#voltagelive Voltage Customer Summit Video

New innovation and emerging technology brings with it opportunities for streamlining costs, eliminating hurdles for end users and reducing risks to the business. However, implementing game changing solutions can be unique to your environment, policies and processes.
That's why I invite you to join Voltage Security at its first customer summit in New York City on November 9, 2011. The summit will focus on data-centric security and will feature top Voltage customers such as Amex, Wells Fargo, State Street and others, who will discuss how they implemented encryption projects for mail, data and payments. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently developing new analyses of how companies use encryption. The summit features customers talking to customers—at last count this includes American Express, BJ's Wholesale Club, Citigroup, Deutsche Bank, Fidelity Investments, JPMorgan Chase, UBS, State Street Bank and Wells Fargo. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices. If you're interested in attending, please visit www.voltage.com/live.
The theme is 'Data-centric Security for a Data-centric World,' an area of huge attention. Data is the lifeblood of industry, commerce and leisure, of every business and every transaction. That's why protecting it is such a serious and difficult responsibility.
Here's a quick scan of the Hot Topics we have on tap at Voltage Security Live 2011:
There's no question that every company continues to face a long series of challenges related to these topics. The conference is designed to tackle specific issues and help formulate achievable solutions. The areas to be covered include:
Voltage Security Live 2011 will bring together the brightest minds in our field, all with considerable experience. There will be representatives from teams responsible for implementation, as well as enterprise and security architects looking for, and developing, best practices for data-centric encryption.
The sessions will cover customer project case studies addressing issues such as how to maximize end-user adoption for your B2C implementations and implementing data-centric encryption projects, while the Customer Track focuses on panel discussions and presentations on topics such as protecting outsourced data, eDiscovery and Archiving and securing application emails. There's also an Architecture Track, featuring panel discussions and presentations on topics such as key management architecture, security policy, enterprise applications and the web services API and scalable design considerations. And there's the Security Panel, with a discussion and general Q&A featuring leaders from the security community—Gartner Security Analyst, Encryption Architects, QSAs.
There's going to be a broad cross-section of security specialists attending, but some executives will find it particularly enlightening: CXOs and security leaders responsible for security strategy and programs; VPs/Directors responsible for security implementation; and architects responsible for security and application and enterprise architecture. If you have one of these roles, we think this conference is exactly right for you.
We know there are constant demands on your time - we hope to see you there.
Register at www.voltage.com/live
*** Only 23 spaces left ***
Voltage Security invites you to "Voltage Security Live 2011" at Bridgewaters in New York City on November 9, 2011. This customer summit will focus on data-centric security and will feature several leading Voltage customers, such as American Express, Wells Fargo, State Street and others, who will discuss how they have implemented encryption projects for email encryption, data-centric encryption and end-to-end payment encryption. Also presenting will be Eric Ouellet, research vice president with Gartner Group, who is currently working on a new analysis of how companies use encryption. The goal of the summit is to enable Voltage customers to network with each other and pick up valuable best practices.
Stop Press: Thanks to our sponsors - Coalfire, OpenPath, Teradata and Thales, we are able to offer registration for eligible participants at no cost. Register now at www.voltage.com/live
Join Voltage customers including: ADP, American Express, Bank of America, AT&T, Citigroup, Deloitte, Deutsche Bank, Elavon, Fidelity Investments, Heartland, JPMorgan Chase, McGraw-Hill, UBS and Wells Fargo.
Highlights of the agenda include:
I just came across an interesting application that's available for Android devices. This particular app lets you create and read encrypted QR (quick response) codes.
QR codes are those images that you see that look something like this:
These were created by Toyota back in 1994 to help track vehicles while they were being manufactured, but now they're widely used in cell phones and other portable devices. Just take a picture of the QR code and many portable devices can easily translate that picture into a URL, phone number, or whatever was encoded in it. If you're really interested in how these work, you can find out in ISO/IEC 18004:2006 ("Information technology -- Automatic identification and data capture techniques -- QR Code 2005 bar code symbology specification").
The good thing about QR codes is that they're a standard, so anyone with a standards-compliant device can read one. But that also means that there's no privacy for information in QR codes because anyone with a standard-compliant device can read one. One workaround for this is to encrypt the data in a QR code, and that's just what QR Droid lets you do. It uses password-based encryption, so a typical use might be to encrypt those potentially-compromising pictures that you post on Facebook and to only share the password with your friends, thereby keeping any nosy HR people from blackballing you from future jobs because of what you did on your vacation to Cozumel.
Password-based encryption isn't very secure, of course, but it might be secure enough to protect the privacy of what you post on Facebook. If that's what you need, then QR Droid might be just what you're looking for.
At the J.P. Morgan Technology Innovation Symposium, yesterday afternoon, JPMorgan Chase inducted Voltage Security into its Innovation Hall of Fame in front of hundreds of Silicon Valley executives.
Only two vendors were selected in this year's awards which recognize top emerging technology vendors for business impact, measured in terms of driving value for the firm, disruptiveness of technology and the overall quality of the partnership. Voltage was selected by top IT executives at JPMorgan Chase for its innovative data-centric encryption approach for protecting structured and unstructured data across datacenters, the cloud and mobile devices.
Over the past 10 years, IBE has become one of the fastest deployed encryption technologies as measured by the commercial adoption of Voltage SecureMail™ and the use of IBE as a general purpose key management solution used across the Voltage Security product line. Since its commercial launch 8 years ago, Voltage SecureMail has become one of the most widely adopted secure email products in the world with over one billion secure business emails sent annually and over 50 million worldwide users; those numbers are expected to double by 2014.
IBE was first introduced on Tuesday August 21 at the 2001 Crypto conference in a seminal paper by Dan Boneh, Stanford University, and Matt Franklin, University of California Davis. The paper, entitled “Identity-Based Encryption from the Weil Pairing,” set forth a simple but powerful approach for encrypting information with identity-based keys. This cryptography breakthrough became the founding technology for Voltage Security that was incorporated in 2002 by three Stanford students working with Professor Boneh: Matt Pauker, Rishi Kacker and Guido Appenzeller. In July 2003, the new company launched Voltage SecureMail, an email encryption product using IBE to secure messages without the difficulties and expenses of traditional certificates.
Key metrics in the 10 year history of IBE:
World’s Biggest Companies Standardize on Voltage SecureMail
Nearly 30% of the world’s 20 biggest public companies (as listed by Forbes Global 2000) have standardized on Voltage SecureMail powered by IBE including four of the world’s largest global financial institutions; one of the world’s largest retailers, one of the largest U.S. managed healthcare providers and several large regional healthcare providers.
Notable Voltage SecureMail customers from the last year include:
In addition, over 1000 enterprise companies have standardized on Voltage SecureMail, and thousands of mid-size to smaller business use the cloud-based Voltage SecureMail Cloud™ solution to protect private and confidential information.
More information at www.voltage.com
A group of Canadian researchers have shown another example of how hard it can be to anonymize sensitive data. In this case, the researchers found that it was relatively easy to uniquely identify a person based on information that isn't usually considered to be the sort of PII that needs to be protected. Here's how they summarized what they found:
The public is less willing to allow their personal health information to be disclosed for research purposes if they do not trust researchers and how researchers manage their data. However, the public is more comfortable with their data being used for research if the risk of re-identification is low. There are few studies on the risk of re-identification of Canadians from their basic demographics, and no studies on their risk from their longitudinal data. Our objective was to estimate the risk of re-identification from the basic cross-sectional and longitudinal demographics of Canadians.
Uniqueness is a common measure of re-identification risk. Demographic data on a 25% random sample of the population of Montreal were analyzed to estimate population uniqueness on postal code, date of birth, and gender as well as their generalizations, for periods ranging from 1 year to 11 years.
Almost 98% of the population was unique on full postal code, date of birth and gender: these three variables are effectively a unique identifier for Montrealers. Uniqueness increased for longitudinal data. Considerable generalization was required to reach acceptably low uniqueness levels, especially for longitudinal data. Detailed guidelines and disclosure policies on how to ensure that the re-identification risk is low are provided.
A large percentage of Montreal residents are unique on basic demographics. For non-longitudinal data sets, the three character postal code, gender, and month/year of birth represent sufficiently low re-identification risk. Data custodians need to generalize their demographic information further for longitudinal data sets.
So the bottom line is that we need to protect all data, not just some of the data. Any other approach probably doesn't provide as much protection as you might think that it does.
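The uniqueness measure the study describes, as an added example that is not the researchers' code: it computes the fraction of records that are unique on a quasi-identifier, compares the full identifiers (postal code, date of birth, gender) with the generalized ones the study mentions (three-character postal prefix, month/year of birth), and shows that including several years of postal history per person pushes uniqueness back up. The population is a constructed sample of eight people, and the generalization ladder is my own assumption.

```python
"""Estimating re-identification risk as population uniqueness.

Added example (not code from the study quoted above). The records are
constructed sample data, not real residents.
"""
from collections import Counter

# Constructed sample population: date of birth, sex and one postal code per
# year for three years (so the data can be read cross-sectionally or
# longitudinally).
PEOPLE = [
    {"dob": "1980-03-12", "sex": "F", "postal": ["H2X1A1", "H2X1A1", "H3A2B2"]},
    {"dob": "1980-03-20", "sex": "F", "postal": ["H2X1A2", "H2X1A2", "H2X1A2"]},
    {"dob": "1980-03-05", "sex": "F", "postal": ["H2X1A3", "H3A2B2", "H3A2B2"]},
    {"dob": "1975-11-30", "sex": "M", "postal": ["H3A2B2", "H3A2B2", "H3A2B2"]},
    {"dob": "1975-11-02", "sex": "M", "postal": ["H3A2B3", "H3A2B3", "H4C0A0"]},
    {"dob": "1975-11-15", "sex": "M", "postal": ["H3A2B4", "H3A2B4", "H3A2B4"]},
    {"dob": "1990-07-07", "sex": "F", "postal": ["H4C0A0", "H4C0A0", "H4C0A0"]},
    {"dob": "1990-07-09", "sex": "M", "postal": ["H4C0A1", "H4C0A1", "H4C0A1"]},
]


def quasi_identifier(person, postal_chars=6, dob_chars=10, years=1):
    """Build the quasi-identifier tuple at a chosen generalization level.

    postal_chars: characters of the postal code kept (6 = full code,
                  3 = forward sortation area, the "three character postal
                  code" of the study).
    dob_chars:    characters of the ISO date kept (10 = full date,
                  7 = month/year, 4 = year only).
    years:        years of postal history included; 1 is a cross-sectional
                  record, more than 1 is longitudinal data.
    """
    postals = tuple(p[:postal_chars] for p in person["postal"][:years])
    return postals + (person["dob"][:dob_chars], person["sex"])


def uniqueness(people, **level):
    """Fraction of people whose quasi-identifier occurs exactly once."""
    keys = [quasi_identifier(p, **level) for p in people]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


# Assumed ladder of increasingly coarse generalizations, from the full
# identifiers down to forward sortation area plus year of birth.
LADDER = [
    {"postal_chars": 6, "dob_chars": 10},
    {"postal_chars": 3, "dob_chars": 10},
    {"postal_chars": 3, "dob_chars": 7},
    {"postal_chars": 3, "dob_chars": 4},
]


def minimal_generalization(people, max_uniqueness, years=1):
    """Return the first rung of LADDER whose uniqueness is at or below the
    threshold, or None if even the coarsest rung is still too identifying
    (what the study found for longitudinal data)."""
    for level in LADDER:
        if uniqueness(people, years=years, **level) <= max_uniqueness:
            return level
    return None


if __name__ == "__main__":
    for years in (1, 2, 3):
        for level in LADDER:
            u = uniqueness(PEOPLE, years=years, **level)
            print(f"years={years} postal={level['postal_chars']} "
                  f"dob={level['dob_chars']} uniqueness={u:.3f}")
    print("cross-sectional rung for <=30% unique:",
          minimal_generalization(PEOPLE, 0.3))
    print("longitudinal rung for <=30% unique:",
          minimal_generalization(PEOPLE, 0.3, years=3))
```

On this sample the full identifiers make everyone unique, month/year plus postal prefix brings uniqueness down to a quarter, and adding two more years of postal history raises it again to three quarters, so no rung of the ladder satisfies the threshold for the longitudinal view.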
I just learned that I somehow missed Data Privacy Day 2011. It was actually January 28. But I don't feel too bad about missing it - the US Senate's resolution supporting it wasn't actually introduced until January 31. (It passed the same day by Unanimous Consent.)
Even worse, it turns out that this is the third annual Data Privacy Day, so I also managed to miss the events in 2010 and 2009.
I'm guessing that this event wasn't actually very helpful. It's probably important to increase people's awareness of the data privacy risks that they face, but I'm not sure that Data Privacy Day is a very effective way to do this.
Verizon's recent 2011 Data Breach Investigations Report (PDF) seems to show that very few records were exposed by data breaches in 2010. The report says that all of the breaches that Verizon investigated in 2010 only added up to about 3.9 million records that were exposed.
That doesn't mean that only 3.9 million records were exposed in 2010.
The Open Security Foundation's data breach database lists breaches in that year that exposed over 28 million records. So although the amount of data that was exposed through data breaches was lower in 2010 than it was in the previous few years, there was still a significant amount of data exposed. Much more than the 3.9 million that Verizon's investigators looked at.
A breach that exposes 5 million records doesn't really look that big when it's compared to other recent breaches. Here's a graph that I created with IBM's Many Eyes data visualization tool. It shows the relative size of recent data breaches (from the Open Security Foundation's data breach database), with a single breach of 5 million records highlighted.
This seems to tell us that a breach that exposes 5 million records really isn't very notable.
If a breach that exposes 5 million records really isn't that notable, that's a sure sign that we're losing way too much data.
Data breaches that expose 1 million or more records aren't really that rare. There have been over 50 of these since 2006, or almost one per month. And if you look at how much data has been exposed by data breaches, 1 million records doesn't really look like that many. Here's a graph that shows this. The single highlighted breach exposed 1 million records.
Excerpted from recent posts about data breaches by Luther Martin
Anonymizing data doesn't really work very well. In many cases, it's actually fairly easy to recover a full data set from anonymized data. Despite this, lots of privacy laws treat anonymized data differently than the full data set. Here's how Paul Ohm summarized this in his paper "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization," in the UCLA Law Review.
Modern privacy laws tend to act preventatively, squeezing down the flow of particular kinds of information in order to reduce predictable risks of harm. In order to squeeze but not cut off valuable transfers of information, legislators have long relied on robust anonymization to deliver the best-of-both-worlds: the benefits of information flow and strong assurances of privacy. The failure of anonymization has exposed this reliance as misguided, and has thrown carefully balanced statutes out of equilibrium.
At the very least, legislators must abandon the idea that we protect privacy when we identify and remove PII. The idea that we can single out fields of information that are more linkable to identity than others has lost its scientific basis and must be abandoned.
So it certainly looks like some lawyers understand how technology has the possibility to dramatically reduce our privacy, but it also looks like the politicians who create privacy laws don't understand this as well. If you're interested in this, Ohm's paper seems to be a good overview of the issues and how they're being handled today.
Not too long ago, start-up Dropbox had a security bug that let people access the data of other users. The bug went unpatched for about four hours. According to Dropbox, during that time the data of fewer than 100 users was accessed and only a single person exploited the bug. But that didn't stop Cristine Wong from filing a class-action suit (PDF) against Dropbox. In this suit Wong claims that
As a result of the Defendant's breach of its warranties, Plaintiff and the Class have been damaged in the amount of the purchase price of Defendant's services they purchased.
That seems like an overly-broad definition of damages to me, and one that might not stand up to much scrutiny. If this suit makes it to trial, I wouldn't be surprised if any damages are limited to the 100 or fewer people whose data was actually accessed before Dropbox's bug was patched. And that might actually disqualify this from being a class-action suit.
I've been asked lots of questions in the past day or two about Ostergren v. Cuccinelli (PDF), a case in Virginia where a judge ruled that it was OK for a woman to post official documents on her web site that contained Social Security numbers of Virginia residents. The ruling in this particular case is an interesting balancing act between privacy and freedom of speech. I'm not sure that I agree with the judge's conclusion in this particular case, but here's my understanding of what happened and why.
Betty Ostergren, a privacy activist, noticed that some of the official documents for the state of Virginia that were publicly available contained SSNs. The state government then tried to clean up the documents, but there were still some SSNs that weren't cleaned up.
To get the state to do a better job of this, Ostergren decided to post examples of the still-unsanitized documents on the Internet. The state objected, claiming that this violated the existing privacy laws that protect SSNs. A judge finally ruled that Ostergren had the right to post the documents, even though they clearly contained SSNs that would otherwise be illegal to expose.
The judge's reason for doing this seems to be based on the idea that the right of freedom of speech was "designed to allow individuals to criticize their government without fear." And because Ostergren's motivation for exposing SSNs was to criticize the government's inaction on protecting sensitive information, it's protected by the First Amendment.
I don't like the way that this particular case turned out. It seems to set the precedent that it's OK to expose my SSN as long as you're doing it in a way that's protesting the government's actions. And it seems to me that there are just too many ways in which that could be abused.
The Information and Privacy Commissioner of Ontario just released an interesting paper about de-identification of sensitive data. This is "Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy," (PDF) by Ann Cavoukian and Khaled El Emam.
Here's the conclusion that this paper reaches:
The claim that the de-identification of personal data has no value and does not protect privacy due to the ease of re-identification is a myth. If proper de-identification techniques and re-identification risk measurement procedures are used, re-identification remains a relatively difficult task. However, we recognize that this is not a static exercise – it is everchanging. As re-identification techniques become more sophisticated and more personal information becomes available to facilitate re-identification, it is important to reassess and strengthen de-identification and re-identification risk management techniques.
While there may always be a residual risk of re-identification, in the vast majority of cases, de-identification will protect the privacy of individuals, as long as additional safeguards are in place. While de-identification may not be a perfect solution to reduce all privacy risks when personal information is being considered for secondary purposes, it is an important first step that should be used as part of an overall risk assessment framework. We urge you not to abandon your efforts to de-identify personal data in a comprehensive and responsible manner.
It looks to me like this is partially right and partially wrong.
The claim that de-identification of sensitive data has absolutely no value is probably false. But then that's not really what people are claiming about it. What they're claiming, and what's probably true, is that anonymizing sensitive data in a way that makes it hard to re-identify is almost always harder than you might first think. It's easy to do but hard to do right. So in one way it's much like encryption – if you try to do it yourself without expert advice, you'll probably do it in a bad way.
On the other hand, this paper's claim that re-identification is a relatively difficult task is probably not true. There's more than one commercial product that makes it very easy to re-identify data that has been anonymized. I've talked to people who work on these products from time to time, and some of the stories that they've told me about how their customers have used their products to find patterns in anonymized data are quite amazing. I've also talked to people who have written their own de-anonymizer applications who have told me similar stories. From their discussion of this topic, I'd guess that neither of the authors of this paper has tried to re-identify data or used one of the available products that can help you do this.
It sounds like the goal of this paper may be to justify a future government policy that will say that anonymized data doesn't need to be handled with the same care as data that hasn't been anonymized. As a policy goal, that's probably fairly reasonable. But it's going to be very hard to clearly and carefully define what types of anonymization can be used to qualify for a lower level of care.
Earlier today, one of the Senate Subcommittees of the Commerce Committee heard testimony about Consumer Privacy and Protection in the Mobile Marketplace. If you're interested in this, you can find a webcast of the testimony archived here. It certainly looks like they want to pass laws regulating what mobile devices can and can't do with things like location information.
There's certainly lots of innovation happening in the mobile market right now, and I hope that the government doesn't stop this by regulating things too much. I still have almost two more years on my current phone contract and I want things to be much more advanced in two years than they are now when I go shopping for a newer phone.
I once had a custom URL made at tinyurl.com that showed the route that Jorkens and Terbut followed in Lord Dunsany's story "Jorkens' Revenge." In this story, the Munchausen-like Jorkens manages to win an unusual wager with his nemesis, Terbut. Jorkens bets him £5 that it is further from Westminster Bridge to Blackfriars Bridge than it is from Blackfriars Bridge to Westminster Bridge. The perplexed Terbut then finds that the taxi ride one way is indeed longer than the ride the other way and grudgingly pays Jorkens £5 without fully understanding why he lost.
Jorkens won this particular bet because the road between the two bridges is shaped like an arc of a circle, and driving an arc of a smaller radius gives you a shorter distance than driving an arc with a larger radius. That's fairly easy to see in the above map.
This is the standard example that I give that shows that exactly how you measure something can be important.
The TinyURL for this map is easy to remember: http://www.tinyurl.com/JorkensRevenge. I can't find any handy examples of this, but I've also created other TinyURLs to use in footnotes in various articles that I've written. Something like http://www.tinyurl.com/ArticleTitle instead of a long, cumbersome URL for some reference that I wanted to cite. I've always assumed that for things that nobody will care about in a year or two, a TinyURL is probably good enough, and that they're probably no less ephemeral than any other URL.
When I was thinking about this earlier this morning, I wondered what other custom TinyURLs people might have created. I then tried several custom TinyURLs made from combinations of days of the week, meals, common first and last names, etc.
When I did this, I found a surprising number of custom TinyURLs that had been created by other people. Lots of them even had detailed directions either to or from someone's house on Google maps, much like I did with "Jorkens' Revenge."
So those custom TinyURLs seem to leak information that you might not want people to easily find, particularly when the URL might contain information about what you were doing at one of the endpoints of the trip.
The bottom line seems to be that if something is convenient for you it's also convenient for someone else, so don't make it too easy for people to learn things that you might not want them to learn.
As you will have read or watched in every media outlet today, Epsilon, a company that provides some of the top brand name companies with email marketing services, had a data breach that uncovered the names and email addresses of millions of customers. These customers, as reported in the New York Times and other blogs such as Byron Acohido's "The Last Watchdog", will now probably suffer from further attempts on their private information. Here are some resources that will help you make sense of the data breach and ensure that your company is not the next Epsilon:
What do you need to know about the Epsilon Data Breach?
By now, everyone has read about a company named Epsilon. In fact, many people most likely have direct involvement, having received one or more emails from companies they do business with warning them to be very careful after a recent incident. These notifications stem from Epsilon Interactive, a third-party service provider of managed email, getting compromised and having the customer email addresses of some of its 2,500 clients stolen. Epsilon provides email and customer loyalty services to more than 2,500 corporations, including seven of the top 10 Fortune 100 companies. The company sends more than 40 billion emails annually on behalf of these clients. So even if you haven't heard of it before, chances are high that your bank or your favorite retailer or hotel chain is using Epsilon for email and other services. The company touts itself as the world's largest permission-based email marketing provider and is believed to store more than 250 million email addresses. A list of companies whose customer data has been breached can be found at http://datalossdb.org/incidents/3540 and http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/ – these lists are being updated as companies send out their data breach notifications.
What to tell your customers and employees to do now?
If you yourself have received data breach notifications from companies that you do business with, then chances are your own email was amongst those breached – here are some basic guidelines on how to avoid follow-up fraud from the perpetrators of this data breach:
How to protect your data?
Like most companies, Epsilon had extensive security measures in place – however, sophisticated criminals found a way to breach those defenses. Once inside they were able to make off with millions of emails, because this type of data was lying around in the clear – no one thought the data was at risk. The best defense is to protect the data itself. That way, even if hackers force their way into your systems, the data itself is useless. The solutions to accomplish this, typically encryption or tokenization, are widely available and are used extensively by payment processors, retailers, financial institutions and healthcare organizations to protect sensitive data – wherever it goes. In fact, the best approach is to encrypt information as quickly as possible and keep it encrypted for as long as possible until it is actually needed – this is often referred to as End-to-End Encryption. Voltage has provided some of the largest brand name companies in the world with solutions to protect emails, information stored in databases and used by applications – inside and outside the cloud. To learn more click on one of the following links:
In addition:
Learn how a top financial services firm protects sensitive data
Making sure your 3rd party service providers protect your data
The other big lesson to learn from the Epsilon data breach is that while you may implement safeguards to protect sensitive data within your datacenters, your third-party service providers must also do the same – it is critical that your sensitive information is protected via encryption or tokenization by the third party. In fact, many in the industry are calling for contractual clauses that insist on data encryption by 3rd parties. Learn how a top insurance company made sure its service providers protected its data
Consumer Data Protection Manifesto
In order to safeguard sensitive customer information, many customer advocates are calling for new rules that force companies to certify that they have adequate data protection in place to protect data even in the event of a breach – similar to Sarbanes-Oxley, this would bring board level visibility to a critical issue in the minds of consumers. Secondly, to protect data that is being used by 3rd party service providers, companies should insist on a data protection clause in their contract that mandates the use of encryption of all consumer data. Data transferred to a service provider should be encrypted, in line with making sure that consumer information is encrypted at the earliest opportunity and remains encrypted until needed. See Voltage co-founder Matt Pauker's op-ed in Forbes on the subject.
I just read CDW's "Elevated Heart Rates: EHR and IT Security Report" (PDF - giving personal information may be required). It looks like lots of people are concerned about the privacy implications of electronic health records. Here's how CDW's survey found that people thought that EHRs would affect the privacy of personal information and health data:
Significantly negative: 9 percent
Somewhat negative: 40 percent
No effect: 24 percent
Somewhat positive: 20 percent
Significantly positive: 7 percent
So 49 percent, or almost half, think that the use of EHRs will have a negative effect on their privacy.
The other 51 percent are wrong.
We really don't quite know how to protect sensitive information in a cost-effective way yet, and this applies to EHRs as well as it does to other types of sensitive information.
National governments do a reasonable (but not perfect) job of protecting classified information, but the way that they do it is very expensive and doesn't work well when you're actually worried about things like costs and people being able to do their jobs efficiently.
Or you could just encrypt your sensitive information, but using that approach relies on having strong key management to support the use of encryption, and how to do interoperable key management securely and in a cost-effective way is still an unsolved problem. (This is why a big fraction of Voltage's R&D focuses on key management and lots of our products are really designed to make key management easier - we want to be the first to solve this problem.)
But in the absence of a good way to protect EHRs, we're definitely going to see them compromised. That's why I get worried every time I hear people in Congress talking about EHRs as a good way to reduce the cost of health care in the US. They might actually allow some cost savings, but it would almost certainly also allow the disclosure of sensitive information on an enormous scale. So because the technology to adequately protect EHRs really isn't there yet, it probably isn't time to move to them yet. Let's work out how to address the privacy concerns first.
They started using the number. They thought it was their own. I can't understand how people can be so stupid.
Hilda Whitcher, early victim of identity theft
Before we had hackers stealing identities, there was the E. H. Ferree company (now part of Tilley of Canada, a big manufacturer of souvenirs and other gifts). Ferree made wallets, and it seems that back in 1938 they included a fake Social Security card in their wallets, maybe to show people the sort of stuff that their wallets were capable of holding. In any event, it seems that Douglas Patterson, the Treasurer of the Ferree company, apparently thought that it would be clever to use the Social Security number of his secretary (Mrs. Hilda Whitcher) on these fake cards.
The result was probably the most misused Social Security number of all time. According to the Social Security Administration's web site, in 1945 there were actually 5,755 people using Mrs. Whitcher's Social Security number and a total of over 40,000 people actually used that number as their own. Fortunately, the Social Security Administration issued Mrs. Whitcher a new Social Security number. Which certainly makes it look like it is possible for the government to revoke a Social Security number and issue a new one. They've done it before, haven't they?
As someone who works in the information security industry, I sometimes wonder if we really need all of the data security and privacy laws that we have these days. After all, don't we all do our best to protect sensitive information? Do we really need laws to require that?
A recent incident that I heard about provided yet another clear example of why we need laws that require personal information to be protected.
It seems that my wife is (actually was, but that's because of this particular incident) a member of a support and social organization for stay-at-home moms. The president of her local chapter recently decided to post a list of all members of the chapter, along with their home addresses, phone number, names and birthdays of their kids, etc., on the chapter's web site.
My wife, along with a few others, was shocked at how someone would even consider doing this. The concerned individuals complained to the president of the chapter, and then to the state and national leadership of this particular organization. And they never found anyone who was taking this incident seriously or who was overly concerned about it. The president of the local chapter eventually removed the personal information from their web site, but she still doesn't understand why people got upset over the information being posted in the first place.
So if stay-at-home moms don't think that protecting the personal information of other stay-at-home moms is really worth worrying about, how much effort will businesses put into protecting the sensitive information that they handle?
The Federal Trade Commission just released its report "Protecting Consumer Privacy in an Age of Rapid Change." This report describes the privacy challenges faced by consumers today. Here's some of what it says:
Consumers live in a world where information about their purchasing behavior, online browsing habits, and other online and offline activity is collected, analyzed, combined, used, and shared, often instantaneously and invisibly. For example:
- if you browse for products and services online, advertisers might collect and share information about your activities, including your searches, the websites you visit, and the content you view;
- if you participate in a social networking site, third-party applications are likely to have access to the information you or your friends post on the site;
- if you use location-enabled smartphone applications, multiple entities might have access to your precise whereabouts;
- if you use loyalty cards at a grocery store or send in a product warranty card, your name, address, and information about your purchase may be shared with data brokers and combined with other data.
The FTC also admits that their current approach isn't working:
In recent years, the limitations of the notice-and-choice model have become increasingly apparent. Privacy policies have become longer, more complex, and, in too many instances, incomprehensible to consumers. Too often, privacy policies appear designed more to limit companies’ liability than to inform consumers about how their information will be used. Moreover, while many companies disclose their practices, a smaller number actually offer consumers the ability to control these practices. Consequently, consumers face a substantial burden in reading and understanding privacy policies and exercising the limited choices offered to them.
So it seems that the FTC realizes that there's a problem. They even have a proposed framework for addressing the problem. But when I read this report it wasn't clear to me that anything that the FTC might do any time soon would actually address the problem that we now have.
According to MSNBC, a study by San Diego start-up ID Analytics indicates that there's a significant chance that your Social Security number is being used by someone else. This report apparently claims that this happens to about one in seven people.
I couldn't find a copy of the report that MSNBC referred to, so I couldn't see exactly what ID Analytics was measuring to get this estimate. It's certainly not easy to find on their web site. So at this point I'm inclined to interpret this report as an attempt by a company that sells an ID-monitoring service to make fraudulent use of identities sound more common than it really is, to get media attention and to encourage sales of their services.
The same MSNBC article quotes someone from credit reporting firm Experian who says that most of these cases are caused by an honest mistake - someone mistyping their SSN, for example, instead of intentionally using the wrong SSN, and that Experian's systems catch most of these errors. So your SSN may indeed be used by someone else right now, but it's probably just because of an unintentional error instead of something that should be called "identity theft."
There was an interesting article in The Wall Street Journal this Wednesday about "fingerprinting" computers. It was part of the WSJ's "What They Know" series. This particular article talked about how it's possible to get a good idea of who you are from information that your web browser freely gives out. Things like the fonts installed on it, the order in which the fonts were installed, the screen size, the number and type of plug-ins that you have installed, etc. Apparently it's possible to tell who you are from this information almost 90 percent of the time.
Advertisers think that this technology is great, of course, because it can let them target you with ads that are aimed at you instead of a random person. But if you're not one of the few people who make their living off of advertising, this looks like yet another example that shows that Scott McNealy was right when he said, "You have zero privacy, anyway. Get over it."
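To make the fingerprinting idea above concrete, here is an added example (not code from the original post or from the WSJ article) that measures how identifying a set of freely reported browser attributes is. The browser records are constructed sample data, and the attribute names are just the ones chosen for the illustration; the point it shows is that no single attribute singles anyone out, while the combination singles out most browsers.

```python
# Added example (not from the original post or the WSJ article): measuring how
# identifying a set of freely reported browser attributes is, which is the
# mechanism behind the "fingerprinting" the article describes. The records
# below are constructed sample data, not real browser measurements.
from collections import Counter
from itertools import combinations
import math

ATTRS = ("screen", "plugins", "fonts", "tz")  # attribute names chosen for this example

def rec(screen, plugins, fonts, tz):
    return {"screen": screen, "plugins": plugins, "fonts": fonts, "tz": tz}

# Constructed sample: ten browsers. Each single attribute is shared by several
# browsers, but the combination singles most of them out.
BROWSERS = [
    rec("1920x1080", "Flash",      "Arial;Verdana", "-8"),
    rec("1920x1080", "Flash",      "Arial;Verdana", "-5"),
    rec("1920x1080", "Flash;Java", "Arial;Verdana", "-8"),
    rec("1920x1080", "Flash;Java", "Arial;Tahoma",  "-8"),
    rec("1366x768",  "Flash",      "Arial;Verdana", "-8"),
    rec("1366x768",  "Flash",      "Arial;Tahoma",  "-5"),
    rec("1366x768",  "Flash;Java", "Arial;Tahoma",  "-5"),
    rec("1366x768",  "Flash",      "Arial;Tahoma",  "-8"),
    rec("1280x800",  "Flash",      "Arial;Verdana", "-8"),
    rec("1280x800",  "Flash",      "Arial;Verdana", "-8"),  # identical twin of the one above
]

def fingerprint(record, attrs=ATTRS):
    """The identifier an observer derives from the chosen attributes."""
    return tuple(record[a] for a in attrs)

def unique_fraction(records, attrs=ATTRS):
    """Fraction of browsers whose fingerprint appears exactly once, i.e. that an
    observer can recognise on a return visit without any cookie."""
    counts = Counter(fingerprint(r, attrs) for r in records)
    singled_out = sum(1 for r in records if counts[fingerprint(r, attrs)] == 1)
    return singled_out / len(records)

def entropy_bits(records, attrs=ATTRS):
    """Shannon entropy of the fingerprint distribution; log2(len(records))
    would mean every browser is distinct."""
    counts = Counter(fingerprint(r, attrs) for r in records)
    n = len(records)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def most_identifying(records, k, attrs=ATTRS):
    """Which k attributes together single out the most browsers."""
    best = max(combinations(attrs, k), key=lambda c: unique_fraction(records, c))
    return best, unique_fraction(records, best)

if __name__ == "__main__":
    for k in range(1, len(ATTRS) + 1):
        attrs, frac = most_identifying(BROWSERS, k)
        print(f"{k} attribute(s): {attrs} singles out {frac:.0%}, "
              f"{entropy_bits(BROWSERS, attrs):.2f} bits")
```

Running the same measurement over a real sample of your users' browsers tells you how much identifying surface a site exposes before any cookie is set.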
There's been lots of discussion of the recent publication on Wikileaks of conversations between diplomats. Some people seem to think that it's fine to openly publish classified information that somehow manages to leak out.
It seems to me that there's a bigger privacy issue here that's being overlooked.
Would people feel differently if a large batch of Social Security numbers or credit card numbers were openly published on the Internet? What about proprietary information that's covered by an NDA? What about openly divulging all of the details of negotiating an enterprise software sale?
In each of these cases we'd have a misuse of sensitive information, but many people (perhaps all of them) who I've talked to that support the right of Wikileaks to freely publish classified information don't agree that it would be OK to freely publish other sensitive information, and I don't see a way to make that point of view consistent with the need to protect other types of sensitive information.
There may be a need to be able to expose the actions of governments, but it seems hard to justify openly publishing classified information in a way that doesn't start us on the first step towards also accepting the misuse of other sensitive information. Privacy is important, even for people who work for government agencies and it's probably better to respect it than to openly violate it.
It looks like the EU is kicking around the idea of a "right to be forgotten," which will essentially require web sites to give their users the ability to have all of the personal information that they have provided deleted. This is what the relatively new proposed revision to their 1995 Data Protection Directive will require, although the actual law that will contain this new right won't be proposed until next year. It will be interesting to see how that works out.
The proposed law will also strengthen other protections around personal information, but because those are harder to describe in a short, attention-getting phrase like "the right to be forgotten," they probably won't be mentioned as much.
This will almost certainly end up having more substance than the proposed idea to make traveling for tourism a human right that European Commissioner Antonio Tajani tried to get going earlier this year. That didn't seem to go anywhere, although it certainly got lots of coverage in the media.
I recently noticed that a potentially interesting game was listed as being available on my My Yahoo! page. I noticed that there was a link to click that would give you information about "What I am sharing? (and other legal information)" if I were to try this game.
When I checked to see exactly what type of information Yahoo! would share if I played this game I found this:
You grant [GAME NAME REDACTED] and [GAME COMPANY REDACTED] (developer) access to:
Obtain your Contacts data from Yahoo! Contacts.
Obtain your shared and public profile data and profile data your Connections share.
Obtain and update your status message.
Share your activities and manage the updates you receive.
That seemed a fairly high price to pay for a free game, so I didn't play it.
I recently noticed that a former co-worker had disappeared from LinkedIn. When I asked him about this he explained that he had canceled all of his memberships in social networking sites because they were asking for too much personal information and didn't seem to take his concerns about privacy seriously. He then went on to say, "I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own. I resign."
I did warn him that things didn't work out too well for the person who said that the first time, but he didn't seem concerned. All I could think to say was, "Be seeing you."
I just came across an article that talks about how the use of biometric data for identification can cause a security problem. Here's what this article said:
When biometrics get down to the local gym, however, serious questions must be raised. Your biometric identifiers are immutable and, once stored on a computer, impossible to take back. So if the 24-Hour Fitness database gets hacked and some enterprising Black Hat team of computer experts makes off with this sensitive information, many people could forever lose control of this permanent identification marker. Of course, you could scrape off your fingerprints and replace them with new ones. (This is probably possible). But that's getting a little too close to Total Recall for my taste.
This seems to miss the point of biometrics. Biometric data isn't secret and the security model of biometric identification systems doesn't assume that it is. Instead, biometrics need to ensure that the data that they capture is fresh instead of stored. This subtlety seems to have been missed by the author of this article.
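To illustrate the freshness point, here is an added toy model (not code from the original post or from any vendor): the stored template is treated as public, and what the verifier checks is that each capture was produced by a genuine sensor in response to a nonce it just issued. The shared sensor key, the byte-string "biometric" and the Hamming-distance matcher are all simplifying assumptions made for the illustration.

```python
# Added example (not from the original post or any vendor's code): a toy model of
# why a biometric template need not be secret as long as each capture is fresh.
# Assumptions: the sensor holds a key shared with the verifier (provisioned at
# enrollment), a "scan" is a 32-byte string, and matching is a Hamming distance.
import hashlib
import hmac
import os

SENSOR_KEY = b"constructed-sensor-key"   # assumed provisioned into the genuine sensor
MATCH_THRESHOLD = 8                       # max differing bits between scan and template

def hamming(a: bytes, b: bytes) -> int:
    """Count differing bits; a stand-in for a real biometric matcher."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def sensor_capture(nonce: bytes, live_sample: bytes):
    """What a genuine sensor returns: the scan bound to the verifier's nonce."""
    tag = hmac.new(SENSOR_KEY, nonce + live_sample, hashlib.sha256).digest()
    return live_sample, tag

class Verifier:
    def __init__(self, templates):
        self.templates = templates   # user -> stored template; treated as public data
        self.issued = set()          # nonces handed out and not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user: str, nonce: bytes, capture: bytes, tag: bytes) -> bool:
        if nonce not in self.issued:          # unknown or already consumed: a replay
            return False
        self.issued.discard(nonce)            # every nonce is single use, even on failure
        expected = hmac.new(SENSOR_KEY, nonce + capture, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                      # not produced by a genuine sensor for this nonce
        template = self.templates.get(user)
        return template is not None and hamming(capture, template) <= MATCH_THRESHOLD

def demo():
    """Three scenarios: a fresh genuine scan, a replayed message, and a leaked
    template presented without the sensor key. Returns the verifier's decisions."""
    template = bytes(range(32))                       # constructed enrolled template
    verifier = Verifier({"alice": template})
    live = bytearray(template)
    live[0] ^= 0x01
    live[5] ^= 0x10                                   # a fresh scan differs by a few bits
    live = bytes(live)

    nonce = verifier.challenge()
    capture, tag = sensor_capture(nonce, live)
    genuine = verifier.verify("alice", nonce, capture, tag)

    # The identical message captured off the wire and presented a second time.
    replay = verifier.verify("alice", nonce, capture, tag)

    # The leaked template itself, with a tag computed without the sensor key.
    nonce2 = verifier.challenge()
    forged = hmac.new(b"guess", nonce2 + template, hashlib.sha256).digest()
    leaked_template = verifier.verify("alice", nonce2, template, forged)

    return {"genuine": genuine, "replay": replay, "leaked_template": leaked_template}

if __name__ == "__main__":
    print(demo())
```

What the model leaves out is liveness detection at the sensor itself (a fake finger presented to a genuine sensor), which is the other half of keeping captures fresh.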
I just finished an interesting book, Stand on Zanzibar, by John Brunner. It's about a dystopian future in which the Earth's population grows to the point that governments take all sorts of extremely draconian measures to keep it in check. It was published in 1968 but is set in the year 2010, and it's interesting to see how accurate Brunner's predictions of the future were. Like in any other work of speculative fiction, he managed to get a few things right but he also got others totally wrong. In general, Brunner's vision of the year 2010 is very different from the real 2010. It may not be as different as George Orwell's vision of the year 1984 was from the real 1984, but it really didn't seem very close.
I also read this book because I managed to get a copy that was published in 2009 yet autographed by Brunner, who died in 1995. It seems that before he died he signed some signature pages for a book that never got published, and that the most recent publisher managed to get ahold of these and use them in their edition of Stand on Zanzibar.
It looked to me like Brunner totally missed the effects of IT on society. Or maybe he didn't. Brunner wrote Stand on Zanzibar to point out how overpopulation could end up being a problem. It wasn't meant to point out how the rise of IT could cause a dramatic decrease in privacy. I actually don't know of any books that focus on that particular angle, but I'd probably read one if someone wrote it.
I'm sure that it wouldn't be too hard to extrapolate from the dramatic loss of privacy that we've seen happen in the past decade to the point that it would make the basis for an interesting story. It's not clear to me, however, whether such a story would be better classified as science-fiction or as horror.
Our marketing guys have yet another webinar planned, this time it will be held on June 16, 2010 from 10 am Pacific/1 pm Eastern and will last for 60 minutes. The topic this time is Managing 3rd Party Data Privacy - Protecting Your Own and Your Partners Information. Like some of our previous webinars, this one's also sponsored by FS-ISAC, the Financial Services - Information Sharing and Analysis Center.
Here's what they plan to talk about:
The fact that one of the infrastructure consultants for AAA will be talking about his experiences is probably a good enough reason to check out this webinar. Every industry has its own interesting set of problems that it faces and it's fascinating to see how they find clever uses of IT to solve these problems. I've never dealt with an organization like AAA, so I have no idea of the particular challenges that they face, but I'm certainly looking forward to hearing about them on this webinar.
Getting privacy right is tricky. People say that they want lots of privacy, but their behavior often tells us that they really don't value their privacy that much. If you promise to email someone a weekly cartoon, for example, they'll often give you lots of personal information that they claim they want to keep private.
The club cards that grocery stores offer are another example of this. The stores essentially pay you to let them track your purchases; they just pay you in discounts instead of cash. I was fairly surprised recently when I learned exactly how much stores pay you to let them track your purchases.
Voltage has a social event every Friday afternoon. Someone buys a reasonable amount of food and drink for this event and they get reimbursed by Voltage. I bought the supplies for one of these events a week or so ago and was somewhat surprised to see that the total went from about $110 to about $85 with the discounts that my wife's club card gave me. That's almost 20 percent of the purchase.
I don't know how representative that single data point is, but if a grocery store is willing to give you that much of a discount if you let them track what you're buying, people must be fairly unwilling to let stores do this.
The Health Information Technology for Economic and Clinical Health (HITECH) Act that recently went into effect has provisions that encourage, but don't require, covered entities to encrypt PHI. The Interim Final Rule (45 CFR Parts 160 and 164) that implements part of the HITECH Act requires notification of the unauthorized use or disclosure of unencrypted PHI that "poses a significant risk of financial, reputational, or other harm" to an individual.
Some conspiracy theorists seem to believe that this wording was included to allow businesses to avoid the high costs of breach notifications by arguing that their analysis shows that their breach didn't cause a significant risk of harm. A more reasonable explanation is that similar language dates back as far as the original Privacy Act of 1974, and is already included in the existing state breach notification laws.
But if the breach notification requirements of the HITECH Act aren't there to let businesses freely violate our privacy while giving us the illusion of it being protected, why are they there?
The breach notification requirements of the HITECH Act are probably best understood as part of a trend that's slowly but surely increasing the protection that sensitive data needs to have. This started with laws and regulations that required organizations to protect sensitive information, although the exact way in which they protect it is typically very flexible. It then moves to requiring notification of breaches of unencrypted sensitive information. At this point, encryption still isn't required, but there's a strong incentive to use it to avoid expensive breach disclosures. The next step is to require organizations to encrypt sensitive information.
The HIPAA Privacy Rule was the first step in this process for PHI. It required health care organizations to protect PHI, although they could implement this protection in many ways. The HITECH Act is the next step. It essentially requires the notification of breaches of PHI that isn't encrypted. In the future, we will probably see a federal law that actually requires the encryption of PHI. This has already happened in some states.
In 2008, Nevada law (NRS 597.970) required the encryption of Nevada residents' sensitive information when it's transmitted outside a business' secure network. The Massachusetts encryption law (201 CMR 17.00) did the same for Massachusetts residents a short while later. Legislators are now considering similar laws in other states, and similar data encryption laws will probably become widespread over the next several years. It's now hard to avoid complying with these state laws, and it's going to get even harder in the future.
How to comply with these laws in a reasonable way is still an unsolved problem. Legislators want businesses to protect sensitive information, but not at a cost that's too high to be practical for a business that needs to be profitable to survive.
Encryption is notoriously hard and expensive to use, but a combination of newer technologies and motivated IT departments is leading to solutions that are much more practical than they were a few years ago. Technologies like identity-based encryption, for example, are at least a factor of three less expensive to own and operate than the aging PKI technology that dates back to the dot-com boom. That's often enough of a difference to make encryption practical where it once wasn't.
Once the states find what works and what doesn't, it's likely that the federal government will raise the bar and require the encryption of all PHI, and when they do this, they will probably base exactly what they require on the lessons that the states have learned. Let's hope that this happens soon.
There has been lots of media coverage of the recent data breaches that have exposed millions of credit card numbers to hackers. But while it's relatively easy to cancel a compromised credit card and get a new one, it's not really practical to cancel and get a new medical history. Once it's compromised, it's compromised forever. Because of this, PHI deserves to have strong protection, and encrypting PHI is the best way to do this. The breach notification requirements of the HITECH Act only encourage encryption, but they're a good step towards ensuring that PHI gets the protection that it deserves.
In his article "Did Privacy Cause Identity Theft?" law professor Lynn LoPucki claims that the problem of identity theft that we have today is directly due to the increased privacy that various laws have given us in the past several years. He says that as recently as the '70s, identity theft was very hard for a criminal to pull off because there was so much public information about our identities. And because identity thieves need privacy to commit their crimes, the very privacy that we think is making things better for us has actually made it easier for identity theft to happen.
There's certainly a correlation between the proliferation of privacy laws and identity theft, but attributing the identity theft to the laws may be an example of post hoc reasoning. It seems to me that the ways in which identities were verified in the past didn't really take advantage of the additional information that was available at the time, even though it was available.
Instead of believing that our higher level of privacy has caused the higher rates of identity theft that we see today, I'd guess that it's just a case of criminals using the technology that's available to them. At the same time that stricter privacy laws made it easier for identity thieves to commit identity theft, information technology also proliferated. When this happened, there was much more information available to identity thieves, so they naturally used this information to commit identity theft. I'd guess that's why identity theft is a bigger problem today than it once was, and that the increased amount of identity theft isn't related to the stricter privacy laws at all.
On the other hand, I could be wrong. If that's the case, then I would expect LoPucki's model to predict that identity theft will decrease over the next several years as the proliferation of social networking web sites provides a handy source for lots of public information about our identities. Or I would expect his model to predict that users of social networking web sites suffer less identity theft than people who don't.
I don't believe that either of these will turn out to be true.
The 1890 Harvard Law Review article "The Right to Privacy" by Samuel Warren and Louis Brandeis is probably one of the most influential articles ever written on the topic of the protection of privacy. In this article, Warren and Brandeis argued that common law contained the foundation for effectively protecting privacy and that it was possible to modify and extend common law to make this happen.
From reading "The Right to Privacy," it certainly looks like Warren and Brandeis started thinking about the need to protect privacy because technological innovations were making it easier and easier to violate privacy. We have this same problem today. Cell phone carriers have databases of every call that we make as well as where we are when we make these calls, and e-commerce web sites track every click that you make and every page that you view.
Back in the 1880s, however, the problem was apparently a bit different. The example that Warren and Brandeis use again and again is that of the loss of privacy that the new technologies for photography allow. After all, if anyone can take a photograph without you knowing it, the possibilities for abuse of the technology are limited only by the imagination of the people who have cameras.
From the early twenty-first century, it almost seems hard to believe that cameras could cause so much concern. I wonder if people 100 years from now will have the same reaction to the privacy concerns that we have today. People seem to have adjusted to the widespread use of cameras fairly well, and they seem to have done this by accepting that the violation of privacy that they allow is an acceptable cost of using the technology. It may seem hard to believe now, but we might adjust to today's information technology by accepting the violations of privacy that it allows. I wouldn't be surprised if that's how things turn out in the future.
Although identity theft is now getting more media coverage than it once did, the need to protect the sensitive personal information that's used to commit identity theft has been well known for many years. As far back as 1973 this was known to be a problem. That's when the report Records, Computers and the Rights of Citizens was written for Caspar Weinberger, who was then Secretary of Health, Education, and Welfare.
This report discussed the problems of privacy and recommended that the following five principles be used to create a “federal code of fair information practice” that would be enforced by one or more federal laws:
The government has known for over 35 years that protecting sensitive personal information is a problem that needs to be addressed. Let’s hope that they can manage to do what needs to be done before we can say that they’ve known about the problem for over 40 years and still not addressed it.