Two-Factor Identification Too Frustrating for Consumers?

Posted by Bruce Johnson

The Associated Press reports on federal efforts to require banks to demand "two-factor" identification from their customers. As Brian Wong noted recently, the Federal Financial Institutions Examination Council (FFIEC), an umbrella group that includes the Federal Reserve and the Federal Deposit Insurance Corp., has told U.S. banks to strengthen their online authentication procedures by the end of 2006.

Continue Reading...

Is Rove Next?

Posted by Randy Gainer

The indictment of I. Lewis "Scooter" Libby on five counts, including obstruction of justice, giving false statements to the FBI, and perjury to the grand jury, has caused many to question whether Karl Rove will also be indicted shortly. Paragraph 21 of the Libby indictment states:

On or about July 10 or July 11, 2003, LIBBY spoke to a senior official in the White House ("Official A") who advised LIBBY of a conversation Official A had earlier that week with columnist Robert Novak in which Wilson's wife was discussed as a CIA employee involved in Wilson's trip. LIBBY was advised by Official A that Novak would be writing a story about Wilson's wife.

It appears to some that "Official A" is Karl Rove.

Continue Reading...

Security or Privacy?

Posted by Lance Koonce

We don't often do this on this blog, but since Kraig and I are both attending the same conference and listening to many of the same speakers, I thought I'd comment briefly about my take on the issue Kraig just raised about the yin and yang of privacy and security. While I agree that there is a tension between the two concepts, I've always focused more on the complementary aspects: the collection of personal data gives rise to a need for security measures to protect the stored information, and security measures that require high levels of authentication may require collection of personal data in order to function.

Continue Reading...

Privacy or Security?

Posted by Kraig Baker

One more thought about the presentations Thursday at the IAPP's Privacy Academy 2005 here in Vegas. It is increasingly clear to me that no one has figured out the ongoing tension between "security" and "privacy". These two concepts often get lumped together, but in addition to being complementary in some ways, they are, in many ways, conflicting. One can see the tension in almost every presentation at the conference.

Continue Reading...

...and more...

Posted by Kraig Baker

David Brin, the science-fiction writer and futurist, was one of the keynote speakers this morning. He was quite interesting and was somewhat provocative for a privacy conference. His greatest concern was the impact of the rise of secrecy on accountability in our society. His point was that we are an enlightened society that is not ruled by the rich, the elites, or the strong, because we have transparency and accountability through markets, science, democracy, and the courts. He views the rise of privacy and security as a threat to that accountability and enlightenment, and to the framework of American society. Although it takes a while to get exactly where Brin is going, Brin's ideas on accountability as a contrast to secrecy are pretty persuasive and an interesting counterpoint to the remainder of the conference.

Continue Reading...

And still more...

Posted by Lance Koonce

Our afternoon keynote speaker at the IAPP Privacy Academy was Kevin Mitnick, of hacker fame, who spoke on social engineering as the gravest threat to corporate security. Kevin's talk was quite engaging, in particular because it was interspersed with real-life examples of social engineering scams that vividly demonstrated his theme that humans are always the weakest link in any security system.

Continue Reading...

More from the IAPP Privacy Academy

Posted by Kraig Baker

Lance Koonce and I are blogging from the IAPP (International Association of Privacy Professionals) annual conference in Las Vegas this week. The organization seems to be getting a lot of traction as a trade group. They have over 600 attendees this year -- many more than last year. They also have a much more impressive roster of companies and organizations participating and many of the attendees seem to be more senior than in years past. Of course there are also more lawyers here this year...never a good sign.

Continue Reading...

IAPP Privacy Academy

Posted by Lance Koonce

Today was the first full day of the IAPP's Privacy Academy 2005 here in Las Vegas (actually, it's in Henderson, but let's not split hairs). The keynote addresses were given by author David Brin, IBM scientist Jeff Jonas, and Jim Harper of the Cato Institute.

Continue Reading...

FBI Abuses of Patriot Act Revealed

Posted by Steve Chung

The Washington Post reports that records turned over as a part of a Freedom of Information Act lawsuit indicate that the FBI has investigated hundreds of potential violations that are connected to its use of secret surveillance operations. In several of these cases, the responsible agents failed to follow Justice Department guidelines and file updates on the ongoing surveillance. In other cases, improper physical searches were conducted, bank privacy statutes were clearly violated and emails were collected after a search warrant had expired. The New York Times is also reporting the story.

Continue Reading...

Whose Internet Is It, Anyway?

Posted by Merrill Baumann

Historically, the Internet has "belonged" to the United States. It traces its origin to a Defense Department project; the authoritative root zone server is physically located here; and ICANN reports to the Department of Commerce. But that doesn't sit well with a growing number of countries and international organizations, including the U.N. and EU. This issue will face an increasingly public battle next month at the upcoming World Summit on the Information Society in Tunisia. And in the US, members of Congress have joined a Senate colleague in introducing legislation that calls for the US to maintain oversight control over the Internet. While creating a broader international management platform is attractive, opponents say that more governmental supervision will lead to increased regulations and bureaucracies that will stifle innovation and further development.

What do you think?


Phishing Scams Continue to Rise

Posted by Kraig Baker

Gartner reports that phishing attacks grew 28% from May 2004 to May 2005. Almost 2.5 million people reported losing money because of phishing attacks (and that's just those that admitted to it) to the tune of $929 Million and 11 million people clicked on a phishing e-mail. Despite the increase, it doesn't appear to me that phishing attacks have gotten that much more sophisticated. I think this is an outgrowth of people's general fear of computers and gullibility with respect to the written word. People who fall victim to phishing are undoubtedly the same people who used to forward the Bill Gates chain letter.

Continue Reading...

Surprise! Electronic Voting Systems Won't Be Ready By 2006

Posted by Kraig Baker
Here's a big surprise. The GAO reports that electronic voting systems aren't likely to be sufficiently secure by the 2006 elections. According to the report, the list of vulnerabilities included everything from easily-guessed administrator passwords and voter-verified paper trail design flaws, to incorrect software installation and system failures on Election Day. Here's a link to the GAO report.

Continue Reading...

What the Bird Flu Can Teach Us About Data Security

Doesn't it sound familiar? Emerging from a country or countries where the conditions of human life are more desperate, the virus propagates throughout the globe despite local efforts to contain it, and despite efforts in as-yet-unaffected areas to put up barriers to stop it.

Continue Reading...

Viva!

Several of us will be blogging this week from the IAPP's Privacy Academy 2005 in Las Vegas, which runs from October 26th through the 28th. Lance Koonce will be speaking on a panel entitled "Privacy in a Public World: Emerging Issues". Hope to see some of you there!


"Authentication in an Internet Banking Environment"

Posted by Brian Wong

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued the guidance "Authentication in an Internet Banking Environment." The FFIEC considers single-factor authentication to be "inadequate for high-risk transactions involving access to customer information or the movement of information to other parties."

Continue Reading...

U.S. District Court Orders Interior Department Computers Disconnected from the Internet Based on Security Concerns

Posted by K.M. Das

In a 205-page Memorandum Opinion, Judge Lamberth of the United States District Court for the District of Columbia blasted the lack of security of the Interior Department ("Department") computers that contain data relating to Indian Trust assets.

Continue Reading...

Welcome to the Blogosphere

Although a bit farther afield from the realm of privacy and security than our regular posts, we just wanted to mention that a DWT colleague of ours, John Parnass, has recently launched his own blog on Construction Law. It's a great looking site and John is an experienced attorney whose insight in this area will be invaluable. Welcome, John!


Fingerprint Biometrics: The Future of ATM Security?

Posted by Peter Mucklestone and Stuart Louie

As recently reported by CNN, a new standard in ATM security is emerging; however, not in the United States or even North America, but in the mountains and jungles of Colombia. BanCafe, Colombia's fifth-largest bank, has installed hundreds of ATM machines across the country which, as an alternative to requiring the traditional ATM card and personal identification number to grant a user access to his/her accounts, operate using fingerprint biometrics. The move by BanCafe was motivated by the increasing need for security among coffee-growers concerned about theft related to ATM use. Since offering fingerprint biometrics as an alternative method of accessing a user's account via an ATM, approximately 15% (or 230,000) of BanCafe's customers have registered for the service.

Continue Reading...

The Two (Cell) Towers Revisited

Posted by K.M. Das

In the largest such project in the world, the Missouri Department of Transportation ("MODOT") is in talks with Delcan.NET to implement a statewide traffic monitoring system based on tracking cell phones. The basic idea behind the project is that by tracking specific cell phones as their signal moves from cell tower to cell tower, and overlaying that with highway maps, it will be possible to track how fast or slow traffic is moving. Delcan.NET is already providing this service in Baltimore, on a trial basis, by tracking 1,000 Cingular users. Delcan.NET and MODOT are expected to finalize the contract within a few weeks and the project is expected to be implemented within six months of that.

Continue Reading...

The Register's "Spot the Black Helicopter" Contest Using Google Earth

Posted by Lance Koonce

An amusing competition with some startling results. The Register asked readers to submit image captures from Google Earth revealing potentially sensitive military installations and the like. Here's a sample:

[Image: Google400.jpg, a Google Earth capture submitted to the competition]

Those are SR-71 "stealth" Blackbirds in the above photo. There are pages and pages of similar photos on the competition results page. A good example of David Brin's "Omni-Surveilled" future (or present, rather)...

Give Me (Secure) Electronic Health Records, Or Give Me Death

Posted by Peerapong Tantamjarik

In a recent poll conducted for the Markle Foundation, an information technology policy organization, over 70% of Americans favored the use of electronic health records that can be accessed over the internet. The poll results have made national news. President George Bush has called for nationwide paperless health records by 2014, and the survey reports that four in five Americans (80%) believe that if physicians kept electronic medical records on their patients, health care quality would improve and medical errors would be reduced, because authorized doctors would be able to retrieve a patient's medical history in a matter of seconds. An equal number (81%) believe that the ability of researchers to review millions of records anonymously to determine best treatment practices would help all doctors improve the quality of medical care.

Continue Reading...

FTC Targets Spyware

Posted by Ronald London

The Federal Trade Commission has reported to Congress that spyware and other "malware" downloaded to consumers' computers without their consent is a serious and growing problem that harms consumers and the Internet, in testimony that coincided with new enforcement action the agency brought alleging a company distributed file-sharing programs that included spyware. In testimony before the Senate Commerce Committee's Subcommittee on Trade, Tourism, and Economic Development, FTC Chair Deborah Majoras stated that spyware causes problems that range from sluggish computer performance to lost personal data, and that the FTC has active programs targeting spyware concerns, including law enforcement initiatives. The testimony comes as Congress has before it several bills that would regulate spyware at the federal level.

Continue Reading...

Get Ready for Federal Spyware Legislation

Posted by Brian Bennett

Several federal spyware proposals would pre-empt state spyware legislation. Proponents of the federal proposals argue that the public is clamoring for the federal government to address the problems of spyware. Critics of federal spyware proposals point to the federal Can-Spam Act, which, by pre-empting stricter state laws, arguably may have increased the volume of spam. Critics warn that the same thing could happen with federal spyware legislation.

Espionage Indictments for Rove & Libby?

Posted by Randy Gainer

The special prosecutor Patrick Fitzgerald is reportedly considering asking the grand jury in the Plame leak case to indict Karl Rove and Lewis "Scooter" Libby on espionage charges, according to "lawyers involved in the case" who spoke to The Washington Post. A "lawyer in the case" told the same thing to The New York Times. Other media, including PBS, have speculated that Fitzgerald may be considering a conspiracy charge against Rove, Libby, and possibly others "not to out a CIA agent knowingly, which is a hard case to prove, but a conspiracy rather using classified information in violation of laws protecting classified secrets."

Continue Reading...

Spam-like Text Messages May Threaten Cellular Networks

Posted by Steve Chung

Although it hasn't happened yet, it seems inevitable that before long "[m]alicious hackers [will] take down cellular networks in large cities by inundating their popular text-messaging services with the equivalent of spam". This from the New York Times, reporting on a paper released by professors at Penn State.

Continue Reading...

Not So Fast, DHS

Posted by Merrill Baumann

The Department of Homeland Security is continuing its test program whereby RFID tags will be embedded in the I-94 and I-94W Forms issued to foreign visitors to the US. The Electronic Privacy Information Center has issued further comments urging DHS to abandon or delay this project until privacy concerns are adequately addressed. EPIC claims that the RFID tags can be read by countless others, thereby providing persons outside of customs and passport control with unauthorized access to personal information and tracking capabilities. EPIC urges that, at a minimum, DHS look into adoption of "Basic Access Controls" embraced by the International Civil Aviation Organization, which would enable RFID chips to require chip readers to authenticate themselves before any data would be transmitted.

The New Dictionary is Here . . . I'm SOMEBODY Now!

Posted by Lance Koonce

The new Merriam-Webster Collegiate Dictionary has been released, and included among the 100 or so new words now recognized by that dictionary are the following that may be of interest to P&SLB readers:

metadata (noun) 1983 : data that provides information about other data

DHS (abbreviation) : Department of Homeland Security

steganography (noun) 1985 1 archaic : cryptography 2 : the art or practice of concealing a message, image, or file within another message, image, or file

Wi-Fi (certification mark) : used to certify the interoperability of wireless computer networking devices

And yet....no dictionary entries for blog, blawg, vlog, moblog, podcast, splog, phish, pharm, mmorpg, VoIP, wardriving, spit, spim, HIPAA, RFID....?


The City of Brotherly WiFi

Posted by Lance Koonce

In other municipal wifi news, Philadelphia has awarded a contract to Earthlink to build the city's 135-square-mile wireless network. Philly is the largest city thus far to formally put a plan for city-wide wifi into place; Earthlink will fund and build the system, and will also own all of the equipment.

Continue Reading...

Google Wi-Fi Proposal Opens the Door to Massive Privacy and Security Headaches

Posted by Kraig Baker

Google's offer yesterday to build a municipal Wi-Fi network for the City of San Francisco has many positive and exciting ramifications for convenience, access, and conquering the digital divide. Providing such a network to a wired and technology-sophisticated city like San Francisco, by a technology provider that will undoubtedly facilitate simple use of VoIP and other multimedia, will create massive security headaches. It will be interesting to watch how Google plans to build the network to manage and minimize such headaches. Maybe Google has some ideas that will advance the cause of secure computing and access...


Data Breach Bill Up For Committee Vote Next Week

Posted by Kraig Baker

The Personal Data Security and Privacy Act, the bill originally sponsored in the wake of the high profile data breaches this summer and shelved while the Judiciary Committee was considering the confirmation of Chief Justice Roberts, has again moved to the forefront. Senators on the Judiciary Committee have agreed on a revised bill that harmonizes a number of the provisions in the original proposals. Chairman Specter and Senator Leahy have suggested that a Committee Vote could take place as early as next week.

Consumers Continue to Feel Privacy is Threatened

Posted by Kraig Baker

Consumers' distrust of Corporate America is growing. It's probably not surprising following a summer full of well-publicized data breaches, but a CBS News/New York Times Poll shows widespread concern about what has become a common business practice -- collecting personal information about individuals. A large majority of Americans express negative views about companies collecting personal information about individuals, including what they buy, their credit histories, and income information.

Continue Reading...

The Governator: Hasta La Vista, Phishers

Posted by Lance Koonce

On Friday, Governor Arnold Schwarzenegger signed California Senate Bill 355, the Anti-Phishing Act of 2005, which makes phishing schemes illegal in California. The legislation states that "[i]t shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business."

Continue Reading...