Archive for the 'Privacy' Category

Indian Government Wants to Expand Spying Beyond Blackberry Email

Thursday, September 2nd, 2010

According to the AFP, the Indian Government wants the ability to spy on all manner of its citizens’ communications on the Internet. Recently it made news by joining the United Arab Emirates and Saudi Arabia in demanding access to Blackberry communications. Now it seems that the government is demanding access to Google Gmail communications and voice communications from Skype.

“If a company is providing telecom services in India, then all communications must be available to Indian security services,” a government representative told AFP. “If Google or Skype have a component that is not accessible, that will not be possible. The message is the same for everybody.”

The Indian government is also said to want access to corporate VPN traffic. How it will do this without compromising the security of corporations is really up for debate.

I wonder if they will be trying to ban IronKeys next?

Germany Calling for End to “Safe Harbor” for US Companies Protecting Customer Data

Monday, August 23rd, 2010

Germany’s Schleswig-Holstein Data Protection and Privacy Commissioner Thilo Weichert has issued a call to end the so-called data handling “safe harbor” for US companies doing business with European customers. In 2000, the European Commission agreed to recognize the US Department of Commerce “Safe Harbor” principles, essentially allowing US companies to self-certify that they exercise good practices to protect the information about their European customers.

Safe harbor compliance entails:
1. Notice: An organization must inform individuals about the data processing and about possibilities to file inquiries or complaints;
2. Choice: An organization must provide a general opportunity for individuals to choose to object (opt out) and must ask for consent (opt in) for processing of sensitive data;
3. Onward Transfer: Disclosure of information is only permitted if the recipient adheres to the notice and choice principle;
4. Security: Protection of data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
5. Data Integrity: Observance of purpose limitation of data;
6. Access: Right to access personal information held by an organization about the individual concerned;
7. Enforcement: Mechanisms for assuring effective compliance and data subjects’ rights.

Weichert’s statement is based on research by privacy researcher Chris Connolly showing that of 2,170 US companies that claim to be safe harbor compliant, many were in fact not. 940 out of the 2,170 US companies do not provide information on how to enforce individuals’ rights. Strangely, 388 of these companies were not even registered with the Department of Commerce!

If They Can’t Spy on Their Citizens’ Email, These Countries Will Ban Blackberry

Monday, August 9th, 2010

The United Arab Emirates, Saudi Arabia, Indonesia, and India are now planning to ban Blackberrys in their countries. The Blackberry service uses encrypted connections between devices and the email and web browsing service, which are operated from North America. The above countries have a policy of monitoring the email, messaging and browsing of their citizens, and even of foreign visitors to those countries.

It seems that RIM, the maker of Blackberry, is looking to add security back-doors so that governments in these countries can spy on Blackberry users in those areas.

RiteAid To Pay $1 Million Fine for Privacy Violations – HIPAA Violation

Thursday, July 29th, 2010

Pharmacy chain Rite Aid has been fined $1 million for violating privacy standards of the Health Information Portability and Accountability Act (HIPAA). It is good to see that the Office for Civil Rights (OCR) put some teeth into HIPAA and actually extracted a meaningful fine for violating the personal privacy rules of the act. Apparently Rite Aid did not properly dispose of identifying information on pill bottles of customers.

United Kingdom to Allow Foreign Police to Spy on UK Citizens

Tuesday, July 27th, 2010

I was in the United Kingdom last week. The UK government is said to be ready to sign a law that would permit police from other EU countries to demand details of UK citizens suspected of crimes in other countries. Details that could be released to foreign police include banking records, phone records, and even DNA samples.

This is happening under the auspices of the European Investigation Order (EIO).

Civil liberties organizations are very concerned that UK citizens’ personal details could be shared with foreign police for such mundane offenses as not paying for a meal at a restaurant.

Privacy Concerns Prompt Warning by UK MP of “Privatized Big Brother”

Thursday, July 22nd, 2010

London, UK.

Conservative Member of Parliament Rob Halfon claims that the UK government is not doing enough to investigate privacy invasions by Internet companies. He warns that if government does not take more action to investigate Internet companies that are accused of privacy violations, the UK risks having a “privatized version of Big Brother”.

His comments come in the wake of concerns about Google’s StreetMap project that “inadvertently” mapped out the wifi spots of thousands of people.

Dan Raywood of SC Magazine interviewed me about privacy issues and data protection today here in London. You can read the full article here.

Arrested Russian Spies Used Steganography To Hide Data

Wednesday, June 30th, 2010

11 alleged Russian spies have been arrested and charged with conspiracy to commit an offense against the United States by not registering with the attorney general. 9 of these individuals have also been charged with money laundering. Details on the people arrested are here. One couple is based in Cambridge, MA.

The FBI says that these spies not only used encryption to protect data on their laptops and USB flash drives, but that they are also suspected of using proprietary Russian-built steganography software to hide data inside images and other files on their computers.

Steganography is the technique of hiding information inside other documents or data, so that it cannot be detected. Combining steganography with cryptography can create systems of communications and data protection that are incredibly difficult to detect and to crack.

For example, imagine encrypting a data file using strong encryption, inserting that file as noise in the soundtrack or video stream of a large .wmv video file, and then posting the video to a website or sharing it on a BitTorrent network for its intended recipients to download. If you tell your recipients the name of the video file out-of-band (through an email, a phone call or an SMS), and if there is a key sharing protocol (i.e. they know the password to decrypt the data), then it's highly likely that only they will know that the encrypted data is there and be able to decrypt it.

If anyone else downloads the file, even using steganographic detection tools they are unlikely to detect the encrypted data. And even if they were able to extract it, they would still have to crack the encryption.
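A defender's view of the detection question raised above, as an added example that is not part of the original post: a pairs-of-values chi-square check for LSB replacement, run on constructed 8-bit samples. The sample generator, the threshold of 2.0 and all function names are assumptions made for the illustration, and random bits stand in for an encrypted payload.

```python
import random
from collections import Counter

def lsb_score(samples, min_count=10):
    """Pairs-of-values chi-square per populated value pair (2k, 2k+1).

    Overwriting LSBs with random-looking bits (ciphertext) equalises the two
    counts in every pair, so the score falls to about 1. Untouched media with
    an uneven histogram scores far higher.
    """
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n0, n1 = hist[even], hist[even + 1]
        if n0 + n1 < min_count:          # too few samples to judge this pair
            continue
        chi2 += (n0 - n1) ** 2 / (n0 + n1)
        pairs += 1
    return chi2 / pairs if pairs else float("inf")

def looks_lsb_embedded(samples, threshold=2.0):
    # threshold is an assumed heuristic, not a calibrated value
    return lsb_score(samples) < threshold

def make_cover(n, rng):
    # Constructed stand-in for media samples: 8-bit values with a comb-like
    # histogram, as left behind by contrast stretching or requantisation.
    return [min(255, max(0, int(rng.gauss(128, 30)))) // 3 * 3 for _ in range(n)]

def simulate_lsb_embedding(cover, rng):
    # Replace every LSB with a random bit (stand-in for encrypted payload bits).
    return [(v & 0xFE) | rng.getrandbits(1) for v in cover]

def demo(seed=2010, n=100_000):
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    stego = simulate_lsb_embedding(cover, rng)
    return lsb_score(cover), lsb_score(stego)

if __name__ == "__main__":
    cover_score, stego_score = demo()
    print(f"cover score: {cover_score:.1f}  embedded score: {stego_score:.2f}")
```

A score near 1 only says the pair counts are balanced; media whose low bits are already noisy scores the same way, so the check is a triage signal rather than proof.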

In fact, one wishing to communicate covertly would want other people to download the file, so that nobody monitoring networks can tell who the file is intended for.

In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique I discuss, they would have been able to avoid such detection.

One other thing I found interesting about this article is that a 27-character password was required to access the steganographic data. Having such a long password sounds like a great security measure. However, the agent wrote the password down on a piece of paper! In such a case, it would have been much more secure to use a shorter password that was more easily remembered.

White House Announces National Strategy for Trusted Identities in Cyberspace

Tuesday, June 29th, 2010

White House cybersecurity coordinator Howard Schmidt has announced the NSTIC, the National Strategy for Trusted Identities in Cyberspace. The initiative is a blend of federated identities combined with government (or trusted third party)-issued digital identities (primarily in the form of digital certificates).

I do think that a national federated identity scheme requires strong authentication, at least for any site that can do transactions or reveal personal information (which is pretty much any site of value). I also think that the Federal government is one of the only hopes we have of achieving such a system, as it will require a big infusion of cash.

However, I am skeptical that this plan can be achieved, given the diverse interests of the private sector and the federal government agencies, and the myriad of agendas and technological approaches. Look, Microsoft has failed at this many times, and they control 90%+ of the computer desktops out there.

20% of Android Phone Apps Let Third Parties Access Your Private Data

Wednesday, June 23rd, 2010

According to a research report by security firm SMobile Systems, about 20 percent of the 48,000 Android apps in the Android marketplace allow a third party to access the user’s data. These are typically apps that send SMS messages to premium phone numbers or make phone calls on behalf of users.

Many of those applications are legitimate, but some are definitely malicious. Some of these applications do many of the things that spyware does: getting access to email and text messages, tracking phone call information and device location, etc.

Federal Trade Commission Looks to Revamp Online Privacy Laws for Cloud Computing Services

Tuesday, June 22nd, 2010

At the 2010 Consumer Privacy Consultation conference, held in Calgary, Alberta, Canada this week, FTC officials met with their counterparts at the Office of the Privacy Commissioner of Canada (OPC) to discuss privacy issues related to cloud computing practices and their implications for individuals, organizations, and businesses.

Kathryn Ratte, a senior attorney in the FTC’s consumer protection bureau, said that existing privacy laws create a mish-mash of different privacy policies on the Internet, and that it's almost impossible for consumers to compare the privacy practices of different companies.

“To compare the privacy policies of two companies is an almost impossible task.”

Privacy laws on the Internet typically rely on disclosure requirements for data collection and use, and on consumers being informed. “In some very basic sense it isn’t working,” said Ratte.

Recent weeks have seen online privacy concerns escalate in the minds of consumers and the media. Google is facing a high-profile investigation of its data collection activities in relation to Google Street View, and Facebook has come under scrutiny for recent changes to its privacy policies and tools.

Some suggest that the FTC is considering increased regulation of cloud computing services. The ability of cloud services “to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities not originally intended or understood by consumers,” said David Vladeck, Director of the FTC Bureau of Consumer Protection, at a privacy roundtable meeting in January 2010 at Berkeley, CA.