Entries Tagged "privacy"

Page 133 of 145

U.S. Compromises Canadian Privacy

A Canadian reporter was able to get phone records for the personal and professional accounts held by Canadian Privacy Commissioner Jennifer Stoddart through an American data broker, locatecell.com. The security concerns are obvious.

Canada has an exception in the privacy laws that allows newspapers to do this type of investigative reporting. My guess is that’s the only reason we haven’t seen an American reporter pull phone records on one of our government officials.

Posted on November 17, 2005 at 2:32 PMView Comments

Metadata in MS Office

Hidden metadata is in the news again. The New York Times reported that an unsigned Microsoft Word document being circulated by the Democratic National Committee was actually written by, wait for it, the Democratic National Committee.

Okay, so that’s not much of a revelation, but it does serve to remind us that there can be all sorts of unintended information hidden in Microsoft Office documents. The particular bits of unintended information that precipitated this news story is the metadata.

Metadata is information on who created the file, what it was originally called, etc. To see your metadata, open a file, go to the “File” menu, and choose “Properties.”

I’ll bet at least some of you will be really surprised by what’s in there. Not because it’s secret, but because it has nothing to do with you or your document. That’s because metadata follows the file, and not its contents.

Here’s what I do when I want to create a MS Word document. Maybe it’s a file I’ve written, and maybe it’s a file I received from someone else. I find some other document that has basically the same style I want, open it up, delete all the contents, and save it under a new filename. MS Word doesn’t change the metadata, so whatever was in the “Title,” “Subject”, “Author,” “Company,” and other fields of the original document remains in my new document. This means that occasionally those metadata fields are filled with information I’ve never seen of before and from who knows where. I’m sure I’m not the only one who uses this trick to avoid dealing with MS Word stylesheets. So metadata is much less a smoking gun than many make it out to be.

I don’t mean this to minimize the problem of hidden data in Microsoft Office documents. It’s not just the metadata, but comments, deleted parts of the document, even parts of other documents (it’s happened).

I have two recommendations regarding Microsoft Office and hidden data. The first is to realize that programs like Word and Excel are designed for authoring documents, not for publishing them. Get into the habit of saving your documents into pdf before distributing them. (Although if you’re going to redact a pdf document, be smart about it or you’ll have similar problems.)

The second is to install Microsoft’s tool for deleting hidden data. (Works for Office 2003; there are third-party tools for older versions.) Or at least read the page about deleting private data in MS Office files. And to follow through on deleting data.

This probably won’t work for many of us, though. The last sentence of the article explains why:

“The real scandal here,” Mr. Max told The Los Angeles Times after Democrats expressed outrage over the White House’s fingerprints on the testimony, “is that after 15 years of using Microsoft Word, I don’t know how to turn off ‘track changes.'”

Posted on November 14, 2005 at 12:07 PMView Comments

The FBI is Spying on Us

From TalkLeft:

The Washington Post reports that the FBI has been obtaining and reviewing records of ordinary Americans in the name of the war on terror through the use of national security letters that gag the recipients.

Merritt’s entire post is worth reading.

The closing:

The ACLU has been actively litigating the legality of the National Security Letters. Their latest press release is here.

Also, the ACLU is less critical than I am of activity taking place in Congress now where conferees of the Senate and House are working out a compromise version of Patriot Act extension legislation that will resolve differences in versions passed by each in the last Congress. The ACLU reports that the Senate version contains some modest improvements respecting your privacy rights while the House version contains further intrusions. There is still time to contact the conferees. The ACLU provides more information and a sample letter here.

History shows that once new power is granted to the government, it rarely gives it back. Even if you wouldn’t recognize a terrorist if he were standing in front of you, let alone consort with one, now is the time to raise your voice.

EDITED TO ADD: Here’s a good personal story of someone’s FBI file.

EDITED TO ADD: Several people have written to tell me that the CapitolHillBlue website, above, is not reliable. I don’t know one way or the other, but consider yourself warned.

Posted on November 7, 2005 at 3:13 PMView Comments

Microsoft Calls for National Privacy Law

Here’s some good news from Microsoft:

In an eight-page document released on Capitol Hill today, Microsoft outlined a series of steps it would like to see Congress take to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information.

According to the press release:

[Microsoft’s senior vice president and general counsel Brad] Smith described four core principles that Microsoft believes should be the foundation of any federal legislation on data privacy:

  • Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should pre-empt state laws and, as much as possible, be consistent with privacy laws around the world.
  • Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.

    • Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals’ consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.

  • Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure modification and loss of personal information.

Here’s Microsoft’s document, with a bunch more details.

With this kind of thing, the devil is in the details. But it’s definitely a good start. Certainly Microsoft has become more pro-privacy in recent years.

Posted on November 7, 2005 at 12:06 PMView Comments

Instantaneous Data Grabbing

I think this is a harbinger of the future:

A high roller walks into the casino, ever so mindful of the constant surveillance cameras. Wanting to avoid sales pitches and other unwanted attention, he pays cash at each table and anonymously moves around frequently to discourage people who are trying to track his movements.

After a few hours of losses, he goes to the cashier and asks for a cash advance off of his credit card. The card tells the casino his name, but not much else. As is required by card issuers, the cashier asks for some other identification, such as a driver’s license. That license offers the casino a ton of CRM identification goodies, but the cashier is only supposed to glance at the picture and the name to verify identity and hand the license—and its info treasure trove—back to the gambler.

Not any more, at least if a Minneapolis company called Cash Systems Inc. has anything to say about it. The firm was recently awarded a U.S. patent for a device that can grab all of the data of almost any U.S. driver’s license in seconds and instantly dump it into a casino’s CRM system.

On the one hand, the technology isn’t very interesting; it’s probably just a camera and some OCR software optimized for driver’s licenses. But what is interesting is that the technology is available as a mass-market product.

Where else do you routinely show your ID? Who else might want all that information for marketing purposes?

Posted on November 7, 2005 at 7:45 AMView Comments

A 24/7 Wireless Tracking Network

It’s at MIT:

MIT’s newly upgraded wireless network—extended this month to cover the entire school—doesn’t merely get you online in study halls, stairwells or any other spot on the 9.4 million square foot campus. It also provides information on exactly how many people are logged on at any given location at any given time.

It even reveals a user’s identity if the individual has opted to make that data public.

MIT researchers did this by developing electronic maps that track across campus, day and night, the devices people use to connect to the network, whether they’re laptops, wireless PDAs or even Wi-Fi equipped cell phones.

WiFi is certainly a good technology for this sort of massive surveillance. It’s an open and well-standardized technology that allows anyone to go into the surveillance business. Bluetooth is a similar technology: open and easy to use. Cell phone technologies, on the other hand, are closed and proprietary. RFID might be the preferred surveillance technology of the future, depending on how open and standardized it becomes.

Whatever the technology, privacy is a serious concern:

While every device connected to the campus network via Wi-Fi is visible on the constantly refreshed electronic maps, the identity of the users is confidential unless they volunteer to make it public.

Those students, faculty and staff who opt in are essentially agreeing to let others track them.

“This raises some serious privacy issues,” Ratti said. “But where better than to work these concerns out but on a research campus?”

Rich Pell, a 21-year-old electrical engineering senior from Spartanburg, S.C., was less than enthusiastic about the new system’s potential for people monitoring. He predicted not many fellow students would opt into that.

“I wouldn’t want all my friends and professors tracking me all the time. I like my privacy,” he said. “I can’t think of anyone who would think that’s a good idea. Everyone wants to be out of contact now and then.”

Posted on November 4, 2005 at 12:44 PMView Comments

The Security of RFID Passports

My fifth column for Wired:

The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn’t have enough of the expertise it needed to do this right.

Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don’t know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.

The State Department’s plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it’s already committed to a scheme before knowing if it even works or if it protects privacy.

My previous entries on RFID passports are here, here, and here.

Posted on November 3, 2005 at 8:30 AMView Comments

Eavesdropping Through a Wall

From The New Scientist:

With half a century’s experience of listening to feeble radio signals from space, NASA is helping US security services squeeze super-weak bugging data from Earth-bound buildings.

It is easy to defeat ordinary audio eavesdropping, just by sound-proofing a room. And simply drawing the curtains can defeat newer systems, which shine a laser beam onto a glass window and decode any modulation of the reflected beam caused by sound vibrations in the room.

So the new “through-the-wall audio surveillance system” uses a powerful beam of very high frequency radio waves instead of light. Radio can penetrate walls – if they didn’t, portable radios wouldn’t work inside a house.

The system uses a horn antenna to radiate a beam of microwave energy –between 30 and 100 gigahertz – through a building wall. If people are speaking inside the room, any flimsy surface, such as clothing, will be vibrating. This modulates the radio beam reflected from the surface.

Although the radio reflection that passes back through the wall is extremely faint, the kind of electronic extraction and signal cleaning tricks used by NASA to decode signals in space can be used to extract speech.

Here’s the patent, and here’s a Slashdot thread on the topic.

Wow. (If it works, that is.)

Posted on October 26, 2005 at 3:12 PMView Comments

1 131 132 133 134 135 145

Sidebar photo of Bruce Schneier by Joe MacInnis.