Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Browsing Posts published in July, 2007

According to newlaunches.com, there is a new device that has the ability to detect cell phone use while driving, eliminating the need for police to visually see a driver using a cell phone while driving.  When the system detects a call, it records what car was using the phone.  It will take a picture and, later, someone will look at that photo to determine if the driver was actually breaking the law.

“Already in use in a few European countries, the system will make it to the US this fall. It is designed to detect, identify and cite drivers who break cell phone use laws.”

As usual, there are few details other than that European countries are using the same or similar systems.  The company’s website and press release [pdf] also offer little more information.  There are also several problems with such a system.

The company attaches a paint gun to mark the car, or even an EMP gun that can disable the offending cell phone.

Why is it necessary to paint the car if a citation is going to be automatically issued?  A police officer is not going to be stopping said vehicle, therefore, painting it for a police officer to see is stupid.

Who is going to be responsible for broken cell phones due to wrongly issued EMP signals?  And if you send an EMP to the cellphone, how are you going to eliminate the problem of the EMP also disabling, oh, every damned electrical signal, including the owner’s car, other people’s cell phones, other cars, etc., etc.?  Since an EMP destroys the phone, can the company assure us, 100%, that the cell phone isn’t going to blow up in the user’s face?  What about pacemakers?  An EMP is surely going to knock those out of commission.

Can this system tell the difference between regular cell phone use and hands free sets?  Will it be able to discern a driver using the phone or a passenger using the phone?  What about OnStar? Or GPS devices?

There are far too many questions without any disclosure of concise answers that make any sense to anyone.


RFID is now in nearly everything from passports to credit cards to animals.  Even some humans have voluntarily chipped themselves.  RFID is becoming so prevalent that, although the FDA approved human implants, some American States are banning the forced chipping of their residents.  Now, the American Medical Association (AMA) has stated its concern about serious privacy risks due to RFID implants.

I have cited before the implications of implanting RFID chips into humans and the dangers associated with it and part of the AMA report echoes those concerns.  For the record, the AMA isn’t overly concerned with the use of passive RFID tags, which are in use today for patients with certain medical conditions, such as strokes and seizures.  However, there are slight concerns even in these cases.

Because of privacy concerns, these RFID devices only transmit a unique identification code; that code can be matched with records to provide information such as current medication lists and past diagnostic test results. Of course, all of this only works when the patient is being treated by someone with access to appropriately stored medical records, something which is hardly guaranteed.

In their current form, RFID tags do nothing more than provide a patient identifier that can be linked to their computerized records; in effect, this shifts the security burden onto whoever maintains those records.

It is because of the lack of guaranteed privacy and security that the AMA questions the risks of RFID implants in humans.  While the AMA believes that, medically, the implants are safe, it doesn’t think that the current technology of RFID implants is safe enough to use, especially if there isn’t an informed consent from the patient.  The report also wants further monitoring before they will make a final decision.

It calls for continual monitoring of the health benefits and privacy problems with current and future devices, noting that “if objective evidence demonstrates negative consequences that outweigh the benefits in relation to health care, the medical profession will bear an important responsibility to oppose the use of RFID labeling in humans.”

In English, that means the AMA still sees it as their responsibility in case the privacy of the patient is compromised.  It also means that loss or theft of privacy will mean many lawsuits for the AMA and, therefore, they are trying to cover their collective asses over a technology that is, quite frankly, still not secure enough.  The AMA also believes that, as the technology develops, the privacy implications will be even greater.  They rightly recognize that this is a problem now and that it needs to be addressed sooner rather than later.

Although the RFID tags in current use merely connect a patient to their records, the blame still lies with those that control the databases, rather than medical professionals.  Hopefully, the AMA will continue to look at RFID human implants, see their dangers, and continually strive to keep their patients’ privacy.


Dynahand is a new password authentication program that uses your own handwriting for logging in to websites.  Dynahand would simplify logging in by having the user recognize their own handwriting, eliminating the need for remembering long passwords or biometric devices.  The system works by having the user recognize their own digits that they have previously entered.

University of Glasgow researchers are also working on graphical systems, which they say could help dyslexic children and other people who have trouble with strings of characters.

Dynahand is of benefit to older people and people with learning difficulties precisely because it eliminates the need to remember more long passwords and the transposing of numbers.  However, it still excludes the blind, people without hands, and those who never write the same way twice.

Passwords can be secure, but the problem is that people don’t use them properly, often creating the same password for multiple accounts, using weak, and hackable, passwords, and/or leaving their password taped under their keyboards.  Dynahand eliminates this by using digits, as they are harder to recognize by outsiders.  It can even be set so that you must recognize your digits several times before being able to login, creating extra sets of security.

Still, it’s not entirely secure.  An attacker might be able to match the handwriting styles from one login to the next. This is why banks are reluctant to use such a system.

Though Dynahand may not be advisable for sensitive information, such as bank accounts or health records, it sure will find favor with those wary of the computer and its passwords. The main hurdle in getting Dynahand commercial is the creation of new accounts, which is a tedious, time-consuming job, says computer scientist Karen Renaud of University of Glasgow, who worked on Dynahand.

Since banks prefer systems that are “something you are and something you know,” Dynahand could be used in conjunction with other security systems already in use.

While Dynahand may not be secure enough for sensitive information, it should be useful, and handy, for social sites.  That still doesn’t mean it’s secure.  If your account on a social site is hacked, it will be destructive to you.  Someone pretending to be you, even online, can destroy your life, online and offline.

It’s a nice idea worth keeping an eye on. However, handwriting samples are still all over the planet (at work, in the garbage, writing checks, knowing your relative’s handwriting, credit card receipts at the restaurant/supermarket), making it easy to steal a sample to study for “future use.”  For now, I’ll stick with the zillion passwords that I currently have.


Massachusetts has become the first state in the nation to require health insurance for each individual citizen of its state.  This may appear to be good for all; however, the State isn’t giving out free health insurance.  It is forcing individuals to purchase a plan from their own pockets.

Effective July 1, 2007, the law, which uses federal and state tax dollars, is aimed at making health insurance affordable to all residents of the Commonwealth of Massachusetts, including low-income populations. Those who fall below the federal poverty line may be eligible for health care at no cost. A Health Disparities Council has been created to monitor and reduce racial and ethnic health disparities.

State income tax laws will be used to check and see if health insurance was purchased.  If it was not, there will be penalties.  Employers are also subject to being forced to offer health insurance to their employees.

This new law essentially requires the residents of Massachusetts to purchase health insurance, whether they want it or not, from a company that has its own bottom line to take care of, not necessarily the coverage and benefits of the individual.

Massachusetts has not fixed its problem of the uninsured.  All they have done is make it illegal to not be insured.  What Massachusetts has done is declare that lower income people will pay large premiums or leave the state.  Many will be levied huge fines because they can’t afford the premiums.  A vicious circle will begin, eventually hitting the middle class because they, too, will be forced to purchase insurance that will, most likely, deny their claims for numerous reasons, including pre-existing conditions.

Massachusetts is ignoring the fact that the reason most people don’t have insurance is that they cannot afford it.  These same people are also denied Medicaid/Medicare because they make too much money.  The state of Massachusetts also gets to decide if you get free health care.

A committee has been put into place to find ways to lower costs, but that won’t be implemented until 2008, at the earliest.

This is not subsidized or socialized health care.  It is a cash cow for insurance companies who operate in Massachusetts.  Just when you thought the health care system in America couldn’t get any worse, Massachusetts laughs and throws this crap legislation into the fray.

There are too many questions left unresolved (who pays for those who can’t pay, what about the chronically ill, etc.) that aren’t covered in the new law.  The poor will, supposedly, be taken care of, but those that need the most help, the sick, are overlooked yet again.


Contactless payments have been popping up with more frequency over the past year.  There are commercials encouraging people to use them instead of cash, many focusing on how fast and easy they are to use.  One particular commercial implies that you’re not part of the “in-crowd” if you’re using cash, but are they really secure?

While Visa and Mastercard assure us that they are secure, fears still arise from worries that the wireless systems aren’t secure enough for the planned massive expansion of the systems in the United States.

Concerns over the security of contactless systems were heightened last week by a Federal Reserve decision that will allow for even more casual, low-cost purchases to be made across the country. In recent years, credit card companies have waived their signature requirements for so-called “small ticket” items in order to get a slice of the action. Visa, for instance, doesn’t require your signature for purchases at or below $25.

The Federal Reserve sets rules for receipts, and last week the Feds said that purchases of $15 or less don’t even require a receipt now, let alone a signature. The rule change will usher in a wave of vending machines and other automated payment systems, and many of them will support wireless, contactless payments.

The convenience factor is definitely there for the consumer, but the consumer is still responsible for fraudulent purchases on their cards, no matter how small.  Now, with no receipt or signature, there will be more burdens placed upon the consumer to prove it was not them that made the purchase.

Infoworld reports that the topic was debated at a meeting of the Boston Federal Reserve last May, with representatives from both security firms and major backers of the new payment system on hand. Security researchers independent from credit card companies are sounding alarms, while the credit card companies themselves believe that they have the right balance of security and functionality.

Herein lies the catch.  Credit card companies believe they have found a solution but researchers believe that there are still major problems to be sorted out before the contactless system is rolled out nationwide.  I have written before about how easy it is to copy or clone information transmitted via RFID.  These new systems are even more vulnerable [pdf].

According to the work of security researcher and University of Massachusetts professor Kevin Fu, a number of RF cards in use today transmit credit card account numbers “in the clear” without any encryption. He suggests that the solutions could be far more robust and that it should be an open system that security researchers can examine for flaws.

Talks between credit card companies and security researchers are ongoing, but, with such a wide gap between the two, it is going to be a while before a good, workable solution is found.  For now, consumers will continue to test these systems in the wild, not knowing that they are the guinea pigs for an untested and unproven technology that puts their privacy at risk.
