Month: September 2012

  • Secretly Installed Software on Rented Computers Collected Information, Took Pictures of Consumers in Their Homes, Tracked Consumers’ Locations

    Here’s an interesting story, public action, and settlement about a company secretly spying on users through their rental computers. From: http://www.ftc.gov/opa/2012/09/designware.shtm

    “Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.

    The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge, according to the FTC complaint. The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers.”

  • New GAO report on medical device security

    In response to congressional requests, the GAO produced a new report on medical device security (http://www.gao.gov/assets/650/647767.pdf). Unlike agencies such as NIST, the GAO provided a number of specific recommendations for the FDA (apparently the oversight of medical device security falls to the FDA). And by “specific” I mean very general, almost cliché recommendations:

    1) The FDA should increase its focus on manufacturers’ identification of potential unintentional and intentional computer security threats and vulnerabilities and strategies to mitigate these risks during its pre-market approval review process;
    2) Utilize available resources, including those from other entities, such as other federal agencies;
    3) Leverage its post-market efforts to identify and investigate information security problems; and
    4) Establish a specific schedule for completing this review and implementing these changes.

    I really have no idea what any of that is really supposed to do. However, despite that, the GAO report is extensive in its detail and description of medical threats and risks.

  • Do Fair Information Practices (FIPs) really create better outcomes?

    http://www.markleweeklydigest.org/2012/09/eu-and-us-eye-privacy-in-parallel.html

    The article linked above adds to the comparative discussion between EU and US privacy regimes. In every conversation I can recall, Americans consider both the European and Canadian models of FIPs and Privacy by Design to be much superior to the sectoral approach here in the US. And on their face, I think this makes a lot of sense: keep the focus on the use, collection, and storage of *all forms* of personal data, rather than trying to chase down, and apply rules governing, singular instances of data abuse (e.g. mobile device IDs, GPS location, drone surveillance, etc.).

    During a conversation the other day with a colleague, we wondered: is there actually any evidence to support the claim that the European model leads to better consumer or industry outcomes? This isn’t meant to be a normative question, but an empirical one. Are there fewer cases of medical identity theft in Europe? Are there fewer privacy intrusions? Is there less cyberstalking, tax or government fraud, or forged identification documents? Is there any evidence at all that FIPs create better outcomes?

    One paper I can think of compares the effect of US and EU privacy regimes on consumer credit and debt (http://userpage.fu-berlin.de/~jentzsch/eu-vs-us.pdf). The paper finds that the EU has stronger data protection and credit reporting laws (i.e. allows less information exchange), but also less consumer debt than the US. In addition, the US, having a weaker privacy regime (i.e. allowing more information flow), has fewer national credit bureaus, and US consumers enjoy broad access to credit (which we may feel is good) — but they also suffer from more consumer debt (which we may feel is bad). While it would be unfair to characterize this as a causal model, what might be a possible explanation? Perhaps that weaker privacy regimes lead to cheaper credit, but induce more consumer debt. So on net, is this good or bad?

    Of course, this is just one paper. I’d love to hear of any other empirical work on this topic.