More on the Tax Fraud Epidemic

On Friday you received a message from C&IT and the VP for Administration talking about the epidemic of income tax fraud that has hit the country. This morning it made the front page of the Free Press:

Detroit Free Press article by Susan Tompor on tax fraud

A large number of Wayne State folks were hit (since my name was listed as contact person I was contacted by a number of people, most of whom I know from other directions).

Unfortunately there’s little you can do, other than following the directions on the IRS website. This is apparently now a feature of our modern, ‘connected’ world.

If you were a victim of this scam and would like to help further, you can request a copy of the fraudulent return from the IRS (unfortunately with the name of the bad guy ‘redacted’). Then you can compare the adjusted annual income amount with your W2. If they match, that means somebody got your annual income, so let me know (DO NOT TELL ME THE AMOUNT–JUST WHETHER IT MATCHES–I am the Chief Privacy Officer, after all 🙂 ). This is how you do that.

Meanwhile, welcome to the club (I was hit too, last year).

Taking control of your microphone

Last week I wrote about how some (perhaps) rogue apps use your microphone to listen for subsonic signals coming from your TV or laptop to tell advertisers what you are watching or viewing.

You can stop this from happening by denying those apps permission to use your microphone. Here’s what you do.

On iOS (iPhone or iPad)1 open the Settings app and scroll down to Privacy. Touch that, then you’ll see this:

Microphone Control Panel with marking

Select Microphone and you’ll see a list of apps that use the Microphone. Here’s mine (somewhat edited):

Microphone details

Slide the on-off switch to the right to deny the app access to the microphone. And the next time you install a new app and it asks you whether to allow it access to your mike, think before you click.™


1 This process is generally similar on a Droid, but may vary depending on version of the operating system.

The Debate on Apple Backdoors Continues

Declan McCullagh (well-known IT commentator and software developer) has a take on why software companies are up in arms about the FBI’s request for assistance with breaking into a terrorist’s iPhone.

And, in case you want some sense of how many important contemporary software and hardware companies are frightened by this development, here’s a list of those who have filed Amicus briefs in the case.

A careful reading of the list shows there aren’t many major players who aren’t taking Apple’s side, including many of their rivals. And here’s the inside story on how Apple marshalled their colleagues to join the fray.

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed that they were only interested in this one iPhone, and that the claim that they had no intention of using this case as a precedent was clearly not true. This was because they were already using the same request to get into a number of other iPhones.

Yesterday a Federal judge in the New York Eastern District ruled against the FBI in a similar case. The judge ruled that the Government’s expansive use of the ‘All Writs’ Act (passed in the eighteenth century) did not include the ability to force Apple to write new software to break the ‘nine strikes and you’re out’ feature of older iPhones — the feature that prevents multiple tries at guessing passwords.

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

Apple vs. the FBI

If you’re interested in what this Chief Privacy Officer thinks, my colleague and friend Dan Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, has an excellent blog featuring a cartoon he drew that gets at some of the essence of this issue (click that link if the images below aren’t loading for you):





Here’s a nice discussion in Wired of what’s really involved from a technical, but comprehensible point of view.

The Internet of Things will become a Being

In a couple of recent articles Bruce Schneier, the internationally known security and privacy guru, has started thinking deeply about what has come to be called The Internet of Things.

The Internet of Things is the label that is being given to the fact that more and more devices are directly talking to the internet. Thermostats, smoke detectors, fitness bands, house door locks, burglar alarms–the list goes on and on. Not to mention cars that can be unlocked, and perhaps even started with our smartphones. And I’m not even bringing up autonomous cars, which, while real, are not yet ready for prime time.

What Schneier is interested in is the fact that these objects could all talk to each other, either about themselves, or about us. Simple things like the fact that many internet-enabled house door locks will unlock when we walk up to the door, if we’re carrying our phones. Already my car allows me to unlock it if my key is in my pocket (and, incidentally, won’t allow me to close the trunk if the key is in the trunk). At the moment the key doesn’t talk to the web, but I wouldn’t be surprised if some brands already do. And, as Schneier notes, not only do the ‘things’ in the internet sense the world around them, they also act on it, raising the house temperature, shutting off the house fan if the smoke alarm is triggered (the Nest smoke alarm will do this if there’s a Nest thermostat in the loop). So what do you call something that senses the world and then acts on it in a very generalized way? Schneier calls it a ‘robot’. And, he suggests, its properties, and probably its behavior, are no longer predictable. It’s almost autonomous, and, for those who are interested in the behavior of systems, it’s emergent, meaning its behavior is no longer totally deterministic.

Here are the articles–food for thought in both of them.

Forbes article (can’t be read if you have an ad-blocker, incidentally)

CNN Article on what this ‘robot’ might be capable of.

Privacy and Big Data–Why everybody should care

As I have mentioned here, I am now the university’s Information Privacy Officer. As part of educating the campus on the increasing importance of privacy, especially as it relates to the electronic data about each of us sprinkled around the world, I’ve invited the University of Michigan’s Chief Privacy Officer, Sol Bermann, to give a talk on why privacy is something we all need to worry about. The talk will be Tuesday January 26 at 2 PM in Bernath Auditorium, UGL.

Here’s a formal notice.

Hope to see you there.

Big Data, Privacy and How the Empire Should Have Struck Back

The Second Death Star Under Construction


My colleague Dan Solove has a column on how the Empire would have won, had they made proper use of big data techniques. Here is his opening paragraph:

If the Empire had used big data:

. . . the Empire would have won. A search of records would have revealed where Luke Skywalker was living on Tatooine.  A more efficient collection and aggregation of Jawa records would have located the droids immediately.  Simple data analysis would have revealed that Ben Kenobi was really Obi Wan Kenobi. A search of birth records would have revealed that Princess Leia was Luke’s sister. Had the Empire had anything like the NSA, it would have had all the data it needed, and it could have swept up the droids and everyone else, and that would have been that.

You can read the rest here

On January 26 the Chief Privacy Officer at U of M will be presenting a talk about the tension between privacy and the use of big data.

Bernath Auditorium at 1:30. All welcome.

Some geeky privacy-related legal issues you really do need to know about

In October the European Court of Justice handed down a ruling invalidating the EC’s Safe Harbor Decision, because some governments have access to electronic data that was supposed to be private. Although this seems both esoteric and remote, it will actually affect everyone on the internet.

In 1995 the European Union passed a law protecting data privacy for Europeans’ data. The principles enshrined in the law (the ‘Data Protection Directive’) include these:

    • Notice – Individuals must be informed that their data is being collected and about how it will be used.
    • Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.

(For the rest of the items in the list go here).

In 2000 the European Commission (EC) announced that US companies that declared that they were following the above principles, and registered that declaration, were permitted to receive European data covered by the law (the so-called ‘Safe Harbor scheme’).

In 2015 an Austrian citizen lodged a complaint against Facebook, based on the Snowden revelations that the US government was accessing data supposedly protected by the Safe Harbor scheme, in particular because the US Patriot Act forbade American firms from disclosing whether they had supplied data to US intelligence agencies.

In October the European Court of Justice ruled 1

in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities.

Needless to say, the US government was not pleased. The ultimate significance of this decision remains to be seen, but suffice it to say that it has sent a chill across the collective bodies of major American firms with significant presence in Europe, including Microsoft, Google, and Facebook. It does not actually make transferring data across the Atlantic illegal per se, but almost certainly will entail companies like the preceding posting a warning to their European users that data is no longer safe from snooping by the US Government, a warning that is likely to cast a pall on European operations of American companies. Stay tuned…


1 Warning–this is the text of a full legal ruling, and is not for the faint of heart.

Introducing the Chief Privacy Officer


As perhaps my readers may have heard, I’m assuming a new role at Wayne State—Information Privacy Officer. If you’re an avid reader of my posts you will probably have realized that privacy, particularly internet privacy, has been an interest of mine for several years. As privacy becomes an increasingly important concern around the world, universities are appointing a Chief Privacy Officer (CPO) whose ‘portfolio’ is ensuring that the personal data entrusted to the university is properly protected, and who is an evangelist for the importance of safeguarding our privacy not only at work but in our lives in general.

I will continue to write this blog, occasionally commenting on other, non-privacy-related topics. These will include C&IT initiatives that will impact your work at Wayne and ways in which the new electronic world has affected various aspects of scholarship (such as copyright and open source publishing). However, I will be increasingly focusing my interest on the problem of our identity data and the forces that threaten to steal it or profit from it without our consent.

So what are privacy issues? At a university they include such simple issues as having controls in place covering which employees are able to view social security numbers (there is, just to set your mind at ease, a ‘mask’ in the relevant field in Banner for everyone other than those who actually need to see SSNs in order to do their jobs), but also making sure that the websites that accept credit cards have the correct legally-required controls on what machines they run on and how they are connected to the bank (a set of rules known as PCI-DSS, in case you’re interested).

But it also includes ways of keeping us safe as individuals, such as giving guidance on privacy settings on Facebook and other social networking sites, as well as reminding folks not to tweet that they’re on a riverboat on the Zambezi, especially if there’s no one staying in their house.

And it also means keeping track of national privacy issues (such as whether our federal government is, or ought to be, vacuuming up all our phone call records, and what happens to EZ-Pass records) and even international ones, such as the fact that the European Court of Justice has told European countries they may not store European citizens’ data in American-owned websites because of the Snowden revelations. Here’s a recent story about how this has impacted Facebook.

I will be blogging about several of these issues over the coming months. In addition, look for a couple of campus-wide events highlighting some of these issues in the coming months. One, on protecting privacy while doing ‘big data’ research on student performance at universities, is tentatively scheduled for January 26.