April 5, 2008

Magstripe Bandits

Jack Dunning says the mail-order companies are really in the business of selling your personal information. Their partners in crime are credit agencies, and with the power of a card swipe they tie it all into a neat little package to be sold at a high markup:

She even gives a blueprint of how to pull off the caper. You lift the information from the magnetic strip on the back of the card, which normally includes the card holder’s name and address. Then, proceed to the third party data service -- which Experian provides -- to append the extra juicy stuff like your age, income, occupation, education, home value, and the list goes on and on. They even know if you gamble, drink, smoke and have your medical ailments and prescriptions taken.

The first rule of personal privacy: use cash. The second rule of personal privacy: USE CASH.

March 1, 2008

Defeat infrared surveillance cameras

A German arts group is publicizing a technique to defeat surveillance cameras that can see in the infrared range by overwhelming their arrays with infrared light from IR LEDs mounted on a headband or hat.

According to commenters, this technique would work best against low-light surveillance cameras with particular sensitivity in the infrared range, optimized for low-light situations.

Many cameras have sensitivity into the IR but wouldn't be so easily overwhelmed by the brighter infrared LEDs.

Security Insider claims this technique would only work intermittently against cheap CCTV cameras:
I can tell you that this may work for a second or two on cameras that have a cut filter (that's the real name for "IR sensitive" cameras), but all that is really going to happen is your face will get illuminated in between the frames that are actually "flared" out by the light. Also, you're more likely to be noticed doing this due to the motion detection alarms going off due to the large pixel change. You would be much better off with a laser, than an LED. We've been doing these type of tricks for years in the lab to try to trick the cameras. Anymore, its not the cameras you need to trick, but the intelligent video algorithms that are going to pick up on the anomaly and register it as an event. Oh, one more thing. Don't even try to attempt this during the daytime. Like another poster said, the cut filter doesn't activate until a timer either trips it (set on a schedule) or a preset low lux threshhold is met. (it gets dark). Even then many cameras these days have dynamic range circuits that will tame the bright spots and highlight the dark spots. Look up some Pelco, Panasonic, or Sony cctv specs for more info.

February 25, 2008

The black box in your car

Event Data Recorders, EDRs, have been used by car manufacturers on fleet vehicles since the 1970s to collect data about performance of airbags and other safety features in the event of a vehicle impact. Much like an aircraft "black box", current EDRs record vehicle speed, engine RPM, whether the driver's seat belt is latched, and the position of brake and accelerator pedals, as well as information about the status and deployment of the air bag.

General Motors started including black boxes on higher-end models, like Cadillacs, in 1994, and was putting them in all passenger car models by 1999. Some other makes, like Toyota and Ford, have been using them in some cars since 1996, and Ford has included event data recorders in all models since 2000. Approximately 64% of model year 2005 cars have event data recorders.

IIHS says "General Motors, Ford, Isuzu, Mazda, Mitsubishi, Subaru, and Suzuki voluntarily equip all of their vehicles with EDRs, according to NHTSA's estimates. More than half of Toyotas have the devices, too. Passenger vehicles from BMW, Daewoo, Honda, Hyundai, Kia, Mercedes, Nissan, Porsche, and Volkswagen don't have what NHTSA defines as EDRs, according to the agency's estimates of 2004 and 2005 models."

Tools are available to download Ford and GM EDR data, but only Toyota can read Toyota data recorders. One vendor provides an online list of cars with event data recorders accessible by their crash data retrieval tool. NHTSA has mandated manufacturers provide tools to download EDR data within 90 days.

The biggest privacy issue is from police or accident investigators, working on behalf of lawyers or insurers, using these tools to download data without consent from one or more vehicles involved in a crash. Police or private investigators could seek the recorded data for other types of cases, though, such as car theft or chops shop busts. It's not even hard to imagine a high-profile, high-stakes custody case where one parent is looking for evidence that their ex-partner was speeding with the kids in the car.

Recent legislation or court orders could force disclosure of EDR data even if laws give ownership of that data to vehicle owner or lessee.

Insurers Encouraged to Harvest Data

[T]he Texas-based company offers insurance carriers the ability to retrieve, harvest, and store data concerning the events of a collision and provides analysis and interpretation of the data. [...] "for use in claims adjudication".

The initial question which springs to mind is how insurers are obtaining the data in the first place. If the vehicle is repairable and the information is coming from a vehicle intended to be returned to the owner, is the insurer, body shop, or someone associated with Injury Sciences LLC extracting the information? Searching the company's website does not provide the answer, but it suggests that insurers and/or body shops are accessing the information themselves. Otherwise, the company offers "access to a network of service providers" who are equipped to harvest the data.

If insurers are mining data without disclosing that activity to the insured or the third party, they may well be engaging in unfair claims practices or violations of privacy rights under individual state law. If insurers use this data against their own insureds, that action could easily be the basis for a bad faith insurance claim and could have broader implications as well.

Event Data Recorders and privacy

  • Experts agree that EDRs are extremely impractical to disable, because they are almost always integrated into the car's existing computers. They are factory installed and are not optional features on the cars that are built with them.
  • Know if any cars you drive regularly have EDRs. Toyota, Ford and GM currently disclose the existence of the recorder in the vehicle owner's manual. NHTSA has ruled that all manufacturers will have to disclose EDRs included in their cars made after September 1, 2010.
  • Check auto insurance and car rental contracts for stipulations requiring you to give the access to an EDR, or turn over EDR data in the event of an accident, perhaps under general provisions requiring you to cooperate with your insurer.
  • Don't consent to anyone downloading data from the EDR unless advised to do so by your lawyer. In this event, keep copies of your signed consent form.
  • Assume that even if your car has no EDR, any modern car involved in an accident is likely to have one, and any collision is likely to be recorded by traffic surveillance cameras.
  • EDR data belongs to the car's owner or lessee. Until served with a court order, there is no compulsion to turn EDR data over to any investigators, insurance companies or lawyers. You might be able to contract to have the EDR data preemptively erased before any such court order is issued, if you feel that erasure would protect your rights.

February 16, 2008

The Anonymity Experiment

A Popular Science writer spends a week staying anonymous in the digital age: paying cash, dodging surveillance cameras and using disposable cellphones.

January 16, 2008

Outfits mine Voter Registration records

Vanity Fair reports that database broker Aristotle is amassing, cross-referencing and selling voter registration and political donation information:

“People are getting hassled by marketing firms and hassled by consultants, and much of that information comes from signing petitions or off the voting databases."

In most states, voter registration databases are public information, by law. The governments sell this information, along with driver's license data.

"One such [commercial data] supplier is Acxiom, the Arkansas-based behemoth that stores unimaginable quantities of data. In 2003, a single hacker stole Acxiom records on 20 million people, according to Washington Post reporter Robert O’Harrow’s 2005 book, No Place to Hide."

Aristotle's data gatherers might soon be taking photos in public and harvesting data-rich magstripe information from credit cards and identity cards:

"Phillips picks up one of the custom-designed pocket-P.C. scanners that go with the Aristotle 360 system. With them, canvassers working for campaigns will swipe credit cards and driver’s licenses, take pictures of voters using an embedded micro-camera, and instantaneously feed all of the resulting information into the database."

The inescapable conclusions I draw from this are that voting and making political donations are much more likely to result in an individual's inclusion in a database, whether the data mining effort is governmental, political, or for more direct monetary profit. The magnetic-strip scanners are a reminder about how electronic cards can facilitate mass surveillance of a type unintended by their issuers.

In situations when Social Security Numbers and Social Insurance Numbers can't be used as database keys or for matching individuals, mailing addresses and date-of-birth (DOB) is frequently used. Therefore, remember to keep your full name, DOB and mailing address (hopefully it's not the same as your street address!) to yourself as much as possible.