January 16, 2006
DHS Phone System Gives Away Secrets
When a landlord called the Illinois Department of Human Services and punched in 1-2-3-4, he was trying to circumvent the automated answering system and talk to a live person. What he got was a surprise. He found himself listening to confidential voicemail messages left for DHS employees by clients of the agency. The messages typically included the name, telephone number, and Social Security number of the client, along with an explanation of the client’s problem. “We were very surprised to learn of this,” said a spokesperson for the agency, “and took immediate steps to correct it, but it's not something that anyone at DHS did wrong. They didn't even know about it.” According to the spokesperson, the vendor that provides the voicemail system has corrected the system glitch. “Social security data compromised,” http://www.belleville.com/mld/belleville/news/local/13632008.htm
States Struggle to Prepare for Real ID
Last year Congress enacted the Real ID Act, a statute that gave the states three years to begin issuing identification cards that meet federal standards. See “FAQ: How Real ID will affect you,” http://news.com.com/FAQ+How+Real+ID+will+affect+you/2100-1028_3-5697111.html Brian Bergstein, Associated Press Technology Writer, has written an article describing the challenges the states are facing in coming into compliance. In addition to setting standards for the issuance of state ID cards, the Act also requires the states to connect their record-keeping systems to national databases to catch duplicate applications, identify illegal immigrants, and share driving records. In addition, states are to check multiple databases to verify the accuracy of documents, such as birth certificates, that are submitted by license applicants. State officials say the cost of implementing these changes far exceeds the $100 million estimated by the Congressional Budget Office when the Act was being considered. Pennsylvania alone estimates its cost to be $85 million, with an additional $46 million annually to run the system. Virginia estimates that its initial costs will be $163 million, with additional ongoing costs of $63 million. “Real ID a nightmare for states,” http://www.thedesertsun.com/apps/pbcs.dll/article?AID=/20060115/NEWS10/601150328/1024
January 17, 2006
How Safe Are Hotel Card Keys?
Frequent travelers can rest easy. Computerworld has shown that concerns that electronic hotel room keys include sensitive personal information are unfounded. The hotel industry has frequently said there is no basis for the claims, but the concerns still remain among some travelers. To determine whether there is any basis for concern, Computerworld tested 100 hotel card keys from hotels and resorts ranging from Motel 6 to Hyatt Regency and Disney World. Neither Computerworld nor the expert it engaged to do additional testing of the cards could find any personally identifiable information on any of the cards. According to Computerworld, “Most keys contain only a room number, a departure date and a ‘folio,’ or guest account code. . .” “It's Just the Key to Your Room: Computerworld surveys 100 hotel card keys to explode an urban myth,” http://www.computerworld.com/securitytopics/security/story/0,10801,107701,00.html?source=x73; “Sidebar: The Search for the Perfect Electronic Key,” http://www.computerworld.com/securitytopics/security/story/0,10801,107737,00.html?source=x73
Domestic Surveillance Issue Remains Front and Center
The debate over the authority of the President to order the interception of telephone and e-mail messages between persons in the United States and persons overseas will be at the forefront of Congress’s agenda as it returns to Washington. Speaking Sunday on ABC’s “This Week,” Senator Arlen Specter, chair of the Senate Judiciary Committee, which will hold hearings on domestic surveillance, reiterated his belief that the President did not have the authority to order the surveillance. “I started off by saying that he didn't have the authority under the resolution authorizing the use of force,” he said. “The president has to follow the Constitution.” When asked what remedy would exist if the President is found to have acted without authority, Specter replied that the remedy could be a variety of things, including impeachment. Specter added that “I don't see any talk about impeachment here. . . I don't think anybody doubts that the president is making a good-faith effort, that he sees a real problem as we all do, and he's acting in a way that he feels he must.” “Specter: Bush has no `blank check' to spy,” http://www.chicagotribune.com/news/nationworld/chi-0601160233jan16,1,413848.story?coll=chi-newsnationworld-hed
Former Vice President Al Gore was not so charitable. He used Martin Luther King Day to speak out against the domestic eavesdropping authorized by President George Bush after the 9-11 attacks on the World Trade Center and the Pentagon. In his speech, Gore accused the President of “breaking the law repeatedly and persistently.” Gore recalled how during the last several years of his life, Dr. King was illegally wiretapped on a regular basis by the FBI. Said Gore:
The FBI privately called King the “most dangerous and effective negro leader in the country” and vowed to “take him off his pedestal.” The government even attempted to destroy his marriage and blackmail him into committing suicide.
This campaign continued until Dr. King’s murder. The discovery that the FBI conducted a long-running and extensive campaign of secret electronic surveillance designed to infiltrate the inner workings of the Southern Christian Leadership Conference, and to learn the most intimate details of Dr. King’s life, helped to convince Congress to enact restrictions on wiretapping.
The result was the Foreign Intelligence Surveillance Act (FISA), which was enacted expressly to ensure that foreign intelligence would be presented to an impartial judge to verify that there is a sufficient cause for the surveillance.
The text of Gore’s speech can be found at: http://rawstory.com/news/2005/Text_of_Gore_speech_0116.html
The New York Times reports today that then FBI head Robert S. Mueller III expressed concern about whether the eavesdropping was legal as his agency worked to investigate thousands of leads provided to it by the National Security Agency. According to the Times, the FBI employed hundreds of agents to investigate thousands of leads each month. “Spy Agency Data After Sept. 11 Led F.B.I. to Dead Ends,” http://select.nytimes.com/mem/tnt.html?emc=tnt&tntget=2006/01/17/politics/17spy.html&tntemail0=y
Survey Identifies Consumers’ Concerns with Loyalty Programs
David T.S. Fraser at the Canadian Privacy Law Blog pointed us to an article about a soon-to-be-released survey of consumers regarding privacy and loyalty programs. According to the study, “Retail Demand Insights 2006: What Drives Consumers?,” retailers are going to have to take care to address consumers’ privacy concerns in developing their loyalty programs. The survey found that consumers draw a clear line between what is and is not acceptable information to be provided in a loyalty program. The study found that “the most acceptable information shoppers were willing to give retailers include their name (89.8%), e-mail address (78.1%), street address (60.7%), and past transactions (46.8%). Consumers were least likely to allow retailers to track weight (14.4%), income (12.5%), job title (12.1%), employer (10.9%) and net worth (8.2%).” “Shoppers Want Loyalty Programs, but Not at the Cost of Privacy,” http://www.crm2day.com/news/crm/117019.php
January 18, 2006
Concern for Sale of Cell Phone Records Extends Overseas; Methods Used by Records Vendors Revealed
Police in Ireland are concerned about an American website that sells cellphone records. In the recent aftermath of the disclosure that a top official in Sinn Féin has been an informant for the British government, police fear that the handlers of other informants could be exposed by republicans or loyalists in the conflict in Northern Ireland. “Police fear US website could 'out' informers,” http://www.nuzhound.com/articles/irish_news/arts2006/jan16_web_site_could_out_informers.php This concern about the safety of informants is similar to one expressed by the Chicago police earlier this month. See “Chicago Police Warned of Sale of Personal Phone Records,” In the News, January 6, 2006.
Wired News has an article that details just how operators of a website are able to get private cellphone records to sell. Its reporter reviewed records from a suit filed by Verizon Wireless against cellphone record vendors in Florida late last year. The article describes the tactics as follows:
According to the suit, online cell-phone record vendors placed hundreds of thousands of calls to Verizon customer service requesting customer account information while posing as Verizon employees from the company's "special needs group," a nonexistent department. The caller would claim to be making the request on behalf of a voice-impaired customer who was unable to request the records himself. If the service representative asked to speak with the customer directly, the caller would impersonate a voice-impaired customer, using a mechanical device to distort his voice and make it impossible for the service representative to understand him -- a variant of a widely used social-engineering technique known as the "mumble attack."
The article notes that selling telephone records is not illegal. But it is illegal to obtain them under false pretenses. “Devious Tactic Snags Phone Data,” http://www.wired.com/news/technology/0,70027-0.html
Million Dollar Website Hit by Cyber-Extortionists
Alex Tew’s homepage brought him fortune, fame, and a rude awakening to the criminal element that lurks on the Internet. A third-year university student with more debts than income, Tew decided one afternoon that he needed an idea to become a millionaire. In less than 20 minutes he had his idea. In four months he had his first million dollars. For $50, he bought a domain name (milliondollarhomepage.com) and set up a website. He then sold pixels, the little dots that make up a computer screen, for $1 a pixel, minimum order 100 pixels. His idea caught on, and over the past four months he has sold 1 million pixels to people who want to advertise their own websites on Tew’s homepage. “The million-dollar student,” http://news.bbc.co.uk/1/hi/magazine/4585026.stm
Tew’s efforts to make a quick million also attracted the attention of hackers who threatened to shut down his site with a denial of service attack unless he paid them $5,000. When Tew ignored the demand, the hackers launched their attack, overloading his site with hits from zombie computers and effectively shutting it down. Their ransom demand then grew to $50,000. His site has been active only intermittently since January 11. “Blackmailers target $1m website,” http://news.bbc.co.uk/1/hi/technology/4621158.stm
Much of the media’s attention to information security relates to personal identity theft. Cyberextortion, however, is a growing and costly crime. The New York Times Magazine featured an article on cyberextortion on August 7, 2005. “The Rise of the Digital Thugs,” http://select.nytimes.com/search/restricted/article?res=F30B14FB3A580C748CDDA10894DD404482 (subscription required). We linked to articles regarding a British gaming company and a British charity that were victimized in December. “Internet Gaming Company and Charity Are Victims of Cyber-Extortion,” In the News, December 20, 2005. In October, we linked to a fascinating article in the New Yorker about a computer engineer who regularly does battle with cyberextortionists. “Hunting Down Zombies and The Criminals Who Use Them,” In the News, October 7, 2005.
January 19, 2006
Google Resists Federal Subpoena for Search Histories
In a move that many privacy advocates feared, the United States Department of Justice has subpoenaed records from the huge database of search histories maintained by Google. According to Mercury News, the records subpoenaed include “one million random Web addresses and records of all Google searches from any one-week period.” Google has refused to comply with the subpoena, claiming that it violates the privacy rights of Google users.
The government is seeking the search histories in a case in which it is defending the constitutionality of the Child Online Protection Act. The act was struck down because it could prohibit adults from accessing legal pornographic sites. The Supreme Court, however, left open to the federal government the opportunity to demonstrate at trial that the act was the only viable way available to address child pornography. The government wants Google’s data to establish the frequency with which web users encounter child pornography. “Feds want Google search records,” http://www.siliconvalley.com/mld/siliconvalley/13657386.htm
Phishing Attacks Grow; Keyloggers and Traffic Redirectors On the Rise
The number of unique phishing attacks in November grew to 16,882, the highest level in at least a year. The Anti-Phishing Working Group, which tracks phishing activity, identified 4,630 different phishing sites that were active in November. The United States led the way in the percentage of phishing sites hosted (32.96%), followed by the Republic of Korea (11.34%), China (8.04%), Germany (3.85%), United Kingdom (2.91%), India (2.83%), Canada (2.42%), Japan (2.23%), Romania (1.96%), and the Russian Federation (1.96%). According to the monthly report, the use of keyloggers “continues to grow at a rapid and alarming pace.” The APWG reports several instances in which commercial websites were infected with code designed to place a malicious keylogger on the computer of anyone visiting the site.
In addition to a rise in keyloggers, APWG reports significant increases in the use of traffic redirectors. Traffic redirectors enable the hacker to redirect a user’s computer to a fraudulent site. For example, when you type in the Internet address of your bank, the traffic redirector sends you to a counterfeit version of the bank’s website.
The report gives as an example a redirector aimed at users of PayPal. The attack is launched with a phishing e-mail that offers a link to a “PayPal security tool.” The tool is actually a Trojan Horse that changes the DNS server setting of the user’s computer and then deletes itself, leaving no trace of the Trojan. The next time the user goes to “paypal.com,” the user is redirected to a counterfeit PayPal website, where the user is prompted to enter his or her Name, Credit/ATM Card, Billing Address, Phone Number, Social Security Number, Mother's Maiden Name, Date of Birth, Driver's License, and Bank Account/Routing Numbers. The Trojan Horse was not detected by any anti-virus software on the market. “Phishing Activity Trends Report, November 2005,” http://antiphishing.org/reports/apwg_report_Nov2005_FINAL.pdf
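A defender's check for the kind of redirector described above, added here as an example (it is not code from the APWG report or from this newsletter): it parses a resolv.conf-style configuration, flags any resolver outside a trusted set, and compares the answers the configured resolver returns for paypal.com with those from a trusted resolver. The resolver addresses, the allowlist and both answer tables are constructed sample values so the check runs offline; on a real host the caller supplies the actual configuration and lookup results.

```python
"""Detect a DNS-changing redirector: configured resolvers that are not ours,
and watched hostnames whose answers differ between the configured resolver and
a trusted one. All inputs below are constructed samples (example code)."""

from dataclasses import dataclass

# Resolvers the organisation actually operates (constructed sample values).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hostnames worth checking because a redirector would target them.
WATCHED_HOSTS = ["paypal.com", "www.paypal.com"]


@dataclass
class Finding:
    kind: str       # "unexpected_resolver" or "answer_mismatch"
    subject: str    # resolver address or hostname
    detail: str


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit(resolv_conf: str,
          configured_answers: dict[str, set[str]],
          trusted_answers: dict[str, set[str]]) -> list[Finding]:
    """Flag resolvers outside the allowlist and watched hosts whose A records
    differ between the configured resolver and the trusted resolver.

    configured_answers and trusted_answers map hostname -> set of IPv4 strings,
    as obtained by querying each resolver (the caller performs the lookups)."""
    findings: list[Finding] = []
    for server in parse_resolv_conf(resolv_conf):
        if server not in TRUSTED_RESOLVERS:
            findings.append(Finding("unexpected_resolver", server,
                                    "nameserver not in the trusted set"))
    for host in WATCHED_HOSTS:
        got = configured_answers.get(host, set())
        expected = trusted_answers.get(host, set())
        if got != expected:
            findings.append(Finding("answer_mismatch", host,
                                    f"configured resolver returned {sorted(got)}, "
                                    f"trusted resolver returned {sorted(expected)}"))
    return findings


# Constructed sample: a host whose resolver setting has been replaced, plus the
# answers each resolver hands back for paypal.com (all addresses are made up).
SAMPLE_RESOLV_CONF = """\
# Generated by the network manager
search corp.example
# the first entry is not one of ours
nameserver 198.51.100.7
nameserver 10.0.0.53
"""
SAMPLE_CONFIGURED_ANSWERS = {"paypal.com": {"203.0.113.9"},
                             "www.paypal.com": {"203.0.113.9"}}
SAMPLE_TRUSTED_ANSWERS = {"paypal.com": {"192.0.2.10"},
                          "www.paypal.com": {"192.0.2.10"}}


if __name__ == "__main__":
    for f in audit(SAMPLE_RESOLV_CONF, SAMPLE_CONFIGURED_ANSWERS,
                   SAMPLE_TRUSTED_ANSWERS):
        print(f"{f.kind}: {f.subject} ({f.detail})")
```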
Medical Academy Says Privacy a Threat to Medical Research
The Academy of Medical Sciences in the United Kingdom has warned that overzealous concern for privacy is severely restricting large-scale medical research. According to the Academy, tens of thousands of people in the UK die each year because of rules that restrict the access of researchers to medical data. According to an article in TimesOnline, the website of The Times of London, the Data Protection Act, which requires a patient’s consent before one can obtain access to patient records, includes an exception for “necessary and proportionate” medical research. But the scientists in the Academy report that holders of patient information and regulators responsible for overseeing the Act have widely misinterpreted the Act to ignore the medical research exception. The scientists say that researchers have been forced to abandon large studies of the kind, for example, that linked smoking and cancer, because it is impossible to obtain the specific consent of each patient to the use of the data. “Life-saving research is blocked by overzealous data privacy,” http://www.timesonline.co.uk/article/0,,8122-1990964,00.html
Administration Violated National Security Act According to Congressional Research Arm; Civil Liberties Groups File Suit
According to the Congressional Research Service, the Bush administration violated federal law by limiting briefings about its warrantless domestic eavesdropping program to just a few congressional leaders. The Administration’s practice was apparently to brief the chair and the ranking member of both the House and Senate Intelligence Committees. The CRS says that the National Security Act requires the administration to keep all members of the House and Senate Intelligence Committees “fully and currently” informed about the program. A White House spokesperson responded in a statement that “We believe that Congress was appropriately briefed.”
Earlier this week, the American Civil Liberties Union and the Center for Constitutional Rights filed lawsuits challenging the President’s authority to order domestic surveillance without a warrant. The Electronic Privacy Information Center has also indicated it will file suit. “Congressional Agency Questions Legality of Wiretaps,” http://www.washingtonpost.com/wp-dyn/content/article/2006/01/18/AR2006011802158.html
January 20, 2006
Cell Phones Records Used to Track Users; Lawmakers Propose Legislation to Criminalize Sale of Phone Records
The Chicago Sun Times reports that Internet data brokers and private investigators are doing more than selling cell phone records. They are also selling information about the location of the cell phone owner when he or she makes a call. According to a private investigator interviewed for the story, "We just need the date and time of a specific call and we can let you know within 500-1000 feet where the person was." The article suggests a number of possible uses for such information, such as tracking the movements of an employee, locating a missing child, or tracking the whereabouts of a spouse suspected of having an affair. "You can track 'em for a week with a fully charged cell phone," said another private investigator. A spokesperson for Verizon Wireless said that it was unaware that data brokers were offering to sell location information based on cell phone records. “Cell call lists reveal your location.” http://www.suntimes.com/output/news/cst-nws-cell19.html.
Concern over the availability of cell phone records has been growing in recent weeks. Earlier this week, the Federal Trade Commission announced that it was conducting an investigation into the practices of persons who offer cell phone records for sale. “FCC Probes Selling of Cell Phone Records,” http://www.washingtonpost.com/wp-dyn/content/article/2006/01/17/AR2006011701451.html. On Wednesday, Senators Charles Schumer and Arlen Specter introduced legislation that would make it a felony to obtain cell phone records of another under false pretenses and for a telephone company’s employees to sell customer phone records. “Federal lawmakers act to block sale of phone records,” http://www.post-gazette.com/pg/06019/640330.stm. Representative Joe Barton, Chair of the House Energy and Commerce Committee also will propose legislation. The Washington Post quotes a statement issued by Barton: "I mean to make it very illegal. . . It is also possible because telephone companies may not be doing enough to protect consumer privacy, and I will make it clear that companies owe their customers a duty to privacy and need to devise new ways to foil pretexters." “Rep. Takes Aim at Cell Phone Record Sales,” http://blogs.washingtonpost.com/securityfix/2006/01/congressman_tak.html.
Indian Call Center Industry Launches Database to Track Employees
Information technology and call center companies in India have joined together in launching a database to track information about their employees, to enable employers to verify the credentials of job applicants and to permit police to check the backgrounds of workers. The database is being set up in response to recent disclosures of credit card fraud and information theft committed by call center employees. The information technology and call center industry in India employs 1 million people. “With worker database, India aims to fight fraud,” http://news.com.com/With+worker+database%2C+India+aims+to+fight+fraud/2100-1029_3-6028107.html?tag=html.alert
Computer Related Crime Costs U.S. Businesses $67 Billion Annually; 64% of Businesses Report Computer Security Incidents
The Federal Bureau of Investigation calculates that computer related crime costs businesses in the United States $67 billion annually. The FBI based this on a survey of 2,066 business organizations. Sixty-four percent of those organizations reported that they had suffered a financial loss in a computer security incident in the previous twelve months. The average loss was $24,000. While computer viruses, worms, Trojan horses, and spyware were the most commonly cited problems, more than 44 percent of the survey respondents said that the intrusions came from within their company.
“Computer crime costs $67 billion, FBI says,” http://news.com.com/Computer+crime+costs+67+billion%2C+FBI+says/2100-7349_3-6028946.html?tag=cd.top
Yahoo, Microsoft and America Online Give Search Information to Federal Government
Yesterday, we linked to an early report that Google was fighting a government subpoena for search records relating to one million random websites and all of Google’s search records for one week. See “Google Resists Federal Subpoena for Search Histories,” In the News, January 19, 2006. The Justice Department reported yesterday that Yahoo, Microsoft, and America Online have each complied with similar subpoenas they received in the case. A Yahoo spokesperson said the company had not provided any personally identifiable information and that, “In our view, this is not a privacy issue.” “Other firms handed over data on Web searches,” http://www.miami.com/mld/mercurynews/business/technology/13665364.htm?source=rss&channel=mercurynews_technology
Department of Justice Supports President’s Claim of Authority to Conduct Warrantless Surveillance
The Department of Justice has provided Congress a 42-page memorandum in support of the President’s power to authorize the National Security Agency to conduct warrantless surveillance of persons in the United States when they are engaged in telephone calls with, or send e-mail communications to, foreigners suspected of terrorist activity. According to the memorandum, “The NSA activities are supported by the President’s well-recognized inherent constitutional authority as Commander in Chief and sole organ for the Nation in foreign affairs to conduct warrantless surveillance of enemy forces for intelligence purposes to detect and disrupt armed attacks on the United States.” The memo also says that “Congress authorized the President to ‘use all necessary and appropriate force against those nations, organizations, or persons he determines planned, authorized, committed, or aided the terrorist attacks’” when it adopted the Authorization for Use of Military Force seven days after the attacks on the World Trade Center and the Pentagon in September 2001. “Legal Authorities Supporting the Activities of the National Security Agency Described by the President,” http://news.findlaw.com/hdocs/docs/nsa/dojnsa11906wp.pdf
In the News yesterday linked to an article about a report from the Congressional Research Service that concluded that the President had violated the National Security Act by failing to keep all members of the House and Senate Intelligence Committees “fully and currently” informed about the surveillance program. See “Administration Violated National Security Act According to Congressional Research Arm; Civil Liberties Groups File Suit,” In the News, January 19, 2006. The administration had limited briefings on the program to the chairpersons and the senior minority member of those committees. (Senator Rockefeller, the senior Democrat on the Senate Intelligence Committee, took the unusual step in 2003 of sending Vice President Cheney a handwritten letter stating that, without the ability to disclose information learned in a briefing to experts on the committee staff, “I simply cannot satisfy lingering doubts about the briefing we received.” The letter is available online at http://www.fas.org/irp/news/2005/12/rock121905.pdf.) Yesterday, the ranking Democratic members of the House and Senate Intelligence Committees, plus Senate Minority Leader Harry Reid and House Minority Leader Nancy Pelosi, sent a letter to Vice President Cheney demanding that in the future the full Intelligence Committees be briefed on the program. “Administration Paper Defends Spy Program,” http://www.washingtonpost.com/wp-dyn/content/article/2006/01/19/AR2006011903276.html.
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article.
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at firstname.lastname@example.org or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce, distributed either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning).