Privacy Working Group


Archive for the ‘Identity Theft’


LA Apps

Posted on August 05, 2009 by Dave Williams - CAGW

No, that isn’t the name of a new grunge rock band.  It refers to the City of Los Angeles trying to decide whether or not to use Google Apps as a replacement for the Novell GroupWise e-mail and Microsoft Office applications.

There are huge taxpayer and privacy concerns with such a move.  In a press release and letter to members of the Information Technology and General Services Committee, we expressed our concerns:

On behalf of the 193,000 members and supporters of Citizens Against Government Waste in the state of California I would like to express our concerns with this proposed contract.  As the nation’s premier taxpayer watchdog, we applaud your desire to evaluate technology use and the potential to save taxpayer money.  However, there are cost and privacy issues associated with Google Apps that could negatively impact taxpayers and put critical information at risk.

Even though some news reports have claimed that there will be cost savings from the switch, a July 10, 2009 report from the Office of the City Administrative Officer to the Information Technology Agency (ITA) contradicts those assertions.  According to the ITA report, “In the City’s experience with other systems replacement projects, contractors that supported implementation of the new system have often remained involved with the project for a longer period of time than originally anticipated. … That no such costs are anticipated here is inconsistent with this experience. … GroupWise licensing savings totalling $269,700 will only be achieved if the City can fully implement Google’s system by December 31, 2009. … For this date to be met, ITA must submit a notice to proceed to CSC no later than August 1, 2009.”

In addition to cost, privacy should also be a key component in the decision-making process.  In a July 16, 2009 letter to Los Angeles Mayor Antonio Villaraigosa, the World Policy Forum (WPF) concluded that, “…the City should conduct a formal independent risk assessment of the privacy, security, and confidentiality issues the contract raises….  A risk assessment focused on this issue will assist the City in clarifying the problems before harm occurs.”

The savings estimates for Los Angeles are based on fully implementing Google Apps by December 31, 2009.  That means all employees must be utilizing the new system by that date.

In addition, a July 17, 2009 Los Angeles Times article said that “City Administrative Officer Ray Ciranna, the city’s top financial advisor, said the LAPD has raised questions about Google’s ability to shield sensitive arrest information.”

We urge you to conduct more research on cost, security and risk, starting with learning more about the D.C. experience and why so few are using Google Apps.

It’s fun to have shiny new toys, but when it comes to taxpayers paying for those new toys, there needs to be a serious discussion about cost and, in the case of software or computing, privacy.

Governments at all levels have a duty to ensure that privacy is guaranteed.

CongressDaily, Leahy Brings Back Identity Theft Measure For A Third Time

Posted on July 28, 2009 by PWG

Senate Judiciary Chairman Patrick Leahy hopes the third time will be a charm for his legislation intended to better protect citizens’ personal information.

The bill, which he reintroduced Wednesday and in two previous Congresses, would increase criminal penalties for identity theft involving electronic data and criminalize intentional or willful concealment of a security breach. Leahy said passage of the measure, which would pre-empt a patchwork of state data breach laws, is among his top legislative priorities.

The bill requires entities that maintain personal data to establish policies to protect that material and give notice to individuals and law enforcement when they experience a breach. Failure to do so could result in penalties of up to $500,000 per violation and potentially doubled fines if the activity was deliberate. The bill would let individuals correct personal records held by commercial brokers. Additionally, states would be able to bring lawsuits on behalf of residents, but the bill would not give consumers a private right of action.

Under the measure, federal agencies would be required to set privacy and security rules for use of commercial data broker information. They would have to perform audits of contracts with brokers worth more than $500,000 and would be required to impose penalties on those that fail to meet the requirements. A GAO report this week found that almost all major federal agencies have weaknesses in their information security controls.

Leahy’s cybersecurity bill is one of many expected in the House and Senate. Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, were first with legislation in April, which could see committee action before the August recess. Rockefeller issued a statement saying he and Snowe are working hard on the measure and hope to mark it up soon.

WSJ, Is Hiding Your Social Security Number Worth It?

Posted on July 28, 2009 by admin

Consumers who have spent hours locking up their passports, shredding their billing statements and filing away their tax returns may soon learn they’ve wasted a great deal of time. Their efforts to shield themselves from identity theft by guarding their Social Security numbers are being undermined by government officials and social networking sites.

These nine-digit combinations, unique for each individual, have for years been displayed on public-record documents published online by state government agencies. And according to a recent study, guessing one’s Social Security number is substantially easier if you know that person’s date and place of birth: information many share on their social networking profiles.

Originally created as a record-keeping system to manage the Social Security program, SSNs have quickly become the identifier most widely used by creditors, education institutions and health care and other service providers. They’ve also become a sought-after commodity in criminal circles. Identity fraud claimed 9.9 million victims last year – the highest in five years – and Social Security numbers were among the data most frequently compromised (38% of the time), along with names and addresses (43%), according to a report on identity fraud conducted by the research firm Javelin Strategy & Research.

Yet, when a Carnegie Mellon professor and a doctoral student said they had developed an algorithm that can predict, with alarming accuracy, a person’s Social Security number, privacy advocates weren’t surprised.

“The report makes clear something that has long been known,” says Marc Rotenberg, the executive director of the Electronic Privacy Information Center (EPIC) in Washington, D.C. “The Social Security number is not a reliable identifier and its increasing use in the private sector has clearly contributed to the problem of identity theft.”

To predict a person’s SSN, Carnegie Mellon professor Alessandro Acquisti and PhD student Ralph Gross used only information that was publicly available through voter registration lists, data brokers such as Peoplefinders.com, free online people searches like Zabasearch.com, or social networking sites.

AP, How to Keep Your E-Mail Safe While Traveling

Posted on July 21, 2009 by PWG

When Daniel Carter logged on to a shared computer at a hostel in Rome to check e-mail, he had no idea he was in a hacker’s sights. After his trip was over, he discovered someone had hijacked his e-mail account and sent a message to hundreds of his contacts asking for money.

“Sorry i did not get you informed about my short trip to london … i was attacked on my way to the hotel by some hoodlums and they took away all my belongings,” the e-mail said, ending with a plea for money “so i can sort out my hotel bills and fly back home” and a promise of repayment.

Most of Carter’s contacts recognized the scam from the poor grammar and lack of upper-case letters. Unfortunately, one older friend fell for it, sending some $2,000 to the scammers. Carter eventually regained control of his e-mail account and cleaned up the mess. But the money his friend sent was lost.

“This was a big wake-up call. I thought, ‘Who’s going to hack me, I’m not important or of large means,’” said Carter. But, as he found out, a hacker can make a quick profit off an ordinary traveler.

What happened to Carter is a relatively rare phenomenon. But travelers are especially vulnerable to hackers because they often use computers and Wi-Fi networks in hotel lobbies, cafes and airports.

“If you are using an open Wi-Fi network, you are extremely vulnerable,” says computer security consultant Kevin Mitnick. He should know: Mitnick served five years in prison for computer capers that gained him notoriety and prompted an FBI manhunt.

Here are some steps you can take to protect yourself.

NY Times, Twitter Hack Raises Flags on Security

Posted on July 20, 2009 by PWG

SAN FRANCISCO — You might think your password protects the confidential information stored on Web sites. But as Twitter executives discovered, that is a dangerous assumption.

The Web was abuzz Wednesday after it was revealed that a hacker had exposed corporate information about Twitter after breaking into an employee’s e-mail account. The breach raised red flags for individuals as well as businesses about the passwords used to secure information they store on the Web.

On Web sites containing personal information like e-mail, financial data or documents, there is usually just a user name and password for protection. More individuals are storing information on Web servers, where it is accessible from any online computer through services offered by Google, Amazon, Microsoft, social networks like Facebook or back-up services like Mozy.

But password-protected sites are growing more vulnerable because to keep up with the growing number of passwords, people use the same simple ones on numerous sites across the Web. In a study last year, Sophos, a security firm, found that 40 percent of Internet users use the same password for every Web site they access.

The attack on Twitter highlights the problem. For its internal documents, the company uses the business version of Google Apps, a service that Google offers to individuals free. Google Apps provides e-mail, word processing, spreadsheets and calendars over the Web.

The content is stored on Google’s servers, which can save time and money and enable employees to work together on documents at the same time. But it also means that the security is only as good as the password. A hacker who breaks into one person’s account can access information shared by friends, family members or colleagues, which is what happened at Twitter.

AP, Chips In Official IDs Raise Privacy Fears

Posted on July 13, 2009 by mdevitte

Climbing into his Volvo, outfitted with a Matrics antenna and a Motorola reader he’d bought on eBay for $190, Chris Paget cruised the streets of San Francisco with this objective: To read the identity cards of strangers, wirelessly, without ever leaving his car.

It took him 20 minutes to strike hacker’s gold.

Zipping past Fisherman’s Wharf, his scanner detected, then downloaded to his laptop, the unique serial numbers of two pedestrians’ electronic U.S. passport cards embedded with radio frequency identification, or RFID, tags. Within an hour, he’d “skimmed” the identifiers of four more of the new, microchipped PASS cards from a distance of 20 feet.

Embedding identity documents (passports, drivers licenses, and the like) with RFID chips is a no-brainer to government officials. Increasingly, they are promoting it as a 21st century application of technology that will help speed border crossings, safeguard credentials against counterfeiters, and keep terrorists from sneaking into the country.

But Paget’s February experiment demonstrated something privacy advocates had feared for years: That RFID, coupled with other technologies, could make people trackable without their knowledge or consent.

He filmed his drive-by heist, and soon his video went viral on the Web, intensifying a debate over a push by government, federal and state, to put tracking technologies in identity documents and over their potential to erode privacy.

Putting a traceable RFID in every pocket has the potential to make everybody a blip on someone’s radar screen, critics say, and to redefine Orwellian government snooping for the digital age.

New York Times, NY Official: Tagged Site Stole Identities

Posted on July 10, 2009 by PWG

NEW YORK (AP) — New York’s attorney general charged Thursday that Tagged.com stole the identities of more than 60 million Internet users worldwide — by sending e-mails that raided their private accounts.

Andrew Cuomo said he plans to sue the social networking Web site for deceptive marketing and invasion of privacy.

“This company stole the address books and identities of millions of people,” Cuomo said in a statement. “Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their e-mail contacts for Tagged’s unethical — and illegal — behavior.”

Started in 2004 by Harvard math students, Greg Tseng and Johann Schleier-Smith, Tagged calls itself a “premier social-networking destination.” The California-based company claims to be the third-largest social networking site after Facebook and MySpace, with 80 million registered users.

Cuomo said Tagged acquired most of them fraudulently, sending unsuspecting recipients e-mails that urged them to view private photos posted by friends.

The message read: “(name of friend) sent you photos on Tagged.”

When recipients tried to access the photos, Cuomo said they would in effect become new members of the site — without ever seeing any photos. Recipients’ e-mail address books would then be lifted, the attorney general said.

Washington Post, Researchers: Social Security Numbers Can Be Guessed

Posted on July 06, 2009 by PWG

Researchers have found that it is possible to guess many — if not all — of the nine digits in an individual’s Social Security number using publicly available information, a finding they say compromises the security of one of the most widely used consumer identifiers in the United States.

Many numbers could be guessed at by simply knowing a person’s birth data, the researchers from Carnegie Mellon University said.

The results come as concern grows over identity theft and lawmakers in Washington push legislation that would bar businesses from requiring people to supply their Social Security number when purchasing a good or service.

“Our work shows that Social Security numbers are compromised as authentication devices, because if they are predictable from public data, then they cannot be considered sensitive,” said Alessandro Acquisti, assistant professor of information technology and public policy at Carnegie Mellon University, and a co-author of the study.

National Law Journal, FTC Rule on Identity Theft Draws Strong Criticism From Bar Groups

Posted on July 01, 2009 by PWG

The New York State Bar Association Monday became the latest bar group to protest new Federal Trade Commission rules requiring lawyers to become involved in preventing identity theft, calling the move unauthorized, unnecessary and destructive to the attorney-client relationship.

The State Bar’s objections follow those submitted last week by the American Bar Association and the New York County Lawyers’ Association.

In addition, the ABA reports that statewide bar associations in Arkansas, Colorado, Illinois, Ohio and Virginia have also contacted the FTC to express their opposition, with Oregon and Wisconsin expected to follow shortly.

The rules, which are slated to take effect on Aug. 1, implement a 2003 statute aimed at curbing identity theft.

New York Times, Medical Problems Could Include Identity Theft

Posted on June 12, 2009 by PWG

Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston, has never had any real health problems and, luckily, he has never stepped foot in an emergency room. So imagine his surprise a few years ago when he learned he owed thousands of dollars worth of emergency-service medical bills.

Mr. Sharp, as it turned out, was a victim of a fast-growing crime known as medical identity theft.

At the time, Mr. Sharp was about to get married and buy his first home. Before applying for a mortgage he requested a copy of his credit report. That is when he found he had several collection notices under his name for emergency room visits throughout the country.

“There was even a $19,000 bill for a Life Flight air ambulance service in some remote location I’d never heard of,” said Mr. Sharp, who made this unhappy discovery in 2003. “I had emergency room bills from places like Bowling Green, Kan., where I’ve never even visited. I’m still cleaning up the mess.”

The last time federal data on the crime was collected, for a 2007 report, more than 250,000 Americans a year were victims of medical identity theft. That number has almost certainly increased since then, because of the increased use of electronic medical records systems built without extensive safeguards, said Pam Dixon, executive director of the nonprofit World Privacy Forum and author of a report on medical identity theft.

And uncountable, Ms. Dixon said, are the people who do not yet know they are victims. They may not know that their medical information has been tampered with for months or even years until, as in Mr. Sharp’s case, it shows up in collections on a credit report.

Medical identity theft takes many guises. In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.
