Rina Steenkamp - Privacy and technology
[Free speech is only as strong as the weakest link | W3C announces first draft of standard for online privacy | Hacking away at the truth - Alan Rusbridger's Orwell lecture | Cyber war will not take place | Privacy and security in the implementation of health information technology (electronic health records) - U.S. and EU compared | 2011 Global Information Security Survey | Text-based CAPTCHA strengths and weaknesses | Why Johnny can't opt out - a usability evaluation of tools to limit online behavioral advertising | Social engineering capture the flag results - Defcon 19 | Why parents help their children lie to Facebook about age - Unintended consequences of the [COPPA] | The Socialbot Network - when bots socialize for fame and money | The role of government in commercial cybersecurity | Orwell's armchair | The law enforcement surveillance reporting gap | Symantec Intelligence Report - October 2011 | Europe versus Facebook]
A web publication by EFF.
From the linked page:
"Speech on the Internet requires a series of intermediaries to reach its audience. Each intermediary is vulnerable to some degree to pressure from those who want to silence the speaker. Even though the Internet is decentralized and distributed, "weak links" in this chain can operate as choke points to accomplish widespread censorship. The Internet has delivered on its promise of low-cost, distributed, and potentially anonymous speech. Reporters file reports instantly, citizens tweet their insights from the ground, bloggers publish to millions for free, and revolutions are organized on social networks. But the same systems that make all of this possible are dangerously vulnerable to chokeholds that are just as cheap, efficient, and effective, and that are growing in popularity. To protect the vibrant ecosystem of the Internet, it's crucial to understand how weaknesses in the chain of intermediaries between you and your audience can threaten speech."
EFF: Free speech is only as strong as the weakest link
EFF: Free speech is only as strong as the weakest link [blog post]
Draft documents by W3C.
From the press release:
"To address rising concerns about privacy on the Web, W3C publishes today [14 November 2011] two first drafts for standards that allow users to express preferences about online tracking [...] These documents are the early work of a broad set of stakeholders in the W3C Tracking Protection Working Group, including browser vendors, content providers, advertisers, search engines, and experts in policy, privacy, and consumer protection. W3C invites review of these early drafts, which are starting points of work to come. W3C expects them to become standards by mid-2012."
W3C: W3C announces first draft of standard for online privacy (press release with links to the documents)
W3C: Tracking preference expression (DNT)
W3C: Tracking compliance and scope
The Register: 'Do not track' standard edges towards daylight
Wired Epicenter: W3C privacy workgroup issues first draft of Do Not Track standard
Tweakers.net: W3C sketches outlines for privacy standards
Out-law.com: Web standards body proposes universal 'do not track' system
Inside Privacy: Web-standards group releases draft "do-not-track" mechanism
FPF: W3C work group releases "Do Not Track" draft documents
Full text of the Guardian editor's Orwell lecture on journalism and the phone hacking scandal.
From the text:
"The phone-hacking saga tells us things about privacy, as well. Firstly, it shows us that, in the wrong hands, there is sometimes a fine line between the exposure of private lives and blackmail. In several recent cases involving privacy injunctions the judges have actually used the word 'blackmail' about material being hawked around Fleet Street and its agents. They're not describing a literal criminal offence which the police should investigate. They're describing a trade-off between money for secrets, and/or money for silence of the sort that is familiar from blackmail cases. [...] Secondly, it teaches us how sickened people feel when their privacy is invaded. 'Violated' was the word used by the former Sun editor, Kelvin MacKenzie, when he looked at the pages which showed how his own phone messages had been intercepted. If you speak to other victims of the hacking they will tell you how deeply repulsive it was to think of a stranger listening into private communications with loved ones or family. [...] What else did we learn from the phone-hacking saga? Well, talking of rules and codes, we discovered that the thing that we call 'self-regulation' in the press is no such thing."
The Guardian: Hacking away at the truth - Alan Rusbridger's Orwell lecture
An article by Thomas Rid.
From the Abstract:
"For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does not take place in the present, and that it is unlikely that cyber war will occur in the future."
Thomas Rid: Cyber war will not take place
Schneier on Security: Journal article on cyberwar
An article by Janine Hiller, Matthew S. McMullen, Wade M. Chumney and David L. Baumer.
From the Abstract:
"The importance of the adoption of Electronic Health Records (EHRs) and the associated cost savings cannot be ignored as an element in the changing delivery of health care. However, the potential cost savings predicted in the use of EHR are accompanied by potential risks, either technical or legal, to privacy and security. The U.S. legal framework for healthcare privacy is a combination of constitutional, statutory, and regulatory law at the federal and state levels. In contrast, it is generally believed that EU protection of privacy, including personally identifiable medical information, is more comprehensive than that of U.S. privacy laws. Direct comparisons of U.S. and EU medical privacy laws can be made with reference to the five Fair Information Practices Principles (FIPs) adopted by the Federal Trade Commission and other international bodies. The analysis reveals that while the federal response to the privacy of health records in the U.S. seems to be a gain over conflicting state law, in contrast to EU law, U.S. patients currently have little choice in the electronic recording of sensitive medical information if they want to be treated, and minimal control over the sharing of that information. A combination of technical and legal improvements in EHRs could make the loss of privacy associated with EHRs de minimis. The EU has come closer to this position, encouraging the adoption of EHRs and confirming the application of privacy protections at the same time."
Janine Hiller, Matthew S. McMullen, Wade M. Chumney and David L. Baumer: Privacy and security in the implementation of health information technology (electronic health records) - U.S. and EU compared (PDF)
Privacy Lives: BU Law Journal - Privacy and security in implementation of health information technology
A report by Ernst & Young.
From 'Into the cloud, out of the fog':
"According to our survey, 59% of respondents plan to increase their information security budgets in the next 12 months; however, indications suggest that the money might not be spent as wisely as it should be, and fewer than half (49%) of respondents stated that their information security function is meeting the needs of the organization."
Ernst & Young: 2011 Global Information Security Survey
Accountant.nl: Security risks not a priority with new technology and media
DarkReading: Security still an afterthought, study says
A report by Elie Bursztein, Matthieu Martin, and John C. Mitchell.
Abstract:
"We carry out a systematic study of existing visual CAPTCHAs based on distorted characters that are augmented with anti-segmentation techniques. Applying a systematic evaluation methodology to 15 current CAPTCHA schemes from popular web sites, we find that 13 are vulnerable to automated attacks. Based on this evaluation, we identify a series of recommendations for CAPTCHA designers and attackers, and possible future directions for producing more reliable human/computer distinguishers."
Elie Bursztein, Matthieu Martin, and John C. Mitchell: Text-based CAPTCHA strengths and weaknesses (PDF)
The Register: Report - popular CAPTCHAs easily defeated
Security.nl: Popular CAPTCHAs easy to crack
Tweakers.net: Researchers crack the CAPTCHAs of major sites
A report by Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang.
From the abstract:
"We tested nine tools, including tools that block access to advertising websites, tools that set cookies indicating a user’s preference to opt out of [online behavioral advertising (OBA)], and privacy tools that are built directly into web browsers. We interviewed participants about OBA, observed their behavior as they installed and used a privacy tool, and recorded their perceptions and attitudes about that tool. We found serious usability flaws in all nine tools we examined."
Pedro G. Leon, Blase Ur, Rebecca Balebako, Lorrie Faith Cranor, Richard Shay, and Yang Wang: Why Johnny can't opt out - a usability evaluation of tools to limit online behavioral advertising (PDF)
Carnegie Mellon University: Technical reports - CMU-CyLab-11-017
Naked Security: Research finds that privacy tools don't work
The Register: Boffins - punters can't get a grip on online privacy tools
MediaPost: Consumers don't understand opt-out tools
Security.nl: "Consumers don't understand privacy tools"
Future of Privacy: Research released on usability of internet privacy tools
A report by Social-Engineer.org.
From the executive summary:
"In approaching the organization of this second year, we wanted to attempt to answer some questions that we were left with after Defcon 18’s SE Capture the Flag event. The first question being, is there any difference between two companies in the same industry regarding defenses against social engineering attacks? Second, what techniques were effective in eliciting information from companies and why? Finally, what defenses were effective in preventing the leakage of information from companies in the course of the contest?"
Social-Engineer.org: Social engineering capture the flag results - Defcon 19 (PDF)
Tweakers.net: Large American companies susceptible to social engineering
DarkReading: Major companies 'fail' social engineering test
A report by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey.
From the abstract:
"In this paper, we provide survey data that show that many parents know that their underage children are on Facebook in violation of the site’s restrictions and that they are often complicit in helping their children join the site. Our data suggest that, by creating a context in which companies choose to restrict access to children, COPPA inadvertently undermines parents’ ability to make choices and protect their children’s data."
danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey: Why parents help their children lie to Facebook about age - Unintended consequences of the [COPPA]
danah boyd apophenia: Why parents help children violate Facebook's 13+ rule
Techmeme
MediaPost: Report - COPPA turns parents into scofflaws
TLF: New study on the unintended consequences of COPPA
An article by Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu.
From the abstract:
"In this paper, we evaluate how vulnerable [Online Social Networks (OSNs)] are to a large-scale infiltration by socialbots: computer programs that control OSN accounts and mimic real users. We adopt a traditional web-based botnet design and built a Socialbot Network (SbN): a group of adaptive socialbots that are orchestrated in a command-and-control fashion. We operated such an SbN on Facebook, a 750 million user OSN, for about 8 weeks. We collected data related to users' behavior in response to a large-scale infiltration where socialbots were used to connect to a large number of Facebook users."
Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu: The Socialbot Network - when bots socialize for fame and money (PDF)
Ars Technica: One in five willing to make Facebook friends with complete strangers
BBC News: Socialbots used by researchers to 'steal' Facebook data
AG: Facebook data easy to steal
WebWereld: Bots harvest 250 GB of personal Facebook data
Naked Security: Socialbot Network finds it easy to harvest data from Facebook users
More at... [11/11/13 (NL/01)]
A paper by Christopher Wolf.
From the Abstract:
"Privacy consists of two components: (1) conforming one’s collection, use, and sharing of personal data to existing laws and norms, and (2) securing the data against unauthorized access and use. Even with the best of intentions as to the treatment of personal data, there can be no privacy where there is no data security. With the interconnected Internet, cybersecurity is a critical component of privacy. Given the dramatic increase in cybersecurity incidents, including Advanced Persistent Threats, some look to government to take control of the cybersecurity problem. In the United States, there is recognition of both the legal restrictions on the government “taking charge” of the flow of information through network access, monitoring, and/or control, as well as the limitations of government technical capabilities. As a result, US cybersecurity policy is collaborative, with the government working with industry to develop flexible standards rather than prescribing complex regulations."
Christopher Wolf: The role of government in commercial cybersecurity (PDF)
HL: Role of government in cybersecurity addressed by Chris Wolf at Geneva ITU meeting
A paper by Derek E. Bambauer.
From the Abstract:
"America has begun to censor the Internet. Defying conventional scholarly wisdom that Supreme Court precedent bars Internet censorship, federal and state governments are increasingly using indirect methods to engage in 'soft' blocking of on-line material. This Article assesses these methods and makes a controversial claim: hard censorship, such as the PROTECT IP Act, is normatively preferable to indirect restrictions."
Derek E. Bambauer: Orwell's armchair (SSRN)
Concurring Opinions: Censoring the internet
An article by Christopher Soghoian.
From the Abstract:
"Third party facilitated surveillance has become a routine tool for law enforcement agencies. There are likely hundreds of thousands of such requests per year. Unfortunately there are few detailed statistics documenting the use of many modern surveillance methods. As such, the true scale of law enforcement surveillance, although widespread, remains largely shielded from public view. [...] The existing surveillance statistics might be sufficient if law enforcement agencies’ surveillance activities were limited to wiretaps and pen registers. However, over the last decade, law enforcement agencies have enthusiastically embraced many new sources of investigative and surveillance data for which there are no mandatory reporting requirements. As a result, most modern surveillance now takes place entirely off the books and the true scale of such activities, which vastly outnumber traditional wiretaps and pen registers, remains unknown. In this article, I examine the existing electronic surveillance reporting requirements and the reports that have been created as a result. Some of these have been released to the public, but many have only come to light as a result of Freedom of Information Act requests or leaks by government insiders. I also examine several law enforcement surveillance methods for which there are no existing legally mandated surveillance reports. Finally, I propose specific legislative reporting requirements in order to enable some reasonable degree of oversight and transparency over all forms of law enforcement electronic surveillance."
Christopher Soghoian: The law enforcement surveillance reporting gap (SSRN)
Google: Transparency report
Techdirt: Google reveals 70% increase in requests for content removal; including law enforcement wanting to hide police brutality
The Register: US gov requests for Google user data grow 29%
Security.nl: Government asks Google for data 64 times
CNet: Google - governments seek more about you than ever
A report by Symantec.
From the Introduction:
"With the advent of social networking we have all become accustomed to using URL shortening services in our online lives, and as their use by cyber criminals has increased, Symantec Intelligence has also tracked how these legitimate services have been used in different ways for malicious purposes in the dissemination of malware and spam over the past few years. Following on from the preceding advance in May 2011, when spammers appeared to have established their own shortening services, albeit a Web site that would redirect visitors to the same spam Web site. On that occasion there was no actual shortening service in use; it was a simple redirection that gave the appearance of a shortened URL. However, for the first time, Symantec Intelligence has identified that spammers have now established a genuine URL shortening service that is publicly available and will generate real shortened links. These have so far only been found in spam emails."
Symantec: Symantec Intelligence Report - October 2011 (PDF)
Symantec: Intelligence reports
DarkReading: Symantec discovers spammers leaving their own URL-shortening services open to the public
A website created by Max Schrems.
From Objectives of "europe-v-facebook":
"It is almost impossible for the user to really know what happens to his or her personal data when using facebook. For example “removed” content is not really deleted by facebook and it is often unclear what facebook exactly does with our data. Users have to deal with vague and contradictory privacy policies and cannot fully estimate the consequences of using facebook. A company that constantly asks its customers to be as transparent as possible should be equally transparent when it comes to the use of its customers' personal data. Transparency is not only a question of fairness but it is also a principle of European data protection law. It is time that the biggest social network worldwide sticks to these legal principles."
Europe versus Facebook
BoF: Twenty-two complaints after gaining access to data held on Facebook
SOLV: Europeans vs Facebook - Austrian student fights for privacy
More at... [11/11/06 (NL/01)]