Privacy in the Twenty-First Century

Privacy policy wordcloud

For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.

In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?

Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.

Thursday, Jan. 26 is National Data Privacy Day and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).

The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:

http://events.educause.edu/educause-live/webinars/2017/big-data-whats-the-big-deal

Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.

The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.


Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator

What does the Yahoo Breach mean? Fix your password now!

You may have heard that Yahoo suffered a security breach which they revealed last week, although it’s not exactly clear when it happened, or even when they became aware of it. You probably don’t think this matters to you, but you might be surprised. There are some things you should do immediately, and some things you should do in the next few days.

First the facts: According to Reuters, at least 500 million (yes, half a billion) accounts were hacked. That means that user names, email addresses, telephone numbers, birth dates, and encrypted passwords were all stolen. Unencrypted passwords and payment data (bank account information) were not taken. According to Bruce Schneier, this is the largest breach in history.

Yahoo is claiming that the breach happened in 2014, and that they became aware of it recently, although some have questioned that claim.

So what does this have to do with you? First, if you know you have a Yahoo account, change the password now. Although they claim it happened two years ago, unless you’re sure you’ve changed the password since then, change it now.

Second, many other things are linked to Yahoo. For example, if you have a Uverse account, and use the email address associated with it, that’s the same set of credentials. The same for Flickr. Also, change the security questions (and especially the answers).[1]

Finally, if you used the same password for any other account, particularly your Wayne State email/Academica/AccessID account, CHANGE THE PASSWORD NOW!!! Especially if you have the same access ID (i.e. as I do, geoffnathan@yahoo.com)[2]

This is a good reason, unfortunately, for the annoying requirement for frequent password changes—people reuse passwords. On the other hand, if you use a password manager (like LastPass or Dashlane or Keepass) you don’t need to worry about it. You can read a discussion of the various password managers here

Finally, check back here later in the week to hear about a new security measure C&IT will be implementing that will change the way you get to things like your pay stub, your time sheet and your direct-deposit information in Academica.


[1]    This is a good time to reiterate that you should not use standard answers to security questions. So if it asks you your mother’s maiden name, LIE. Nobody cares, and that answer can’t be Googled, and isn’t on Facebook. Just make sure you record your answer somewhere where you can find it.

[2]    And, before you can get smart with me, as I am writing this I have already changed it.

Booking International Travel is About to Change

Getting to TravelWayne is going to get a little more complicated if you are planning international travel. Here’s why.

For a number of years the US Department of State, the Department of Commerce and the U.S. Treasury Department have had restrictions on what things can be exported to other countries. These restrictions come from the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR) and the Office of Foreign Assets Control (OFAC). However, ‘export’ doesn’t mean what you think it means. The US government defines ‘export’ as moving objects or data out of the country. That includes objects such as laptops that contain data. There are certain kinds of data that cannot be taken to certain countries. Probably most data you would put on a laptop (or tablet, or thumb drive, etc.) would not be restricted. But there is a large list of kinds of data that could get you, and Wayne State, into big trouble if the Feds find out you have taken them to China, or Iran, or even France, in some cases.

Just as an example of how faculty members can get into trouble, you can read the University of Hawai`i’s website on the topic.

Further complicating things is the fact that some countries forbid encrypted data from being imported into those countries. Here is a map showing which countries restrict the import of encrypted data.

So, to protect everyone involved (travelers and their ‘supervisors’–chairs and such, as well as the Office of Research), there is a new university policy on international travel that is going into effect in a couple of weeks, once the mechanisms are in place.

How will the policy affect the average traveler? If you are traveling within the US, it will have no effect. But if you are travelling internationally, you will see a new button in Academica saying ‘International Travel’. When you click that, you will be taken to a questionnaire that asks what you will be bringing with you. If one of your answers triggers a potential international travel issue, the system will generate an email to the Export Control office at Wayne. You will be urged to contact them so that they can make sure you are not violating export control laws. After you do so, they will send you an email giving you clearance to travel.

For a preview of the questions, just go to ft.wayne.edu. At the moment it’s set up as a test version, so no emails are generated, and it doesn’t record who has visited.

The way the system will work is that when you begin the process of making travel plans (within TravelWayne) for each trip, you will have to go through the questionnaire. Thereafter, for each trip you can go directly to TravelWayne (say, to tweak your hotel reservation or whatever).

The kicker, once the policy goes into effect, is that you will not be reimbursed for your trip if you haven’t received clearance from the Export Control office, so it is definitely in your interest to get that clearance.

Associated with this policy are two helpful FAQs that make suggestions about safe ways to travel internationally, one on legal questions, the other on technical issues. These include always using the VPN when connecting to Wayne State resources (such as your email, or files stored on Wayne State sites). Note that you cannot even reach Facebook or Google from certain countries (including China) unless you use the VPN, by decision of the host country. Wayne State has nothing to do with these restrictions, of course.


The IRS is coming and they want to help–really!

As I mentioned in an earlier post and also here, a number of Wayne State employees were hit by an IRS hack that stole their identities and attempted to claim refunds. Wayne State C&IT and Internal Audit have investigated these hacks and have found no evidence that the source of the leaks was located at Wayne State, but nonetheless the IRS has volunteered to send an agent to campus to talk about how to avoid this kind of attack in the future.

We have contacted all the victims that we know of, but have also decided to open the IRS agent’s talk to the campus at large. Here are the details:

Tuesday, July 12, 10:00 AM

Partrich Auditorium (located in the Law School).

No need to RSVP—just come.

If you have any questions, you can contact the Office of Internal Audit at (313) 577-2128 or Carolyn Hafner at ab0414@wayne.edu.

The latest on the Apple-FBI Battle

Last week I noted that the FBI claimed that they were only interested in this one iPhone, and that the claim that they had no intention of using this case as a precedent was clearly not true. This was because they were already using the same request to get into a number of other iPhones.

Yesterday a Federal judge in the New York Eastern District ruled against the FBI in a similar case. The judge ruled that the Government’s expansive use of the ‘All Writs’ Act (passed in the eighteenth century) did not include the ability to force Apple to write new software to break the ‘nine strikes and you’re out’ feature of older iPhones — the feature that prevents multiple tries at guessing passwords.

It’s almost certain that this case will eventually end up before the Supreme Court, as it places the reliable security of our mobile devices in conflict with the government’s desire to search them. The FBI claims that they will be really, really careful with these tools, but the mere fact that they exist means that they will leak. Here’s a somewhat radical comment on that likelihood.

Go here for a comprehensive guide to all the issues.

Tim Cook and the FBI will testify before Congress this afternoon.

Amazon and Bestbuy are following me, and it’s creeping me out

Yesterday I needed to find a price for a box of inkjet printer cartridges I have but no longer need (the printer broke and I bought a new one that uses different cartridges). I was trying to sell them.

This morning I visited my favorite political blog site, Reason Magazine’s Hit and Run, and guess what showed up on the right-hand side of the page–ads for Canon printers and HP inkjet cartridges. How did Hit and Run know?

Of course, they didn’t. But Amazon and Best Buy purchase ad space on lots of web pages, and my IP address is stored in various cookies, so totally unrelated sites know who I am and their ads target me. And what’s worse, one of those searches was on my iPhone, but the ad showed up on my office desktop.

So remember–if you’re searching for something sensitive, use an anonymized browser page (on Firefox select ‘New Private Window’, ‘New incognito window’ in Chrome, or in Safari a ‘Private Window’–these choices are usually available under the File menu, or at the three horizontal lines icon at the top left). Otherwise you may find ads for pregnancy tests or online tests for symptoms of schizophrenia showing up in your USA Today.

Bruce Schneier, my favorite IT security and privacy guru has a great column about how our mobile devices are now talking to our laptops and desktops and vice versa–long but worth a read:

Bruce Schneier on the Internet of Things

If this bothers you, or you are just interested in learning more about the relationship between privacy and Big Data, come hear Sol Bermann on January 26.


Nude photos online–the latest privacy outrage? Or not so much…

By now everyone knows that a number of (primarily young, almost exclusively female) Hollywood stars had compromising pictures of themselves posted to a public Internet site, provoking much social commentary.

The reason for this post is not the fact that it happened–it happens frequently, and sometimes goes under the heading of ‘revenge porn’. What is more interesting, from my point of view, is the nature of the reactions.

I was discussing this story with some of my younger colleagues at C&IT the other day, and found their response simultaneously startling and familiar. Their answer was ‘Who cares?!! Privacy is dead, get over it.’

What was startling was that I have friends who actually feel that way. What was familiar was the meme ‘privacy is dead’. It was first said in that form by Scott McNealy in 1999. For those who aren’t familiar with McNealy, he was the founder of Sun Microsystems, an early major computer hardware and software company (responsible, among other things, for Java, MySQL and NFS).

Discussion of the leaked nude photos has varied widely. The initial response was outrage, particularly from some of the celebrities themselves (although some have also claimed that the photos were fake, for which there is some forensic evidence). On the other hand, much of the early response consisted of statements that could be paraphrased as ‘if you don’t want nude pictures circulating on the internet, don’t take them.’

Interestingly, subsequent commentary has had two directions. One is to suggest that blaming the stars for having nude pictures floating around is like blaming women for being raped because they wore [fill in your favorite meme] clothing.

On the other hand, a number of commentators have suggested the fault lies in the poor security structure of iCloud, or perhaps of the iPhone (apparently a hack of the Find My iPhone may have permitted the Apple cloud storage system to be breached, although that vulnerability has since been patched).

Other commentators (including my buddy Nick Gillespie) have suggested that this is something for which the cure would be worse than the disease.

Finally, danah boyd, a radical feminist blogger who works for Microsoft (yes, you read that right) wrote very thoughtfully several years ago about the morality of ‘outing’ people on the Internet, an activity somewhat related to this.

I have no words of wisdom to provide here–I’m an onlooker watching how the world is changing around me. Thoughts?

How to prevent your heart from bleeding

By now probably everyone has heard about the Heartbleed problem, but just in case you haven’t, here’s a quick summary. One of the programs[1] that websites use to communicate securely with customers, called OpenSSL, turns out to have a vulnerability that would let bad guys snoop on traffic to and from those websites even though the data exchanged between them is supposed to be encrypted (as indicated by the icon of a closed padlock in the address bar, and https in the address itself).

The accidentally unlocked ‘door’ has been around for a while, and so there is a chance that your communications with Gmail, Facebook, tumblr and others have been snooped on. There is even a chance that your password has been swiped, and, of course, if you use the same password in various sites, any stolen password will work on all those sites.

What can you do? First of all, all your Wayne State data is safe–the WSU systems were not running OpenSSL. The Wayne VPN is vulnerable, but the VPN itself was protected from external attacks in another way, so there is no risk there. But, of course, you have passwords on many other sites, and for some of those you should probably consider some password ‘maintenance’. Specifically, you should probably change those once a month for a while. I’ve already changed my Gmail and Dropbox passwords, and am working on several others.

The real takeaway from this event is that you should not reuse passwords from site to site. Of course, that’s easier to say than to do–most of us have dozens, if not hundreds, of passwords, so some kind of password management tool is becoming more and more necessary. I, myself, use Lastpass, which stores my passwords online (of course I use a unique, complex but memorable password for that). It not only stores all my passwords, it even suggests complex non-memorable passwords. Since it will automatically fill them in for me I don’t need to remember them. If you don’t like having it fill things in automatically you can invoke it (there’s a plug-in for every popular web browser), display the password and copy it into the relevant website as you log in.

Note that I have no connection with Lastpass, and there are other worthy competitors such as Keepass and Roboform. You can read a review of them here

Lastpass has an interactive form you can use to see whether your favorite websites have been protected. You can find that here.

If you are interested in the technical details on how Heartbleed works you can watch this video, which lasts about 8 minutes. It’s not horribly abstruse–if you kinda know how websites communicate with your computer you can follow it.

Mashable has a good summary of which websites you need to worry about.

One final thought. NEVER send your password to anyone for any reason through email. And, in fact, if an email tells you to change your password, if you think it actually is authentic, don’t follow a link in the email to change it. Instead, use a bookmark, or type in the web address yourself, so that you know you are changing the password in the right place, and not in a rogue server in Tuvalu.

———-

[1] I know that calling it a ‘program’ oversimplifies things, but this characterization will suffice for our purposes.