December 12, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article.
Gaining Access to Cell Phone Tracking Data
The New York Times ran an article on Saturday about challenges to the authority of police to require cell phone companies to give them live tracking information generated by cell phones without a showing of probable cause. In the last four months, three magistrate judges have refused to grant access to tracking information unless the government could show probable cause that a crime has been, or is being, committed. Government attorneys argued that under the 1986 Stored Communications Act, all they are required to show is “specific and articulable facts” demonstrating that the records they seek are “relevant and material to an ongoing investigation.” The federal magistrates ruled that a higher standard is necessary because the cell phone acts as a live tracking device that follows people into their homes and other places where privacy is reasonably expected. “Live Tracking of Mobile Phones Prompts Court Fights on Privacy,” http://www.nytimes.com/2005/12/10/technology/10phone.html
Canadian Government Proposes Shielding Data from Anti-Terror Investigators from U.S.
The Canadian government is advancing a proposal that would allow government departments to terminate any contract they have with an American firm if that firm provides personal information about Canadians to U.S. officials investigating terrorism. Earlier this fall, the Assistant Privacy Commissioner concluded that the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) “cannot prevent U.S. authorities from lawfully accessing the personal information of Canadians held by organizations in Canada or in the United States, nor can it force Canadian companies to stop outsourcing to foreign-based service providers.” See, “Canadian Privacy Commissioner Okays Cross-Border Sharing,” In the News, October 21, 2005. Draft guidelines under review would recommend that federal databases containing sensitive information be located in Canada and only be accessible from within Canada. The guidelines would also give a federal department authority to terminate a contract if the department is presented with an order compelling the release of data about Canadians to U.S. investigators. “Canada wants to shield personal data from anti-terror law,” http://cnews.canoe.ca/CNEWS/Canada/2005/12/11/1348514-cp.html
Using Play-Doh to Foil Biometrics
Stuff Magazine reports that researchers at Clarkson University in New York have demonstrated the ability to fool a biometric fingerprint scanner 9 out of 10 times by using a phony finger molded out of Play-Doh. “Fingerprint tech foiled by Play-Doh,” http://www.stuffmag.co.uk/hotstuffarticle.asp?de_id=927
Firm Cracks Sober Code
Last Thursday, we linked to articles about the return of the Sober X virus and its use to spread Nazi propaganda on the upcoming 87th anniversary of the founding of the Nazi party. “Sober Worm Slows E-mail Traffic; Prepares to Spread Nazi Propaganda,” In the News, December 8, 2005. Late last week, a Finnish security firm, F-Secure, announced that it had cracked Sober’s code and identified the websites to which infected computers will be redirected on January 5, 2006. Systems administrators can block access to those websites to ensure that the virus cannot update itself and get further instructions. The websites are listed in the following article: “Sober code cracked,” http://news.com.com/Sober+code+cracked/2100-7349_3-5989094.html?tag=nl
University Computers Hacked Second Time This Year
For the second time this year, someone has hacked into computers at Idaho State University containing sensitive information. The information accessed included Social Security numbers, passwords, names, and birth dates. The breach occurred in September but was not discovered until last Wednesday, when the University noted “unusual activity” on the computer system. University officials suspect that the attack originated in another country, perhaps Romania. “Hacking program found on ISU computers,” http://www.casperstartribune.net/articles/2005/12/11/news/regional/ab40c8795e0adffe872570d2007a30bc.txt
A Healthy Dose of Skepticism
An article appearing at ConsumerAffairs.com reminds us of the need to read news stories with a healthy bit of skepticism. The author looks at three examples of claims appearing recently in the news and raises questions about their accuracy. For example, the article examines claims by an advisor that losses from Internet-related crimes exceed the sale of illegal drugs. See “Cybercrime Pays More than Drug Trafficking,” In the News, November 29, 2005. The advisor has estimated that Internet crimes netted $105 billion in profits in 2004. But Consumer Affairs points to a report from the United Nations that sets the global drug trade at $322 billion in 2004.
Consumer Affairs also suggests that it is important to look carefully at the sponsorship of studies reported in the news. One example is the recent study showing that only 1 out of every 1,100 customers who were the victims of a data breach was later a victim of identity theft. Consumer Affairs notes that the company that prepared that study recently announced partnerships with Visa and Equifax. “Given that creditors and businesses stand to lose serious profits as consumers shy away from credit and online shopping,” says Consumer Affairs, “it’s not unreasonable to assume the industry will do all it can to minimize the threat of identity theft or fraud.” “Identity Theft Fears: Underreported or Overblown?” http://www.consumeraffairs.com/news04/2005/id_theft_fears.html
December 13, 2005
European Data Retention Law Expected to Pass
The New York Times reports this morning that the European Parliament is expected to pass legislation that requires telecommunications companies to keep details of customer phone calls and faxes for two years and e-mail messages for six months. Current law permits companies to store the information only as long as it is needed for billing purposes, typically no longer than two months. The measure, which has passed through the Parliament in record time, is aimed at helping combat terrorism. “Europe Expected to Require Keeping of Phone-Call Data,” http://select.nytimes.com/mem/tnt.html?emc=tnt&tntget=2005/12/13/business/worldbusiness/13data.html&tntemail0=y.
The Cyberthreat to National Security
NPR’s Morning Edition is running a series of reports on the threat to national security from cyberhackers, many of whom work for foreign governments. Monday’s installment reports that in 2004 the Pentagon experienced 80,000 intrusion attempts – attempts that went beyond probing and attempted to break into the system – compared to 55,000 in 2003. Only about six hundred of those attempts were successful, according to the Pentagon, which says none of the successful attempts were directed against classified systems.
With over five million computers, the Pentagon faces a daunting task to educate its employees on data security. “Many of our people don’t understand the consequences of having this type of connectivity,” says Colonel Carl Hunt, Director of Technology for the Pentagon’s Joint Taskforce for Global Network Operations.
Another problem discussed in the report is the Pentagon’s reliance on commercially available technology. “So the very same thing you might use at home for cruising the net and playing video games is being purchased and deployed at the Pentagon with some configuration to do command and control and weapons control,” the story quotes Purdue University Professor Gene Spafford, who is a consultant to the White House on cybercrime. “We need to get into a mode where we evaluate the risk and try to pick the best possible tool rather than the cheapest and most convenient,” Spafford says. “Pentagon Faces Computer Security Problems,” http://www.npr.org/templates/story/story.php?storyId=5048451&ft=1&f=1019
NPR’s series continues today with an article about cyberattacks on defense contractors.
Update: Enforcing Italy’s Internet Café ID Law
Back in October, In the News linked to a story about requirements imposed by the Italian government that any person who makes available Internet, phone or fax services, such as at an Internet café, must obtain a copy of each customer’s passport and retain information regarding the machines that were used, including when each customer logs in and logs out. “Italy Requires ID To Use Internet Cafes and Other Telecommunications Services,” In the News, October 6, 2005. The Associated Press reports that compliance with those requirements is haphazard. Foreign workers, who frequent Internet cafés, often refuse to provide passport information, fearing that questions may arise about the legality of their presence in the country. “People either won’t register their documents, and others will show fake ones,” says one professor who has studied the impact of the new law. “I think this law is useless.” Nonetheless, the police are enforcing the law, shutting down seven internet cafés in Florence in November. The Associated Press notes that several Asian countries have laws similar to Italy’s. However, those are prompted not out of concern for potential terrorism, but instead to inhibit free speech. “Italian law hits cybercafés,” http://www.mercurynews.com/mld/mercurynews/business/technology/13389225.htm?source=rss&channel=mercurynews_technology
December 14, 2005
Do Not Call Settlement the Largest Civil Penalty Ever Paid to the FTC
In what the FTC calls the largest civil penalty ever paid to the agency, DirecTV has agreed to pay $5.3 million to settle allegations that telemarketers working on its behalf made calls to telephone numbers on the FTC’s Do Not Call registry. The FTC also alleged that one of the telemarketers “abandoned calls to consumers by failing to put a live sales representative on the line within two seconds after the called consumer completes his or her greeting, as required under the law.” DirecTV maintained that the calls were made by former independent retailers who failed to adhere to DirecTV’s policies. The FTC maintained that DirecTV remained responsible for those retailers. According to the FTC press release, “‘This multimillion dollar penalty drives home a simple point: Sellers are on the hook for calls placed on their behalf,’ said Chairman Deborah Platt Majoras. ‘The Do Not Call Rule applies to all players in the marketing chain, including retailers and their telemarketers.’” FTC Press Release, http://www.ftc.gov/opa/2005/12/directv.htm.
Cyber Security Group Sets National Agenda
The Cyber Security Industry Alliance, an organization composed of security vendors, such as McAfee and Symantec, and other companies, such as Visa, that are concerned with security issues, has issued its National Agenda for Information Security in 2006. Among the items on the agenda is the passage of national legislation regarding data breach notification and spyware protection. In addition, the agenda calls for a national policy for security and privacy of electronic health records and the creation of upfront security and privacy standards for healthcare IT. The CSIA advocates that the federal government should “encourage the private sector to apply information security governance to business operations. . . [and] should urge CEOs to review cyber security measures during board meeting reviews of business operations.” “National Agenda for Information Security in 2006,” https://www.csialliance.org/StateofCyberSecurity2006/Information_Security_Report.PDF
In announcing its agenda, the CSIA criticized both the Congress and the President for a lack of progress over the past year. “Currently, there is little strategic direction or leadership from the executive branch in the area of information security,” the CSIA said in its press release. “Ensuring the resiliency and integrity of our information infrastructure,” it says, “and protecting the privacy of our citizens should be higher on the priority list for our government.” CSIA Press Release, https://www.csialliance.org/StateofCyberSecurity2006/CSIA_ASOS_Release_121305.pdf; see also “Tech Group Blasts Federal Leadership on Cyber-Security,” http://www.washingtonpost.com/wp-dyn/content/article/2005/12/13/AR2005121301294.html.
In releasing the call for greater government action, the CSIA also released the results of a consumer survey it says supports its point of view. The survey found that consumers are confident that critical networks work well but are concerned about the security of those networks. According to the CSIA: “Americans are much more likely to believe that the networks of interconnected computers and machines that facilitate modern life are working well than they are to believe that the networks are safe. On a scale of 1 to 10, more than half of adults give the Internet (74 percent), the telecommunications network (61 percent), the financial network (61 percent) and the power grid (56 percent) scores of 7 or higher. Yet when it comes to assessing the safety of these networks from failure — whether from natural disaster, outside attack or random malfunction — no more than 30 percent of adults is willing to say that any of the networks is safe (a score of 7 or higher).” Internet Security National Survey, No. 2, https://www.csialliance.org/StateofCyberSecurity2006/National_Survey_121305.PDF.
Congress Will Take Up the USA Patriot Act on Friday; Opposition Mounts
Both houses of Congress are scheduled to vote this Friday on renewing provisions of the USA Patriot Act that otherwise will expire on December 31. Meanwhile, opponents of the renewal, including both conservative and liberal groups, are mounting a last-ditch effort to stop it. Senators Russ Feingold (D-WI) and Larry Craig (R-ID) are threatening a filibuster. “An 11th-hour drive to amend Patriot Act,” http://www.csmonitor.com/2005/1214/p03s02-uspo.html. Other opponents of the agreement reached by the Conference Committee of the House and Senate are considering granting just a three-month extension so that the more controversial provisions of the bill can be considered further.
Attempts to reach agreement on the Patriot Act Amendments before Thanksgiving were unsuccessful, in part because of disclosures that the FBI issues 30,000 national security letters each year, 100 times the historic average. See “Use of National Security Letters Up 100 Fold; Information Used in FBI Data-Mining,” In the News, November 7, 2005. Now, NBC has obtained a 400-page document it says is a database of domestic surveillance activities by the Pentagon. The database includes 1,500 “suspicious incidents” that occurred during a 10-month period. While Pentagon guidelines limit its ability to retain information on U.S. citizens, NBC says the database includes 20 references to U.S. citizens and records of surveillance at four dozen peace rallies and antiwar meetings. “Is the Pentagon spying on Americans? Secret database obtained by NBC News tracks ‘suspicious’ domestic groups,” http://www.msnbc.msn.com/id/10454316/.
Defense Contractors Targeted by Cyber Hackers
NPR reported on Monday that the Pentagon faced 80,000 cyberattacks in 2004. In a report on Tuesday, NPR says that defense contractors are subject to an even greater onslaught of attacks. It quotes a security specialist, Ira Winkler, who describes the vulnerabilities created by the interconnected network of contractors serving the Pentagon. While some contractors have taken exceptional security measures, contractors who possess less sensitive information are less vigilant. This, according to the security specialist, creates a backdoor for hackers to gain access to the highly sensitive information through the network. The story recounts the activities of Titan Rain, a group of Chinese hackers who were able to steal information from defense contractors, including flight planning software used by the Army and the Air Force. “Defense Contractors May Be Chink in Cyber Security,” http://www.npr.org/templates/story/story.php?storyId=5050285
When Do Hackers Shop?
According to USA Today, yesterday was supposed to be “the day hackers and fraudsters attack with a vengeance.” It was the final day that many prominent Internet retailers offered free shipping. According to a security firm quoted in the story, fraudsters were expected to choose yesterday to make purchases using stolen credit cards in order to take advantage of an expected high volume of Internet sales that would overtax security workers and make detection less likely. “Online Grinches exploit Christmas shipping deadline,” http://www.usatoday.com/money/industries/technology/2005-12-12-efraud_x.htm.
December 15, 2005
God Hears Your Prayers, but Should Others?
David Fraser, writing in the Canadian Privacy Law Blog, quotes from an article in Today’s Family News, a publication of Focus on the Family, that discusses the fear that some Canadian churches have that they may violate Canada’s privacy law. The article cites ministers who are concerned that praying aloud for people by name or circulating a church directory could violate the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”). Fraser notes that PIPEDA applies only to the use and disclosure of personal information in the course of commercial activities. The Canadian constitution permits the federal government to regulate commerce generally, but not to regulate a non-profit organization, says Fraser. He warns, however, that in certain circumstances a church may be engaged in a commercial activity, such as when it sells or leases its membership list. “Charging admission to a benefit concert for the church is not commercial,” writes Fraser, “Church fund-raising is not a commercial activity, nor is praying out loud or listing members in a directory.” “Churches and the federal privacy law,” http://www.privacylawyer.ca/blog/2005/12/churches-and-federal-privacy-law.html
Update: Patriot Renewal Passes House; Battle Looms in Senate
The United States House of Representatives yesterday approved a bill that would extend 16 provisions of the USA Patriot Act that are set to expire on December 31, 2005. But a battle looms in the Senate, as a growing bipartisan group of Senators voice their opposition and their intent to filibuster. Senate Majority Leader Frist moved yesterday to close debate on the issue and shut off the expected filibuster. The cloture vote will occur on Friday. “House Votes to Revise, Extend Patriot Act, Angering Senators,” http://www.washingtonpost.com/wp-dyn/content/article/2005/12/14/AR2005121402051.html
According to the Congressional Quarterly, the group opposing the current bill includes six senators who successfully stalled passage before Thanksgiving. They include Republican Senators Sununu (NH), Craig (ID) and Murkowski (AK) and Democrats Feingold (WI), Durbin (IL) and Salazar (CO). Joining the group this week are Republican Senator Hagel (NE) and Democrats Kerry (MA) and Obama (IL). Democrats are to meet today to decide if they will take a united approach on the bill. Forty-four Democrats in the House of Representatives voted for the bill. “Senate Leaders Welcome Debate on Patriot Act As House Votes to Renew Law,” http://www.cq.com/display.do?dockey=/cqonline/prod/data/docs/html/news/109/news109-000002004693.html@allnews&metapub=CQ-NEWS&binderName=cq-today-binder&seqNum=13 (subscription required)
Update: Pentagon to Review Allegations of Improper Domestic Surveillance
In response to an NBC News report to which we linked in yesterday’s In The News, the United States Department of Defense has ordered a review of a program, known as Talon, that gathers unconfirmed reports of suspected threats to defense facilities. The NBC Report revealed a database printout from Talon showing that the Pentagon had engaged in domestic surveillance. Undersecretary of Defense for Intelligence Stephen Cambone says the review will seek to determine whether Pentagon officials broke rules limiting the kinds of information that the military can collect domestically.
“Pentagon Will Review Database on U.S. Citizens,” http://www.washingtonpost.com/wp-dyn/content/article/2005/12/14/AR2005121402528.html
December 16, 2005
Bush Administration Secretly Authorized NSA to Spy on Americans following 9/11
On the eve of a vote in the United States Senate on renewing the USA Patriot Act, the New York Times reports that President Bush secretly authorized the National Security Agency to spy on Americans and others in the United States without obtaining a warrant. The authorization permits the NSA, which specializes in intercepting foreign communications, to eavesdrop on telephone and e-mail communications between persons in the United States and in foreign countries. According to officials in the executive branch, the Times says, “The eavesdropping program grew out of concerns after the Sept. 11 attacks that the nation's intelligence agencies were not poised to deal effectively with the new threat of Al Qaeda and that they were handcuffed by legal and bureaucratic restrictions better suited to peacetime than war.” Supporters of the President’s decision credit the eavesdropping program with helping to expose the plot of an Ohio trucker to blow up the Brooklyn Bridge in support of Al Qaeda and another Qaeda plot to attack British pubs and train stations. Others argue that the program is illegal or at least unnecessary, since warrants can be obtained from the federal Foreign Intelligence Surveillance Court with a lower standard of probable cause and are rarely refused.
The eavesdropping is not addressed in the USA Patriot Act. Nonetheless, the disclosure may add fuel to the arguments of Senators who oppose renewing controversial provisions of the act that allow the FBI to obtain business records without a showing of probable cause. “Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say,” http://select.nytimes.com/mem/tnt.html?emc=tnt&tntget=2005/12/15/politics/15cnd-program.html&tntemail0=y
Senate Patriot Vote Expected to be Close
Senator Dianne Feinstein, who was an original sponsor of the USA Patriot Act in 2001, has given her support to those who oppose renewing the act unless limits on the ability of the government to obtain business records are stiffened. She has said she will support a filibuster of the bill. Also joining the opposition yesterday were Senators Max Baucus (D-MT) and Hillary Clinton (D-NY). A vote is scheduled later today to shut off debate and bring the bill to a vote. Majority Leader Frist predicts that the cloture vote will prevail. Opponents are seeking a three-month delay to allow further negotiations. Frist says that, rather than agree to that, he will simply allow the Patriot Act provisions to expire if a vote on cloture is unsuccessful. “Frist Warns ‘Patriot Act’ Could Expire,” http://www.cq.com/display.do?docid=2007072&sourcetype=6 (subscription required)
Crystal Meth and Identity Theft
Yesterday’s USA Today has a fascinating article describing how crystal meth addicts have become significantly engaged in online identity theft. According to USA Today, “Identity theft has fast become the crime of preference among meth users for three reasons: It is non-violent, criminal penalties for first-time offenders are light — usually a few days or weeks in jail — and the use of computers and the Internet offers crooks anonymity and speed with which to work.” USA Today’s reporters were given inside access to the investigation of a crystal meth ring in Edmonton, Alberta, Canada. The article gives a detailed account of how the group got started in identity theft, using underlings to steal sensitive information from discarded trash. The group became adept at converting the information into cash by stealing money from the bank accounts of Edmonton residents. Eventually, the group was introduced, through Internet chat rooms, to cybercriminal rings in Quebec, Romania and Egypt who were able to steal large amounts of personal and financial information using phishing attacks, keyloggers and other methods but had difficulty converting that information into cash. The crystal meth group became a customer of the global cybercriminals, purchasing full profiles of identity theft victims in the United States. For $200, a profile would include a victim’s bank account number, credit card number, password, and social security number. By linking up with the global cybercriminals, the Edmonton group was able to avoid the labor-intensive effort of stealing identifying information on Edmonton residents and to reduce the risk of getting caught (by striking victims far from Alberta). But the group did get caught. Before that happened, however, the Edmonton group had strengthened its ties with the cybercriminal groups by engaging in laundering money for them through Edmonton banks.
“Meth addicts' other habit: Online theft,” http://www.usatoday.com/tech/news/internetprivacy/2005-12-14-meth-online-theft_x.htm#
Phishing on the Rise Once Again
The Anti-Phishing Working Group reports that phishing is once again on the rise. In October 2005, after declining three months in a row, the number of phishing attempts reported to APWG was 15,820, a 17 percent increase over September and a 127 percent increase over October 2004. “Phishing Activity Trends Report,” http://antiphishing.org/apwg_phishing_activity_report_oct_05.pdf
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at firstname.lastname@example.org or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.