Re: [Dataloss] Details on AOL search log disclosure
On Aug 8, 2006, at 5:54 PM, security curmudgeon wrote:
>
> : Now that we all have the list -- how ethical are we being by using it,
> : for whatever purposes?
> :
> : Which ethical guidelines apply in this circumstance?
> :
> : (would type more but sliced hand open on a hard drive last night)
>
> Hopefully more will pipe up on this issue, especially any lawyers
> lurking around.
>
> There are a couple of issues that I see here. First, having the list in
> general can be debated. If I have such a list, is it unethical? It depends
> on how I obtained it really.
Disagree. Principles can relate to possession or usage. Now, what
school of ethics are you? (^_^) I feel a massive online debate about
to start...
> If I hack a server or trick a person into giving it to me, no. If I get
> it from a popular torrent site and thousands of people are reading through
> it as I download it, I'd say no. Just possessing it in that circumstance
> isn't necessarily unethical but again, what am I doing with it?
It's about principles, which can relate to possession, if
appropriate. Since this is not data about you but others (I'm
assuming you don't use AOL (^_^)), ethics should apply even with
possession. In my school of ethics, I see something as being ethical
if it benefits, without harm, society, myself, and those impacted by
what's in question, without going against my principles. We could debate
ad nauseam what principles are at play here, so let's not.
So, for me, I would ask myself if it does benefit, without harm,
society, myself, and the people who are within the data set for me to
gather, analyze, or report on that information, without violating my
principles. At a minimum, is there a benefit? Sure. A reasonable
person can state that privacy is for the good of society and examples
can be made from this dataset that show an absence of privacy since
it was leaked. One could conclude that no agency should ever get a
massive amount of data without all parties being informed, since
privacy would be violated. And, with this, one can point to the AT&T
vs. EFF case and shake a finger at the gov't. Has that been done
already? Yes, many parties have reported on the ease of figuring out
private information and individuals [1]. So, what other benefit are
you going to provide to society or the person within the dataset? If
you're snickering while you look at the data, it's probably unethical
(^_^)
Since most people on this list, I'll assume, are in the information
security biz, we are often custodians of other people's data (OPD, ya
you know me). The same ethics code should apply here, too.
[1] http://news.google.com/?ncl=http://computerworld.com/blogs/node/3191&hl=en
> Another key point to think about when debating the "possession of such a
> list" angle, is if the victim knows about the disclosure. In the case of
> the AOL list, they know it was leaked out so I don't see myself (or anyone
> on this list) having an obligation to report it to them. If I was under the
> impression that AOL wasn't aware, it would be an ethical duty to report it
> to them or law enforcement.
Could it be of benefit? Reasonably speaking, mass media has probably
a larger impact than an individual's announcement at this point, so
there's probably no real benefit.
> Moving on from that issue, once we have the list and resolve any ethical
> dilemma in possession.. what are we doing with it? Anyone doing analysis
> on the content of the list attempting to determine the extent of
> disclosure, I don't see a problem with that. Obviously if you are browsing
> it looking for sensitive information to use in a crime or questionable
> activity, sure it crosses the boundary of ethical use.
See my short dissertation above (^_^)
Cheers,
Jon
_______________________________________________
Dataloss Mailing List (dataloss attrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 296 incidents over 6 years.
[Dataloss] Washington - Madrona patients may face ID theft
Courtesy pogowasright.org
http://news.bellinghamherald.com/apps/pbcs.dll/article?AID=/20060811/NEWS09/608110341
Madrona Medical Group is asking thousands of patients to watch their
credit reports after a former employee was charged with illegally
downloading patient files onto his personal laptop computer.
Madrona officials don't believe the files were copied or used for identity
theft, but they sent letters this week to more than 6,000 patients anyway,
asking them to take steps to make sure no one uses the information
illegally.
The records include patients' names, addresses, Social Security numbers
and dates of birth.
"There is no evidence that this individual actually transferred
information to any other source," said Dr. Erick Laine, CEO of Madrona
Medical Group, a large multispecialty practice in Bellingham. But Madrona
officials are required by law to let patients know of the security breach,
he said.
[...]
[Dataloss] Will AOL Goof Trigger New U.S. Law?
Courtesy Richard Forno and Infowarrior (infowarrior.org)
Will AOL Goof Trigger New U.S. Law? By Frederick Lane
August 10, 2006 11:04AM
http://www.sci-tech-today.com/story.xhtml?story_id=02300000MCAG
The bill would require Internet companies to destroy obsolete electronic
data, and particularly data that could be used to individually identify
consumers. The bill would also instruct the Federal Trade Commission to set
up standards for the maintenance and destruction of data, and enforce the
provisions of the law.
The news that AOL released the search histories of 658,000 of its users is
renewing calls for federal legislation to protect consumer privacy online.
In the wake of the disclosure, Representative Edward Markey (D-Mass.) urged
his colleagues to take action on privacy legislation he proposed in February
of this year.
"Technology is the engine which will drive our economy into the next
century, but the success of this technology balances on the public trust,"
Markey said. "If 2005 was the year of the data breach, I want to make sure
that 2006 is the year of safeguarding the privacy of American citizens by
introducing legislation to prevent the stockpiling of private citizens
personal data."
[...]
[Dataloss] Veterans Affairs to protect data on laptops
Courtesy Richard Forno and infowarrior.org:
By Anne Broache
http://news.com.com/Veterans+Affairs+to+protect+data+on+laptops/2100-1029_3-6105477.html
Story last modified Mon Aug 14 14:54:16 PDT 2006
One week after news that another computer from the U.S. Department of
Veterans Affairs had gone missing, the agency announced plans to beef up
safeguards on all of its machines.
In the next week, the agency plans to begin installing data encryption
software on its laptop and desktop machines, VA Secretary R. James Nicholson
said Monday. Data on portable media such as flash drives and CDs will also
be protected.
"A system-wide encryption program will be a tremendous step forward in
improving the safety and security of sensitive veteran information,"
Nicholson said in a statement.
The planned upgrade is the agency's latest effort to step up vigilance over
its computer systems, after the high-profile theft of a laptop and an
external hard drive that housed sensitive information on more than 26
million veterans and active military personnel. The equipment was stolen
from the Maryland home of a Veterans Affairs Department employee in early
May and was ultimately recovered in June--but not before an uproar ensued
among politicians and other watchdogs.
Police arrested two teenagers in connection with the incident last week.
Days later, the agency said it was investigating reports of a new
theft--this time of a desktop machine from the Reston, Va., offices of
Unisys, a subcontractor hired to assist with insurance collections for
Department of Veterans Affairs medical centers in Pennsylvania. The agency
estimated that the computer contained information on about 38,000
veterans--2,000 of whom were deceased.
The Department of Veterans Affairs' laptop computers will be the first to
receive the new encryption software. They will be given products made by
GuardianEdge and Trust Digital, which market themselves as mobile security
specialists. The agency said it awarded a $3.7 million contract last week to
SMS, a Syracuse, N.Y.-based company owned by a "service-disabled" veteran,
to carry out the upgrade.
Final testing of the products is currently under way, and installation is
set to begin on Aug. 18. The agency hopes to have 100 percent of its laptops
covered within four weeks of that date, with desktop machines to follow.
_______________________________________________
Dataloss Mailing List (dataloss attrition.org)
http://attrition.org/dataloss
Tracking more than 142 million compromised records in 301 incidents over 6 years.
[Dataloss] Second laptop from DOT in Miami is also missing
http://www.miami.com/mld/miamiherald/15274879.htm
Posted on Tue, Aug. 15, 2006
The U.S. Department of Transportation inspector general's office is
hunting for not one, but two missing laptops from Miami that disappeared
in the past three months, The Miami Herald learned Monday.
Last week, authorities confirmed that a Miami-based agent with the
inspector general's office lost a laptop filled with the unencrypted
personal information of 133,000 Floridians -- the latest in a string of
embarrassing data breaches by federal agencies.
In late April, one of the agent's bosses reported her laptop stolen from
an Orlando hotel where she was organizing a national transportation fraud
conference.
Barbara L. Barnet, special agent-in-charge of the DOT inspector general's
Miami office, told an Orange County sheriff's investigator that her
missing Dell laptop contained "several case files which are not encrypted
due to computer conversions at work."
Barnet said she left the laptop inside a locked conference room at the
Orlando Wyndham Resort for approximately 45 minutes on April 24. When she
returned, the door to the conference room was open, a hotel employee was
inside and the computer was gone.
[...]
[Dataloss] U of KY computer security oops