Blog

  • Texas HS Student Fighting Suspension for Refusing to Wear RFID Nametag

Here’s a story below from SANS NewsBites Vol. 14 Num. 94. A high school in Texas is RFID-tagging students as a means of securing funding. In addition to the unexpected use of this technology, what I find most interesting about the story is that because it’s a public school, the issue potentially becomes a Constitutional violation. Were it a private school (or company), the matter would be much more restricted in its scope, but because it’s a state-run agency, the issue becomes much more complex.

    “Texas HS Student Fighting Suspension for Refusing to Wear RFID Nametag (November 21 & 23, 2012) A Texas high school student has been suspended for refusing to wear an RFID badge. The Northside Independent School District’s John Jay High School’s Science and Engineering Academy in San Antonio implemented the RFID program to increase state funding. Schools in Texas receive funding based on student attendance; the tags can be used to determine that students are present at the school even if they are not in class. A Texas judge has issued a temporary injunction blocking the girl’s suspension pending a hearing scheduled for this week. Student Andrea Hernandez and her parents say that requiring her to wear the tag is a violation of her First Amendment rights.

    http://www.wired.com/threatlevel/2012/11/student-suspension/

In apparent protest, individuals claiming association with the Anonymous hacking collective have taken down the school’s website http://www.theregister.co.uk/2012/11/27/annymous_takes_down_northside_independent_school_district_as_revenge_for_rfid_tracking/ ”

  • Online exam proctoring? Solving one problem of Massively Open Online Courses

I came across a recent post regarding proctoring during online exams (http://www.technologyreview.com/news/506346/in-online-exams-big-brother-will-be-watching/). As you might imagine, teachers face a legitimate problem of being assured that students taking online classes are not cheating. The solution? Startup firms that provide online proctoring using webcams and screen-sharing technologies. The issue, this article claims, is precipitated by the surge in popularity of free online classes provided by some top schools. Some of these classes can even reach enrolments of hundreds of thousands!

Interestingly, the people hired by these proctoring firms are, themselves, students. Given that the goal is to reduce cheating — or at least the perception or possibility of cheating — I have no idea whether that should matter. Overall, the article claims a (known) cheating rate of 0.7% (7 out of every 1000) — a fair bit lower than typical classrooms, I would bet. And while the expectation of privacy is appropriately low during a typical classroom exam, one would not think that online monitoring with a webcam should violate any social norms.

  • Game company sued for using two factor authentication. Huh?

There’s a story (http://www.securityprivacyandthelaw.com/admin/trackback/289911) about a lawsuit filed against the game company Blizzard, which seeks class action status. It appears that the company is being sued for enabling two factor authentication for their online gaming service. Yeah, that’s what I thought: why on earth would someone sue a company for *having* strong authentication? The lawsuit isn’t really about any particular breach, or any harm resulting from negligent actions by Blizzard, or any actual identity theft suffered by its customers. Rather, the complaint appears to argue that customers might, someday, experience harm, possibly, in the future, should Blizzard be (again) hacked. Uh-huh. It further states that, “defendant’s acts have … harmed plaintiffs’ and class members by devaluing their video games … by adding elements of risk to each and every act of playing said games.” Really? Devaluing their video game? How, exactly? Is there any evidence of this? No, there’s not.

    It also suggests that customers were deceived into purchasing the game only to later learn that they also needed a $6.50 device to enable two-factor authentication (the RSA ID fob). Now, fine. If it’s true that customers were misled in some material way, then an allegation of consumer fraud might be appropriate (though, isn’t this the role of the FTC?), and if there was some evidence of any kind of harm (even a real privacy harm), then that might be valid, but these claims seem to be quite stretched.

  • Cyber crime insurance policy now covers data breach losses

    A recent circuit court ruling held that a company’s ‘computer crime’ policy covered them for losses stemming from a data breach, despite the policy stating otherwise. In the world of cyberinsurance, this is a game changer.

Cyberinsurance has been a hot topic of discussion for academics for at least a decade. We love to differentiate the issues of cyberinsurance from other forms of insurance by highlighting that, beyond just the problems of information asymmetry (leading to the familiar moral hazard and adverse selection), computer systems are of course networked. This poses two separate but related problems. The first issue is a problem for the firm: the security of your network is a function of the degree to which your business partners protect their systems. It’s a familiar problem not just in computer networks, but also with airlines. (See Howard Kunreuther and Geoffrey Heal. (2003). Interdependent security. Journal of Risk and Uncertainty, 26(2-3):231–49). The second issue is a problem for the insurer: correlated failures. An attack on (or failure of) one client’s network might also signal an attack on (or failure of) another client’s network. We saw examples of this in the recent attack on universities in the US, Europe and Asia. As an insurer, you suffer a loss when clients file claims against their policies, and you become profitable only when you pool your risk. However, consider the consequences if, instead of one or two clients filing claims, they all did. In recent conversations with insurance companies, *this* is what keeps them up at night.
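As an added illustration of the correlated-failure point (example code, not from the post or the cited paper), the Python below compares an insurer’s chance of exhausting its claim reserves when client breaches are independent against a constructed “common shock” model in which one systemic event hits every client at once; the per-client breach rate is held identical in both models, so only the correlation differs. All client counts, rates and reserve figures are constructed.

```python
from math import comb


def binom_tail(n, p, k):
    """P[X >= k] for X ~ Binomial(n, p): the chance that at least k of n clients file a claim."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def ruin_prob_independent(n_clients, p_breach, reserve_claims):
    """Probability the pool receives more claims than its reserve covers, breaches independent."""
    return binom_tail(n_clients, p_breach, reserve_claims + 1)


def ruin_prob_common_shock(n_clients, p_breach, q_shock, reserve_claims):
    """Same question under a hypothetical 'common shock' model: with probability q_shock a
    systemic event (one worm, one shared-vendor compromise) hits every client at once;
    otherwise clients fail independently with an idiosyncratic rate p_idio chosen so that
    each client's marginal breach probability stays exactly p_breach. The insurer's
    per-client loss data therefore look the same as in the independent case."""
    if not 0 <= q_shock <= p_breach < 1:
        raise ValueError("need 0 <= q_shock <= p_breach < 1 to hold the marginal rate fixed")
    p_idio = (p_breach - q_shock) / (1 - q_shock)
    ruin_if_shock = 1.0 if n_clients > reserve_claims else 0.0  # every client claims at once
    return q_shock * ruin_if_shock + (1 - q_shock) * binom_tail(n_clients, p_idio, reserve_claims + 1)


def expected_claims_common_shock(n_clients, p_breach, q_shock):
    """Mean number of claims under the common-shock model. It equals n_clients * p_breach,
    which is why the expected loss alone cannot reveal the correlation."""
    p_idio = (p_breach - q_shock) / (1 - q_shock)
    return q_shock * n_clients + (1 - q_shock) * n_clients * p_idio


if __name__ == "__main__":
    # Constructed figures: 100 insured clients, 5% annual breach rate, reserves for 20 claims.
    n, p, reserve = 100, 0.05, 20
    print("mean claims, independent:  ", n * p)
    print("mean claims, common shock: ", expected_claims_common_shock(n, p, 0.01))
    print("P(ruin), independent:      ", ruin_prob_independent(n, p, reserve))
    print("P(ruin), 1% common shock:  ", ruin_prob_common_shock(n, p, 0.01, reserve))
```

With the constructed figures the mean claim count is identical in both models, yet a 1% chance of a systemic event raises the probability of exhausting reserves from under one in a million to over one in a hundred.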

    So what makes this ruling so important is that other traditional computer crime policies may now be used to recover losses from data breaches. This is nice for companies that suffer losses, but obviously bad for the insurance carriers. We can be assured that policies are very quickly being updated and revised.

For more information see: http://privacylaw.proskauer.com/2012/09/articles/data-breaches/crime-policy-does-pay-sixth-circuit-holds-that-endorsement-of-crime-policy-covers-losses-from-hackers-data-breach/#page=1.

  • Resources from your friendly NYU Librarian

I had occasion to visit the NYU law librarian recently. I was looking for information regarding WestLaw’s search strategy for federal cases. In addition to being very helpful, Gretchen also sent me this link of privacy resources. The site is really quite impressive, and not something I had seen before. There are links to privacy-preserving software (PETs), web and email anonymizers, research links and many other resources. Worth checking out.

    She also pointed me to this link to an EPIC story regarding FBI collection of individual data:
    http://epic.org/2012/10/fbi-exempts-massive-database-f.html

    FBI Exempts Massive Database from Privacy Act Protections
The Federal Bureau of Investigation has exempted the FBI Data Warehouse System from important Privacy Act safeguards. The database ingests troves of personally identifiable information including race, birthdate, biometric information, social security numbers, and financial information from various government agencies. The database contains information on a surprisingly broad category of individuals, including “subjects, suspects, victims, witnesses, complainants, informants, sources, bystanders, law enforcement personnel, intelligence personnel, other responders, administrative personnel, consultants, relatives, and associates who may be relevant to the investigation or intelligence operation; individuals who are identified in open source information or commercial databases, or who are associated, related, or have a nexus to the FBI’s missions; individuals whose information is collected and maintained for information system user auditing and security purposes.” The Federal Bureau of Investigation has exempted these records from the notification, access, and amendment provisions of the Privacy Act. Earlier this year, EPIC opposed the Automated Targeting System, another massive government database that the Department of Homeland Security exempted from Privacy Act provisions.

    Scary, indeed.

  • You know what? I’d like to learn what’s being collected about me, too.

    From SANS Newsbites 14(82):
–Senator Rockefeller Seeks Information About Data Brokers’ Business Practices (October 10, 2012)
    US Senator Jay Rockefeller (D-West Virginia) has sent letters to nine data brokerage companies, asking them to provide answers to a dozen questions about where and how they gather information, with whom they share the information, and what information is shared. Senator Rockefeller is also asking what level of control individuals have over the information the companies collect. The companies are asked to respond by November 2, 2012. Earlier this year, two US Representatives launched an inquiry into data compilers, and the Federal Trade Commission (FTC) is also looking into some data brokers’ practices.
    http://thehill.com/blogs/hillicon-valley/technology/261249-rockefeller-pushes-data-brokers-for-answers-on-business-practices-

    Text of letter:
    http://commerce.senate.gov/public/?a=Files.Serve&File_id=3bb94703-5ac8-4157-a97b-a658c3c3061c

  • Systematic Government Access to Private-Sector Data 2(4), 2012

    I received a notice about this journal issue:
    http://idpl.oxfordjournals.org/content/2/4.toc?etoc

I’m not sure why I received it, exactly, but scanning the articles, many of them look quite interesting. It’s particularly nice to hear from Fred Cate again. I’ve always appreciated his views and discussions. No doubt many of you will recognize many of the other authors, too.

  • CELS, Nov 9-10, at Stanford

    http://blogs.law.stanford.edu/cels2012/

This year’s CELS conference will be at Stanford in November. The program is now available at http://www.law.stanford.edu/sites/default/files/event/265957/media/slspublic/PreliminarySchedule.pdf. Lots of good stuff there!

  • Secretly Installed Software on Rented Computers Collected Information, Took Pictures of Consumers in Their Homes, Tracked Consumers’ Locations

Here’s an interesting story, public action, and settlement about a company secretly spying on users through their rental computers. From: http://www.ftc.gov/opa/2012/09/designware.shtm

    “Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.

The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge, according to the FTC complaint. The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers.”

  • New GAO report on medical device security

In response to congressional requests, the GAO produced a new report on medical device security (http://www.gao.gov/assets/650/647767.pdf). Unlike agencies like NIST, the GAO provided a number of specific recommendations for the FDA (apparently the oversight of medical device security falls to the FDA). And by “specific” I mean very general, almost cliché recommendations:

    1) The FDA should increase its focus on manufacturers’ identification of potential unintentional and intentional computer security threats and vulnerabilities and strategies to mitigate these risks during its pre-market approval review process;
    2) Utilize available resources, including those from other entities, such as other federal agencies;
    3) Leverage its post-market efforts to identify and investigate information security problems; and
    4) Establish a specific schedule for completing this review and implementing these changes.

I really have no idea what any of that is supposed to do. Despite that, however, the GAO report is extensive in its detail and description of medical device threats and risks.