29 March 2008

The good (and sometimes bad) thing about being an Internet security guy is that you always wonder about threat models, even in the physical world.

I recently visited my local hospital for some medical tests. I was told to bring a picture ID. Why, I wondered? Was it security theater? Does the Department of Homeland Security have a "no treat" list? Was my visit to be reported to the Immigration and Customs Enforcement agency, to see if I was a legal resident?

The truth was more mundane, though at least as depressing. The person checking me in first tried to brush off my question with "I just work here", but she eventually explained it: they have a problem with patients presenting other people's health insurance cards. Yes, this is a bad idea for all concerned: the medical records of both the card owner and the patient will be merged, causing great confusion and possible serious consequences down the road. But there are so many uninsured and health care in the US is so expensive that people are desperate. The person I was talking with said she initially didn't believe there was a problem, until she'd seen a fair number of examples herself. (I should note that the hospital in question is not in a poor neighborhood. In fact, the median family income in that town was about $117,000 in 2000; neighboring towns are equally well off.)

So — if this is happening, is there a street price for health insurance cards accompanied by picture IDs? If not, I'm sure that such a market will develop soon, unless the underlying problem is solved.

Comcast Will Stop Blocking BitTorrent

27 March 2008

A few months ago, I mentioned that Comcast was blocking BitTorrent traffic. Today, Comcast has announced that they will stop doing so. Instead, they'll use traffic-shaping to limit bandwidth consumption without regard to the protocol being used. That's the right answer.

The Passport File Controversy

26 March 2008

There have been a lot of news stories about State Department workers looking at the passport files of the major presidential candidates. That is unquestionably a violation of their privacy; beyond that, given that a similar incident in 1992 was motivated by political concerns, a full investigation is warranted.

However — I really want to talk about the good news. The passport file system has some pretty good privacy protection: it's possible to flag the records of prominent people; supervisors are notified when their records are accessed. Some years ago, at least, the IRS did not have such a feature and it was indeed a problem.

There's one more feature I'd add to that: random audits of records accessed by employees. That would help deter — or detect — snooping on people who aren't celebrities. For all I know, the system already has that; if not, they've taken a good first step with what they have done.
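
The two controls discussed above, supervisor notification on flagged records plus random audits of everything else, sketched as an added example; it is not part of the original post and does not describe any real passport system. The employee names, record ids and audit rate are constructed for illustration.

```python
import math
import random
from collections import defaultdict
from typing import NamedTuple

class Access(NamedTuple):
    employee: str
    record_id: str

# Constructed sample data, not taken from any real system.
FLAGGED = {"rec-1001", "rec-1002"}  # records of prominent people
LOG = [
    Access("alice", "rec-1001"),
    Access("alice", "rec-2001"),
    Access("bob", "rec-2002"),
    Access("bob", "rec-2003"),
    Access("bob", "rec-1002"),
    Access("carol", "rec-2004"),
]

def supervisor_alerts(log, flagged):
    """Every access to a flagged record is reported to a supervisor."""
    return [a for a in log if a.record_id in flagged]

def random_audit(log, flagged, rate, rng):
    """Pick accesses to unflagged records for manual review.

    Sampling is done per employee, with at least one pick each, so no
    employee can count on all of their lookups going unexamined.
    """
    by_employee = defaultdict(list)
    for a in log:
        if a.record_id not in flagged:
            by_employee[a.employee].append(a)
    picked = []
    for employee in sorted(by_employee):
        accesses = by_employee[employee]
        k = min(len(accesses), max(1, math.ceil(rate * len(accesses))))
        picked.extend(rng.sample(accesses, k))
    return picked

if __name__ == "__main__":
    # An unpredictable source, so the audit selection cannot be anticipated.
    rng = random.SystemRandom()
    for a in supervisor_alerts(LOG, FLAGGED):
        print("ALERT supervisor:", a)
    for a in random_audit(LOG, FLAGGED, rate=0.25, rng=rng):
        print("AUDIT:", a)
```
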

Privacy: Little Brother

13 March 2008

When it comes to privacy, lots of people worry about Big Brother: the government. I worry as much about Little Brother: corporations. Quite apart from the monitoring they do on their own account, in the US at least the government has been known to buy or subpoena such data.

What brought this to mind was an article in the Wall Street Journal about how Nielsen — the dominant company in television ratings — is going to start gathering data based on set-top boxes. According to the article,

"Supporters of set-top-box data say it is more useful to marketers and less burdensome to participants than traditional Nielsen ratings. The set-top boxes cover many more households, and, unlike the panels, researchers don't have to secure agreement from those households to participate."

Clearly, people have no need to consent to having their viewing habits monitored...

Nielsen isn't the only one, of course. I mentioned a few months ago that TiVo is doing the same thing. Several British ISPs are going to monitor user browsing habits, all the better to serve them ads. Major Internet portals track your every move; some could even serve personalized ads.

How about Apple? They will know — and control — what software you load onto your iPhone. What will they do with that information?

Private companies such as Microsoft and Google are going into the health records business. Because they aren't health care companies, the privacy protections in HIPAA don't apply. What will they do with this data, not so much today as tomorrow?

I could give many more examples, but the trend is clear: corporations are gathering an immense amount of data. In the EU, there are laws regulating this; there are no such laws in the US. That is creating a very large privacy threat.