Practical Privacy<br />
A non-political examination of practical techniques for maintaining personal privacy.<br />
By <a href="http://www.blogger.com/profile/05180720774992116392">M</a>. Feed updated 2023-11-15T19:07:01.037+00:00<br /><br />
<h1>EXIF information from digital cameras</h1>Published 2010-08-11T23:51:00.008+00:00; updated 2010-08-12T00:25:22.475+00:00<br /><br />
Digital cameras are a huge boon to consumers and professionals alike, not least because of the privacy they offer. Photographers no longer have to choose between chemically developing the film themselves, or outsourcing it to some minimum-wage type who might call the police about photos of your grandchild. But there are still a few secrets to digital photography that the privacy-aware should know.<br /><br />Digital cameras usually store extra, "hidden" text metainformation in the digital pictures they take. The metadata specification for JPEG and TIFF files is <a href="http://en.wikipedia.org/wiki/EXIF">EXIF</a>. This isn't inherently nefarious: this information is kept as a record of the camera settings at the time of the photo, and is used by some image-manipulation programs like Photoshop. However, a photograph of your family members, home, current location, or assets could leak sensitive information without your knowledge.<br /><br />For example, here is the EXIF information from a potentially sensitive JPG file, obtained with <a href="http://www.sentex.net/~mwandel/jhead/">jhead</a>:<br /><br /><bold><pre>
File name    : pchsat1.jpg
File size    : 3168150 bytes
File date    : 2010:04:26 09:52:36
Camera make  : SONY
Camera model : DSC-V3
Date/Time    : 2010:04:24 15:30:51
Resolution   : 3072 x 2304
Flash used   : No
Focal length : 7.0mm
Exposure time: 0.0025 s (1/400)
Aperture     : f/8.0
ISO equiv.   : 100
Whitebalance : Auto
Metering Mode: matrix
Exposure     : program (auto)
</pre></bold><br /><br />Note the time, 3:30:51 p.m. on April 24th, 2010, and the camera model: Sony DSC-V3. This is just an example of the most basic EXIF metadata found in digital photos. jhead is public domain software and works on the Windows command line, MacOS X, Linux, FreeBSD and other versions of Unix.<br /><br />I originally came across the EXIF specification when I noticed that <a href="http://en.wikipedia.org/wiki/File:Federal-reserve-33-liberty.jpg#metadata">Wikipedia was automatically reading and storing photo metadata</a> from uploaded photographs.<br /><br />Some of the most sensitive data revealed is the DateTime of the exposure, the camera model used, and especially any <strong>embedded GPS location</strong> recorded by the camera at the time of the photograph, if present. Some professional-grade cameras may even include the camera serial number in the EXIF metadata. <strong>The biggest potential privacy threat is that Google and other web organizations will data mine time and location data from EXIF fields of photos published on social networking sites.</strong><br /><br />The shareware-licensed Windows program <a href="http://www.sharewareconnection.com/jpeg-japery.htm">JPEG Japery</a> can strip and modify EXIF information from JPEG files.<br /><br />
<h1>Oligarch's yacht uses laser defenses against passive optical spying</h1>Published 2009-09-25T23:38:00.004+00:00; updated 2009-09-26T00:23:16.423+00:00<br /><br />
Billionaire Russian oligarch Roman Abramovich is known for the measures he takes to protect his privacy.
Like Michael Dell, the interiors of his homes and vehicles aren't photographed.<br /><br /><a href="http://www.timesonline.co.uk/tol/news/world/europe/article6841380.ece">The Times reports that</a> Abramovich's 170-meter yacht <em><a href="http://en.wikipedia.org/wiki/Eclipse_(yacht)">M/Y Eclipse</a></em>, currently undergoing shakedown cruises, has been fitted with a state-of-the-art optics countermeasure system:<br /><br /><blockquote>Infrared lasers detect the electronic light sensors in nearby cameras, known as charge-coupled devices. When the system detects such a device, it fires a focused beam of light at the camera, disrupting its ability to record a digital image.</blockquote><br /><br />Although this report says a digital camera's CCDs are detected, it seems likely that this is instead an active optics detector. An optics detector works by emitting a brief laser pulse and then waiting for any glint from reflected optics. In this case, the system then targets a laser on the hostile lenses, flooding them with light and rendering the viewing optics ineffective.<br /><br />If this system indeed detects optics and not just camera CCDs, then all optics would be flared with laser light, including binoculars, telescopes, and film cameras lacking digital charge-coupled devices.<br /><br /><a href="http://www.wired.com/gadgetlab/2009/09/russian-billionaire-installs-anti-photo-shield-on-giant-yacht/"><em>Wired</em> speculates on the legality of this system under British law</a>:<br /><br /><blockquote>UK photo magazine Amateur Photographer asked a London lawyer about the legalities of destroying photos from afar.
Here’s what he said: "intermeddling with goods belonging to someone else, or altering their condition, is a trespass to goods and will entitle the photographer to claim compensation without having to prove loss."</blockquote><br /><br />Defense against optical surveillance isn't the Russian businessman's only concern: <em>M/Y Eclipse</em> is also fitted with armor plate, bullet-resistant glass and a missile defense system.<br /><br />
<h1>Facebook Privacy Guide</h1>Published 2009-08-21T01:06:00.001+00:00; updated 2009-09-26T00:31:13.355+00:00<br /><br />
Erudite tech site <a href="http://arstechnica.com/web/news/2009/08/meshing-social-networking-and-privacy-on-facebook.ars"><em>Ars Technica</em> has published a short reference to Facebook privacy features</a>:<blockquote>Many users are aware that Facebook has numerous privacy controls, for example, but even the most experienced Facebook users often don't know just how much they can control who sees what. For instance, did you know that you can specify exactly who can see your status updates, down to different groups of friends (not just "friends" versus "everyone")? What about controlling which groups of people can even find you in a Facebook search to begin with?</blockquote><br /><br />
<h1>Data mine online profiles with one keypress</h1>Published 2009-04-21T23:41:00.000+00:00; updated 2009-09-26T02:57:37.287+00:00<br /><br />
<a href="http://lab.madgex.com/identify/">Glenn Jones' <em>Identify</em> Firefox browser plugin</a> uses Google's Social Graph API to correlate identities between social networking and media-sharing sites.
<a href="http://www.readwriteweb.com/archives/identify_google_people_with_two_keystrokes.php">Says ReadWriteWeb</a>:<br /><blockquote>Jones's tool is a Firefox plug-in you can evoke from any web page that has links tagged rel="me". Just click the control key and the "i" key to get a pop-up offering information put together from all around the web about the person the page is associated with. It works on Twitter profile pages, LinkedIn pages, blogs with good markup and other profile pages.<br /><br />The data that gets displayed can be frightening if you've exposed more information about yourself than you'd like on a rel="me" linked page.</blockquote><br />The potential for <a href="http://practicalprivacy.blogspot.com/search/label/data%20mining">data mining</a> personally identifiable information online is made explicit:<br /><blockquote>The tool is clearly very useful as a way to learn more about people whose usernames you come across online.</blockquote><br /><br />
<h1>You may be a Canadian citizen. Then again, you may not...</h1>Published 2009-04-18T02:37:00.002+00:00; updated 2009-09-26T02:39:26.047+00:00<br /><br />
<a href="http://online.wsj.com/article/SB123993183347727843.html">The WSJ reports that an amendment to Canada's Citizenship Act automatically restores nationality</a> to many children of Canadian citizens forced to renounce it or born outside the country, and to <a href="http://www.cic.gc.ca/english/citizenship/rules-citizenship.asp">their children's children</a>:<blockquote>Eligible individuals automatically become Canadian citizens. <strong>But they don't get proof of that citizenship unless they apply for it, meaning other countries -- including those that allow people to be citizens of only one nation -- won't be alerted</strong>, according to the immigration office spokeswoman.
Those people also may renounce their citizenship rights, she said.<br /><br />The citizenship bonanza is the byproduct of a decades-long struggle by a motley group of people who claim they were unfairly denied or lost their Canadian nationality. Canadian families who crossed the border in 1947 to 1977 to have their babies in a U.S. hospital found those children weren't recognized as Canadians unless the families registered them with the government. Some foreign brides of Canadian World War II servicemen lost their citizenship if they stayed out of the country for a decade or more.<br /><br />Then there are the Canadian Mennonites who moved to Mexico in the 1920s to the 1960s. When their children and grandchildren returned to Canada, many found their nationality unclear.<br /><br />Some such cases languished in litigation for years. Others surfaced in 2007, when new U.S. rules requiring passports for travel between Canada and the U.S. uncovered significant numbers of people who thought they were Canadian, but weren't.</blockquote><br /><br />
<h1>Magstripe Bandits</h1>Published 2008-04-05T02:54:00.003+00:00; updated 2008-08-12T00:55:56.294+00:00<br /><br />
<a href="http://thedunningletter.blogspot.com/2008/02/chutzpah-or-arrogance.html">Jack Dunning</a> says the mail-order companies are really in the business of selling your personal information. Their partners in crime are credit agencies, and with the power of a card swipe they tie it all into a neat little package to be sold at a high markup:<br /><br /><h4>She even gives a blueprint of how to pull off the caper. You lift the information from the magnetic strip on the back of the card, which normally includes the card holder’s name and address.
Then, proceed to the third party data service -- which Experian provides -- to append the extra juicy stuff like your age, income, occupation, education, home value, and the list goes on and on. They even know if you gamble, drink, smoke and have your medical ailments and prescriptions taken.</h4> <br /><br />The first rule of personal privacy: use cash. The second rule of personal privacy: <strong><a href="http://practicalprivacy.blogspot.com/2007/06/confessions-of-money-launderer.html">USE CASH</a></strong>.<br /><br />
<h1>Defeat infrared surveillance cameras</h1>Published 2008-03-01T01:01:00.002+00:00; updated 2009-09-26T00:23:50.802+00:00<br /><br />
A <a href="http://www.oberwelt.de/projects/2008/Filo%20art.htm">German arts group is publicizing a technique to defeat surveillance cameras</a> that can see in the infrared range by overwhelming their arrays with infrared light from IR LEDs mounted on a headband or hat.<br /><br /><a href="http://www.boingboing.net/2008/02/20/infrared-leds-make-y.html">According to commenters</a>, this technique would work best against low-light surveillance cameras with particular sensitivity in the infrared range, optimized for low-light situations.<br /><br />Many cameras have sensitivity into the IR but wouldn't be so easily overwhelmed by the brighter infrared LEDs.<br /><br /><a href="http://www.securityinsider.blogspot.com/">Security Insider</a> claims this technique would only work intermittently against cheap CCTV cameras:<br /><blockquote>I can tell you that this may work for a second or two on cameras that have a cut filter (that's the real name for "IR sensitive" cameras), but all that is really going to happen is your face will get illuminated in between the frames that are actually "flared" out by the light.
Also, you're more likely to be noticed doing this due to the motion detection alarms going off due to the large pixel change. You would be much better off with a laser, than an LED. We've been doing these types of tricks for years in the lab to try to trick the cameras. <strong>Anymore, it's not the cameras you need to trick, but the intelligent video algorithms that are going to pick up on the anomaly and register it as an event</strong>. Oh, one more thing. Don't even try to attempt this during the daytime. Like another poster said, the cut filter doesn't activate until a timer either trips it (set on a schedule) or a preset low lux threshold is met. (it gets dark). Even then many cameras these days have dynamic range circuits that will tame the bright spots and highlight the dark spots. Look up some Pelco, Panasonic, or Sony cctv specs for more info.</blockquote><br /><br />
<h1>The black box in your car</h1>Published 2008-02-25T13:30:00.001+00:00; updated 2008-03-02T03:13:59.250+00:00<br /><br />
<a href="http://en.wikipedia.org/wiki/Event_Data_Recorder"><strong>Event Data Recorders</strong></a>, <strong>EDR</strong>s, have been used by car manufacturers on fleet vehicles since the 1970s to collect data about performance of airbags and other safety features in the event of a vehicle impact. Much like an aircraft "black box", current EDRs record vehicle speed, engine RPM, whether the driver's seat belt is latched, and the position of brake and accelerator pedals, as well as information about the status and deployment of the air bag.<br /><br /><a href="http://www.gm.com/corporate/responsibility/safety/event_data_recorders/index.jsp">General Motors started including black boxes</a> on higher-end models, like Cadillacs, in 1994, and was putting them in all passenger car models by 1999.
Some other makes, like Toyota and Ford, have been using them in some cars since 1996, and Ford has included event data recorders in all models since 2000. Approximately <strong>64% of model year 2005 cars have event data recorders</strong>. <br /><br /><a href="http://www.iihs.org/research/qanda/edr.html">IIHS</a> says "General Motors, Ford, Isuzu, Mazda, Mitsubishi, Subaru, and Suzuki voluntarily equip all of their vehicles with EDRs, according to NHTSA's estimates. More than half of Toyotas have the devices, too. Passenger vehicles from BMW, Daewoo, Honda, Hyundai, Kia, Mercedes, Nissan, Porsche, and Volkswagen don't have what NHTSA defines as EDRs, according to the agency's estimates of 2004 and 2005 models."<br /><br />Tools are available to download Ford and GM EDR data, but only Toyota can read Toyota data recorders. One vendor provides an online <a href="http://www.crash-data-retrieval-system.com/pdf/CDRVehicleList.pdf">list of cars with event data recorders</a> accessible by their crash data retrieval tool. NHTSA has mandated manufacturers provide tools to download EDR data within 90 days.<br /><br />The biggest privacy issue is from police or <a href="http://www.johncglennon.com/automobiledatarecorders.cfm">accident investigators, working on behalf of lawyers or insurers</a>, using these tools to download data without consent from one or more vehicles involved in a crash. Police or private investigators could seek the recorded data for other types of cases, though, such as car theft or chop shop busts.
It's not even hard to imagine a high-profile, high-stakes custody case where one parent is looking for evidence that their ex-partner was speeding with the kids in the car.<br /><br /><a href="http://www.ncsl.org/programs/lis/privacy/blackbox06.htm">Recent legislation</a> or court orders could force disclosure of EDR data even if laws give ownership of that data to the vehicle owner or lessee.<br /><br /><h2><a href="http://www.vehicleinfo.com/articles.php?id=22">Insurers Encouraged to Harvest Data</a></h2><blockquote>[T]he Texas-based company offers insurance carriers the ability to retrieve, harvest, and store data concerning the events of a collision and provides analysis and interpretation of the data. [...] "for use in claims adjudication".<br /><br />The initial question which springs to mind is how insurers are obtaining the data in the first place. If the vehicle is repairable and the information is coming from a vehicle intended to be returned to the owner, is the insurer, body shop, or someone associated with Injury Sciences LLC extracting the information? Searching the company's website does not provide the answer, but it suggests that insurers and/or body shops are accessing the information themselves. Otherwise, the company offers "access to a network of service providers" who are equipped to harvest the data.<br /><br />If insurers are mining data without disclosing that activity to the insured or the third party, they may well be engaging in unfair claims practices or violations of privacy rights under individual state law. If insurers use this data against their own insureds, that action could easily be the basis for a bad faith insurance claim and could have broader implications as well.<br /></blockquote><br /><h2>Event Data Recorders and privacy</h2><br /><ul><li>Experts agree that EDRs are extremely impractical to disable, because they are almost always integrated into the car's existing computers.
They are factory installed and are not optional features on the cars that are built with them.<br /><li>Know if any cars you drive regularly have EDRs. Toyota, Ford and GM currently disclose the existence of the recorder in the vehicle owner's manual. NHTSA has ruled that <strong>all manufacturers will have to disclose EDRs included in their cars made after September 1, 2010</strong>.<br /><li>Check auto insurance and car rental contracts for stipulations requiring you to give access to an EDR, or turn over EDR data in the event of an accident, perhaps under general provisions requiring you to cooperate with your insurer.<br /><li><strong>Don't consent to anyone downloading data from the EDR</strong> unless advised to do so by your lawyer. In this event, keep copies of your signed consent form.<br /><li>Assume that even if your car has no EDR, any modern car involved in an accident is likely to have one, and any collision is likely to be recorded by traffic surveillance cameras.<br /><li>EDR data belongs to the car's owner or lessee. Until served with a court order, there is no compulsion to turn EDR data over to any investigators, insurance companies or lawyers.
You might be able to contract to have the EDR data <strong>preemptively erased</strong> before any such court order is issued, if you feel that erasure would protect your rights.<br /></ul><br /><br />
<h1>The Anonymity Experiment</h1>Published 2008-02-16T03:55:00.001+00:00; updated 2008-02-16T04:01:25.399+00:00<br /><br />
A Popular Science writer <a href="http://www.popsci.com/scitech/article/2008-02/anonymity-experiment">spends a week staying anonymous in the digital age</a>: paying cash, dodging surveillance cameras and using disposable cellphones.<br /><br />
<h1>Outfits mine Voter Registration records</h1>Published 2008-01-16T13:06:00.001+00:00; updated 2009-09-26T03:00:07.166+00:00<br /><br />
<a href="http://www.vanityfair.com/politics/features/2007/12/aristotle200712?printable=true&amp;currentPage=all">Vanity Fair reports that database broker Aristotle is amassing, cross-referencing and selling voter registration and political donation information</a>:<br /><br /><h4>“People are getting hassled by marketing firms and hassled by consultants, and much of that information comes from signing petitions or off the voting databases."</h4><br /><br />In most states, voter registration databases are public information, by law. The governments sell this information, along with driver's license data.<br /><br /><h4>"One such [commercial data] supplier is Acxiom, the Arkansas-based behemoth that stores unimaginable quantities of data.
In 2003, a single hacker stole Acxiom records on 20 million people, according to Washington Post reporter Robert O’Harrow’s 2005 book, No Place to Hide."</h4><br /><br />Aristotle's data gatherers might soon be taking photos in public and harvesting data-rich magstripe information from credit cards and identity cards:<br /><br /><h4>"Phillips picks up one of the custom-designed pocket-P.C. scanners that go with the Aristotle 360 system. With them, canvassers working for campaigns will <a href="http://practicalprivacy.blogspot.com/search/label/mass%20surveillance">swipe credit cards and driver’s licenses</a>, take pictures of voters using an embedded micro-camera, and instantaneously feed all of the resulting information into the database."</h4><br /><br /><br />The inescapable conclusions I draw from this are that voting and making political donations are much more likely to result in an individual's inclusion in a database, whether the data mining effort is governmental, political, or for more direct monetary profit. The magnetic-strip scanners are a reminder about how electronic cards can facilitate mass surveillance of a type unintended by their issuers.<br /><br />In situations when Social Security Numbers and Social Insurance Numbers can't be used as database keys or for matching individuals, mailing address and date of birth (DOB) are frequently used. Therefore, remember to keep your full name, DOB and mailing address (hopefully it's not the same as your street address!)
to yourself as much as possible.<br /><br />
<h1>WSJ: Home invasions target wealthy</h1>Published 2007-11-22T03:40:00.001+00:00; updated 2008-03-02T03:19:47.441+00:00<br /><br />
The <a href="http://online.wsj.com/public/article/SB119508694182293480.html">Wall Street Journal reports that the higher-profile rich are being targeted for home invasion robberies</a>:<br /><blockquote><br />One reason for the rise in home invasions is demographic: The numbers of rich people with homes to plunder has risen fast in recent years. But police and security experts say robbers are hitting homes more because their traditional targets -- banks, stores and offices -- have been hardened with closed-circuit video surveillance, alarms and guards. By comparison, security at many private homes remains lax, they say.</blockquote> <br /><blockquote>Increasingly, wealthy and high-profile individuals must step up security at home and be vigilant in their cars to avoid becoming victims, security experts and police say. They may also need to reduce the amount of information they reveal about themselves on the Internet in places like <a href="http://consumerist.com/consumer/privacy/facebook-ruins-christmas-325651.php">Facebook</a>, and in the media. And perhaps most importantly, they should thoroughly investigate the background of anyone who has access to their home, because many robberies are inside jobs.</blockquote><blockquote>Several security and alarm experts say crimes like these can be prevented with a perimeter motion-detection system that sounds whenever someone drives or walks onto a property. Many alarm systems wire only the doors and windows of a home; the problem with that, security experts say, is that by the time someone trips the alarm, it can be too late.
Moreover, any alarm system has to be armed to work, and often, they aren't.</blockquote><br /><blockquote><br />Home-invasion robbers also pick their victims by staking them out in public and following them home.</blockquote><blockquote><br />Police and security experts say that to avoid this type of robbery, people should be alert to whether they are being followed before driving onto their property, and if they are, to call the police or drive to a police station. Houses should be well-lighted with automatic exterior lights. Additionally, security experts advise clients to avoid drawing attention to money and possessions while they're out and about. They also recommend reducing the amount of detailed personal information that can be found on the Web.<br /><br />While at home, it is a mistake to open the door without verifying the identity of a visitor first and to accept unscheduled deliveries. <strong>Security experts say homes should be equipped with a voice-video intercom system with cameras trained on the doors and the grounds, and deliveries should be sent to a post-office box or family office instead of to the residence.</strong></blockquote><br /><br />
<h1>Keep your smartphone in your sight</h1>Published 2007-10-08T19:29:00.000+00:00; updated 2007-10-08T19:37:58.655+00:00<br /><br />
Another reason why your mobile smartphone shouldn't be out of your sight:<br /><br /><a href="http://gizmodo.com/gadgets/cellphones/flexispy-pro-spy-on-that-cell-phone-162999.php">FlexiSPY Pro</a> is tracking software that can be installed on a "smart" mobile phone by anyone who has access to the phone for a few minutes. After installation, it copies the smartphone's SMS text messages, call history and other data to FlexiSPY's server four times a day to be accessed by the party who installed the spyware.
The phone's microphone can even be activated remotely so the smartphone can be used as a passive bug.<br /><br />I haven't tried the product, but <a href="http://www.airscanner.com/downloads/av/av.html">Airscanner for Windows Mobile</a> claims to <a href="http://www.airscanner.com/blog/blog.php">detect threat spyware programs such as Mobile-spy and FlexiSPY</a>.<br /><br />So far, this software can only be installed if someone has physical access to the Windows Mobile (or other type) smartphone. Regular cell phones that can't run third-party programs are not vulnerable to this backdoor software.<br /><br />
<h1>"Dietrich" tracked by medical bills</h1>Published 2007-08-16T18:42:00.000+00:00; updated 2007-08-16T18:56:51.331+00:00<br /><br />
<a href="http://cbs2.com/local/local_story_222121312.html"><blockquote>(CBS) LOS ANGELES A 26-year-old man was in custody Friday after being on the run for more than a year following a high-speed crash in Malibu that left a rare $1 million Ferrari Enzo in pieces.</blockquote></a><br /><br />The driver of the Ferrari, Swedish national Stefan Eriksson, had previously claimed that a mysterious German man named "Dietrich" had been driving when the collision with the utility pole occurred. Eriksson failed two alcohol breath tests at the scene of the crash, and was later <a href="http://www.reghardware.co.uk/2006/04/18/ex-gizmondo_exec_pleas_not_guilty/">charged with embezzlement related to leased car exports and his video game firm Gizmondo</a>.<br /><br />Irish native Kearney, who was a passenger in the Ferrari Enzo during the crash, fled the country after the crash but was smuggled back into the U.S.
a year later from Tijuana, Mexico.<br /><br /><blockquote>Authorities tracked him down this week, thanks to <strong>medical bills</strong> generated after his return to California and sent to a Marina del Rey address, the source said.</blockquote><br /><br />Kearney was charged with perjury and obstructing, both misdemeanor crimes. Why would police track this man via medical bills for two misdemeanors? In order to force him to testify against Eriksson in a media-frenzy drunk driving case, undoubtedly.<br /><br />Medical records are an open book to anyone with a subpoena. All too often medical professionals allow access to records after only an informal request from a detective or investigator. More troubling is the ease with which private investigators and other outside parties seem to get medical records via bribery, pretexting, or court-ordered legal discovery.<br /><br />If Kearney hadn't had his medical bills sent to his address of record -- the address he gave to police investigators at the crash site -- he might not be under indictment for two misdemeanors today.<br /><br />Remember, also, that lying to police is usually a misdemeanor and <a href="http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001001----000-.html">lying to federal agents is a felony</a>. Just ask Martha Stewart.<br /><br />Read the <a href="http://library.findlaw.com/2004/May/11/147945.html">Findlaw article "How to Avoid Going to Jail under 18 U.S.C. 
Section 1001 for Lying to Government Agents"</a> for more information on lies within federal jurisdiction and how to decline a federal interview by invoking counsel.<br /><br />
<h1>Revenge website targets credit score</h1>Published 2007-08-15T22:06:00.000+00:00; updated 2007-08-15T22:19:23.443+00:00<br /><br />
Foxnews.com reported yesterday that an <a href="http://www.foxnews.com/story/0,2933,293097,00.html">illegal website offered to ruin the credit score</a> of anyone for a small fee, and even to arrange to have them suspected of bank fraud.<br /><br />Making numerous credit applications with the victim's <a href="http://practicalprivacy.blogspot.com/search/label/identity%20theft">SSN and DOB</a> and invented addresses and names will cause the person's credit to be put on hold, claims the website. <br /><br />The UK-centric web-based service also offered to create false bank documents, identity cards, automobile registry papers, paychecks and tax forms.<br /><br />Such fraudulent services are doubtless short-lived when discovered by the public and law enforcement agencies, but this report is illustrative of the types of financial and bureaucratic vulnerability most people have in modern society.
You can imagine the potential ramifications in your life if your credit cards, credit line and bank account were suspended, even if only temporarily, and the trouble and costs to have the situation resolved.<br /><br />Let this threat serve as another reminder to shred documents, jealously guard your financial privacy and personal information, <a href="http://practicalprivacy.blogspot.com/2007/04/fake-credit-report-sites.html">check your credit report</a>, and avoid situations that could compromise personal data.<br /><br />
<h1>Irish Grandparent? Irish Passport</h1>Published 2007-08-08T22:21:00.000+00:00; updated 2007-08-08T23:29:13.643+00:00<br /><br />
Many people who can <a href="http://hubpages.com/hub/Citizen_of_Both_Ireland_and_America">document that one of their grandparents was an Irish citizen</a> can <a href="http://www.irelandemb.org/fbr.html">apply for Irish citizenship via entry in the Register of Foreign Births</a>, and then apply for an Irish passport. Children of those foreign-born Irish citizens with Irish grandparents are eligible too, as long as the child was born after the parent's citizenship was recorded by an Irish Consulate. <br /><br /><BLOCKQUOTE>Before applying, I investigated and verified that Ireland had no military draft law and did not tax citizens living abroad, thereby making it safe to proceed. What were the advantages beyond maintaining a link to our ancestral homeland being a conversation piece? The idea of having an EU passport that allowed me to travel and work in the, now 27, nations of the EU without having to hassle with visas and work permits that are usually required to travel, live or work in a foreign nation was appealing.
Also, being familiar with the bloody history of the 20th century as well as having worked in both aviation and IT, two areas where backup systems are standard operating procedure, I felt that a costless backup citizenship might make sense for my descendants. The biggest reason was probably the potential advantages it would offer to my children and me in the global economy which, even then was the apparent trend for the future.</BLOCKQUOTE><br /><br />U.S. citizens can become dual citizens as long as the alternate citizenship is granted after their U.S. citizenship, as the U.S. citizenship process requires an applicant to renounce all other citizenships. Ireland, by contrast, does not require an applicant to renounce other citizenships.<br /><br />
Check your assets every year<br />
Published 2007-07-30T14:12:00.000+00:00; updated 2007-10-08T19:07:53.494+00:00<br /><br />
The San Francisco Chronicle on <a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/07/02/LOSTPROPERTY.TMP">"unclaimed assets" seized under California state law, unbeknownst to their owners</a>:<br /><br /><blockquote>Years ago, Carla Ruff stored her grandmother's jewelry and a file of personal documents in a safe-deposit box at her bank in San Francisco's Noe Valley, thinking they would always be there when she wanted them.<br /><br />Not so. Without giving her notice or acting on evidence that she'd forgotten about her cache, the bank's staff, under the auspice of the state, determined the contents of her box to be unclaimed property.<br /><br />In July 1997, bank records show, the pearl necklace and diamond-encrusted pin, real estate and insurance documents as well as her birth certificate were all removed. The paperwork was shredded and thrown away. 
Her jewelry was auctioned off on eBay -- for a fraction of its $80,000 value.<br /><br />Ruff said she didn't know what had happened until January 2006, when an illness in the family sent her to the Bank of America branch looking for the deed to her house. Weeks later, the bank manager told Ruff that her property had been seized by the state under a law that requires the government to take control of lost or abandoned assets.</blockquote><br />Elaborate privacy arrangements can discourage us from checking up on our assets as frequently as we should. Sometimes it's difficult to verify financial arrangements while maintaining strict privacy procedures such as <a href="http://practicalprivacy.blogspot.com/search/label/mailing%20address">mail drops</a>, or depositing cash into accounts in person in lieu of automated transfers (to avoid creating a <a href="http://practicalprivacy.blogspot.com/search/label/paper%20trail">paper trail</a> linking the accounts together through the transaction).<br /><br />Nonetheless, it behooves anyone with assets held by an outside institution or with agreements with business associates to check their status occasionally. It's something we should plan for when setting up privacy arrangements:<br /><ul><br /><li><a href="http://www.usps.com/receive/businesssolutions/poboxfees.htm">U.S. 
Post Office box fees</a> can usually only be paid a year in advance -- a renewal notice should come 30 days before payment is due.<br /><li>Safe deposit boxes should be visited at least yearly.<br /><li>Financial accounts should be checked monthly for evidence of unauthorized access or <a href="http://practicalprivacy.blogspot.com/search/label/identity%20theft">identity theft</a>.<br /><li>Many types of insurance contracts must be renewed yearly.<br /><li>LLC costs may be due after the first three years depending on provider.<br /><li>Trusts and attorneys should be contacted yearly or more frequently.<br /><li>Financial accounts with tax implications must be verified at the required tax intervals.<br /></ul><br /><br />
How Insurance companies price your Car Insurance<br />
Published 2007-06-13T19:28:00.000+00:00; updated 2007-10-08T19:38:49.249+00:00<br /><br />
Insurance can be an adversarial business relationship, unfortunately. In some circumstances, the more your insurer knows about you, the higher the rate they will charge you. This gives them every incentive to ferret out information pertinent to your insurance risks -- or what they believe affects your insurance risks, anyway.<br /><br />A <a href="http://consumerist.com/consumer/cars/10-confessions-of-a-progressive-insurance-rep-262641.php">Consumerist article gives insight into the privacy implications and pricing strategy of auto insurance</a>.<br /><br />Note that insurance companies access the following databases to actuarially determine likelihood of an insurance claim: CLUE report, credit report, and driving history.<br /><br />As with <a href="http://practicalprivacy.blogspot.com/search/label/credit%20report">credit reports</a>, a critical source of information is what <em>you</em> tell the insurance company:<br /><br /><blockquote>Driving histories go back 36 months, except in New York (which is 40 months). 
Your history is composed from three reports; your MVR or Motor Vehicle Report, the state database of your ticketed driving history; your <a href="http://www.privacyrights.org/fs/fs26-CLUE.htm">CLUE report, a collection of previous insurance companies reports</a> stating the numbers of claims you've had, and YOU. If you say you got in an accident, were never cited for it and never claimed it on your insurance, but you still tell us, it'll be put on your record with an approximate date.</blockquote><br /><br /><h2>Credit score and insurance rates</h2><br />It is illustrative to see <a href="http://www.progressive.com/shop/car_insurance_credit.asp">how your credit report affects your <em>insurance score</em>, and thus your insurance rates</a>. By 2001, 92% of insurers were considering credit scores when quoting insurance.<br /><br />Remember that information you give to an insurance company may well end up on your credit report. Along with the usual distinguishing characteristics (name, date of birth, SSN or other national number), insurers will likely report your submitted information to the credit reporting bureau. 
This could happen even if you're just getting an insurance quote, and needs to be taken into account if you're keeping your street address confidential.<br /><br />Complete truthfulness doesn't always pay when it comes to dealing with insurers who will collect every personal detail to accurately assess you with their actuarial tables.<br /><br />
Bermuda to track road vehicles with RFID<br />
Published 2007-06-13T03:26:00.000+00:00; updated 2007-08-08T23:23:31.970+00:00<br /><br />
<a href="http://www.rfidjournal.com/article/view/3321/">RFID Journal reports that the Caribbean nation of Bermuda plans to tag registered cars and trucks with RFID transponders</a> to increase road registration compliance and revenues.<br /><br />The ISO 18000-6B standardized, 915 MHz tags will be embedded in tamper-resistant windscreen stickers, and are made by 3M. The laser readers placed by the side of the road are made by <a href="http://www.transcore.com/">Transcore</a>.<br /><br />Sabotaging the RFID tag is ineffective because the RFID interrogation is combined with an <a href="http://en.wikipedia.org/wiki/ANPR">ANPR</a> system:<br /><br /><blockquote>If a car arrives at an intersection and no interrogation of an RFID tag can be performed, the system will take a picture of the car's license plate. Using optical character recognition software, the system will read the vehicle's plate numbers and input them into a database so a citation can be automatically issued. The same system will be employed to detect commercial vehicles operating in restricted areas during rush hour without permits.</blockquote><br /><br />Bermuda's Transport Control Department expects that all of the island nation's registered cars should be RFID tagged by June 2008. 
Motorcycles will be exempt from the RFID tagging requirement, though authorities may later decide to bring them into the program.<br /><br />The privacy implications of the mandated RFID transponders are profound. It is very feasible for groups unassociated with Bermuda's Transport Control Department to develop the ability to read the RFID tags and track specific automobiles by their electronic ID. In fact, an older version of this technology was used by a United States intelligence agency during the Cold War to track Soviet attaches whenever they crossed one of a handful of Washington, D.C. bridges and passed outside the 20-mile unrestricted transit limit.<br /><br />
Confessions of a Money Launderer<br />
Published 2007-06-12T15:40:00.000+00:00; updated 2007-06-12T23:04:22.205+00:00<br /><br />
Money launderer Kenneth Rijock kept a low profile and <a href="http://www.world-check.com/confessions/2007/05/06/confessions-money-launderer-part-31/">avoided creating a paper trail despite constant financial entanglements</a> for his clients:<br /><br /><blockquote>"I maintained absolutely no bank accounts in the US, operating on a strict cash payment basis to ensure that no records of any business transactions for criminal clients existed. This is much harder than it sounds, for though one might use third-party accounts that don't alert law enforcement investigators, it is more prudent to avoid it altogether. I had no US bank accounts for five years, using an overseas tax haven account to obtain cashier's cheques drawn on a New York correspondent account very sparingly, and only for totally innocent personal transactions."<br /><br />"Own nothing in your own name: rent your home and office, either lease an automobile or place it in the name of a third party. 
In short, make enquiries of your assets more difficult to discover, and information about your operation more difficult to link to you or your clients. If possible, reduce your profile even more by closing out legitimate business, whilst maintaining a fictitious facade that legitimate business is ongoing. Return all telephone calls, but decline new business due to purported schedule overload."<br /></blockquote><br /><br />
Fake Credit Report Sites<br />
Published 2007-04-23T20:17:00.001+00:00; updated 2008-03-01T07:19:23.651+00:00<br /><br />
If you're an American looking to get one of the free credit reports guaranteed by the <a href="http://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act">Fair Credit Reporting Act (FCRA)</a>, the site you want is <a href="AnnualCreditReport.com"><strong>AnnualCreditReport.com</strong></a>. Their phone number is 877-322-8228.<br /><br />Ignore all other sites or offers unless you're looking for high-pressure inducements for pricey add-on services, or even flat-out fraud. 
Do you really want to be giving out your <a href="http://practicalprivacy.blogspot.com/search/label/data%20mining">vital information</a>, like SSN and DOB, to a potential scammer or <a href="http://www.ftc.gov/opa/2005/08/consumerinfo.shtm">some random unscrupulous type</a> who would portray themselves as an official source for data as private as a credit report?<br /><br />For more information about the reputability of credit report websites, read the <a href="http://www.ftc.gov/bcp/conline/pubs/alerts/fakealrt.htm">FTC report on <strong>fake credit report sites</strong></a>.<br /><br />
Keep those grandfathered bank accounts<br />
Published 2007-04-03T21:35:00.000+00:00; updated 2007-06-29T21:51:25.977+00:00<br /><br />
Remember the proposed <a href="http://en.wikipedia.org/wiki/Know_your_customer">"Know Your Customer" (KYC)</a> rules, where the U.S. government was <a href="http://www.wired.com/politics/law/news/1999/03/18821">going to force banks and related financial institutions to develop a profile on each of the institution's customers</a>?<br /><br />But <a href="http://www.privacilla.org/government/kyc.html">Know Your Customer was defeated</a>, right? Not so fast.<br /><br />Know Your Customer rules have been quietly resurrected as two separate programs, with other benign-sounding names. <br /><br />Meet <a href="http://en.wikipedia.org/wiki/Customer_Identification_Program">Customer Identification Program (CIP)</a> and Enhanced Due Diligence (EDD).<br /><br />Customer Identification Program, or CIP, requires that financial institutions (including casinos, pawnbrokers, insurers and money transmitters) positively identify the individual or organization with which they have a formal business relationship. 
The actual CIP procedure will vary by institution, but will be documented.<br /><br />CIP requires the following information on each customer: legal name, date of birth (DOB), street address, and taxpayer identification number. Taxpayer Identification Number, or TIN, is usually a Social Security Number for U.S. citizens, or a Social Identification Number, or SIN, for Canadians. For addresses, P.O. boxes and accommodation addresses are explicitly disallowed for accounts opened after October 1, 2003.<br /><br />Almost all financial institutions require government-issued ID for the <a href="http://www.privacyrights.org/fs/fs31-CIP.htm">CIP process</a>, although many banks are accepting the <a href="http://en.wikipedia.org/wiki/Matricula_Consular">Mexican matricula consular card</a> in an effort to garner the business of Mexican nationals who may not have identification documents issued by U.S. agencies.<br /><br />Enhanced Due Diligence is a program where banks monitor their customers' activity on an ongoing basis for illegal activity or suspicion of illegal activity. Bank compliance officers are looking for evidence of terrorist financing, transactions with blacklisted entities, fraud, check kiting, identity theft, tax evasion and money laundering.<br /><br />Enhanced Due Diligence screening is usually done by <a href="http://practicalprivacy.blogspot.com/search/label/data%20mining">data mining</a> account transaction records, looking for patterns that might be indicative of these crimes. Many firms offer software packages to help automate the data sifting, but similar results can be obtained with basic data analysis tools like a spreadsheet, as long as criteria are previously defined. It's worthwhile to keep grandfathered bank accounts that date from before the Patriot Act. 
These accounts, and accounts at the same institution, <STRONG><EM>are not subject to Customer Identification Program requirements</EM></STRONG>.<br /><br />In other words, if you are a long-time customer of a bank, but that bank doesn't already have a full CIP profile on you, they are not required to collect all of the CIP information for you to open additional accounts or financial products with them. Sometimes bank procedures encourage account representatives to collect the information, but most do not.<br /><br />Be aware that this only applies if you are a <STRONG>grandfathered, existing</STRONG> customer of the bank. If you have previously closed all of your accounts with that institution, you're classified as a new customer for purposes of the Customer Identification Program and will have to supply all of the ID and documentation required of a new customer. Accounts opened after October 1, 2003 cannot be opened with a P.O. box or commercial mailbox, as many people used to do to preserve their privacy. <br /><br />Keeping those grandfathered accounts around, with minimum balances if necessary, can save you from having to provide information that you'd rather not provide to open an account in the future. 
This includes keeping your old accounts open when you move, especially if you are going to open a new account at the local branch of the same institution at your new home or office.<br /><br />Remember, though, to keep old account checkbooks and paperwork in a very secure location with the rest of your <a href="http://practicalprivacy.blogspot.com/search/label/financial%20privacy">financial documents</a>.<br /><br />
Residential WiFi mapping database revealed<br />
Published 2007-03-25T00:29:00.000+00:00; updated 2007-06-14T01:55:19.830+00:00<br /><br />
<a href="http://www.theinternetpatrol.com/enormous-map-of-wifi-servers-including-yours-revealed-by-aol-and-skyhook-announcement">Skyhook Wireless has been scanning American neighborhoods for WiFi access points and putting them into a database</a>. So far they've got 16 million detected wireless access points, covering the majority of the U.S. and Canadian population.<br /><br />Remember again, if computer privacy and security are more important to you than convenience, don't network without wires. 
Information is out of your control once it hits the airwaves.<br /><br />
Comparison of Prepaid Credit Cards<br />
Published 2007-03-12T22:53:00.000+00:00; updated 2007-06-12T22:56:35.926+00:00<br /><br />
Ryan Barrett at snarfed.org has an updated essay on <a href="http://snarfed.org/space/privacy+through+prepaid+credit+cards">protecting your privacy with prepaid credit cards and gift cards</a>.<br /><br />
Prescription Records for Sale<br />
Published 2007-02-21T01:10:00.000+00:00; updated 2007-04-14T05:31:29.380+00:00<br /><br />
In January 2007, the new <A href="http://www.nationalerx.com/">National ePrescribing Patient Safety Initiative (NEPSI)</A> debuted with a <a href="http://www.time.com/time/health/article/0,8599,1578074,00.html">high-profile article in Time magazine</a>.<br /><br />This web-based system is supplied free of charge to physicians, ostensibly to reduce prescription error rates. Revenue to pay for the information system comes from the participating pharmacies and insurers who save time and money.<br /><br />Now there are accusations that this database has been developed to give drug marketers, insurance risk assessors, and employers access to patients' private prescription records.<br /><br />According to a <A href="http://www.governmenthealthit.com/article97686-02-19-07-Print">Government Health IT article</a>, all the prescription records stored in the new NEPSI database are for sale:<br /><BLOCKQUOTE><br />Security makes little difference because every identifiable prescription in the country is data mined and sold daily. Nobody needs to break into pharmacies to steal our prescriptions; they are for sale. 
For example, market intelligence firm IMS Health reported revenues of $1.75 billion in 2005 solely from the sale of prescription records, primarily to drug companies.<br /></BLOCKQUOTE><br /><br />In another article, Dr. Peel says that <A href="http://www.modernhealthcare.com/apps/pbcs.dll/article?AID=/20070119/FREE/301200001/1031/newsletter02">NEPSI sells data to large employers</a>:<br /><BLOCKQUOTE><br />In 2006, the national Blue Cross and Blue Shield Association announced its Blue Health Initiative to aggregate and sell the claims, medical and prescription data of all 79 million enrollees to large employers. This database will include far more detail than e-prescription records, making the sales of Blues data worth far more than the billions in revenue from selling e-prescription records alone.<br /></BLOCKQUOTE><br /><br />But <A HREF="http://tmlr.net/jump/?c=25002&a=296&m=4382&p=1670044&t=164">Allscripts CEO Tullman denies that prescription data will be misused</A>:<br /><BLOCKQUOTE><br />Patients and physicians will have unique access to all the information. It's not our data. We don't claim it's our data. [...] Google will have no access to data we receive as part of the electronic prescribing process.<br /></BLOCKQUOTE><br /><br />What can you do?<br /> <br /><li>Ask your medical care providers if they use the web-based NEPSI electronic prescription system.<br /><li>Consider refusing prescriptions for conditions that you would not want your employers or government to know about. 
Some doctors will give out samples to their patients, and this might be a sufficient quantity to forgo a formal prescription.<br /><li>A cash transaction by itself won't keep you out of the NEPSI database because it contains patient information and the prescription itself, not just billing information like an insurer's database might.<br /><br />
Laptop data searches at border checks<br />
Published 2007-02-09T19:59:00.000+00:00; updated 2007-10-10T23:56:25.033+00:00<br /><br />
U.S. courts have approved <a href="http://privacyspot.com/?q=node/view/789">border agents' search of travelers' laptops</a> without articulable probable cause.<br /><br />Indications are that <a href="http://volokh.com/posts/1156897163.shtml">U.S. and Canadian customs officials are searching laptops for pornography and obscene material</a>.<br /><br />Some travelers report being asked if the laptop they were carrying was a personal or company unit. Presumably, corporate laptops are less likely to be checked for obscene material than personal units are.<br /><br />Authorities also have the ability to <a href="http://arstechnica.com/news.ars/post/20060727-7367.html">conduct forensic computer searches at border crossings</a> and have done so in the past.<br /><br />Data transmitted across national borders via the Internet is more strongly protected than data hand-carried through Customs checkpoints, because wiretaps must comply with the requirements of Title III, 18 U.S.C. §§ 2510-2522, or the Pen/Trap statute, 18 U.S.C. §§ 3121-3127. 
The few advantages of hand-carry are totally lost if one cannot be assured that the data hasn't been copied, or that software or hardware spying mechanisms haven't been implanted within it.<br /><br />Travelers with sensitive or legally privileged data will want to <a href="http://www.politechbot.com/2005/05/03/proofing-your-laptop/">Customs-proof their laptop</a> before crossing a controlled border. <a href="http://www.truecrypt.org/">Strong encryption</a> is the best tool to protect data that must be hand-carried through Customs instead of residing on a remote server. Some organizational IT departments are investigating hardware hard-disk encryption, sometimes combined with hardware biometric readers.<br /><br />It is unclear at this time whether a traveler can be <a href="http://blog.ironkey.com/?p=23">forced to divulge a password</a>. One <a href="http://nestmannblog.sovereignsociety.com/2006/12/more_on_warrant.html">privacy wonk has suggested wearable or concealable USB drives</a> as a measure of protection.