Monday, September 01, 2014

Data Privacy Issues; It's Time to Start Protecting Your Kids

I am absolutely amazed that people believe (a) there's nothing that can be done about privacy and (b) it's all for the good so why worry.

We're adults and that's okay.  But kids?  How do they defend their privacy?  Right.  That's our job.

I want to say in advance, people can take any kind of photo they want on their phone.  (But you might want to warn teenagers of the devastating outcomes if they do this. And trusting a friend/boyfriend/girlfriend is playing with fire in the teen years.)

But understand, there are smart people who want data - of any kind - to use for their own purposes.  You are not wrong for taking a photo; you are wrong to believe there is security in any kind of device on which you have apps or data that upload to any data cloud.

Here's the story of multiple celebs and their nude photos - taken on iPhones - and hacked out of the Apple "cloud."

Experts are looking at whether a flaw in Apple’s iPhone operating system allowed a hacker to swipe naked pictures of dozens of stars — including Oscar-winner Jennifer Lawrence and model Kate Upton — and publish them on the Internet.

The glitch could be linked to the Find My iPhone app, according to The Next Web, which reported that the program had allowed hackers to attempt to log in repeatedly instead of getting locked out after several wrong tries.

That flaw would allow a hacker’s computer to guess millions of passwords in hopes of getting a match. The correct password then could be used to access the user’s iCloud account — and a trove of personal information.
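
The missing lockout described in the excerpt above, as an added example (not from the original post or the news report): a per-account failed-login throttle, plus a simulation of an automated guesser running with and without it. The class and function names, the 5-failure / 15-minute policy and the account name are assumptions chosen for illustration.

```python
import time

class LoginThrottle:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, max_failures=5, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_s = lockout_s
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, locked_until)

    def attempt(self, account, verify):
        """verify is a zero-argument callable that checks the password.
        Returns 'locked', 'ok' or 'denied'."""
        now = self.clock()
        failures, locked_until = self._state.get(account, (0, 0))
        if now < locked_until:
            return "locked"                      # password is not even checked
        if verify():
            self._state.pop(account, None)       # success clears the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            self._state[account] = (0, now + self.lockout_s)
        else:
            self._state[account] = (failures, 0)
        return "denied"

class FakeClock:
    """Constructed test clock so the simulation runs instantly."""
    def __init__(self):
        self.now = 0
    def __call__(self):
        return self.now

def evaluated_guesses(max_failures, seconds=3600):
    """One wrong guess per second against one account for `seconds`.
    Returns how many guesses actually reached password verification."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=max_failures, clock=clock)
    reached = 0
    for t in range(seconds):
        clock.now = t
        if throttle.attempt("kid@example.com", lambda: False) != "locked":
            reached += 1
    return reached

if __name__ == "__main__":
    print("no lockout:  ", evaluated_guesses(float("inf")))
    print("lock after 5:", evaluated_guesses(5))
```

A per-account lockout also lets anyone lock the real owner out by guessing wrong on purpose, so it is normally paired with per-source rate limits and a second login factor.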

ProPublica has a great story on how the State of Arizona hired a Chinese national to work in the law enforcement database and then he left after five months.  And the State of Arizona didn't tell anyone.  For five+ years. 

For five months in 2007, the Chinese national and computer programmer opened his laptop and enjoyed access to a wide range of sensitive information, including the Arizona driver’s license database, other law enforcement databases, and potentially a roster of intelligence analysts and investigators.

Officials at the intelligence center discussed the wisdom of hiring a Chinese national for such sensitive work, according to Beasley, the counterterrorism director for the state’s public safety department. Beasley said he opposed it without success.

“Was there a concern? Absolutely,” Beasley said, “because China is not our friend.”

However, no one stood in Fan’s way when he packed his equipment one day in early June 2007, then returned home to Beijing.

More on the Arizona story:

The worry?

No one has explained why Arizona law enforcement officials gave a Chinese national access to such protected information. Nor has anyone said whether Fan copied any of the potentially sensitive materials he had access to.

But the people responsible for hiring Fan say one thing is clear: The privacy of as many as 5 million Arizona residents and other citizens has been exposed. Fan, they said, was authorized to use the state’s driver’s license database as part of his work on a facial recognition technology. He often took that material home, and they fear he took it back to China.

Under Arizona law, then-Gov. Janet Napolitano and Maricopa County Sheriff Joe Arpaio, whose agencies admitted Fan into the intelligence center, were required to disclose to the public any “unauthorized acquisition and access to unencrypted or unredacted computerized data” that includes names and other personal information.

The state was supposed to have scrubbed drivers' names and addresses from the license data. State officials denied requests to discuss the extent of the data breach, including what personal information was in the files.

In fact, a review of records shows that David Hendershott, who was second-in-command at the sheriff’s office, moved aggressively to maintain silence, a silence that has now lasted some seven years. Two weeks after Fan departed, Hendershott directed others in writing not to discuss Fan and the possible breach. In an email to the outside contractor that had hired Fan, Hendershott wrote: “Keep this between us and only us.”

The worry?

Paul Haney, a former special agent with Immigration and Customs Enforcement who was based at the Phoenix center, said discussion of the possible breach was kept to whispers. That reticence came as much from humiliation as security concerns.

“The whole thing was very embarrassing, what he had access to,” Haney said. “I’m embarrassed for everyone left with their asses hanging out.”

One email exchange shows that Hendershott contemplated reaching Fan in China and paying him to stay quiet.

“Make sure that he knows that I just want your stuff and no trouble,” Hendershott wrote to Greschner, the Hummingbird executive who had hired Fan. “Just want him to go away. Can he and his wife keep their mouth shut?”

Oh, THAT's what they are worried about?  Their reputations and their jobs?


seattle citizen said...

Well, it's only ARIZONA....;)

Patrick said...

But what can we do? The (unprintable) Secretary of Education says school districts can give away as much student data as they want to anybody who claims to be education related -- pollsters, newspapers, Bill Gates. Should we lean on Congress to pass legislation to ban that? (Our Congress wouldn't even pass legislation that the sun will rise in the east if it might be a victory for the Obama administration!) Lean on the Seattle School Board or Washington State to pass rules or laws tightening it up?

Anonymous said...

One thing we can do is to educate our kids. My former middle schooler, for example, was apparently told to complete an online assessment to help determine interests and future college options (or something like that). They were supposed to sign up with their personal email accounts, then they spent a whole class period working on them. My kid tried to decline, but the teacher said it had to be done. So my kid sat at the screen for an hour and faked it instead. One unnecessary data tracking service successfully avoided!

For my current middle schooler, I'm updating our guidance to never give out your personal email address or info to someone you don't know and trust. If a teacher or school rep asks you to do so, say you first need a copy of the relevant privacy policy for your parents to review, because you're not allowed to give that info out without parental consent. Asking teachers to provide this info may get them to think about the risks they're asking kids to take, and whether it's worth it.


mirmac1 said...

and who is funding this BS effort....? 1 guess.

Melissa Westbrook said...

Reprinting for Anonymous:

The district job website has a posting for a "Partnership Data and Systems Manager" whose job will be to "facilitate improving partnerships between schools and CBOs (community based organizations) by leading the development and refinement of technology solutions that support data informed decision making through data collection, data sharing, and data use.