How to Turn on Do Not Track in Your Browser
eff.org
In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user) as well as a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers’ choices.
The [linked] tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome.
NEW! Consumer Data Symbology: What data do companies hold?
This is the 3rd post in my series of Consumer Data Symbology.
Be sure to also check:
NEW! Consumer Data Symbology: Anonymous or Personally Identifiable
NEW! Consumer Data Symbology: Sharing data - Anonymous or Identifiable
With the first 2 sets of symbols consumers can readily see how their information is shared with third parties, including if location information is shared. Importantly they can also see if their data is shared in an anonymous or uniquely identifiable way.
The set of symbols below talks about the 3 major categories of data. Publishers, service providers and applications could have any combination of these three symbols.
HOW YOU ACT
While visiting a website, using a service or application the owners may collect information about what you did while you were there. This might include the web pages you visited, the products you searched for, the amount of time you spent on a single page and other information related to how you behaved during the time you were interacting with the website, service or application. This information comes in a form that is similar to “tracks” left in the sand. Depending on the other symbols shown it may be that your tracks are anonymous - or they may be associated directly with you as a unique consumer.
PROFILE DATA PROVIDED
If you have joined a website and created an account then you have provided information associated with your profile. This could be as minimal as your e-mail address or could be a complete list of your friends, your interests and other. The main difference between information about “HOW YOU ACT” and “PROFILE DATA PROVIDED” is that you were asked and specifically answered questions to complete your profile.
NEW DATA FROM PROCESSING
Besides data that you provided in your profile, and information collected about how you act, some companies will take this information to create new data. For example, if you spend lots of time reading stories about movie stars and completed your profile that you like “pop culture”, a company might use that data to decide that you would like a trip to Hollywood. You never told the company you wanted to go to Hollywood and you never went to a web page about Hollywood, but the company processed your other data to create new data.
Admittedly, these symbols are some of the most volatile for those consumers who are plugged into the press. There has been so much press about “tracking” that some consumers will see this and immediately understand that they are being “tracked” and it may make them uncomfortable unless they trust the brand behind the tracking.
The idea of “NEW DATA FROM PROCESSING” is an important concept as it is unclear who “owns” data resulting from processing. Does the consumer own it? - It wasn’t their data? - Does the company with the algorithm and the servers doing the processing own it? Most likely they do as they have rights to the consumers provided and tracked data as well as the processing. Consumers may understand that their data is being processed - but not all consumers will understand this and it is important to make it clear.
Tomorrow will be the final installment of the symbols: - How is the data used.
Photography and Text (c) 2011 Mobile Soul Ltd. All rights reserved.
Eventually I would like to offer this content on the Creative Commons license scheme.
Who's Been Trafficking in Your Data? 3 Questions for You
blogs.hbr.org
- Why am I being tracked?
- Who is tracking me?
- What is happening to my data?
Robert Plant (HBR) tries to answer these questions that are mostly ignored by the majority of Internet users in this Google/Facebook era:
The first question has a simple answer: Don’t take it personally, but you’re not a customer anymore. You’ve become a commodity, one of 7 billion datapoints on the planet. Your every activity, tracked and logged, has a potential value.
While I’ve tried not to sound paranoid about privacy, when writing about the future of BigData marketplaces and seeing signs of possible big flaws in the process, I’ve expressed my concerns about data ownership and privacy. Optimistically I do expect that at some point all these details will be regulated. Hopefully not too late.
Original title and link: Who’s Been Trafficking in Your Data? 3 Questions for You (NoSQL database©myNoSQL)
Announcing InfoSphere Optim 9.1: Data Lifecycle Management & Privacy
masteringdatamanagement.com
Adapted from a post on Mastering Data Management Blog.
…I am excited about today’s announcement of InfoSphere Optim v9.1, a single offering with three simple packages: InfoSphere Optim Archive, InfoSphere Optim Test Data Management and InfoSphere Optim Data Privacy. This new release will focus on market leadership features for data lifecycle management and privacy, particularly around four key themes:
1. Expand data lifecycle management – continued leadership
Customers have been asking our team, “How do I leverage Optim in my enterprise?” In this release, we’ve listened to our customers and found the most common integration patterns. InfoSphere Optim v9.1 is now tightly integrated with InfoSphere Information Server, InfoSphere Guardium, IBM Smart Cloud Enterprise and IBM Global Retention Policy and Schedule Management. These ease the process of leveraging and integrating comprehensive data lifecycle management.
2. Deliver data lifecycle management to big data environments
It is rare now that customers will not ask us about one or more of the four Vs - variety, velocity, veracity and volume. In the latest IOUG survey, 1 in 6 enterprises manage more than a petabyte of information. I expect this figure will double by 2014. In addition to Hadoop support, this release supports big data environments such as Teradata and delivers new pre-configured accelerators for Netezza.
3. Implement quickly and easily – the need for speed
Optim is known as the most powerful and flexible product on the market. In InfoSphere Optim v9.1, we have unified and simplified the next generation user experience, providing automated workflows to improve productivity, empower novice users and ensure faster projects.
4. Mask data on demand – yes, you can
Customers have frequently asked the team if they leverage the robust capabilities that InfoSphere Optim has been using to mask sensitive data in non-production systems, and make it available as a service to meet the needs of various use cases. InfoSphere Optim v9.1 offers this, providing flexible, real-time capabilities to de-identify sensitive data across the enterprise to protect privacy while promoting business objectives….
NEW! Consumer Data Symbology: Anonymous or Personally Identifiable
For the next 2 weeks I will begin posting my ideas for symbology that can be used to improve the way content owners and service providers can communicate to consumers about how their data is used.
Here are the first 2 symbols:
IDENTIFIABLE
This symbol indicates that the data we hold about you includes information necessary to identify you as a specific consumer. It could be a means to contact you such as your email address, telephone number, credit card details or any other combination of information that could identify you specifically. Each organisation could hold a different set of information. This symbol means that any of the data described by the other symbols shown is NOT anonymous.
Organisations with this symbol should have robust security measures in place to ensure that your personal data is safe.
Only organisations you trust should be given permission to hold data that is personally identifiable.
TRIVIA: Embedded in the fingerprint symbol you can see three letters: PII - This is an industry acronym for “Personally Identifiable Information”
ANONYMOUS
This symbol indicates that the data we hold is associated with a unique but random number. We do not know your identity and have no way to contact you directly. The data described by the other symbols shown is unique only to this device and this browser or application.
You should use care when accepting this symbol to ensure that you trust the organisation to honor their commitment to keep your data anonymous.
These symbols are literally version 0.1 and I expect them to change a lot based upon the feedback and input I get from you - so please do give me feedback.
Over the next 2 weeks I will be sharing the remainder of the individual symbols that I would like to propose to the industry as means to communicate clearly and easily to the consumer - What data is held, How the data is used and How data is shared.
At the end of 2 weeks I will provide you with access to a demonstration of how I believe the EU Cookie Directive and Do Not Track functionality could be enhanced to ensure a) that consumers have a clear understanding about their data and b) that publishers and service owners have a new method to build improved consumer relationships.
Want to know the current scoop on me?
Check out: http://about.me/troy.norcross
Researcher: Facebook's Timeline will be boon for hackers
by Gregg Keizer, Computerworld Sep 24, 2011 1:30 am
Editor’s Note: This story is excerpted from Computerworld. For more Mac coverage, visit Computerworld’s Macintosh Knowledge Center.
Facebook’s new Timeline will make it even easier for criminals and others to mine the social network for personal information they can use to launch malicious attacks and steal passwords, a researcher said today.
According to Facebook CEO Mark Zuckerberg, Timeline is “the story of your life.” Timeline, which Facebook unveiled yesterday at a developer conference and plans to roll out to users in a few weeks, summarizes important past events in a one-page display.

That has experts at U.K.-based Sophos concerned. “Timeline makes it a heck of a lot easier [for attackers] to collect information on people,” said Chet Wisniewski, a Sophos security researcher. “It’s not that the data isn’t already there on Facebook, but it’s currently not in an easy-to-use format.”

Cybercriminals often unearth personal details from social networking sites to craft targeted attacks, noted Wisniewski, and Timeline will make their job simpler. “And Facebook encourages people to fill in the blanks [in the Timeline],” said Wisniewski, referring to the new tool’s prompting users to add details to sections that are blank.

Because people often use personal information to craft passwords or the security questions that some sites and services demand answered before passwords are changed, the more someone adds to Timeline, the more they put themselves at risk, said Wisniewski. “Remember the hack of [former Alaska governor] Sarah Palin’s account?” asked Wisniewski. “That hacker found the answers to her security questions online.” A former University of Tennessee student who bragged it took him just 45 minutes of research to reset Palin’s Yahoo Mail account password was convicted on multiple federal felony counts last year.

Hackers can also use what they find on Facebook and elsewhere to craft convincing emails that include malware or links to malicious sites, noted Wisniewski, even if the individual is not the target. “It may be about the fact that you work for RSA [Security],” he said, referring to the emails sent to low-level employees at that firm earlier this year. Those emails, which included malware embedded in Excel spreadsheets, gave attackers a foothold on RSA’s network. The criminals then scoured RSA’s systems and stole confidential information about its popular SecurID authentication token technology.

Others, not strictly hackers, could use Timeline to quickly dig up dirt as well, said Wisniewski. “Someone could use it to gather information to harass you, or someone at work competing for your job could use it,” he said. “The more you put in there to make it complete—and we’ve been conditioned to finish forms—the easier it is for someone with ill intent to gather information about you,” said Wisniewski.

Although current Facebook privacy settings will apply to the Timeline—letting users decide who sees what—and the Timeline can be edited to remove an embarrassing past, Wisniewski was pessimistic about users’ decision making. “Call us paranoid or prudent—we’re paid to worry about this—but for 99 percent of people, the danger doesn’t even cross their mind,” said Wisniewski.

In an unscientific survey Sophos ran on its website today, nearly 50 percent agreed that the Facebook Timeline worried them, while about 17 percent said they liked the idea or would get used to it. Wisniewski admitted that the poll probably doesn’t reflect most Facebook users’ opinions. “They’re doubly self-selected,” he acknowledged, “first for taking the survey and second because they’re concerned enough about security to go to our website.”
DOST-ICTO pushes for passage of cybercrime, data privacy bills
ph.news.yahoo.com
GMANews
In light of the recent spate of hacking directed toward its websites, the government reiterated its support for the passage of the cybercrime and data privacy bills, saying they are not taking these attacks lightly.
In a statement, the newly formed Information and Communications Technology Office (ICTO) under the Department of Science and Technology (DOST) said the passage of the two bills will help government agencies in combating cybercrime in the country.
“We believe that these bills, when enacted, would solidify government policy as regards these threats and deter crimes committed using cyberspace,” said DOST Undersecretary Fortunato de la Pena, officer in charge of the ICTO.
De la Pena’s statement comes on the heels of recent attacks and defacement of government websites, the latest of which is the online portal of the National Disaster Risk Reduction and Management Council (NDRRMC).
On Sunday, visitors of the NDRRMC website were greeted with a black background and what appeared to be a map of the Persian Gulf.
“P E R S I A N G U L F 4 EVER,” a message on the hacked page read. The window title of the site was also altered to read “Hacked by Cocain TeaM.”
In July, meanwhile, a hacker group which identified itself as “PrivateX” hacked into the websites of the Office of the Vice President and the website of the Philippine Nuclear Research Institute.
While no sensitive data were stolen or leaked, the ICTO said it is noting these incidents with concern.
“Unfortunately, most of the cyber attacks on government are due in part to websites and systems that are developed in-house using coding practices that are below standards,” Fortunato said.
“[These codes also] did not undergo rigorous security testing which may mitigate or prevent common security attacks such as SQL injection and cross-site scripting,” he added.
De la Pena added that there are still government agencies which do not have a firewall or have firewalls that are not configured properly, leaving them vulnerable to such attacks.
In June, then Commission on Information and Communications Technology chair Ivan John Uy admitted that cybersecurity is not necessarily on top of the government’s budget priorities, leaving agencies with less than desirable security systems.
The ICTO OIC said it will be advocating for increased awareness of cyber attacks, the capacity building of website administrators to ward off such attacks and the knowledge sharing between the government and private sector in terms of cyber security.
“It is difficult to stop hackers from initiating attacks, but through concerted effort by government website administrators and experts in the public and private sector, the success of such attacks can be mitigated or thwarted altogether,” he added.
The cybercrime bill currently pending before Congress has already gone through committee-level deliberations, and is on its way to be passed on first reading.
The data privacy bill, on the other hand, has been approved on third reading in the lower house, and is currently being studied by a technical working group organized by the Senate committee on Science and Technology. — TJD, GMA News
MIT: Identity is your Problem or your Asset
blogs.wsj.com
In one of the most appropriate interpretations of “there are no problems, only solutions”, MIT offers this:
According to Sandy Pentland, a professor at MIT’s Media Lab, the best chance people may have of controlling their data online is a modern version of “if you can’t beat them, join them.”
Google's Eric Schmidt On Data Privacy: The Internet Needs A Delete Button
fastcompany.com
Your personal data is being overshared with companies and advertisers. So how much control should you have over your private info?
With so much data being collected about us online, can our offline identities ever be divorced from our web personas? Today, Google executive chairman Eric Schmidt offered a simple solution for kids being brought up in the age of Facebook, Twitter, and Snapchat.
Developer Claims Mailbox iPhone App Has 'No Data Protection'
AppAdvice / Joe White / April 24, 2013
Mailbox is an attractive, popular email app for the iPhone, and back in February we gave it a positive review. However, it would appear that while Mailbox features an impressive design and user interface, its data protection and security leave rather a lot to be desired. In fact, according to one developer, Mailbox effectively “has no data protection.”
The opinion is that of Subhransu Behera, who describes Mailbox as “a security fail.” Using the simple iExplorer app, which allows users to view an iOS application’s Documents and Library directories on a desktop computer, Behera was able to pull up a file of unprotected email attachments that is located in the Documents directory.
House passes CISPA, sets up showdown with White House and Senate
latimes.com
The House of Representatives passed a controversial cybersecurity bill as expected on Thursday, moving toward a possible confrontation with the Senate and White House.
The Cyber Intelligence Sharing and Protection Act of 2013, or CISPA, passed by a vote of 288 to 127, with 17 abstentions.
The bill makes it easier for companies to share information with other companies and the government about cyber attacks. Large tech companies pushed hard for the legislation amid escalating cyber attacks, calling it a necessary step to shore up their defenses.
…
By contrast, critics waged an online campaign attempting to create a groundswell of opposition. They argued that the bill made it too easy for companies and the government to gain access to private data, absolved companies of too much legal liability, and failed to ensure that civilian rather than military agencies would facilitate the sharing of information.
…
The issue now moves to the Senate, where a companion bill has yet to be introduced. But earlier this week, the Obama administration made clear its promise to veto the House version of CISPA unless greater provisions were made to protect privacy and civil liberties.
Government Has Already Fooled Us More Than Once On Privacy; History Belies How CISPA Will Be Used
techdirt.com
From the Techdirt article, which, while clearly written with a point of view on the bill, does a pretty good job as the ‘loyal opposition’:
One of the key things we’ve seen in the pushback on CISPA is that its backers insist that people arguing against it don’t really understand how the bill works, and that it does protect privacy. CISPA sponsor Rep. Mike Rogers himself took to Twitter this morning to tell the EFF that it’s misreading his bill. But, of course, as we’ve seen, it seems that Rogers himself is the one being misleading when it comes to privacy. If he truly believed in privacy protections, he would have supported a variety of straightforward amendments that made it clear how privacy could be protected. But he didn’t. Instead, he clearly left it open for abuse.
[Health & Privacy] Doctor, Doctor, Gimme The News – Just Not Via Text…

Text messaging lets healthcare providers communicate with patients in simple and timely fashion. But it may violate privacy laws, write attorneys Cory Fox and Lynn Sessions from law firm BakerHostetler:
“According to a recently published report in the American Journal of Public Health, text messages containing protected health information (PHI) would be impermissible under the HIPAA Security Rule (Security Rule) unless the covered entity either removed PHI from the message or complied with the Security Rule’s administrative, physical and technical safeguard requirements.”
In plain English: the laws intended to keep our confidential health information from falling into the wrong hands may prevent us from using today’s technology to communicate with our doctors.
What to do? Providers who want to communicate via text with patients have a couple of options. First, they should make sure they don’t include protected health information in their messages. But that might not be particularly useful for either party, explain Fox and Sessions:
“[G]iven the broad definition of PHI (which includes information in any form or media, whether electronic, paper, or oral that could be used to identify an individual and that ‘relates to’ the provision of healthcare to that individual), excluding it from a text message altogether could diminish the message’s usefulness. Moreover, excluding PHI from a text page could cause confusion and lead to medical errors.”
The second option is equally problematic: analyze the risks of transmitting confidential patient information via text, and take steps to reduce those risks:
“The primary risk most covered entities face when seeking to employ text messaging and text paging is the risk that the PHI in the message could fall into the wrong hands… One Security Rule protection that could mitigate such risks is the use of encryption technology. However, due to the current state of technology, encrypting text messages or text pages may not be reasonable and appropriate for all covered entities. Thus, covered entities may need to implement alternative measures equivalent to encryption in order to comply with the Security Rule, including policies and procedures specifically related to text messaging and text paging, best practices, and workforce education.”
Come to think of it, there’s probably a third option that most doctors and healthcare providers are choosing: just say “no.” At least until the federal government figures out a way to bring 21st century health care into the 21st century.
And where does all of this leave the patient? Probably on hold with the doctor’s office…
—-
Read the full update, Can Covered Entities Utilize Text Messaging and Text Paging Without Violating HIPAA? – BakerHostetler»
—-
Find more on HIPAA Data Protection laws at JD Supra»
Facebook Wins Court Challenge In Germany Against Its Real Names Policy
California Ups the Ante on Consumer Data Protection

While several states – and the federal government – consider strengthening legislation to protect consumers against data breaches, identity theft, and other privacy violations, California is taking action.
Earlier this month, California Attorney General Kamala Harris created a new “Privacy Enforcement and Protection Unit.” From law firm Morrison & Foerster:
“The Privacy Enforcement and Protection Unit will be organized under the state’s new eCrime Unit, which was formed in August, 2011 and will centralize a number of existing California Justice Department programs intended to enforce privacy laws, combat identity theft, educate consumers, and create partnerships with private industry under one umbrella.”
Three takeaways:
1. The new agency has a very broad mandate:
“The Privacy Unit will enforce laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. In addition to online privacy regulation, the Privacy Unit will investigate data breaches, identity theft, and violations of offline health, financial, and government privacy regulations.” (California Steps Up Privacy Efforts with New Privacy Enforcement and Protection Unit by Wilson Sonsini Goodrich & Rosati)
2. This is only the beginning:
“Harris has made online privacy protection a major focus of her administration, and the creation of the new Privacy Enforcement and Protection and eCrime Units are just two of her initiatives aimed at fighting online crime and protecting consumer privacy.” (California Attorney General Creates Privacy Enforcement and Protection Unit; Increased Enforcement Likely by Morrison & Foerster LLP)
3. Penalties can be severe for businesses that violate consumer privacy:
“With the Privacy Unit in place, actions enforcing California’s data privacy regulations, which are among the strictest in the nation, are certain to increase… ‘The Privacy Unit,’ according to Attorney General Harris, ‘will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.’ Based on prior comments from Harris, such enforcement may include prosecutions under California’s Unfair Competition Law and/or False Advertising Law, which imposes penalties of up to $500,000.” (Law & Order PEPU: California’s new Privacy Enforcement and Protection Unit by Mintz Levin)
—-
See also:
• California Attorney General Creates a New Privacy Protection Unit – Proskauer
—-
Additional privacy law updates:
• Cops Can Read Your Text Messages Without a Warrant - Lawyers.com
• Access Denied: Public Agencies and the Release of Public Records - Dinsmore & Shohl LLP
• STAR Test Results Delayed Due To Security Breach - Kronick, Moskovitz, Tiedemann & Girard
• MAC and IP Addresses: Personal Information? - Fraser Milner Casgrain LLP
• Senate Republicans Introduce a New Data Privacy Bill: Data Security and Breach Notification Act of 2012 - White & Case LLP
• EPIC Demands Evidence of TSA Body Scanner Rulemaking - Electronic Privacy Information Center
• From the Data Protection and Privacy Conference: Words of Advice from the Federal Trade Commission - Mintz Levin
• EPIC Recommends Protections for Use of Commercial Facial Recognition Technology - Electronic Privacy Information Center
• First Circuit Holds Bank May Be Liable For Customer Losses from Cyber Attacks - BuckleySandler LLP
• EPIC Calls on FCC to Require Mobile Phone Carriers to Protect Privacy - Electronic Privacy Information Center
• NIST Proposes Update To Mobile Device Security Guidelines - BuckleySandler LLP
• Connecticut Amends Data Breach Notification Statute - Scott & Scott, LLP
• EPIC Objects to Facebook Settlement, Cites Failure to Benefit Class Members - Electronic Privacy Information Center
• Police Accessing Private Cell Phone Data at a Stunning Rate - Lawyers.com
• EPIC Urges FTC to Develop Meaningful Privacy Protections for Mobile Services - Electronic Privacy Information Center
• Preventing Or Responding To Data Security Breaches: Is Your Information Safe? - McNees Wallace & Nurick LLC
• Connecticut and Vermont Security Breach Amendments Demonstrate a Growing Trend: AG Notice Requirements - Morrison & Foerster LLP
• You Are Not Safe Online! - Lawyers.com