Privacy Working Group

Senate Judiciary Chairman Patrick Leahy hopes the third time will be a charm for his legislation intended to better protect citizens’ personal information.

The bill, which he reintroduced Wednesday and in two previous Congresses, would increase criminal penalties for identity theft involving electronic data and criminalize intentional or willful concealment of a security breach. Leahy said passage of the measure, which would pre-empt a patchwork of state data breach laws, is among his top legislative priorities.

The bill requires entities that maintain personal data to establish policies to protect that material and give notice to individuals and law enforcement when they experience a breach. Failure to do so could result in penalties of up to $500,000 per violation and potentially doubled fines if the activity was deliberate. The bill would let individuals correct personal records held by commercial brokers. Additionally, states would be able to bring lawsuits on behalf of residents, but the bill would not give consumers a private right of action.

Under the measure, federal agencies would be required to set privacy and security rules for use of commercial data broker information. They would have to perform audits of contracts with brokers worth more than $500,000 and would be required to impose penalties on those that fail to meet the requirements. A GAO report this week found that almost all major federal agencies have weaknesses in their information security controls.

Leahy’s cybersecurity bill is one of many expected in the House and Senate. Senate Commerce Chairman John (Jay) Rockefeller and Sen. Olympia Snowe, R-Maine, were first with legislation in April, which could see committee action before the August recess. Rockefeller issued a statement saying he and Snowe are working hard on the measure and hope to mark it up soon.

Read More

When Daniel Carter logged on to a shared computer at a hostel in Rome to check e-mail, he had no idea he was in a hacker’s sights. After his trip was over, he discovered someone had hijacked his e-mail account and sent a message to hundreds of his contacts asking for money.

”Sorry i did not get you informed about my short trip to london … i was attacked on my way to the hotel by some hoodlums and they took away all my belongings,” the e-mail said, ending with a plea for money ”so i can sort out my hotel bills and fly back home” and a promise of repayment.

Most of Carter’s contacts recognized the scam from the poor grammar and lack of upper-case letters. Unfortunately, one older friend fell for it, sending some $2,000 to the scammers. Carter eventually regained control of his e-mail account and cleaned up the mess. But the money his friend sent was lost.

”This was a big wake-up call. I thought, ‘Who’s going to hack me, I’m not important or of large means,”’ said Carter. But, as he found out, a hacker can make a quick profit off an ordinary traveler.

What happened to Carter is a relatively rare phenomenon. But travelers are especially vulnerable to hackers because they often use computers and Wi-Fi networks in hotel lobbies, cafes and airports.

”If you are using an open Wi-Fi network, you are extremely vulnerable,” says computer security consultant Kevin Mitnick. He should know: Mitnick served five years in prison for computer capers that gained him notoriety and prompted an FBI manhunt.

Here are some steps you can take to protect yourself.

NEW YORK (AP) — New York’s attorney general charged Thursday that Tagged.com stole the identities of more than 60 million Internet users worldwide — by sending e-mails that raided their private accounts.

Andrew Cuomo said he plans to sue the social networking Web site for deceptive marketing and invasion of privacy.

”This company stole the address books and identities of millions of people,” Cuomo said in a statement. ”Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their e-mail contacts for Tagged’s unethical — and illegal — behavior.”

Started in 2004 by Harvard math students, Greg Tseng and Johann Schleier-Smith, Tagged calls itself a ”premier social-networking destination.” The California-based company claims to be the third-largest social networking site after Facebook and MySpace, with 80 million registered users.

Cuomo said Tagged acquired most of them fraudulently, sending unsuspecting recipients e-mails that urged them to view private photos posted by friends.

The message read: ”(name of friend) sent you photos on Tagged.”

When recipients tried to access the photos, Cuomo said they would in effect become new members of the site — without ever seeing any photos. Recipients’ e-mail address books would then be lifted, the attorney general said.

Read More

While surfing the Web in December, Keren Brophy got a message on her computer screen telling her to update her antivirus software. The pop-up message looked similar to Windows security warnings she’d routinely received. She paid $49.99 for a program called Antivirus 2009 from a company calling itself Meyrocorp and thought she was safe.

A few days after she installed the software, Ms. Brophy’s computer wouldn’t boot up properly and soon was unusable; she noticed the desktop icon for the software she’d bought had disappeared. She had to wipe her hard drive clean to get the computer working again. Hoping for a refund, she sent email to Meyrocorp but got only automated replies.

“I never got a dime back from them,” says Ms. Brophy, a 37-year-old restaurant hostess from North Port, Fla. Meyrocorp couldn’t be located for comment.

What started out as a small-scale racket to defraud computer users is becoming big business. Rogue antivirus programs — also known as “scareware” — had a banner year in 2008. A recent report published by Microsoft Corp. found that scareware infections increased 48% in the second half of 2008 compared with the previous six months, hitting nearly 8 million. One program turned up on 4.4 million unique computers, a 66.6% increase over the first half of the year, according to the report.

Read More

TORONTO — A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.

Read More