Saturday, September 26, 2009

Bank invents silver bullet to delete personal records from Google's evil grasp

Serendipity. There is no other word to describe Rocky Mountain Bank's latest discovery. But before explaining this modern miracle, let me ask you if you are worried about Google's pervasive presence and how much they know about you?

Are you worried about Google Street View knowing where you live? Are you worried about Google combing through your Gmail account and sending you ads? Are you worried about the Biggest Brother (TM) technology patented by Google that lets them track every search you perform on

Then fear not! Rocky Mountain Bank (RMB) just struck a blow for freedom-loving people everywhere. And the sheer simplicity of it is pure genius. Of course, they were aided by an idiot judge, but every discovery has one such sidekick.

Let's go to the report:
On Aug. 12, the bank mistakenly sent names, addresses, social security numbers and loan information of more than 1,300 customers to a Gmail address. When the bank realized the problem, it sent a message to that same address asking the recipient to contact the bank and destroy the file without opening it. No one responded, so the bank contacted Google to ask for information about the account holder.

In keeping with its privacy policy, Google told the bank it would have to get a court order to obtain such data. The bank then filed papers asking a court to order Google to disclose the information and deactivate the account.

The bank attempted to file its papers under seal, but U.S. District Court Judge Ronald Whyte denied that request. Earlier this week, the case was transferred to Ware from Whyte.

Some lawyers say Ware's order is problematic because it affects the Gmail account holder's First Amendment rights to communicate online, as well as his or her privacy rights.

"It's outrageous that the bank asked for this, and it's outrageous that the court granted it," says John Morris, general counsel at the Center for Democracy & Technology. "What right does the bank have and go suspend the email account of a completely innocent person?"

He adds: "At the end of the day, the bank obviously screwed up. But it should not be bringing a lawsuit against two completely innocent parties and disrupting one of the innocent party's email contact to the world."

Oh no, Mr. Morris--you could not be more wrong. Don't you see RMB actually found the silver bullet to slay the behemoth that is Google? One by one, they will send emails to Gmail users. Then they will file lawsuits to shut down those accounts. Google will be forced to disclose the name of the account holder. Given the lack of privacy, very soon, people will stop using Gmail. Google's resources will be spent on lawyers. And Rocky Mountain Bank would emerge victorious, having finally crushed Google.


Saturday, September 19, 2009

Swayze-baited Malware

Google searchers for news on Patrick Swayze's funeral may come across links that are loaded with malware.

Watch where you are going and what you are clicking on. More from SecurityFocus/F-Secure.

Friday, September 18, 2009

Fool me once...

Hmm... looks like this is not the first brush with a data breach at Akron Children's Hospital. In our last post we wrote about how misdirected spyware was installed on a computer there, and subsequently leaked financial and medical information.

In 2006, an intruder broke into their network and compromised a database. Here is what the FAQ says:
Akron Children's Hospital recently identified that during an expansion of its computer systems, there were unauthorized entries (breaches) into two separate computer databases. The first database contained personal information of our patients, and of the parents or guardians who provide their health insurance. This personal information included names, addresses, social security numbers and patient birth dates. We have found no evidence that any medical or financial patient information was exposed.

The second breach involved a server containing information about individuals who have made donations to the hospital. This breach may have exposed personal financial information, specifically some unencrypted bank account and routing numbers. Social security numbers were not included in this database, and credit card information was protected through the highest level of encryption.
There is a report from the local NBC affiliate that says pretty much the same thing, but adds that the intruders came in via a number of intermediate hops.

Typically, it takes a security breach to wake up a company--it is their "come to Jesus" moment. If after that 2006 breach they did not include simple things like educating employees to not open attachments and blocking outside email access, they were not doing a very good job.

Spyware causes HIPAA violation at Ohio Hospital

Man emails spyware to ex-girlfriend's Yahoo account. What could go wrong?

The woman happens to work at a hospital. She opened it on a work computer, and the spyware happily emailed out billing and healthcare information for 65 patients. As other people used that computer, it also emailed out their email and financial information (presumably they looked at their online accounts from there).

CIO Magazine reports:
He allegedly sent the spyware to the woman's Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital's pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

The complaint does not explain how Graham managed to convince the woman to install the program, but clever attackers often trick their victims into clicking on files by saying that they are interesting videos or some kind of useful software.

Between March 19 and March 28 the spyware sent more than 1,000 screen captures to Graham via e-mail.
The hospital is also to blame. It is unclear if they provided any training to employees about not opening attachments from emails, but it is absolutely clear that they were not blocking third-party email access from work.

The article is also unclear about whether the girlfriend is still employed there or not.

Wednesday, September 16, 2009

In Oregon, a manual on Public Records is NOT Public

We just wrote about how some Boston City Hall employees were deleting emails so they would not be subject to Public Record Laws. But in Oregon, Public Record laws are taking an interesting turn.

The state attorney general publishes a manual for dealing with public record requests, and sells it for $25. He (not personally, his office) also claims copyright over this (public) manual.

Oh, the irony.

But let's look at the mundane issue first. He claims the $25 is the cost of publishing the hard-copy version of the manual. Yeah? Hasn't he heard of PDF files, and "click here to download"? I know Oregon has lots of trees, but shouldn't he at least pretend to care?

Next: if he cannot claim an exemption from the public records law, then he is required to provide this to, hey presto, THE PUBLIC. How can he (or his office) claim copyright to something created with public funds?

So a professor at the University of Oregon has challenged him by posting a scanned copy of the manual on his blog.

Every 2 years the Oregon DOJ publishes the "Oregon Attorney General's Public Records and Meetings Manual", a very useful guide to public records law. It's essential reading for people trying to use their right to get public records from Oregon government agencies. The DOJ has been trying to keep me from redistributing this manual, on the grounds that they own the copyright to it. Trying to use copyright law to keep the public from getting information about how to get public records strikes me as wrong, so I've posted the manual online at my official UO faculty website. As the email below explains, I am posting this despite the fact that the AG's office has explicitly warned me not to redistribute this manual. Here are the links. (now fixed)

Any bets on when the attorney general will blink? I am predicting around 4:55 PM local time in Oregon on Friday, 18th September 2009.

Sunday, September 13, 2009

Records retention in local government, and Boston City Hall

I have a city hall as my client. Last month I was teaching an awareness class there, and when I mentioned that they should not have any expectation of privacy when using their computers, there was not a single raised eyebrow. Being the employees of a city government, they all knew about public record laws and freedom of information act requests.

This is different from a private enterprise, where there is always someone who will argue that point.

(As an aside, I had to throw away most of my examples of what is "confidential". Individuals' salary figures? Not confidential. Next year's budget numbers? Not confidential. Agh.)

Looks like the City of Boston's senior management knew all about the "no expectation of privacy" too:
The acknowledgement came after the Globe filed several requests for e-mails sent and received by Menino’s Cabinet chief of policy and planning, Michael J. Kineavy. He is one of Menino’s most powerful and trusted advisers, intimately involved in nearly everything at City Hall, but a search of city computers found just 18 e-mails he had sent or received between Oct. 1, 2008, and March 31 of this year.

The unusually low figure prompted administration officials to question him about what happened to the rest of the e-mails he was presumably sending and receiving during that period. Kineavy, who is also one of the mayor’s chief political advisers and a strategist on Menino’s reelection campaigns since 1993, told them that he deletes all his e-mails on a daily basis, in such a way that they are not saved on city backup computers, administration officials said.

There are indications that Kineavy was not the only city employee who may have violated the law. In June, the Globe filed requests for copies of six months’ worth of e-mails sent or received by five other employees, including Transportation Commissioner Thomas Tinlin. City officials said that a search for Tinlin’s e-mails turned up only those he had received, none he had sent.