Dec 05 2008

Telcos and information privacy

Category: Information Privacy | DISC @ 2:26 pm


With the economy in the tank, breach of privacy is not going to be a priority on the Obama administration’s to-do list. It will be quite difficult to make it a priority when Obama has signed a bill indemnifying telcos from suits due to privacy breaches.

During the presidential election campaign, a Verizon employee gained unauthorized access to President-elect Obama’s mobile phone records. If telcos are having a hard time protecting the privacy of high-profile individuals, how does that make you feel as a cell phone owner? Don’t you wonder why the mainstream media didn’t publicize this high-profile privacy breach more widely?

Basically, telcos have been immunized from privacy lawsuits so that Big Brother can snoop around our private phone records as they please. In this instance, the law applies only to people and makes it illegal for them to snoop on each other, but the telecom entities have been granted an exception by Congress. Legal rulings require law enforcement to meet a high “probable cause” standard before acquiring cell phone records. According to a recent report, documents obtained by a civil liberties group under a FOIA request suggest that “triggerfish” technology can be used to pinpoint a cell phone without involving the cell phone provider and without the user knowing about it.

Organizations should implement directive, preventive and detective controls to protect the privacy of information. Directive controls include policies, procedures, and training. Preventive controls deal with separation of duties, the principle of least privilege, and network, application and data controls. Detective controls involve auditing, logging and monitoring.

The Verizon case shows a lack of detective controls. An organization should have a clearly defined privacy policy which states that access to private information should be logged, monitored and audited. High-profile individuals should be identified and documented, and reviews of audit logs should be conducted to identify inappropriate access to their private information. Authorized persons who have access to private information should be audited on a regular basis to find out whether they are following the privacy policies and procedures of the company. For private information, log who accessed which data, for whom and when. Managers should train and monitor subordinates to help protect private information, which not only educates the subordinates but also serves as a major deterrent. Privacy is an essential ingredient of liberty and must be guarded with utmost due diligence.
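The audit-log review described above can be sketched as follows. This is an added example, not part of the original post: the log layout, the `ticket` column (a work-order reference that justifies a lookup), the account identifiers and the function names are all assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log: who accessed which record, for whom, and when.
# Column names and the "ticket" justification field are assumptions.
SAMPLE_LOG = """\
timestamp,employee,account,subscriber,ticket
2008-11-03T09:14:00,emp101,ACC-1001,J. Smith,TCK-5521
2008-11-03T09:40:00,emp207,ACC-9000,VIP Subscriber A,
2008-11-03T22:05:00,emp207,ACC-9000,VIP Subscriber A,
2008-11-04T10:02:00,emp330,ACC-9000,VIP Subscriber A,TCK-5530
2008-11-04T11:30:00,emp101,ACC-1002,R. Jones,
2008-11-05T08:15:00,emp412,ACC-9001,VIP Subscriber B,
2008-11-05T08:20:00,,ACC-9001,VIP Subscriber B,
"""

# Documented list of high-profile accounts (constructed identifiers).
HIGH_PROFILE = {"ACC-9000", "ACC-9001"}


def review_audit_log(log_text, watchlist):
    """Return (unjustified, incomplete) entries found in the access log."""
    unjustified, incomplete = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        clean = {k: (v or "").strip() for k, v in row.items() if k}
        if not all(clean.get(f) for f in ("timestamp", "employee", "account")):
            incomplete.append(clean)    # entry does not say who, what or when
        elif clean["account"] in watchlist and not clean.get("ticket"):
            unjustified.append(clean)   # high-profile record, no work order
    return unjustified, incomplete


def summarize_by_employee(findings):
    """Group findings per employee so a reviewer can follow up with each one."""
    summary = defaultdict(list)
    for row in findings:
        summary[row["employee"]].append((row["timestamp"], row["account"]))
    return dict(summary)


if __name__ == "__main__":
    flagged, broken = review_audit_log(SAMPLE_LOG, HIGH_PROFILE)
    for employee, hits in sorted(summarize_by_employee(flagged).items()):
        print(f"{employee}: {len(hits)} unjustified access(es) {hits}")
    print(f"{len(broken)} incomplete log entries need investigation")
```

Entries that omit who, what or when are reported separately, because a log that cannot attribute an access fails as a detective control.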

“Those who give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety” Benjamin Franklin

Presidential Phone Compromised

Privacy Debate: Shouldn’t Public Demand High Threshold?
httpv://www.youtube.com/watch?v=HR6IEz4T7Yw


Tags: auditing, Barack Obama, breach of privacy, Civil liberties, detective, directive, Lawsuit, logging, mobile phone, monitoring, preventive, privacy, Security, triggerfish, Verizon


Oct 08 2008

Skype and Information Privacy

Category: Information Privacy | DISC @ 1:00 am

According to an SF Chronicle article by Peter Svensson (Oct 3, 2008, pg. c4), “A Canadian researcher (Nart Villeneuve) has discovered that the Chinese version of eBay Inc.’s Skype communication software snoops on text chats that contain keywords like ‘democracy’.”

In other words, the Chinese version of Skype was used for surveillance of text messages between two users. Researcher Nart Villeneuve not only found that the application was filtering specific words but that it was also passing the messages caught by the filters to other servers. Because of poor security on those servers, Nart was able to recover more than a million messages from those servers.

Well, given Skype’s previous claim that messages between two systems are encrypted and only public keys on those systems can decrypt those messages, this is questionable. Also, this revelation does not agree with Skype’s claim that the software discards the filtered messages.

Now the question arises: how do we know that our text messages on Skype are not being tapped in the United States?

Are privacy and security laws only applicable to consumers but not to corporations? If that’s true, then our state of security and privacy is in pretty dire shape. It seems like consumers’ information is for sale to the highest bidder without our consent or appropriate compensation.

Without any credible evidence, our Govt. should not be able to perform wholesale surveillance (profiling) for the sake of security. We are building a society of fear where everybody is under surveillance and is a suspect until proven innocent, which sounds like we are living in a police state.

Laws of secrecy and unnecessary surveillance will ultimately diminish the fundamentals of democracy. To lift the cloud of secrecy behind these sorts of initiatives the public needs to put pressure on their public representatives to dig out the truth. Otherwise the mound of voluminous data from surveillance can be used to harass innocent people and be used as a tool to distract from reality.

We cannot expect our information to be secure unless we trust our Govt. to protect our privacy and corporations to secure our information.

Skype’s China Spying Uncovered
httpv://www.youtube.com/watch?v=60SFGH3lxLg



Tags: compensation, credible evidence, democracy, dire shape, encrypted, filtering, poor security, reality, snoops, surveillance, voluminous

