Section 2.1.2 and 2.1.3: Storing search data
In a trade-off favoring privacy over improved search service, Google
reduced to nine months the time it stores user search data in a form that
identifies the user. Yahoo announced that it
would store data on user searches, page views, and ad clicks in a personally
identifiable form for only 90 days (except when fraud or security is an
issue). (Sept., Dec. 2008)
Section 2.2.1: DNA collection
The federal government announced that it will begin collecting DNA from
everyone arrested by federal agencies. (April 2008)
Section 2.2.2: Searching laptops at airports
A federal appeals court (9th Circuit) ruled that customs
agents do not need reasonable suspicion to
search or seize a person's laptop or other eletronic devices.
The court stated that the defendant did not show how a search of a laptop
is different from a search of luggage without probable cause
(which the Supreme Court has allowed). (Apr. 2008)
Customs officials search laptops and cell phones of business people, potentially
exposing confidential business and personal data. See, for example,
Ellen Nakashima, "Clarity Sought on Electronic Searches," Washington Post
(www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.html).
Several orgainzations are attempting to get the government to release its
policy on what files are copied and how long they are kept.
Section 2.2.2: Searching our brains Section 2.2.2: Satellite surveillance. Section 2.2.2: Screening vehicles. Section 2.3.3: Stolen medical billing
records. Section 2.3.3: Credit-card data stolen from
grocery chains. Section 2.3.3: Harvard joins the club Section 2.3.3: Stolen bank account data Section 2.3.3: Pretexting Section 2.3.5: Public records online
with SSNs Section 2.3.6: National ID database in India Section 2.3.6: The REAL ID Act Section 2.4: EU guidelines for
social network sites Section 2.4.1: Data breaches
Return to A Gift of Fire home page.
By studying a person's brain activity
while the person viewed photographs from a test set, researchers
developed a computer model to predict how the brain responds to various
kinds of images. Then they used the model to "guess" which pictures
the person viewed from a new set of photos.
In limited tests, the model was highly accurate.
Such models might eventually help treat vision problems caused by brain
injuries or illnesses. Currently, detecting the brain
activity requires a very large machine (a type of MRI machine) and a lot of
time, so no one can be scanned without their knowledge. What uses and abuses
of such technology can you imagine a few decades from now? (July 13, 2008;
Kay et al, "Identifying natural images from human brain activity,"
Congress authorized funding to begin
a controversial program in which the Department of Homeland Security will share
spy-satellite images with state and local law enforcement.
The Government Accountability Office issued a report saying there was
insufficient assurance that the program would comply with laws and standards
to protect privacy and civil liberties. DHS officials disagreed with the
report. (Oct. 1, 2008)
The New York City Police Department is developing a
plan to screen all vehicles entering Manhattan
(about one million vehicles per day).
The plan would include license-plate readers, cameras,
and radiation detectors. (Aug. 19, 2008)
A Courier left billing records on 2.2 million people
from University of Utah medical facilities in his car overnight.
They were stolen. He was fired. (Oct. 2, 2008)
Two grocery chains in the northeast U.S. and Florida, owned by one company,
reported that data
thieves planted malware in the computer systems of their stores and gained
access to more than four million credit- and debit- card numbers. Almost
two thousand cases of fraud resulted. From the reports I read, it appears the
company followed good security practices; how the software got onto the
computers is still unknown.
(Hannaford Bros. and Sweetbay, Mar. 31, 2008)
A hacker broke into a computer at Harvard University and stole personal
data on thousands of applicants. The applicant files included social security
numbers. The files were not encrypted. (Mar. 14, 2008)
Governments of several countries bought confidential bank account
information from someone who stole it from a financial institution in
Liechtenstein, a country with strong bank privacy laws. The governments
are using some of the client financial information to pursue tax-evasion
charges. (Feb. 25, 2008)
Owners of a detective agency in Seattle and several other people were
indicted for using pretexting to obtain sensitive data on thousands of
people, including income tax records from the IRS, earnings
histories from the Social Security Administration, and bank and
medical records. The case illustrates that government agencies and
businesses are susceptible to fake stories of emergencies and
hardships. (Source: Mike Carter, "Pretexting indictment names Belfair
private investigators," Seattle Times, Dec. 6, 2007)
The state government in Virginia required that counties put land records online.
It did not require that Social Security numbers be removed before posting the
records. It specified that the SSNs be removed by 2010 -- if the state
provided funding for the task of removing them. It didn't.
For several years, county governments in Iowa have provided land records online
with Social Security numbers included.
(Sept. 2008)
The Indian government set up a new agency to develop a national ID database
for its 1.2 billion people. Its stated purposes include improving provision
of government services and catching illegal immigrants. (June 26, 2009)
The REAL ID Act was supposed
to take effect in 2008, but all 50 states have been granted extensions.
Congress and the Department of Homeland Security are considering some
modifications. (Feb. 2009)
A panel of regulators in the European Union devised guidelines for
social networking sites that, the regulators say, would meet the
requirements of the EU's privacy laws. They say the sites should set default
privacy settings at a high level, tell users to upload a picture of a person
only if the person consents, allow the use of psuedonyms, and set limits on
the time they retain data on inactive users. (June 2009)
(See the related student
presentation assignment (Asmt. 12) for Chap. 2.)
A study of several hundred data breaches involving millions of
records found that in two-thirds of the cases, the victim organization
did not even know, before the breach occurred, that the data was
on their system. (For example, some retailers do not know that the
software they use stores credit card numbers.)
The study also found that in 87% of the cases, reasonable security
methods would have prevented the breach. (Verizon Business Investigative
Response team, 2008 Data Breach Investigations Report,
www.verizonbusiness.com/resources/security/databreachreport.pdf) (Feb. 2009)