Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Browsing Posts published in September, 2008

More TSA Fun


In case you missed all the new information coming from the TSA and those fun guys in the government, here’s the latest news.

Airline passengers on the government’s no-fly list can sue the government to get their names removed, according to a federal appeals court ruling Monday that swept aside complicated judicial rules that insulated the government from lawsuits over the sprawling list of suspected terrorists.

This is the best news, but it’s also time-consuming.  Look for the court system to take forever on this one.

The TSA, which maintains the list of who can and can’t fly, added 16,500 people to the list because they forgot their IDs.  After some public harassment, they reconsidered their position.

The TSA began storing the information in late June, tracking many people who said they had forgotten their driver’s license or passport at home. The database has 16,500 records of such people and is open to law enforcement agencies, according to the TSA.

Asked about the program, TSA chief Kip Hawley told USA TODAY in an interview Tuesday that the information helps track potential terrorists who may be “probing the system” by trying to get through checkpoints at various airports.

Later Tuesday, Hawley called the newspaper to say the agency is changing its policy effective today and will stop keeping records of people who don’t have ID if a screener can determine their identity. Hawley said he had been considering the change for a month. The names of people who did not have identification will soon be expunged, he said.

No word, though, on how soon “soon” will be.

A 7-year-old Minnesota boy has been on the terror watch list since he was 2.  His parents are still struggling to get his name off the list.

An 8-year-old is also on the list.  He doesn’t know if he’s a terrorist or not though.

A commercial pilot is also on the list and has been given two weeks to get himself off the list or he’ll lose his job.

This pilot is authorized by the TSA to carry a gun on a plane, but it doesn’t keep him from losing his job either if he can’t get off the list soon.  Apparently, there are too many James Robinsons in the world and they are a danger to us.  Fortunately, a smart mother has gotten around this pesky name thing.

Denise Robinson says she tells the skycaps her son is on the list, tips heavily and is given boarding passes. And booking her son as “J. Pierce Robinson” also has let the family bypass the watch list hassle.

Capt. James Robinson said he has learned that “Jim Robinson” and “J.K. Robinson” are not on the list.


Starting in October, the FBI will be allowed to conduct warrantless searches on American citizens who aren’t suspected of any crimes.  This power has a long history of abuse, most notably on Martin Luther King Jr.

“Several senators have formally complained that citizens could be investigated ‘without any basis for suspicion,’ which the Justice Department denies.”

“Given the importance of these guidelines, providing a period of time for public comment would be a reasonable and responsible way to move forward and achieve the best possible end result,” the Democrats wrote.

The politicians should have seen this coming after capitulating on FISA.  This administration has displayed, time and again, that it will stop at nothing when it comes to collecting data on its own citizens.  Then again, Congress has allowed the White House to wipe its ass with the 4th amendment so many times that it can’t be read anymore.  The White House takes this to mean that it’s been wiped clean and the 4th amendment no longer exists.

Because they can’t seem to remember what the 4th amendment really says, I’ve taken the liberty of posting it below.  That way, they might be able to understand why this new FBI power is highly illegal.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

As Bruce Schneier said:

We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.


After losing data on more than 25 million child benefit claimants last year, one would think that the British government would set and enforce regulations for the transportation of important, private data.  Instead of getting better at security, the British government appears to have gotten worse.  This time, it has been disclosed that they have lost data on 4 million people over the last year.

The memory stick contained un-encrypted details about 10,000 prolific offenders as well as names, dates of births and some release date of all 84,000 prisoners in England and Wales – and 33,000 records from the police national computer.

Earlier this week, the Ministry of Justice admitted it had lost 45,000 people’s details throughout the year, on laptops, external security devices and paper, and that 30,000 of them had not been notified.

Before that, the Home Office announced it had lost the data of 3,000 seasonal agricultural workers on two unencrypted CDs.

In May, the Department for Transport lost the data of three million learner drivers. Other data losses occurred at the Foreign Office, which lost 190 people’s data in five incidents.

In January, the Ministry of Defence said it had lost a laptop containing the details of 620,000 recruits and potential recruits, and some information on 450,000 referees for job applicants.

In March the UK government revealed over 11,000 military ID cards have been lost or stolen in the last two years, while the UK Home Office launched an investigation in February after a buyer acquired a laptop on eBay that contained a disc with confidential information.

As the government spends £12.7 billion (US$25.4) putting NHS patient health records onto a central computer, there have been a string of data losses from NHS hospitals. In June, two NHS trusts lost unencrypted laptops containing 31,000 patient records. In May, 38,000 patient records on tape were lost after being posted by the Isle of Wight Primary Care Trust.

After all this, there has been yet another security breach.  This time, it was a USB stick containing data on 84,000 prisoners.

The memory stick contained unencrypted information from the electronic system for monitoring offenders through the criminal justice system, including information about 10,000 of the most persistent offenders.

For the love of God, why can’t anyone encrypt information?  It’s not that difficult to do, yet the government keeps insisting on keeping highly personal information readily available to anyone who can get a hold of a USB stick.

Smith said PA Consulting had broken the terms of its contract in downloading the highly sensitive data. She said: “It runs against the rules set down both for the holding of government data and set down by the external contractor and certainly set down in the contract that we had with the external contractor.”

How about you actually start enforcing these rules and stop using companies that can’t, or won’t, comply?  They breached a contract.  Cancel the contract, prosecute those responsible, and get someone who can do the job instead of constantly allowing these companies to walk away from the incident.

Do the people in the UK know and understand that these are the same types of people who are going to be running the national ID scheme?  Do they really want their private information bandied about so carelessly?


Best Western has lost the details on every single customer it has had in Europe over the past 12 months.  8 million customers have now had their private details exposed in one of the largest security breaches ever in Europe.

A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defences of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia.

It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007.

Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment.

Because the compromised information included future bookings, the gang now has the capacity to sift through the data and sell “burglary packs”, giving the home addresses of local victims and the dates on which they are expected to be away from their home.

While this is damaging news, Best Western’s CEO made a comment on the Sunday Herald story and is claiming that the theft isn’t as big as first reported.

You may be aware on Sunday 24th August the Scottish Herald printed a story claiming a hacker had gained access to Best Western guest information. This story is grossly unsubstantiated!

After a detailed investigation we can confirm that on 21st August a single hotel in Germany was compromised by a virus. The compromise permitted access to reservations data for that property only. This has affected only ten customers who are currently being contacted to offer our assistance, none of these were GB customers. There is no evidence of any unauthorized access to any other customer data. Most importantly Best Western purges all reservations data within seven days of guest departure.

We are working with the FBI and other international authorities to investigate further.

So, they think it was only one hotel, but they are still investigating.  If they were sure it was one hotel and ten customers, there would be no need for further investigation.  Just because there is no evidence of unauthorized action doesn’t mean that it didn’t happen, nor does it mean that authorized action didn’t happen.

Debate and analysis are ongoing; however, regardless of whether it was 10 customers or 8 million, this is still a serious security breach.  It is also curious how a reporter was able to obtain a screenshot of data going back nearly a year when Best Western claims that it only keeps such records for seven days after guest departure.

A trojan is difficult to detect and can easily hide within a system.  It disguises itself as something innocuous and continues to steal little bits of information until detected and purged.  If one account or system is infected, it is likely that many more are too.


Siemens has developed a multi-purpose surveillance system that can scan and integrate different types of automated data, including telephone calls, email, Internet activity, bank transactions, and insurance records.  The system uses advanced pattern recognition to detect unusual activity and important data.

According to a document obtained by New Scientist, the system integrates tasks typically done by separate surveillance teams or machines, pooling data from sources such as telephone calls, email and internet activity, bank transactions and insurance records. It then sorts through this mountain of information using software that Siemens dubs “intelligence modules”.

This software is trained on a large number of sample documents to pick out items such as names, phone numbers and places from generic text. This means it can spot names or numbers that crop up alongside anyone already of interest to the authorities, and then catalogue any documents that contain such associates.

Once a person is being monitored, pattern-recognition software first identifies their typical behaviour, such as repeated calls to certain numbers over a period of a few months. The software can then identify any deviations from the norm and flag up unusual activities, such as transactions with a foreign bank, or contact with someone who is also under surveillance, so that analysts can take a closer look.

“This data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time.”

However, it is far from clear whether the technology will prove accurate. Security experts warn that data-fusion technologies tend to produce a huge number of false positives, flagging up perfectly innocent people as suspicious.

So, it’s been sold to more than 60 countries, yet no one knows how accurate it is going to be.  We already know that more surveillance doesn’t equal more security, but these governments appear more than ready to purchase systems to collect data on all their citizens, regardless of its usefulness.  Given Siemens’ recent track record, is it such a wonder that they created this system?

This system is not designed for catching terrorists.  It’s designed to collect data on the largest swath of people possible.  The data can then be manipulated however it wants to be.  All it takes is for that one day you change your routine and the gestapo, er, police will be coming ’round for a visit.
