 15 or so million living in the United States without official permission, we profited from his visits. I believe that […]


Google buys Riya, Steamrollers Your Pictures' Anonymity

Riya is a Redwood City startup that makes facial recognition software. Rumor from Om Malik says Google is buying them. I believe that this purchase has some of the farthest reaching privacy implications we’ve yet seen from Google. Anonymity, in its most literal meaning of “without a name,” is the current state of many photographs […]


Choicepoint's Custom Products

I appreciate all the notes you’ve been sending me telling me about “FBI, Pentagon pay for access to trove of public records.” I’d love to have something insightful to add to this, but I don’t. Ryan Singel has a bit more: The article, which relies on heavily redacted documents acquired through an open government request, […]


Data Destroying Anonymity

New Scientist reports “Anonymous sperm donor traced on internet:” LATE last year, a 15-year-old boy rubbed a swab along the inside of his cheek, popped it into a vial and sent it off to an online genealogy DNA-testing service. But unlike most people who contact the service, he was not interested in sketching the far […]


Joseph Ansanelli, Brad Smith on Privacy Law

The [Stearns] bill would also require companies to notify not just consumers of a breach, but also the F.T.C., which would then be permitted to audit the company’s security program. “But it needs better enforcement language,” said Joseph Ansanelli, the chief executive and co-founder of Vontu, an information security company in California, who has frequently […]


American Express and Privacy

There’s a fascinating story at imedia connection, “Why Consumers Trust American Express:” How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that “American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy.” Moreover, she felt that American Express had done a […]


Adding Silent Insult to Injury (Senator Sessions' "privacy" act)

I just skimmed the Sessions’ bill which Chris linked to. It has a great provision for allowing the fox to not only guard the henhouse, but also to control the alarm system: 3(b)(1)(A) IN GENERAL- If an agency or person that owns or licenses computerized data containing sensitive personal information, determines, after discovery and a […]


The hand is quicker than the eye

Arlen Specter and Pat Leahy have proposed the “Personal Data Privacy and Security Act of 2005“. This is a comprehensive proposal, and is opposed big-time by various industry lobbies. As reported in the October 21, 2005 American Banker, this bill has hit a snag, and is languishing in Committee. Meanwhile, another bill, courtesy of Jeff […]


The prescience of the Beeb

Via Alec Muffett’s dropsafe, I learned of a British SF television program which eerily predicted a future Britain in which a sinister governmental department that has abolished individual rights and introduced ID cards for all citizens, rationing and sophisticated electronic surveillance. I would have preferred to have gotten a transdimensional police box.


Your Printer, Tool of the Man

The EFF has done some great work on how high resolution color printers are embedding tracers in every document they print. It’s at “DocuColor Tracking Dot Decoding Guide.” I’d call them high quality printers, but how could I? They intentionally distort every document they print on the off-chance it contains evidence of thoughtcrime. The work […]


Security 360 With Mike Nash (and Adam)

Last week, I was in Redmond for a few days, filming a roundtable discussion with Amy Roberts of Microsoft, Gerry Gebel of the Burton Group and Peter Cullen, Microsoft’s Chief Privacy Strategist. I think we had a great discussion, the time went by really quickly. I hope that the good energy we had in the […]


Businesses For Privacy

Some prominent business organizations are complaining to Congress that the Patriot Act makes it too easy for the government to get confidential business records. These groups endorsed proposed amendments that would require investigators to say how the information they seek is linked to individual suspected terrorists or spies. The changes also would allow businesses to […]


Bankers 1, Privacy 0

A federal judge on Tuesday struck down a California law that restricts banks from selling consumers’ private information to their affiliates, ruling that the state law is pre-empted by federal rules. The American Bankers Association, the Financial Services Roundtable and Consumer Bankers Association had sued California Attorney General Bill Lockyer, arguing that the federal Fair […]


Who Has Fingers That Short?

PaybyTouch has arrived, and that finger in their logo looks awfully short to me. Maybe subconsciously, they know the truth? See my “Fingerprint Privacy” or “A Picture is Worth A Thousand Words” for some actual analysis, rather than silly sniping. (via Silicon Beat, who has notes on their unusual financing techniques.)


Harper's Privacy Framework for DHS

Jim Harper writes: At this week’s meeting of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, Joanne McNabb, Chief of the California Office of Privacy Protection, and I circulated and presented a draft ‘Framework’ for assessing homeland security programs in terms of their consequences for privacy and related values. Members of the […]


Bugger Productivity

It’s not like I was getting any work done anyway. (Ok, actually I was: Five of yesterday’s six posts took under 10 minutes, and four took 5 minutes or less.) But: Scientists invade the privacy of Giant squid, intruding on their long-preserved solitude. Also be sure to notice National Geographic’s beautiful user interface for selecting […]


FinCEN Effectiveness

At the Counter-Terror blog, Andrew Cochran writes: “Treasury Department’s FinCEN Unit Recovering From “Cyberjacked” E-Mail System:” The most important impact of the cyberjacking has been to shut down the automated system whereby FinCEN and law enforcement request and receive information from financial institutions for use in terrorism and money laundering cases. The system, enacted under […]


Google VPN, Macs, and Privacy

NudeCybot (hey, you’re blogging again!) asked me for opinions on Google Secure Access (or just GSA), and sent me a link to Kevin Stock’s Google Secure Access on Mac OS X. There’s a lot of critiques of Google’s Privacy policy around GSA: “Hide what you’re doing from everyone but us! And, umm, anyone who asks […]


A Life, Observed

A blogger who I’d recently discovered has retired: I’ve always had my two lives separated – my offline world and my online one. That’s the way I wanted it and that’s the way I set it up and I’ve got my own reasons for it. And someone decided to ruin all the fun and be […]


Sweet Land of Databases

In “Stuck on the No-Fly List,” Ryan Singel discusses the procedure for, no not getting off the list [1], but for getting onto yet another “cleared” list.[2] Confused? I was too. The head of the Terrorist Screening Center [3] told me recently that I’d mixed up “No-Fly” and “Selectee.” As Daniel Solove explains in “Secure […]


Security Implications of Economics of ID Cards

Some of the precepts that proponents of national ID often put forth are that it can make “illegal immigration more unpleasant for immigrants,” or that “a national ID system has some substantial potential to be the cornerstone of a national fraud-prevention system.” These are attractive notions, but will not be borne out in reality. Actually, the […]


Thoughts on Chapell's View

Alan Chapell has some interesting thoughts in “CONSUMER WATCH: Localities put private data in harm’s way:” As an aside, some might argue that there’s little distinction between “evil doer” and “data broker”. I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. […]


Parental Privacy

My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby’s due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not […]


Roberts on the Right to Privacy

The term “right to privacy” has, in the debate over the Supreme Court, become a code-word for a woman’s right to abortion (or more specifically, to a liberty to choose without government interference.) As someone who believes that privacy is broader than that, I was very pleased to see that Roberts said: “Senator, I do. […]


Skype, EBay, and Communications Privacy

EBay has bought Skype, for reasons that I don’t quite understand. Perhaps all that cash was burning holes in their pockets. The BBC reports: “Communications is at the heart of e-commerce and community,” said eBay chief executive Meg Whitman. “By combining the two leading e-commerce franchises, eBay and PayPal, with the leader in internet voice […]


Small Bits: Clearance, Security Legislation, Schneier Pointers, Get Me An Operator

Richard Bejtlich comments on a Federal Computer Week article, “Security clearance delays still a problem” in “Feds Hurry, Slow Down.” “ITAA officials said 27 member companies that responded to a survey are coping with the backlog by hiring cleared employees from one another, sometimes paying premiums of up to 25 percent.” I’m glad to see […]


Enforcement and Incentives

In “Getting Serious about Smog,” Virginia Postrel writes: After many years of bureaucratic resistance, California is finally getting serious about air pollution from cars. These days, most cars don’t spew much pollution. But the few that do, account for a lot, and many of them still manage to pass state inspection. Now, the LAT reports, […]


Small Bits: Alex Haislip, Chinese Censorship, TSA Xrays

Alex Haislip is blogging up a storm at VC Action. I love journalist bloggers; there’s so much interesting backstory that they talk about. And working at Red Herring, Alex has more dirt than he could dish and stay in business. 😉 Curt Hopkins points to a fascinating story about the folks who run the great […]


New Blog Pointers

Frequent commenter Allan Friedman has started Geek/Wonk. In “Speaking of duct tape,” he links to an interesting essay Duct Tape Risk Communication. And Mario’s comments on tor vs the Freedom Network are interesting: Interestingly, the usability issues are _exactly_ the same as they were ~5 years ago! It’s sometimes s-l-o-w! While I agree with this, […]


Risks of Data Collection and Use

David Cowan tells a sad story about his experience with unauthorized data collection and use in “Freshman Week.” Speaking of unauthorized data collection and use, Jonathan Krim reports that “License-Screening Measure Could Benefit Data Brokers:” Jason King, spokesman for the American Association of Motor Vehicle Administrators, said commercial data brokers are notorious for refusing to […]


If You Have Nothing to Hide…

In “Behind-the-Scenes Battle on Tracking Data Mining,” the New York Times reports that the Department of Justice really does care about privacy, and really doesn’t want those nosy Congressional committees poking about how the government operates. So, why should they care? Are they hiding something? Of course, this being a New York Times article, there’s […]


Small Bits: Privacy for Infringers, IEEE Cipher, Oracle, Footnotes, and a Mug

Michael Geist continues to take the Privacy Commissioner’s office to task for protecting the privacy of infringers: Moreover, the Commissioner canvassed other banks and found that at least two others did allow their customers to opt-out of such marketing. Now if only the Commissioner would reveal which banks respected their customers’ privacy and which decided […]


Nelson-Smith Data Protection Bill

Kim Zetter reports in Wired, Bill Strives to Protect Privacy : Another bill introduced in the Senate judiciary committee about two weeks ago addresses some of the same issues in a comprehensive way, and several other bills address individual issues, such as notification to consumers. The commerce bill, however, is likely to go the distance […]


Small Bits on Privacy

Larry Ponemon has a good article in Computerworld, “After a privacy breach, how should you break the news?:” We learned that about one-third of subjects believed that the notification was truthful. Another 41% believed that the notice they received failed to communicate all the facts. The remaining 26% were unsure about the integrity or honesty […]


Backup Tapes?

Allan Friedman asks for comments on Lauren Weinstein’s post to Interesting People: (Lauren W) Ironically, it’s true that the probability of lost backup tapes being used opportunistically for ID theft is probably fairly low, at least in comparison to all the “ID theft supermarkets” that are out there — crooked commercial and government employees willing […]


Russia's Information Market

Bruce Schneier mysteriously titles a post “Russia’s Black-Market Data Trade.” But it’s not clear to me that this is black-market at all. Does Russia have a data protection law? Quoting from The Globe and Mail: At the Gorbushka kiosk, sales are so brisk that the vendor excuses himself to help other customers while the foreigner […]


Fingerprint Privacy

There have been a slew of stories lately about fingerprint readers being tied into payment mechanisms. I don’t particularly like the idea, but if you do, feel free. At least until your lack of care about privacy starts displaying externalities. Many of these vendors are making claims like it is not possible to recreate the […]


UK ID Cards, Choicepoint, and Privacy

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash“: Personal details […]


A Privacy-Openness Tradeoff

In “Adoptees File Human Rights Complaint Against Canadian Privacy Commissioner,” reports on a dispute between the parents and children, mediated by the state: A group of Ontario adoptees has filed a human rights complaint against Privacy Commissioner Ann Cavoukian after she lobbied the province to amend its proposed adoption disclosure law with a clause […]


Small Bits of Privacy

CSO has a “Do it Yourself Disclosure.” Hey, you skimped on security, you might as well skimp on the PR. Wired News comes out in favor of a data protection and privacy law for the US in “Congress Must Deal with ID Theft.” The Financial Times has an article on [UK] “Regulator urges tougher laws […]


Schneier, Solove on Medical Privacy

In U.S. Medical Privacy Law Gutted, Bruce Schneier analyzes the new rules on who gets prosecuted for violating your medical privacy. Answer: fewer people than you’d think or hope: I’ve been to my share of HIPAA security conferences. To the extent that big health is following the HIPAA law — and to a large extent, […]


New Law Protects You, Shredder Makers

At MSNBC, Bob Sullivan reports “Got a nanny? You need a shredder:” Even if you ordered a background check on your kid’s coach, or nanny, or — as is the latest trend in online dating — on a prospective blind date, the law applies to you. Transgressions — such as tossing paperwork containing personal information […]


Small Bits: Wives Vs. The Dark Side, Diamonds, FRCA, Brill & Lexis-Nexis

VikingZen posts her Two Cents about Revenge of The Sith, and closes with: My big question: Why didn’t Padme just release a can of whoop-ass on her husband? I mean, they’re secretly married, the guy’s off in some outer galaxy playing space cowboy while she’s lugging around a pregnant belly full of twins? How about […]


W. Mark Felt aka Deep Throat

For more than 30 years, W. Mark Felt and three co-conspirators have protected his privacy after one of the most spectacular whistleblowing acts in history. He’s admitted to being Deep Throat in this Vanity Fair article. The Washington Post has coverage in “FBI’s No. 2 Was ‘Deep Throat’“, and “Conflicted and Mum For Decades.” I’ve […]


Speaking of Usability: Privacy and Openness

Jon Mills, who has been heading up Florida’s Committee on Privacy and Court Records, has an article in the HeraldTribune: How do we balance the competing values of privacy and openness? The Internet makes possible greater openness, so indispensable to good government, and allows for greater convenience in accessing government services, including court records. […]


Small Bits: Xrays, Free Speech, Law, Cowards and Crypto School

Justin Mason has a good post on the new backscatter radiation xray machines that TSA would like to deploy. My favorite part: They create child pornography. Interestingly, these are one of the relatively few places that a privacy invasion makes us safer. Also interesting is that different people perceive either the hand-pat or the naked […]


Emergent Bits of Security

(Updated shortly after posting with Eric Rescorla’s evidence presentation.) Nick Owen has a post about Net Present Value and Annual Average Loss Expectancy. If you think security is all about vulns and 0day, you probably don’t need to read this post, and your boss is going to keep rejecting your spending proposals. Carrie Kirby argues […]


Private to CIBC: That wasn't a challenge

Last month, I asked “What Do You Need To Do To Get Fined?” in reference to CIBC’s improper disclosure issues. Now the Ottawa Citizen is reporting that “Bank springs another privacy leak:” Fresh off fax blunders that earned it a rebuke from the federal privacy commissioner, the Canadian Imperial Bank of Commerce admitted yesterday that […]


Emergent Privacy Bits

TechDirt points to a Cnet story by Declan McCullagh, “Kiss your old SSN goodbye:” Rep. Joe Barton, another Texas Republican who happens to chair the House Energy and Commerce Committee, said last week that he plans to “outlaw the use of Social Security numbers for any purposes other than government purposes.” … “The time has […]


Primary Colors, Author Unknown

In discussing private blogging at Blognashville, the idea of identifying bloggers by their writing style kept coming up. The example that was used (at least) twice was the “computerized” identification of the anonymous author of Primary Colors. The trouble is, the identification wasn’t done by computer. It was done by Vassar English Professor Don Foster. […]


Customer Relationships, Data Relationships

The computer industry is good at coming up with Orwellian names for things. The software that call center operators and others use is called a “Customer Relationship Management” system (or ‘CRM.’) The goal of such systems is to help you decide which of your customers are profitable, and give them better service. Cynics might add: […]


Anonymous Blogging Roundtable

I think the roundtable went well. Mark Glasser started us off with a review of the state of the world, with China having 67 bloggers in jail, Bahrain requiring bloggers to register, Cuba having a black market in email accounts with one costing $240, out of an average annual income of $1700. We talked a […]


Small Bits of Chaos all Starting with Names

Mike Solomon, of PithHelmet fame, comments on RSS spam, and promises to do something about it. (Incidentally, I’ve been wondering about NetNewswire’s cookie behavior when you load pages, but some rummaging in its files didn’t seem to turn up cookies, and I needed to go blog earn money.) Alan Chapell (whose blog is looking much […]


Small Bits: Labelling Software, People, Aaron Weisburd's Foreign Policy

Gunnar Peterson offers up a label for software that he stole from Jeff Williams. I had a good, if short, back and forth with Geoff, of Screen Discussion, in his comments, on using photographs to enhance criminal background checks, by including photos with the records of criminals, so the viewer of a report can compare. […]


Usability as a Security Concern

Building new technologies involves making tradeoffs. A programmer can only develop so many features in a day. These tradeoffs are particularly hard in building privacy enhancing technologies. As we work to make them more secure, we often want to show the user more information to help them make better decisions. This impacts usability. The security […]


Small Bits: Airport Security, Tax Web Bugs

Stupid Security covers an AP story: Security at U.S. airports is no better under federal control than it was before the Sept. 11 attacks, a key House member says two government reports will conclude. None of us here [at Stupidsecurity] are surprised. The real fun begins with the second paragraph: “A lot of people will […]


Small Bits: Ameritrade, Tax & web privacy, revolution, medicine

It turned out someone I had dinner with last night had gotten an Ameritrade letter. According to her, Amertrade is not offering credit monitoring service.* “Lotus, Surviving A Dark Time,” has some good analysis: Well, duh with a PR stamp. How could they have heard of any such “misuse?” If customers had any bad experiences, […]


What Do You Need To Do To Get Fined?

As I covered in “Canadian Privacy Law and CIBC,” CIBC spent years faxing information to, amongst others, a West Virginia scrap yard. Today, the Privacy Commissioner released her report, and asks that they please, pretty please do better next time. See the press release, if you really want to. Via Dave Akin.


Small Bits: Digitizing Art, Making Sense, Wages of Sin, Pookmail

Capturing the Unicorn is an article at the New Yorker about the hubris of technologists trying to capture art. (The technologists win, but the archivist in me asks: CDs?) 13 things that do not make sense is a New Scientist article about, well, 13 things that don’t make sense. Some foolish people might look at […]


Small Bits

Newsday reports on Orange County, Florida Sheriff Kevin Beary abusing law enforcement access to records. He sent a letter to Alice Gawronski’s home, objecting to her letter to a local newspaper. He claims it was “legitimate use of public records.” Dan Farmer’s new company, Elemental Security, has launched. Speaking of launched, Steve Hofmeyer, of Sana […]


More on AIM & Privacy

Recently, I griped about AOL’s privacy policy. Today, PGP Corp announced their second public beta of PGP 9, which includes support for encrypting AIM sessions. It’s not clear if this will be in the personal edition. I sure hope so.


5th Privacy Enhancing Technologies Workshop

The program has been posted for The Fifth Privacy Enhancing Technologies Workshop, which will be held in Dubrovnik, Croatia, 30 May – 1 June. (Corrected spelling.) There’s an affiliated executive briefing, 2-3 June.


Student Database

Both Blog*on*Nymity and Kip Esquire are covering a massive student database, that seems to be there to ensure that, well, you know, look! A terrorist! More compulsory privacy invasions for little apparent benefit to anyone, except the newly fully employed bureaucrats. And you thought Berkeley losing a laptop was bad?


Three Privacy Breaches

“DMV hopes to reassure clients about security.” The DMV on Wednesday will send out letters describing the incident and new driver’s licenses with different numbers to the 8,738 people whose personal information was stored on the stolen computer, said Kevin Malone, spokesman for the DMV. “Audit: State voter system left information vulnerable:” The state elections […]


Small Bits: Hell, TSA, Insurance, Mutual Funds, Telephone Privacy

Asteroid analyzes Sisyphean volunteers and the modern condition in a brilliant essay. It just goes to show, the Greeks really did invent everything. Robert Poole and Jim Harper debate the TSA in “Transportation Security Aggravation” at Reason. Tyler Hamilton looks at two schemes to cut your auto insurance premiums by monitoring your driving, and their […]


Electronic Voyeurism

Jason Young has a great, thoughtful post at Blog*on*nymity: Like other nations, Canada has moved to adopt criminal sanctions for electronic voyeurism, a social problem that has become acute with the availability of cheap and unobtrusive surveillance technologies. The legislative efforts are welcome and yet I cannot help but wonder if we are missing the […]


Response to Solove & Hoofnagle

As I mentioned previously, Daniel Solove and Chris Hoofnagle have written a paper on “A Model Privacy Regime.” This post makes a lot more sense if you’ve read their paper. I’ve read through it, and think that it’s pretty good. My responses to specific sections are below. First I’d like to comment on the free […]


Bad advice on SSNs

Bad advice on use of social security numbers abounds, often in technical documentation. Credit goes to reader Jonathan Conway for digging many of these out. There are a few very common errors which we can find, thanks to Jonathan’s research: Social security numbers are un-changing. No, they are not. Victims of identity theft, domestic abuse, or […]


Colleges and SSNs

For a very long time, colleges have been using social security numbers as identifiers for their prospects, students, and alumni. This is starting to change, driven by liability and brand concerns. No school wants to transform your (hopefully) fond memories of your time there into a firestorm over privacy. From ZDNet: Dunn said [Boston] college […]


More on Nevada DMV

In working on the Choicepoint roundup for tomorrow, I found Axinar pointing to this story about the Las Vegas DMV heist. Apparently, all that encryption? Err. Never mind. But Lewis said Friday that Digimarc Corp., the Beaverton, Ore.-based company that provides digital driver’s licenses in Nevada, told her Thursday the information was not encrypted, and […]


Leaving AIM

Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on […]


Hank Asher

Dennis Bailey at The Open Society Paradox objects to my characterization of Hank Asher, and says: Rather than debate the merits of the program, they have to make this a personal attack on the man. Well, let’s talk about the programs. DBT, the first company Asher founded, was deeply involved in disenfranchising Florida voters. MATRIX […]


Small Bits: ID Angel, Books and Garbage

Latanya Sweeney has announced a new tool, Identity Angel, to crawl the web and discover if there’s enough information to steal an identity. Stefan Brands has made the first four chapters of a book on Electronic Money available. This will be a great reference for people wanting to think about privacy and payments. I’d like […]


New American Privacy Law: What Could It Say?

With recent events (Choicepoint, Bank Of America, PayMaxx, and Lexis Nexis) leading to a new privacy law for the United States, what should it say? How can we tell a good law from a bad one? Some disclaimers: I’m not entirely in favor of a new law. There’s a lot of potential for harm when […]


Identity Trail

There’s some great blogging at the Identity Trail conference. I wish I’d been there. Read the official blog for Friday, Saturday AM, Saturday PM, or Michael Froomkin‘s post.


Small Bits of Chaos: Tempest Tents, Medical Records, Openness

One of the neat things about talking to different sorts of conferences is that you find neat stuff that you don’t otherwise see. At the Southeast Cybercrime Summit, I was supposed to talk about “Reducing Crime In Cyberspace, a Privacy Industry View.” (The talk I used to give for Zero-Knowledge.) Due to a small error […]


Publishing a List of SSNs Will Not Fix Anything

Pete Lindstrom suggests: My proposal: List SSNs publicly. The Social Security Agency can notify all of its intent to publish all SSNs at some point in the future – enough time for organizations to absorb and react to this news. The net result is to eliminate the notion that perhaps SSNs are “secure enough” for […]


Choicepoint Won't Benefit from Bank of America Leak

I wasn’t going to blog on BofA‘s little kerfuffle. But then Ian went and blogged about it, and I think he gets it partially right and partially very wrong. His actual conclusion is spot on: In order to share the information, and raise the knowledge of what’s important and what’s not, we may have to […]


Quick Followups

David Akin says CIBC is getting sued for faxing information around. Prior posts are “Privacy Lessons from CIBC” and “Canadian privacy law & CIBC.” 19 days after the vulnerability was announced, Mozilla releases Firefox 1.01.


Small Bits of Chaos: Conferences and What Would Dylan Do?

This Concealed I conference in Ottawa March 4-5 looks really good. Bob Dylan joins the cypherpunks in skipping Woodstock for his trig homework: “I wouldn’t even think about playing music if I was born in these times… I’d probably turn to something like mathematics.” (NME, via Scrivner.) Who did this: Privacy Enhancing Technologies, May 30-June […]


When The Future Has No Shadow

I remember when I was in college, discussing what we’d do if we discovered we had a terminal disease. Being college students, there were lots of ways to maximize short-term fun before the disease ate you. The game theory folks talk about “the long shadow of the future,” the idea that cooperation can be rewarded […]


The Open Passport

Third, this may be all moot if the government takes the easy step of giving citizens a passport cover made of aluminum foil. According to one article “Even Schneier agrees that a properly shielded passport cover should solve the problem. He wonders why this wasn’t included in the original plans for the new passports.” writes […]


Cool Tech at RSA: i-Mature

At RSA, I didn’t get a demo, but did talk to John Brainard of RSA about i-Mature, a fascinating biometrics company. There’s been some discussion on Interesting People. Vin McClellan discusses the tech, Seth Finkelstein maps their web site, reporter Andy Sullivan plays with one, Lauren Weinstein on probable attacks, Herb Lin on the limits […]


Small Bits of Chaos: Passports, Financial Crypto

Ryan Singel has a good post on chipped passports: Bailey is right that the new passport will be harder to forge with the inclusion of RFID chips, especially since the chip would be digitally signed to prevent changes to the data in the chip. That’s a solid security measure. But, the chips create a new […]


The Real-ID Theft Act of 2005

The “Real ID” act is likely to get written into law, in two ways. First, it will pass the Senate, and be signed into law. Second, it will be one of the best examples of the law of unintended consequences in a long time. The bill would force states* to fingerprint people, and do various […]


US National ID Card

This was first created in December 2004’s Intelligence bill, loosely called the Patriot II act because it snuck in provisions like this without the Representatives knowing it. The deal is basically a no-option offer to the states: either you issue all your state citizens with nationally approved cards, or all federal employees are instructed to […]


Wachovia Misdirects Customer Information

Wachovia said that, overall, 86 statements or tax forms were mistakenly sent to Pirozzi, including information on 73 individuals. Pirozzi said the number of pieces of mail was significantly higher, closer to 140. … Pirozzi tried desperately to get the problem fixed once the first batch arrived last spring, but he says that no one […]


Stefan Brands Blogging

Stefan Brands has a new blog. Stefan is not only one of the top two or three folks in the world in privacy enhancing cryptography, but he writes eloquently about the social reasons privacy is important. We worked together at ZKS, and I’m very sad we didn’t get further selling his technology. I look forward […]


SSNs and Drivers Licenses

JihadWatch is upset because (9/11 hijacker) Nawaf Alhazmi got a CA driver’s license with a fake SSN. But so did 184,000 other people, most of whom have not turned terrorist. Perhaps we should focus on things other than SSN fraud in tracking down terrorists?


Small Bits: ICANN, Mock Trials, S.116, etc

Ian Grigg and I have a letter to ICANN about Verisign. See his post. Eric Rescorla has a Kafka-esque excerpt from the “trial” of Mustafa Ait Idr, who wasn’t allowed to see the evidence against him. Mort points me to US Senate Bill 116, introduced by Diane Feinstein, making it a crime to sell social […]


Privacy and Obscenity?

Put bluntly, the law of obscenity, no matter how longstanding, has never satisfied constitutional requirements, and it never will. Finally, a judge has been brave enough to say as much. This opinion is notable for that reason – and for Judge Lancaster’s novel approach. His opinion attacks the obscenity laws on privacy grounds – and […]


Small Bits of Irony: Secure Flight, Insecure Borders

Bruce Schneier talks about Secure Flight being an improvement over the current watchlist system, but can’t give us details. The new system will rely on more information in the reservation. But if we don’t have that more information on the person on the watchlist, what will happen? Eg, if there’s no known birthday for […]


More on Nothing to Hide

Chapell points out a very interesting correction at the top of this Seattle Times story: A previous version of this story on Tukwila firefighter Lt. Philip Lyons being charged with first-degree attempted arson incorrectly stated that police reports indicated he had used his Safeway Club Card to purchase 16 fire-starters between June and August. Lyons […]


Nothing to Hide, Plenty to Fear

Longtime security and privacy researcher Richard M. Smith tells Farber’s IP list about Philip Scott Lyons, a Tukwila, Washington firefighter. Lyons was accused of arson because he’d bought the same type of fire starters at Safeway. Or, that’s what Safeway’s “Club Card” records show. How or why they were obtained isn’t clear. The charge was […]


Small Bits of Chaos: Blind overflows, National ID, and Looney Tunes

SecurityFocus has a new article on blind buffer overflows. I’m glad these techniques are being discussed in the open, rather than in secret. Julian Sanchez has the perfect comment on Congressman Dreier’s new national ID plan, at Hit & Run. And finally, don’t visit this Looney Tunes site if you’re busy. (Via Steven Horowitz at […]


California Privacy Law

CIO Magazine has an article “Riding The California Privacy Wave,” reviewing California’s new and pending privacy laws. There’s bits I wasn’t aware of, such as SB 168, preventing “businesses from using California residents’ Social Security numbers as unique identifiers.” There’s a slew of new laws in California, a great many of which affect IT […]


Congrats to David Akin

I first met David Akin when he was covering Zero-Knowledge Systems, where I worked. David was always insightful, and even when he thought he saw us blowing smoke, he was pleasant about it. So I’m both disappointed and excited to see that he “will join CTV’s Ottawa bureau as a Parliamentary Reporter.” I sincerely hope […]


Small Bits of T-Mobile

A friend wrote to T-Mobile and asked if his data was compromised in the T-Mobile break-in. A service droid sent him a press release. My comments are pointed to by the brackets. Customer, Please see the press release below regarding the hacker investigation with T-Mobile’s customer information. If your information was compromised you would have […]


Trouble with Surveying Cybercrime

In a comment yesterday, Chris Walsh said: In any case, this should not be a difficult nut to crack, in principle. The US government conducts surveys of businesses all the time, and is capable of obtaining quality samples and high response rates in which academics justly have confidence. In theory, I agree with Chris. In […]


More on DNA Dragnet

Chapell nails the “why you might have nothing to hide, but hide anyway” angle: Even more troubling is the possibility that the person whose DNA was inside this woman may very well have had nothing to do with the crime. But rest assured, that won’t matter to the hundreds of police, FBI, press, and other […]


More on TMobile

The LA Times has a story on Jacobsen, the hacker, and the AP has a story with more technical details. The Infosec Potpourri blog has some analysis of the AP story.


Small Bits of Chaos

Scrivner points out a basic lack of agreement amongst the pundits: Damn that Bush, cleverly whipping up this fantasy of a threat to scare people into voting for him. … Damn that Bush, ineptly bungling America’s defense against the most dangerous threat Ian has a post about Ron Paul trying to ban the government issuance […]


DNA Dragnets and Criminal Signaling

In responding to my comments about Truro’s DNA dragnet, with a fascinating discussion of signaling, Eric Rescorla writes: Even if they’re not the perp, they may have other reasons not to have their DNA collected–for instance they’ve committed another crime that their DNA might match to. (The police say they’re only going to use the […]


Private Lives and Psychology

“In a very deep sense, you don’t have a self unless you have a secret, and we all have moments throughout our lives when we feel we’re losing ourselves in our social group, or work or marriage, and it feels good to grab for a secret, or some subterfuge, to reassert our identity as somebody […]


DNA Dragnet

The city of Truro, Massachusetts is trying to collect DNA from all 790 residents to solve a crime, reports the New York Times. It’s not clear why they believe that residents are more likely to be the criminal than non-residents, and it is clear that they don’t get the 4th amendment, against dragnet searches, or […]


Economics of Price Discrimination

Scrivner points out that the airlines, masters of price discrimination are giving up: In response they’ve become perhaps the world’s most expert practitioners* of price discrimination, mastering the art of charging the business traveler $1,000 more than the tourist in the next seat in exchange for a short-notice booking with few restrictions. But even that […]


Does Ryan Singel Need A Privacy Policy?

Yesterday, I commented that Ryan Singel, in his review of Robert O’Harrow’s* new book, had an Amazon tracking URL. I was mostly noting the irony of aiding tracking in a post titled “Pay Cash for This Book,” but Ryan comments: “it got me to thinking that this site has no privacy policy.” Not to pick […]


Small Bits of Chaos

Ryan Singel reviews Robert O’Harrow’s new book, No Place To Hide. O’Harrow covered the CAPPS-II and other privacy stories for the Washington Post. In the spirit of the story, I’ve left the little tracking bits from Ryan’s Amazon URL. If you’d like a less tracked version, click here, or type the title into Amazon. There’s […]


Educated Pat-Downs

Eric Rescorla has two good posts on screening at Educated Guesswork. I’d still like to expand the range of questions, and ask, is intense personal screening effective or needed? Can we use air marshals, different aircraft designs, and armed pilots so that we don’t need to compare rub-downs to millimeter-wave X-rays?


More on SSNs and Risk

In writing about Delta Blood Bank earlier today, one of the issues I was thinking about was the unnecessary use of social security numbers, and how it’s an industry standard. One area where this is particularly evident is in the bifurcated market for cell phones. At one end are providers like Virgin and MetroPCS, who […]


Delta Blood bank

Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud. … In addition to the letter…The blood bank will no longer require Social Security numbers from its donors… No longer require […]


The problem(s) with ID cards

Europhobia nails the link between privacy and economics in the UK imposes national ID cards stupidity: But usually what gets them is “what? I’ll have to pay eighty-five quid for this thing?” No, Europhobia, they’ll have to pay 85 quid for the card, and another 10 quid in taxes for the backend database. (Figuring 60% […]


Browser privacy from the server?

A friend writes and asks: I’m working in NYC now, as the Web Admin for Safe Horizon. We’re the largest service agency in the US for victims of violence, crime or abuse. We’re interested in putting in some features into our site, but we have to protect our visitors’ privacy, since they might be visiting […]


Strictly Off The Record…

Nikita Borisov and Ian Goldberg have released Off-the-Record Messaging, an IM plugin for private communication providing not only the usual encryption and authentication, but also deniability and perfect forward secrecy. Deniability avoids digital signatures on messages (while preserving authenticity and integrity), so there is no hard-to-deny proof you wrote anything in particular; in fact, there […]


CIBC & SB 1386

CIBC is a Canadian bank, which has recently been sued by a West Virginia scrapyard operator for faxing their customers’ private data to him. I’ve blogged about them here and here. (It turns out that other banks are doing the same thing, as David Akin blogs.) SB 1386 is a California law that requires companies […]


Google Groups, Privacy and Spam

Writing to Farber’s Interesting People list, Lauren Weinstein writes: Their new system is obscuring *all* e-mail addresses in *all* netnews messages in the archive (including the vast numbers of messages that do not originate within the Google environment and/or that predate the existence of Google Groups). This includes not only the addresses of individual netnews […]


Privacy lessons from CIBC

The disaster over at CIBC is telling, and bears a little exploration. The real victims, whose details were faxed to never saw the violation of their privacy. It was CIBC tossing data around incompetently, all the while publicly proclaiming their commitment to privacy. Wade Peer, a scrapyard operator in West Virginia brought the three years […]


Canadian privacy law & CIBC

Businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes and using cutting-edge technology. The Canadian Imperial Bank of Commerce learned this the hard way last week when U.S. scrapyard operator Wade Peer went public with his story about how one of Canada’s largest banks was flooding his fax machine […]



The CBC reports on documents that the US tried to bury by releasing the day after Thanksgiving, admitting that “…Canada, Germany, the Netherlands and Britain share the suspicion that the international standard set for the electronic passports inadequately protects privacy and security.” These chips can be read from 30 feet away, today. That’s the opinion […]



These women and a good many others, both frequent and occasional travelers, say they are furious about recent changes in airport security that have increased both the number and the intensity of pat-downs at the nation’s 450 commercial airports. And they are not keeping quiet. … Most of the women interviewed said they did not […]


So who likes them?

Ryan Singel catches an AP article on RFID passports: On the latest passports, the agency has “taken a ‘keep it simple’ approach, which, unfortunately, really disregards a basic privacy approach and leaves out the basic security methods we would have expected to have been incorporated for the security of the documents,” said Neville Pattinson, an […]


A downside to data warehousing

A long story in the New York Times ends: Still, as Wal-Mart recently discovered, there can be such a thing as too much information. Six women brought a sex-discrimination lawsuit against the company in 2001 that was broadened this year to a class of about 1.6 million current and former female employees. Lawyers for the […]


9th Circuit limits police privacy

The chief warned Anthony Johnson to point his video camera elsewhere, then wrestled the camera away and put Johnson in jail for recording communication without permission, court records say. … A 9th Circuit U.S. Court of Appeals panel last week reinstated Johnson’s suit, which had been thrown out by a federal magistrate in Tacoma, and […]


Al Qaeda's use of cryptography – scant evidence

Not too long ago, I gave a talk on privacy technology to the Atlanta chapter of the High Tech Crime Investigators Association. It was a talk that several of us at Zero-Knowledge had learned to give. The basic method for talking to police about privacy is to start from the need to reduce and prevent […]


Return Addresses

Canada Post has apparently told the world that they’ll only deliver mail with a return address. This is clearly silly; phone books are full of valid return addresses for your city. Over at StupidSecurity, nrh asks: Part of the reason I delayed was that I was trying to find out if this was even legal. […]


Symposium on Usable Privacy and Security (CFP)

The Symposium on Usable Privacy and Security (SOUPS) will be held July 6-8, 2004 at Carnegie Mellon University in Pittsburgh, PA. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature refereed papers, tutorials, a poster session, panels and invited talks, and […]


Canadian Privacy Law again

Last week, I commented on Michael Geist’s column. In part 2, he took an excellent direction. He suggests not only economics, but a legal structure that forbids Canadian companies’ compliance with US orders. Read it.


Privacy Protectionism

This month the B.C. government passed a law to prevent the U.S. from examining information on British Columbians that is in possession of private U.S. companies. The CBC reports on information about Canadians being sent to the US for processing, and the attendant legal risks. In Canada, they have strong-sounding data-protection laws that they don’t […]


1.4 Million Californians Exposed

A computer hacker accessed names and Social Security numbers of about 1.4 million Californians after breaking into a University of California, Berkeley, computer system in perhaps the worst attack of its kind ever suffered by the school, officials said Tuesday. (This is all over the web, I found a version at A few questions […]


Polite Technology

Michael Froomkin points to Wired’s article “Inventor Rejoices as TVs Go Dark,” which is enough to make me want a TV-B-Gone. It fits on your keychain, “looks like an automobile remote, has just one button. When activated, it spends over a minute flashing out 209 different codes to turn off televisions, the most popular brands first.” […]


Canadian Privacy Law

Michael Geist’s recent … Toronto Star Law Bytes column focuses on a recent Canadian privacy finding involving an inadvertent email disclosure. The column contrasts the finding with a similar incident in the United States and argues that for Canadian privacy law to garner the respect it needs to achieve widespread compliance, the Privacy Commissioner’s office […]


Google and "Privacy"

There’s a critique of Google’s new Desktop Search that it…wait for it…searches your computer! No, really, it does. And so it finds things that are … on your computer! Some of these things, like your email, your spouse’s email, and your IM logs, which Microsoft hides between users, are exposed. This is probably a bad […]


RFID passport data won’t be encrypted

Ed Hasbrouck, who in a more perfect world would be paid to be the TSA’s chief privacy officer, writes RFID passport data won’t be encrypted: So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able — without ever having actually seen you or your passport — to […]


Secondary Screening

Ryan Singel has a couple of good posts up: Why Privacy Laws and Advocates Matter and Trusty Logo Not Worth The Pixels It Is Printed On. The latter explains in detail what economics predicts: Trusty won’t shaft its paying customers to make them actually enforce privacy policies, when people who rely on the trusty seal […]


Economics of Information Security

Jean Camp and Stephen Lewis have done a great job of bringing together papers on Economics of Information Security in a new volume from Kluwer Academic press. (It’s even better because it has my first book chapter, which is What Price Privacy, joint work with Paul Syverson. We’ll put it online as soon as the […]


Verisign's Kid Credentials

So Verisign has teamed up with I-safe to issue “USB tokens” to children. The ZDnet story states that it “will allow children to encrypt e-mail, to access kid-safe sites and to purchase items that require a digital signature, said George Schu [A Verisign VP].” To me that sounds a lot like an X.509 certificate, which […]


Ian Grigg on Verisign

Ian Grigg has some very interesting comments on Verisign’s certificate business and what it means for privacy, over at Financial Cryptography.


Secret Laws Work So Well

So it seems that two members of Congress have now been added to “watch lists.” “[Representative John] Lewis contacted the Department of Transportation, the Department of Homeland Security and executives at various airlines in a so-far fruitless effort to get his name off the list, said spokeswoman Brenda Jones.” It seems that this sort of […]