Monday, December 31, 2007

RFID Chips in Passports

Despite widespread opposition to RFID technology being used in passports, the Department of State has approved its use in some new American passports.

The Center for Democracy and Technology reports:

Today, the Department of State released a final rule for the new "Passport Card," which is intended to be used by American citizens who frequently travel by land or sea to Canada, Mexico, the Caribbean, and Bermuda. The new rule calls for the use of "vicinity read" RFID technology without the use of encryption. This means the card will be able to be read remotely, at a long distance. CDT strongly objected to the use of this technology--developed for tracking inventory, not people--because it is inherently insecure and poses threats to personal privacy, including identity theft, location tracking by government and commercial entities outside the border control context, and other forms of mission creep.

4 congressmembers, the Government of Canada, a Native American government, privacy interest groups, technology companies and dozens of city, county and municipal governments expressed their concerns about the new rule.

The Federal Register text of the rule states their concerns:

The opinion expressed by many commenters is that vicinity read technology is not as secure as the proximity read technology currently used in the United States e-Passport. In their opinion the use of vicinity read technology could result in the unauthorized reading of information that would lead to identity theft and tracking of United States citizens by terrorists (security groups) and the government (privacy groups). In addition, commenters asserted that employing two different technologies at the same border crossing is redundant, inefficient, and unnecessarily costly.

Click here to read the text in its entirety

The government has stated that in order to avoid identity theft they are going to take several precautionary measures.

The Washington Post Reports:

The government said that to protect the data against copying or theft, the chip will contain a unique identifying number linked to information in a secure government database but not to names, Social Security numbers or other personal information. It will also come with a protective sleeve to guard against hackers trying to skim data wirelessly.

Avi Rubin, a professor at Johns Hopkins University, said that two years ago, he duplicated an RFID chip in his "speedpass" used for buying gas, copied the information onto a laptop and, after extending a radio antenna from the laptop out the car door, was able to buy gas with the cloned RFID chip.

Randy Vanderhoof, executive director of the Smart Card Alliance, represents technology firms that make another kind of RFID chip, one that can only be read up close, and he is critical of the passport card's technology. It offers no way to check whether the card is valid or a duplicate, he said, so a hacker could alter the number on the chip using the same techniques used in cloning.

Click here to read the text in its entirety

When it comes to protecting our privacy and identity, we should always expect and demand the government falls on the side of security. Unfortunately, as this program currently stands, the government has failed to take the necessary precautions to protect our privacy and guard us against identity theft.

Thursday, December 27, 2007

Google/Doublick Merger: EPIC Statement

To expand on the FTC's recent approval of the merger between Google and Doubleclick - particularly its privacy implications - I thought this statement by Marc Rotenberg, of the Electronic Privacy Information Center (EPIC), was a worthy post.

Some highlights include:

But the competition at issue here is not simply the development of a product or a service, it concerns the techniques that are used to collect information on American consumers in the Internet advertising industry, whether by text-based advertising, display-based advertising or some combination of the two.

Further, unlike typical merger reviews where the Commission may assume that the market analysis of suppliers and consumers captures all of the relevant parties, the market for Internet-based advertising is different. These companies target individual consumers based on their interests, their activities, even their personal behaviors. The “consumers” for Internet advertisers are web-based publishers. Assuming there is healthy competition, they make choices among competitors for advertising services. But for the consumer whose data is gathered, there is no choice. The market relationship exists between the advertiser and the publisher. It does not include the consumer.


But a majority of the Commissioners chose to ignore the privacy implications ofthe Google-Doubleclick merger and to propose instead the same self-regulatory approachto privacy protection that has repreatedly failed American consumers and could have been put forward whether or not a merger review was also underway.


As Senator Kohl said recently, “The antitrust laws were written more than a century ago out of a concern with the effects of undue concentrations of economic power for our society as a whole, and not just merely their effects on consumers’ pocketbooks. No one concerned with antitrust policy should stand idly by if industry consolidation jeopardizes the vital privacy interests of our citizens so essential to our democracy."

Moreover, in the last several years, the Commission has become increasingly aware of the new risks to American consumers. The FTC’s annual surveys repeatedly find that identity theft is the number one concern of American consumers. But consumers have little understanding of how their personal information is collected, how it is used, or what they might do when problems arise. The reality is that the gap between the risks to consumer privacy and the protections for consumer privacy is growing.


The Federal Trade Commission had an opportunity to establish the necessary safeguards for personal data and competition that could have allowed a global framework to emerge. Instead, the Commission’s failure to act leaves the question of how best to address the privacy and competiton implications of this deal to others.

The Federal Trade Commission is a public agency funded by taxpayer dollars. Its sole purpose is to protect the public interest. It failed to do so today in a case that will have far-reaching implications for the Internet economy and the privacy rights of American consumers.

Click here for the statement in its entirety.

Friday, December 21, 2007

FTC Clears Google-DoubleClick Merger

I'd be remiss if I left for the holidays without covering the now FTC approved merger between Google and DoubleClick. As E-Week makes clear, this is a biggie:

"The acquisition would combine two of the biggest players in online advertising. Google's text-based AdSense business is based on clickable links, while DoubleClick's technology places targeted banner ads and other display advertising on popular online sites."

The question being posed to both the FTC and the European Commission is how will this deal effect the consumer, in terms of it's privacy implications, the cost and affordability of the services themselves, and the more general effect on market competition. Consumer rights and privacy groups, in the United States and Europe, have aligned strongly against the merger.

In response to the FTC's decision, the groups that filed the original complaint ( The Electronic Privacy Information Center, the Center for Digital Democracy and U.S. PIRG ) with the FTC shortly after Google announced the deal - arguing the acquisition would give Google unprecedented ability to "record, analyze, track and profile" the activities of Internet users - made their disappointment clear:

"Despite the FTC's claims, privacy is most certainly an antitrust issue," CDD Executive Director Jeff Chester said in a statement. "A key component of the online market dominance that companies such as Google have achieved is the aggregation and analysis of consumer profiles, including the merger of far-flung data sets and vast data warehouses that only a handful of companies now have at their disposal."

The FTC's primary argument for not stepping in to prevent the merger was that Google and DoubleClick aren't direct competitors and therefore there are no "relevant antitrust" issues.

Further, as E-Week reports:

The FTC said its examination of the online advertising market shows "vigorous" competition in the space. Even though the agency found the merger poses no potential competitive harm to the marketplace, the FTC warned it would "closely watch these markets and, should Google engage in unlawful tying or other anticompetitive conduct, the Commission intends to act quickly."

But, as E-Week also reports, the European Commission still must weigh in:

The deal still needs the approval of the European Commission, which opened an extensive investigation into the merger in November. The EC has until April 2, 2008, to make a final decision on whether Google's acquisition of DoubleClick would "significantly impede" effective competition within the European Economic Area or any substantial part of it.

And this leads me to what European consumer advocates are saying about the deal, as all eyes are now on them. If the new report by the BEUC (The European Consumers' Organisation), which represents 41 pro-consumer groups from across Europe is any indication, this merger is far from a "done deal".

Click Z reports:

Following its initial warnings issued in late June, consumer group BEUC has once again written to the European competition commissioner Neelie Kroes to express concerns over Google's proposed $3.1 billion acquisition of Doubleclick...The letter cited three main areas of concern: pricing and competition, harm to consumers, and matters of privacy.

Finally the letter expresses concerns over consumer privacy and welfare, stating that the merger would create a structure that would "almost certainly be less respectful of user privacy." It argues that privacy protection is a competitive differentiator in the ad serving market, and that the merger would eradicate incentives for Google to innovate in the area since competition will have been diminished.

The European Commission is now carrying out a second-phase investigation into competition concerns surrounding the deal. As previously reported by ClickZ news, disapproval from the European Commission is likely to result in a collapse of the entire deal irrespective of the FTC's decision, since both companies generate significant revenue from within Europe.

This story should provide sufficient intrigue for everyone in the coming months...

Happy Holidays to all!

Thursday, December 20, 2007

FBI Recorded 27 Million FISA 'Sessions' in 2006

I know I've been doing a lot of posts on the FISA issue of late, but I just couldn't leave this one out. As more information comes to light - demonstrating why granting retroactive immunity to telecom companies would be so devastating to the fact finding process - we are learning just how expansive the administration's illegal wiretapping program has been over the past 5 years.

It should also be repeated here that the program was initiated well BEFORE 9/11...which only adds to the perception, and reality for that matter, that this program is a lot more about expanding executive power than "keeping us safe".

Now we find this...from Wired Magazine:

At the end of 2006, the FBI's Telecommunications Intercept and Collection Technology Unit compiled an end-of-the-year report touting its accomplishments to management, a report that was recently unearthed via an open government request from the Electronic Frontier Foundation.


Twenty-seven million is a staggering number given that the FBI only got 2,176 FISA court orders in 2006 from a secret spy court using the Foreign Intelligence Surveillance Act.
According to the math that means each court order resulted in 12,742 "sessions," all in regards to phone, not internet, surveillance.

FISA watchers have long wondered whether FISA warrants covered more than one person. Knowing how many calls or text messages the FBI captured could add a piece to the puzzle. Unfortunately, nothing in the documents turned over yet to the Electronic Frontier Foundation explain what a session is.

Click here to read the article in its entirety.

Wednesday, December 19, 2007

Democrats Delay a Vote on Immunity for Wiretaps

Mark this one down on your calendar...US Senators actually stood up on principle, and prevented the passage of the privacy eviscerating FISA bill! You know the one, that if passed, would have given retroactive immunity to the same telecom companies that gave the administration open access to your private phone and email conversations!

Well, thanks to the likes of Chris Dodd, Ted Kennedy, Russ Feingold, Barbara Boxer, and a handful of others, this abhorrent piece of legislation won't be debated again until January. If nothing else, this means that all Americans who care about the Constitution, the rule of law, and their inalienable right to NOT be spied on by their own government, have time to ban together and pressure lawmakers to strip retroactive immunity from any new FISA law!

Before I get to the article, watch the following Senate Floor speeches:

Senator Russ Feingold

Senator Chris Dodd

Senator Ted Kennedy

The New York Times reports:

The Bush administration had pushed for immediate passage of legislation to grant immunity to the phone companies as part of a broader expansion of the N.S.A.'s wiretapping authorities. But that will not happen now.


"Today we have scored a victory for American civil liberties and sent a message to President Bush that we will not tolerate his abuse of power and veil of secrecy," Mr. Dodd said in a statement. The president should not be above the rule of law, nor should the telecom companies who supported his quest to spy on American citizens," he said. "I thank all my colleagues who joined me in fighting and winning a stay in the rush to grant retroactive immunity to the telecommunications companies who may have violated the privacy rights of millions of Americans."


Ultimately, the Senate is likely to consider three different approaches: a plan by the Senate Intelligence Committee to immunize the phone carriers from liability; a plan by the Judiciary Committee to leave out immunity; and an alternative plan by Senator Arlen Specter, Republican of Pennsylvania, to indemnify the companies from legal liability by making the government responsible for any damages instead. Senator Dianne Feinstein, Democrat of California, threw a fourth option into the mix Monday by proposing that the foreign intelligence court, the FISA court, be allowed to decide whether individual companies should get immunity.

And one quick note on the role of the telecom industry, and the peoples' right to hold them accountable. To date, there are 40 lawsuits pending against AT&T, Verizon and other major phone companies over their alleged cooperation in the eavesdropping program. No surprise that the administration, and their corporate allies want immunity...that keeps the truth from ever seeing the light of day.

Click here to read the article in it's entirety.

Tuesday, December 18, 2007

ACLU presses candidates to repeal Real ID card law

The ACLU has rightly thrust the REAL ID Act - and the need for all candidates to proclaim their opposition to it - into the Presidential campaign.

For those that follow the campaign - or privacy for that matter - its probably not a great suprise to know that Democratic candidates Dennis Kucinich and John Edwards, as well as Republican candidate Ron Paul, are the only ones to date to CLEARLY articulate the threat the REAL ID Act poses to civil liberties.

New Hampshire's Union Leader reports:

Begun in July, the national and state organizations' efforts to get the candidates to publicly reject the plan to turn the state driver's license into a de facto national identification card haven't had much success.

While former Sen. John Edwards and Ron Paul are on record against Real ID as a threat to civil liberties, as is Congressman Dennis Kucinich, Sen. Barack Obama's only response so far has been to object on grounds it's an unfunded mandate and not enough has been done to help the state's implement it.

Ebel said requests to the national office of Sen. Hillary Clinton have produced no response, so she's hoping the campaign organization here will be more receptive. On the Republican side, former Mass. Gov. Mitt Romney's campaign said that he favors a national ID, but opposes driver's licenses for illegal immigrants. Former Arkansas Gov. Mike Huckabee has said he doesn't think DMV workers should be in the immigration business.


Calabrese said the ACLU projects that although Real ID calls for the states to be in charge of their own information, ultimately the Feds will say "let us handle the database."

Ebel and Calabrese said the Department of Homeland Security is beginning to figure out there's growing opposition to Real ID at the state level, so they've introduced the Western Hemisphere Travel Initiative that ACLU officials termed a "bait and switch" plan, which would hook up the driver's license base to customs databases.

Although people were originally going to have a passport to cross the border, DHS said if states linked their driver's license base to customs databases, they'd then be in compliance with Real ID. A key concern is that the DHS could expand the uses beyond the official purpose of Real ID. As specified by legislation, the Real ID is a secure card issued by states to be used only for the following reasons: to access a federal facility, board federally regulated commercial aircraft and enter nuclear plants.

Click here to read the article in its entirety.

Monday, December 17, 2007

Wider Spying Fuels Aid Plan for Telecom Industry

As the "FISA Retroactive immunity" bill is being debated on the Senate floor (and in fact just passed 76-10), Senator Chris Dodd is preparing a filibuster.

This critical debate, as often discussed here, is over whether the telecommunications industry should be protected from lawsuits for their aiding the National Security Agency’s warrantless, and illegal, eavesdropping program.

But aside from the political maneuverings taking place in the Senate as I write this, as the New York Times reported this weekend, this debate is as much about what was the relationship between the government and private industry, as it is about what the Bush administration wants this relationship to be in the future.

The New York Times reports:

But the battle is really about something much bigger. At stake is the federal government’s extensive but uneasy partnership with industry to conduct a wide range of secret surveillance operations in fighting terrorism and crime. The N.S.A.’s reliance on telecommunications companies is broader and deeper than ever before, according to government and industry officials, yet that alliance is strained by legal worries and the fear of public exposure.


After the disclosure two years ago that the N.S.A. was eavesdropping on the international communications of terrorism suspects inside the United States without warrants, more than 40 lawsuits were filed against the government and phone carriers. As a result, skittish companies and their lawyers have been demanding stricter safeguards before they provide access to the government and, in some cases, are refusing outright to cooperate, officials said.


The government’s dependence on the phone industry, driven by the changes in technology and the Bush administration’s desire to expand surveillance capabilities inside the United States, has grown significantly since the Sept. 11 attacks. The N.S.A., though, wanted to extend its reach even earlier. In December 2000, agency officials wrote a transition report to the incoming Bush administration, saying the agency must become a “powerful, permanent presence” on the commercial communications network, a goal that they acknowledged would raise legal and privacy issues.


The accusations rely in large part on the assertions of a former engineer on the project. The engineer, who spoke on the condition of anonymity, said in an interview that he participated in numerous discussions with N.S.A. officials about the proposal. The officials, he said, discussed ways to duplicate the Bedminster system in Maryland so the agency “could listen in” with unfettered access to communications that it believed had intelligence value and store them for later review. There was no discussion of limiting the monitoring to international communications, he said. “At some point,” he said, “I started feeling something isn’t right.”


The facts behind a class-action lawsuit in San Francisco are also shrouded in government secrecy. The case relies on disclosures by a former AT&T employee, Mark Klein, who says he stumbled upon a secret room at an company facility in San Francisco that was reserved for the N.S.A. Company documents he obtained and other former AT&T employees have lent some support to his claim that the facility gave the agency access to a range of domestic and international Internet traffic.

The telecommunications companies that gave the government access are pushing hard for legal protection from Congress. As part of a broader plan to restructure the N.S.A.’s wiretapping authority, the Senate Intelligence Committee agreed to give immunity to the telecommunications companies, but the Judiciary Committee refused to do so. The White House has threatened to veto any plan that left out immunity, as the House bill does.

“Congress shouldn’t grant amnesty to companies that broke the law by conspiring to illegally spy on Americans” said Kate Martin, director of the Center for National Security Studies in Washington.

Click here to read the article in its entirety.

Friday, December 14, 2007

Did Blockbuster, Facebook Break Privacy Law With Beacon?

Just when you thought the Facebook/Beacon scandal had been laid to rest, I find this article in PC World.

Apparently, there's a 1988 law called the Video Privacy Protection Act (VPPA). The law clearly "prohibits movie rental companies such as Blockbuster from disclosing personally identifiable rental records of the people who rent or buy movies from them to others -- unless the customer consents to the practice in writing."

We also happen to know that movie choices made by Facebook members on Blockbuster's website were made available to other members of the social network.

PC World details the story:

The case against Blockbuster is quite straightforward," said James Grimmelmann, associate professor at the New York Law School. "I'm surprised that there haven't been lawsuits already in terms of Blockbuster. The one against Facebook requires a couple more steps. It's one of those interesting issues" that can be viewed in multiple ways legally.


Civil remedies under the law include fines of at least US$2,500 for each violation. In the few situations where the law has been invoked, the cases involved the disclosure of customer movie rental records to law enforcement authorities by rental companies. The law has never been tested in an online situation such as the one involving Blockbuster and Facebook, and could raise interesting issues, according to Grimmelmann.


Facebook's Beacon ad service was released in early November as a part of the Facebook Ads platform. It is ostensibly designed to track the activities of Facebook users on more than 44 participating Web sites and to report those activities to the users' Facebook friends, unless specifically told not to do so. The idea is to give participating online companies a way to monitor the activities of Facebook users on their Web sites and to use that information to then deliver targeted messages to Facebook friends.

The problem with that arrangement, at least for Blockbuster, is that such information sharing put it in violation of VPPA before Facebook changed its privacy policies following an outcry over Beacon, Grimmelmann said. The mere fact that Blockbuster passed on movie choice information to Facebook friends without user consent is a violation of VPPA...

Click here to read the article in its entirety.

Unlikely allies unite to fight enhanced-ID plan

Not uncommon when it comes to the issue of privacy, unlikely allies from the left and right have joined forces. In this case, its the ACLU, the John Birch Society, and various Republican lawmakers voicing their opposition to Arizona Gov. Janet Napolitano's plan to create an enhanced state driver's license...which opponents believe moves the state a whole lot closer towards adopting requirements laid out in the REAL ID Act.

The Arizona Republic reports:

Napolitano last week signed an agreement with Homeland Security Secretary Michael Chertoff to create a three-in-one identification card. It would function as a driver's license, a valid ID for crossing the borders into Mexico and Canada, and a way for employers to verify workers' status under the soon-to-be-launched employer-sanctions law.


Under the terms of the agreement, the ID would be voluntary. It would cost $20 to $25 more than a standard driver's license because it would include an embedded information chip that could be read through radio-frequency identification technology. It's that technology that has opponents nervous and angry.


Alessandra Soler Meetze, executive director of the ACLU of Arizona, said the technology opens people up to having their identities stolen and to the government tracking citizens' every move."Any wireless signal is inherently insecure," she said.

As reported in the Arizona Daily Star, the debate centers around whether the idenities of those carrying the cards are truly at risk being that they contain no personal information, just an identification number. And, also argued by the Governor, is because the cards themselves are voluntary, not mandatory, they don't represent a government power grab or privacy invasion.

These arguments do not satisfy opponents of the program:

"I think they just value very much their privacy," the senator said. "And although it is voluntary at the moment, once the federal government gets involved I have no faith that it would stay voluntary."


Napolitano said the chips contain no personal information, just an identification number. She said only someone with access to the state Department of Public Safety database could learn anything more about the holder.

Homeland Security spokes-man Russ Knocke said the maximum range for reading the chips is 10 to 20 feet.

But Alessandra Meetze, executive director of the Arizona chapter of the American Civil Liberties Union, said that provides little comfort, even if true. She said it still would permit anyone with the right electronic equipment to track the movements of individuals.

Click here to read the article in the Arizona Republic.

Click here to read the Arizona Daily Star.

Thursday, December 13, 2007 Puts a Bet on Privacy

It appears consumers are going to have an option now for greater privacy when searching the web. The fourth largest search engine company has begun offering a service called AskEraser, which allows users to make their searches more private.

The small company (compared to Google or Yahoo that is) from Oakland California is hoping that this new technology will help give them a leg up on the competition. Let us hope so.

The New York Times reports: and other major search engines like Google, Yahoo and Microsoft typically keep track of search terms typed by users and link them to a computer’s Internet address, and sometimes to the user. However, when AskEraser is turned on, discards all that information, the company said.


The service will be conspicuously displayed on’s main search page, as well as on the pages of the company’s specialized services for finding videos, images, news and blogs. Unlike typical online privacy controls that can be difficult for average users to find or modify, people will be able to turn AskEraser on or off with a single click.


I think that it is a step forward,” said Ari Schwartz, deputy director of the Center for Democracy and Technology, about AskEraser. “It is the first time that a large company is giving individuals choices that are so transparent.”

But underscoring how difficult it is to completely erase one’s digital footprints, the information typed by users of AskEraser into will not disappear completely. relies on Google to deliver many of the ads that appear next to its search results. Under an agreement between the two companies, will continue to pass query information on to Google. Mr. Leeds acknowledged that AskEraser cannot promise complete anonymity, but said it would greatly increase privacy protections for users who want them, as Google is contractually constrained in what it can do with that information.


Last year, AOL released the queries conducted by more than 650,000 Americans over three months to foster academic research. While the queries where associated only with a number, rather than a computer’s address, reporters for The New York Times and others were quickly able to identify some of the people who had done the queries. The queries released by AOL included searches for deeply private things like “depression and medical leave” and “fear that spouse contemplating cheating.”

The incident heightened concerns about the risks posed by the systematic collection of growing amounts of data about people’s online activities. In response, search companies have sought to reassure consumers that they are serious about privacy.


In recent months, privacy has emerged as an increasingly important issue affecting major Internet companies. Several consumer advocacy groups, legislators and competitors, for instance, have expressed concerns about the privacy implications of the proposed $3.1 billion merger between Google and the ad serving company DoubleClick, which is being reviewed by regulators in the United States and Europe.

Last month, the Federal Trade Commission held a forum to discuss concerns over online ads that appear based on a user’s Web visits. And just last week, the popular social networking site Facebook suffered an embarrassing setback when it was forced to rein in an advertising plan that would have informed users of their friends’ buying activities on the Web. After more than 50,000 of its members objected, the company apologized and said it would allow users to turn off the feature.

The question remains - and perhaps will be answered to a degree with the offering of this new product - whether privacy is a strong enough concern among consumers to turn a feature like AskEraser into a major selling point for Click here for the article in its entirety.

Surveillance Court Declines to Release Secret Opinions

While not a surprise, this news is a disappointment. Despite the ACLU's best efforts, the Foreign Intelligence Surveillance Court has refused to release documents related to two past opinions it has given on the legality of the Bush administration wiretapping program.

The two decisions in question conflicted with one another, with the first seeming to give the administration more leeway in its continuation of the program it had been secretly conducting without court approval, while the second one was more restrictive.

The New York Times reports:

When Congress began debating changes in August, the civil liberties union asked the court to release the two opinions, arguing that the public had a right to know the court’s legal reasoning in the midst of a Congressional debate on the issue. The court’s presiding judge, Colleen Kollar-Kotelly, said then that it would consider the request, which she called “unprecedented.” In its own brief filed with the court, the administration opposed disclosure of the documents.


But, Judge Bates said, such benefits do not outweigh the government’s need or right to keep the material classified. Disclosure, he said, could allow the nation’s enemies to avoid detection and might compromise American intelligence activities. The potential damage is “real and significant, and, quite frankly, beyond debate,” the judge wrote.


Jameel Jaffer, director of the National Security Project at the A.C.L.U., said in an interview that he was disappointed. “A federal court’s interpretation of federal law should not be kept secret,” Mr. Jaffer said.

Click here to read the article in its entirety.

Wednesday, December 12, 2007

Ad-targeting system monitors your interests with ISP's help

The whole Facebook controvery over the past few weeks has highlighted the larger issue of internet privacy, and the role of advertiser targeting techniques.

A new product has been created to improve on Web sites' practice of dropping tiny tracking files known as cookies on visitors' computers. When those cookies indicate enough about a Web surfer's interests, related ads can be made to appear.

So, what are some of the privacy pro's and con's with this new technology? As you may have guessed, from a privacy perspective, it again comes down to the all important difference between "opt-in" or "opt-out". And to no ones surprise, industry wants to keep it as it is..."opt-out".

The Mercury News Silicon Valley reports:

...the fact that you visited a site doesn't say as much about your interests as knowing what you did there and afterward. Did you read several articles or quit halfway through one? Did you leave the site to research the topic further on a search engine?

To glean those deeper insights, NebuAd installs equipment inside the facilities of Internet service providers (ISPs), which see everything their customers do online. NebuAd's boxes examine many of the sites people visit, what they do there and what they hunt for on search engines.


Aspects of NebuAd's technique are already in play. For example, besides cookies, many online retailers deploy "clickstream analysis" tools that monitor what customers do on a given site - what they browse, what they read, which items they put in their shopping carts but fail to buy. As a much wider-ranging eye in the sky, NebuAd could pique more worries about privacy.

...Pam Dixon, director of the World Privacy Forum, said NebuAd should instead use an opt-in mechanism - automatically excluding anyone who doesn't sign up. She said even if a marketing profile is anonymous, someone might be able to tie it to an individual Web user, if its details were as richly detailed as NebuAd indicates.

"For this particular business model ... it's got to be opt-in, because people's expectation of privacy is that this isn't happening," Dixon said. The degree to which this privacy equation has been managed will likely be key for NebuAd.

Click here to read the article in its entirety.

Tuesday, December 11, 2007

Theft of personal data more than triples this year

According to a USA TODAY analysis of data losses reported over the past two years, more than 162 million records have been reported lost or stolen in 2007, triple the 49.7 million that went missing in 2006.

The article states:

Names, birth dates, account numbers and Social Security numbers have become like gold in the cybercrime underground. Meanwhile, organizations expose rich veins of such data as they convert paper documents into digital records. Business data worldwide are expected to swell to 988 billion gigabytes by 2010, up from 161 billion gigabytes in 2006, says researcher IDC.

As they "cram more and more data into a single place," companies and agencies present thieves with more opportunities for a big score, says Benjamin Jun, vice president of technology at Cryptography Research.


Organized-crime rings are on the lookout for unattended laptop computers, mail that contains disks or tapes and employees susceptible to bribery, says John Watters, CEO of security firm iSight Partners. "They're looking for the weak link," he says, "and aiming their resources at it."

Click here to read the article in its entirety.

Monday, December 10, 2007

Legislators, residents speak out against REAL ID program

The REAL ID Act - passed as an attachment to a supplemental spending bill for the Iraq war effort in 2005 - continues to meet resistance across the country whenever the public gets a chance to comment on it. Unfortunately, the Homeland Security Department (HSD) has kept such public gatherings to a minimum.

The Real ID Act would turn our state driver’s licenses into a genuine national identity card and impose numerous new burdens on taxpayers, citizens, immigrants, and state governments – while doing nothing to protect against terrorism. This new federal identity document would be required of every American in order to fly on commercial airlines, enter government buildings, open a bank account, and more.

The common reaction from concerned public citizens across the country to the Act has centered on the threat it would pose to individual privacy, the high costs states would incur to implement it, the increased danger of identity theft, and the possible loss of freedoms due to expanded government power. The recent hearings in Pennsylvania were no different. The good news is that 17 states have already passed legislation that opposes the Real ID Act...with Pennsylvania currently debating the passage of their own such bill.

The Daily American reported on the overwhelming public opposition displayed at the hearings:

The problem begins with a number of constitutional issues, opposition leaders say, and will only get worse when the identity database created by the act begins to be linked to financial institutions and essentially becomes a national identity card.


Many of the residents attending the event were uncomfortable with the program. Chris Faris, of Somerset, said that the act is not about security. “It’s about money. There’s a cottage industry of buying and selling information. They’re going to profit from it and say that we’re alarmists crying Fascism,” he said.

Click here to read the article in its entirety.

Friday, December 7, 2007

Report cautions consumers to look at online privacy policies

I thought this might be useful for readers being that it is the holiday season. A new report by, a project of the New York Public Interest Research Group, rates retail websites on how well their customers' personal information was protected.

AP details the findings:

The group reviewed the privacy policies of 484 online retailers in October and November, focusing on two aspects: how well customers were informed about how their information would be used, and how much control customers have over who has access to their information. and received screen door awards; sites that won steel door awards include, and was rapped because its privacy policy is "very technical and lengthy" and may be hard for people to understand, said Tracy Shelton, a consumer attorney with NYPIRG.

... was singled out because its policy says personal information may be transferred if the company is sold.

I did not see which companies it gave 'steel door' ratings to. I'll follow up on this post next week. To read the article in its entirety click here.

Thursday, December 6, 2007

Apologetic, Facebook Changes Ad Program

So Mark Zuckerberg, founder and chief executive Facebook, has apologized, says "they've made mistakes". Well, something tells me their deal with advertisers, and the use of Beacon, wasn't so much a "mistake" as an intentional desire to make as much money as possible.

Perhaps he means he made a mistake in getting caught?

At any rate, the Facebook flap highlights growing concerns about the increasingly sophisticated technologies used to track online activities in an effort to more precisely target advertising. It goes without saying these type of social networking sites have not exactly been forthcoming about how much user information they harvest, share, and with whom.

Nonetheless, as the New York Times article conveys, the Facebook story is one privacy advocates should feel good about. We made some noice, got some concessions, and now must broaden the scope of the fight.

The article details some of the reactions and aftermath to Facebook's apology:

Mark Zuckerberg, founder and chief executive of the social networking site Facebook, apologized to the site’s users yesterday about the way it introduced a controversial new advertising feature last month. Facebook also introduced a way for members to avoid the feature, known as Beacon, which tracks the actions of its members when they use other sites around the Internet.


Although Facebook has made the changes that and others requested, some users said they believed the company had not been forthcoming. “I feel like my trust in Facebook has been violated,” said Christopher Lynn, 30, a Facebook user who also writes a blog on social media. “Facebook created this space that was a private space, where we share our experiences, and to share this data behind our backs is upsetting.”


Jeff Chester, executive director of the Center for Digital Democracy, said Mr. Zuckerberg should have explained Facebook’s full advertising and data collection program to users.

The user needs to decide how their information is going to be used, whether it’s going to be used for targeting at all, which advertisers have access to it and whether Facebook has the right to collect and analyze it,” he said. “Facebook is saying it is a safe place for you to share your innermost secrets; what’s not being told to users is that they are selling those secrets.”

Wednesday, December 5, 2007

Wiretap Oversight Urged

It's good to see The Center for Democracy and Technology taking yet another strong stand on behalf of individual privacy. I've covered the illegal wiretapping issue pretty extensively here, and it goes without saying that the telecommunications industry does not deserve immunity for the crimes they committed against their customers.

But, as CDT notes, there are numerous other problems with the FISA "reform" bills making their way through congress.

PC World reports:

The legislation, as approved by the Senate Intelligence Committee, would reauthorize warrantless wiretapping of some U.S. residents' telephone and electronic communications in the name of protecting the U.S. against terrorists. One of the most controversial provisions would give telecom carriers immunity from civil lawsuit judgements for assisting the government wiretapping efforts, but CDT officials said Tuesday that there are other important debates raised by the legislation, including the role of the U.S. FISA (Foreign Intelligence Surveillance Act) court in overseeing the wiretapping program.

The Senate Intelligence Committee version of the bill, which was put together with help from President George Bush's administration, offers "no meaningful protection" to U.S. residents and limits the involvement of the FISA court in approving wiretapping, CDT said. Several civil liberties groups have called the wiretapping program illegal because it spies on U.S. residents communicating with oversees suspects without court approval.


The CDT would prefer a substitute amendment from the Senate Judiciary Committee that's likely to come before the Senate during debate on the bill. That bill would give the FISA court more oversight of the wiretap orders, would prohibit the bulk collection of international communications and would sunset the bill in four years instead of six, as in the Senate Intelligence version. Even better is a House of Representatives bill, the Restore Act, which would allow ongoing FISA court supervision of the wiretapping program, and would require prior court approval of wiretaps in most cases, CDT said. The House narrowly passed the Restore Act Nov. 15.

Click here to read the article in its entirety.

Tuesday, December 4, 2007

California Government Surveillance Cameras Thrive Without Safeguards

Do you ever get that feeling you're being watched? Well, if you live in California - and most definitely in the UK - you probably are. One of the growing little privacy violation secrets in the US, particularly California, is the rapid expansion of the governments use of surveillance cameras with next to no safeguards or oversight.

A recent report by the ACLU entitled "Under the Watchful Eye", details this very real, and frightening encroachment on our privacy and civil liberties. But rather than me explain all the findings and suggested reforms, I suggest you read this article by Stella Richardson of the ACLU summarizing some of the report's findings.

She writes:

California cities are moving quickly to install video surveillance cameras on public streets and plazas without regulations, with little or no public debate, and without an evaluation of their effectiveness... public records survey done by the ACLU disclosed that, even though 37 cities have some type of video surveillance program and 10 are considering expansive programs, none has conducted a comprehensive evaluation of the cameras’ effectiveness [full list of cities and their responses].


In the last two years, the federal Department of Homeland Security has made more than $1.4 billion available to cities for anti-terrorism projects. This funding, along with rising homicide rates and aggressive marketing by security companies, has led many cities to approve and install surveillance camera systems.


Surveillance camera programs do not significantly reduce crime in city centers, the report argues. Mark Schlosberg, Police Practices Policy Director of the ACLU of Northern California and co-author of the report said, “The use of surveillance cameras, unfortunately, comes at the expense of proven crime reduction measures such as better lighting, foot patrols, and community policing. In this sense, throwing money at video surveillance actually detracts from law enforcement’s efforts to reduce crime.”

The report cites a survey commissioned by the British Home Office, which found that improved lighting led to “a 20 percent average decrease in crime, with reductions in every area of criminal activity including violent crime,” while cameras led only to reductions “no more significant” than in control areas with no cameras. Britain has more than four million cameras operating in more than 500 towns and cities.


Nicole Ozer, Technology and Civil Liberties Policy Director and report co-author, raises another serious concern. “The threat of widespread government surveillance only multiplies when cameras are combined with other new technologies.” She cited automated identification software among such technologies. “In this light, video surveillance cameras provide a critical pillar for an emerging government surveillance infrastructure,” Ozer added.

For the ACLU's recommendations, as well as the article in its entirety, click here. From my perspective, allowing anyone, especially government, to have such broad reaching and all encompassing surveillance abilities begs two questions: "How much do you trust those in power to always do the right thing? And more importantly, "How much do you trust anyone that is given such enormous power to keep doing what's right?" The old adage "Absolute power corrupts absolutely" keeps coming to mind.

Oh, and they don't reduce crime either!!

Monday, December 3, 2007

Editorial: Facebook move doesn't clear up privacy fears

During my 5 days absence a lot has happened in regards to the MoveOn versus Facebook clash. Unless you've been living under a rock, I'm sure you heard the people won this round.

As MoveOn noted in a November 30th action alert, Facebook's "about face" is something we should all celebrate:

Big news! Last night, Facebook changed their policy and announced that no private purchases made on other websites would be displayed publicly on Facebook "without users proactively consenting." This is a huge victory for online privacy—and shows how regular people can band together to make a difference as the rules of the Internet get written.


The Washington Post, New York Times, and media outlets around the world cited the 50,000 Internet users who joined MoveOn's Facebook group and online petition as critical in getting Facebook to reconsider their policy. The New York Times called it a "mass protest" and London's Telegraph newspaper said we achieved "dramatic change."

But, before we pop the champaigne and declare the 29th of November to be "National Privacy Protection Day", check out this editorial by the San Jose Mercury News entitled "Facebook move doesn't clear up privacy fears".

As the editorial points out, this is only one part of a much larger struggle to protect ones personal information - particularly in cyberspace:

The backlash against Facebook last week is a lesson to all Internet companies: Tread more carefully with consumer privacy, even in this linked-in age.


But the issue of privacy in the Internet age doesn't stop there. Facebook fixed the notification feature, but it's still collecting the data. Web sites like Facebook and MySpace make it possible to share intimate details of our lives with online friends and contacts. That allows the sites themselves to collect troves of personal data, such as what movie we saw, what books we like and where we plan to go on vacation. And they can share that data with Internet marketers.


Despite Facebook's concession, the Center for Digital Democracy and other privacy groups plan to press the Federal Trade Commission to examine Internet marketing practices. It's time to look at updating the ground rules for marketing in the Internet age. Social networking sites have brought us into a new era of connectedness. But the basic expectation of privacy must not change.

Click here for the complete editorial...