Obama Administration Says It’s Legal To Track Citizens’ Every Movement Without A Warrant

The Obama Administration will argue today that warrantless tracking of the location of Americans’ mobile devices is perfectly legal, Declan McCullagh of CNET reports.
In 2010 a court ruled against government requests for mobile location data, declaring that “[c]ompelled warrantless disclosure of cell site data violates the Fourth Amendment.”
On appeal federal prosecutors are asserting that they should be able to obtain records revealing the movements of mobile users over a 60-day period, even if the phones are off, without first having to ask a judge to approve a warrant.
The Justice Department argued in February that its position is “consistent with the Fourth Amendment because a customer has no privacy interest” in GPS location records since that information has been “voluntarily conveyed” to the wireless provider.
The Fourth Amendment protects against “unreasonable search and seizure,” and while it’s unclear if a citizen’s cell phone data is protected, the ACLU reports that all levels of law enforcement routinely track cell phones.
In July Congressman Edward J. Markey released a report revealing that authorities made 1.3 million requests to wireless carriers for customer information last year, and said that the number of requests is increasing every year.
McCullagh reports that the Electronic Frontier Foundation (EFF), which is arguing the pro-privacy side before the Fifth Circuit Court of Appeals, will bank on the January opinion of Supreme Court Justice Antonin Scalia in a case that found police installation of a physical GPS bug on a car for 28 days violated the Fourth Amendment.
In the majority opinion, Scalia said: “It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy, but the present case does not require us to answer that question.”
This case will most likely require it, as EFF lawyer Hanni Fakhoury told CNET that this is “exactly the type of situation the Supreme Court is going to get involved in.”

Read more: http://www.businessinsider.com/government-says-its-to-track-cell-phones-2012-10#ixzz2I4YV9hqm

Posted in General | Tagged | Leave a comment

Scanning paper to go paperless? Have a plan!

Scanning to ‘go paperless’? Have a plan!
By Morgan Records Management, LLC

For nearly 30 years, since the advent of the desktop computer, everyone has talked about ‘going paperless’, but here we are in 2010, with all of the capabilities and technology one could ask for, and we’re still producing paper – mountains of it. So, what of the paperless office? Well, the dream has not died, but what the dream requires is a plan.

There are those industries in our midst that are primarily taking advantage of software platforms that may be standardizing their business/office information management practices, providing a vehicle with which to make the very long leap to a paperless environment. An example would be the efforts to standardize medical records and the billions of dollars being poured into that very complex proposition. However, what about the rest of the business world that day-in and day-out relies on the most heavily used and oldest recording media available: paper?

Well, some companies have still tried to ‘go paperless’ by combining two elements of records management, namely, hard copy record scanning and subsequent hard copy record archiving. This process of scanning (turning the hard copy record into a digital copy such as a TIFF or PDF) and archiving (long-term storage of the original hard copy) has become commonplace in all industries from manufacturing to law and from accounting to real estate. The goal? Have all of the same information available to you that you would normally have by keeping the hard copy record, but without keeping the hard copy record.

This process, though common, has some problems with it both from a regulatory stand point and a cost stand point. We’ll deal with the regulatory issues first.

Though there are many cases in which a scanned image of an original hard copy record will suffice to meet industry or government regulations, this is far from being a standard that applies to even most records in most industries. In order to be in total compliance with all regulations, one must first understand the retention requirements for each record type. Retention requirements vary according to the length of time a record must be maintained, and in what format that record must be maintained. Some records, for example, must remain in hard copy format, immediately accessible, for a certain period of time; some can then be archived or perhaps scanned and subsequently disposed of. Other regulations might require a record to be kept in hard copy format for the entirety of its retention period, but can be stored off-site immediately. The different scenarios can go on and on in a multiplicity of different record-specific requirements. These requirements vary industry to industry and state to state.

The second major issue is cost. Generally, the cost of scanning all of your paper files and capturing them electronically is simply too expensive. This is because of the manual nature of the record preparation involved in scanning. When scanning records, there can be no paperclips or staples present or the scanning machine might jam or break. In addition, there is a quality-control element involved that requires human approval. An image of a contract had better be crystal-clear so that it will be easily printed and read long into the future. Another manual process that is often overlooked is the keying in of data with which one might identify or index the image in the future when retrieval becomes necessary. These three elements, to say nothing of the storage and maintenance needs of the electronic file over time, are usually cost-prohibitive for a company to engage fully in a PET (paper-to-electronic transition) program. At an industry average of between $0.10 and $0.15 per scanned page, a typical 1.2 cubic foot records carton containing 2500 pages will cost between $250 and $375 to scan fully. That’s just one carton of records. Even for a small business with only 75 cartons, this is a tall order and usually is not achievable. That same carton would cost mere dollars per year to archive for its full retention period.

But there is good news in all of this. Scanning technology and equipment is improving all the time. OCR (optical character recognition), quality control, and document recognition capabilities in image-capture software have come a long way in the last few years, allowing many companies to begin to lay the foundations of making this transition at a lower cost, perhaps over an extended period of time.

Here are five recommendations:
1. Make sure you understand what the government (federal and state) requires for retention of particular record types for your industry.
2. Make sure you are implementing industry best-practices for record creation, usage, retention, archiving, and destruction so that no one will question your commitment to your customers and business partners.
3. Don’t worry about scanning everything from the past 10 years in order to make the paperless transition. You can scan all of those cartons at $250 to $375 per carton, or you can archive them for a few dollars each per year.
4. Scan what you need, when you need it. Many commercial records centers offer ‘scan-on-demand’ services so that you can still access your important records when you need them. When you have no use for the hard copy, but need the information contained in it, this is an eminently more cost-effective approach. In addition, an average company only accesses 5-10% of its archived records during their retention period. So why waste all those dollars on scanning records that will never be accessed?
5. If you are serious about ‘going paperless’ have only the new, active records scanned. This process of incremental PET (paper-to-electronic transition) over time will position your company for growth (by creating an electronic records archive) and enable it to transition more smoothly to adapt to the many technological changes that are sure to come in the future.

As you choose a vendor to store, manage and maintain your records, make sure they are able to retrieve and deliver your records to you in multiple ways. They should also be helping you to create and implement policies, procedures and best practices to make sure your records are always secure, yet always available to you. With a small investment of time a good records management company will be able to provide your business with a clear pathway to a better, more efficient, lower cost and more compliant records management program than almost anything you may be engaged in currently.

Morgan Records Management, LLC provides comprehensive records management services including storage, retrieval, scanning and destruction. They also provide no-cost Client Needs Assessments designed to provide businesses with clear, objective feedback to help determine the best course of action to achieve greater compliance, work process efficiency and productivity while reducing current records management expenditures.
Dan Fawcett can be reached at (800) 604-3994 x15 or via email at DFawcett@MorganRM.com, more information is available at http://www.MorganRM.com.


Nothing Is Preventing The Feds From Putting You In A Facial Recognition Database

There is a lot of buzz about the FBI’s facial recognition system that’s being installed nationwide, with some people saying that it signals the end of privacy while others say the distress is overblown.
Whatever your level of concern, two things are certain: currently there are no U.S. laws that limit government agencies or private companies from storing facial recognition data, and this type of database already exists.
“Many Americans don’t even realize that they’re already in a facial recognition database,” Electronic Frontier Foundation attorney Jennifer Lynch told the Senate Subcommittee on Privacy in July, PC World reported. “Facial recognition allows for covert, remote and mass capture of identification and images.”
We previously reported that Walt Disney World is responsible for the nation’s largest collection and statistical analysis of biological data, through visitor fingerprint scanning and facial recognition software.
The FBI has shown an interest in using facial recognition to monitor people at political rallies—or Occupy Wall Street protests—although the bureau maintains it will only use its database to catch criminals.
“The best-case scenario when it comes to privacy protection is that an image would not be stored after it has been determined that there is no match of it in the database,” Dr. Rob D’Ovidio, associate professor of criminal justice at Drexel University, told CBS. “If they’re retained, those people going about their everyday lives not doing anything criminal run the risk of the government being able to re-create their travels and understand patterns of behavior.”
We noted yesterday the FBI’s facial recognition system could feasibly be integrated with the National Security Agency’s domestic spying apparatus, which whistleblower William Binney revealed can build profiles of citizens and their associates through all types of electronic communications.
Adding biological information from TrapWire or FBI facial recognition systems to the NSA’s electronic communications database would enable an unprecedented level of surveillance.
The NSA’s warrantless surveillance methods arguably violate the Fourth Amendment, which protects U.S. residents against unreasonable search and seizure.
But Duke law professor Nita Farahany told the privacy subcommittee that facial recognition does not create an unreasonable search since it is done at a distance.
“No physical contact, proximity or detention of an individual is necessary for law enforcement to obtain a face print,” PC World quoted her as saying. “A face print is a form of identifying information that is the bread and butter [of] law enforcement.”

Read more: http://www.businessinsider.com/nothing-is-preventing-the-government-from-placing-you-into-a-facial-recognition-database-2012-9#ixzz2HVOmYxYX


The FBI’s Nationwide Facial Recognition System Ends Anonymity As We Know It

Michael Kelley | Sep. 10, 2012, 4:35 PM | 11,420 | 18

The FBI has begun installing state-of-the-art facial recognition technology across the country as part of an update to the national fingerprint database, Sara Reardon of the New Scientist reports.
The agency’s $1 billion Next Generation Identification (NGI) program will also include iris scans, DNA analysis and voice identification by 2014.
RT reports that as of July 18, 2012, the FBI said the NGI program “is on scope, on schedule, on cost, and 60 percent deployed.”
Reardon notes that the best commercial algorithms can identify someone in a pool of 1.6 million mugshots about 92 percent of the time, even if they aren’t looking at the camera. (There are ways to fool them.)
According to an FBI “Facial Recognition Initiatives Presentation” at the 2010 Biometrics Conference, the technology will be used for identifying fugitives, missing persons and unknown persons of interest; tracking subject movements to/from critical events; conducting automated surveillance at lookout locations (like Occupy Wall St. congregations); identifying subjects in public datasets (e.g. Facebook); and verifying mug shots against National Criminal Information Center (NCIC) records.
The system has privacy advocates very concerned about the “faces in the crowd” because anyone in public could be placed in a federal database or subjected to warrantless real-time surveillance.
The FBI already has facial recognition software installed at DMVs in at least 27 states, so the FBI can potentially match any citizen’s face with their ID, license or passport photos in real time.
“The combination of face recognition, social networks data and data mining can significantly undermine our current notions and expectations of privacy and anonymity,” Carnegie Mellon University professor Alessandro Acquisti told the subcommittee.
And the system could easily be integrated with the National Security Agency’s domestic spying apparatus, which whistleblower William Binney said can track electronic activities—phone calls, emails, banking and travel records, social media—and map them to collect “all the attributes that any individual has” and build a profile based on that data.

Read more: http://www.businessinsider.com/the-fbis-nationwide-facial-recognition-system-2012-9#ixzz2HQCCJVIu


Can storing my records offsite really save my firm money?

 

“We used to always manage our closed files in-house but now we use Morgan Records to manage all of our retired files off site and to handle certain other records management needs of my law firm. Morgan Records is highly professional and responsive to our needs. Their service has eased our records management burden tremendously and made our document retention procedures much more efficient.”

            Jamie N. Hage, Managing Partner HageHodes, P.A. Attorneys at Law

 


Secure Destruction – is it spelled out in your Retention Policy?

“To drive home the scope of data breaches affecting the healthcare industry, and the need for improved data protection among hospitals and other medical institutions, The Washington Post recently highlighted some of the most significant data breaches that have occurred in recent months.

As the news source noted, until recently, healthcare organizations that suffered data breaches were not under any obligation to inform anyone outside the institution. As a part of the 2009 stimulus, however, new rules were established that require these groups to alert the Department of Health and Human Services as well as the news media.

In that time, there have been numerous data breaches affecting millions of patients.”


Is Facebook Tracking Your Every Move?

Facebook Is Tracking Your Every Move on the Web; Here’s How to Stop It
Over the weekend, Dave Winer wrote an article at Scripting.com explaining how Facebook keeps track of where you are on the web after logging in, without your consent. Nik Cubrilovic dug a little deeper, and discovered that Facebook can still track where you are, even if you log out. Facebook, for its part, has denied the claims. Regardless of who you believe, here’s how to protect yourself, and keep your browsing habits to yourself.
The whole issue has stirred up a lot of debate in privacy circles over the past few days. Here’s what the fuss is about, and what you can do to protect your privacy if you’re worried.

The Issue: Facebook’s Social Apps are Always Watching
For quite some time now, Facebook’s user tracking hasn’t been limited to your time on the site: any third-party web site or service that’s connected to Facebook or that uses a Like button is sending over your information, without your explicit permission. However, Winer noticed something mostly overlooked in last week’s Facebook changes: Facebook’s new Open Graph-enabled social web apps all send information to Facebook and can post to your profile or share with your friends whether you want them to or not.

Essentially, by using these apps, just reading an article, listening to a song, or watching a video, you’re sending information to Facebook which can then be automatically shared with your friends or added to your profile, and Facebook doesn’t ask for your permission to do it. Winer’s solution is to simply log out of Facebook when you’re not using it, and avoid clicking Like buttons and tying other services on the web to your Facebook account if you can help it, and he urges Facebook to make its cookies expire, which they currently do not.

Digging Deeper: Logging Out Isn’t Enough
Nik Cubrilovic looked over Winer’s piece, and discovered that logging out of Facebook, as Winer suggests, may deauthorize your browser from Facebook and its web applications, but it doesn’t stop Facebook’s cookies from sending information to Facebook about where you are and what you’re doing there.

Writing at AppSpot, he discovered that Facebook’s tracking cookies, which never expire, are only altered instead of deleted when a user logs out. This means that the tracking cookies still have your account number embedded in them and still know which user you are after you’ve logged out.

That also means that when you visit another site with Facebook-enabled social applications, from Like buttons to Open Graph apps, even though you’re a logged out user, Facebook still knows you’re there, and by “you,” we mean specifically your account, not an anonymous Facebook user. Cubrilovic notes that the only way to really stop Facebook from knowing every site you visit and social application you use is to log out and summarily delete all Facebook cookies from your system.
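
The logout behaviour Cubrilovic describes can be checked by replaying a site's Set-Cookie headers into a cookie jar and seeing what survives. The sketch below is an added example, not code from the original article or from Facebook; the cookie names, values, account ID and dates are constructed sample data.

```javascript
// Added example: audit which cookies survive a logout response.
// Every cookie name and value below is constructed; none is a real Facebook cookie.

// Parse one Set-Cookie header value into { name, value, expires, maxAge }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), expires: null, maxAge: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'expires') cookie.expires = new Date(val);
    if (key === 'max-age') cookie.maxAge = parseInt(val, 10);
  }
  return cookie;
}

// Apply Set-Cookie headers to a jar (Map of name -> cookie) the way a browser does:
// Max-Age <= 0 or an Expires date in the past removes the cookie, anything else
// overwrites the stored one. Max-Age takes precedence over Expires.
function applyResponse(jar, headers, now) {
  const next = new Map(jar);
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!c) continue;
    const expired = c.maxAge !== null
      ? c.maxAge <= 0
      : c.expires !== null && c.expires.getTime() <= now.getTime();
    if (expired) next.delete(c.name);
    else next.set(c.name, c);
  }
  return next;
}

// Compare the jar before and after logout. For each cookie set at login, report
// whether logout deleted it, altered it, or left it unchanged, whether the
// survivor is persistent, and whether it still contains the account ID.
function auditLogout(loginHeaders, logoutHeaders, accountId, now) {
  const before = applyResponse(new Map(), loginHeaders, now);
  const after = applyResponse(before, logoutHeaders, now);
  const findings = [];
  for (const [name, old] of before) {
    const cur = after.get(name);
    const status = !cur ? 'deleted' : cur.value !== old.value ? 'altered' : 'unchanged';
    findings.push({
      name,
      status,
      persistent: Boolean(cur && (cur.expires !== null || cur.maxAge !== null)),
      carriesAccountId: Boolean(cur && cur.value.includes(accountId)),
    });
  }
  return findings;
}

// Names of cookies that still tie the browser to the account after logout.
function stillIdentifying(findings) {
  return findings.filter((f) => f.carriesAccountId).map((f) => f.name);
}

// Constructed sample data modelling the pattern described above: logout expires
// the session cookie but only rewrites the long-lived account cookie.
const NOW = new Date('2011-09-26T00:00:00Z');
const ACCOUNT_ID = '1000042';
const LOGIN = [
  'session=s3cr3t; Path=/; HttpOnly',
  'acct=1000042; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT',
  'browser_id=b7f3a9; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT',
  'last_user=1000042%3Ajdoe; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT',
];
const LOGOUT = [
  'session=deleted; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
  'acct=-1000042; Path=/; Expires=Tue, 01 Jan 2030 00:00:00 GMT',
  'last_user=; Path=/; Max-Age=0',
];

console.log(auditLogout(LOGIN, LOGOUT, ACCOUNT_ID, NOW));
```

A cookie reported as `altered` or `unchanged` with `persistent: true` is one that clearing site cookies after the session would remove.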

Why You Should Care
If you’re the type of person who doesn’t really use Facebook for anything you wouldn’t normally consider public anyway, you should take note: everything you do on the web is fair game. If what Cubrilovic and Winer are saying is true, Facebook considers visiting a web site or service that’s connected to Facebook the same thing as broadcasting it to your friends at worst, and permission for them to know you’re there at best.

Facebook says that this has nothing to do with tracking movements, and that they have no desire to collect information about where you are on the web and what you’re doing. They want to make sure that you can seamlessly log in at any time to Facebook and to sites and services that connect with it and share what you’re doing.

In fact, a number of Facebook engineers have posted comments to Winer’s original post and Cubrilovic’s analysis pointing this out. There’s also some excellent discussion in this comment thread at Hacker News about the issue as well. Essentially, they say this is a feature, not a problem, so if you have an issue with it, it’s up to you to do something about it.

What Can I Do About It?
Whether or not Facebook is tracking your browsing even when you’re logged out, if you don’t want third-party sites to send data to Facebook, you have some options. You could scrub your system clean of all Facebook.com cookies every time you use Facebook, but a number of developers have already stepped up with browser extensions to block Facebook services on third-party sites. Here are a few:

Facebook Privacy List for Adblock Plus is perfect for those of you who already have AdBlock Plus installed (get ABP for Chrome or Firefox). Just download the subscription and add it to AdBlock Plus to specifically block Facebook plugins and scripts all over the web, including the Like button, whenever you’re not visiting Facebook directly.
Facebook Disconnect for Chrome keeps Facebook from dropping those tracking cookies on your system in the first place, and disables them when you’re finished using Facebook-enabled services. It’s essentially an on/off switch for third-party access to Facebook servers, meaning you’ll still be able to log in to Facebook and use the site normally, but when you’re visiting another site or using another application, that site or service won’t be able to use your information to communicate with Facebook.
Disconnect for Chrome and Firefox is a new plugin from the developer behind Facebook Disconnect, but it doesn’t stop with Facebook. Disconnect takes protection to another level and blocks tracking cookies from Facebook, Google, Twitter, Digg, and Yahoo, and prevents all of those services from obtaining your browsing or search history from third-party sites that you may visit. The app doesn’t stop any of those services from working when you’re visiting the specific sites: you can still search at Google and use Google+, but Google’s +1 button likely won’t work on third-party sites, for example. The extension also lets you see how many requests are blocked, in real time as they come in, and unblock select services if, for example, you really want to Like or +1 an article you read, or share it with friends.
Ultimately, the goal of all of these tools is to give you control over what you share with Facebook or any other social service, and what you post to your profile, as opposed to taking a backseat and allowing the service you’re using to govern it for you. What’s really at issue is exactly how deep Facebook has its fingers into your data, and how difficult they, and other social services, make it to opt out or control what’s sent or transmitted. That’s where extensions like these come in.

However you feel about it, Facebook likely won’t change it in the near future. If you’re concerned, you should take steps to protect your privacy. As a number of commenters at Hacker News point out, it’s not that there’s anything inherently “good” or “evil” about what Facebook is doing; that would be oversimplifying an already complex topic. It’s really an opt-in/opt-out issue.

What do you think of the assertions? Do you think Facebook has a vested interest in knowing as much about you and your browsing habits as possible, or is this much ado about nothing? Share your thoughts in the comments below.

Update: Nik Cubrilovic has posted an update to his story after discussing the matter with Facebook engineers. They have agreed to make changes to the way their cookies are stored and handled so your account information is not present when you log out of Facebook.

However, while Facebook has changed its cookie-handling process, the cookies are still retained and not deleted after logout, and do not expire. They remove your account information when you log out, but they still contain some non-personal data about your browser and the system you’re using. Nik still recommends you clear your Facebook cookies after every session, and we still suggest that, if you’re concerned, you do the same, and try one of the extensions above, or Priv3 for Firefox, to protect yourself.


Cold Call Phone Scam – Watch Out!

Yeah, yeah, yet another cold-call scam post, but featuring a ploy I haven’t come across before, intended to convince you that the scammer really knows something about your system, so that you’re likelier to fall for the scam.

Rebecca Herold reports for InfosecIsland that she was contacted by one of those helpful “support desk” people who call you up to help you with problems you didn’t know you had such as malware you don’t have. (Hat tip to @FSecure for the pointer to the article.) She reports that the caller was from a company calling itself EProtectionz and using what looks like a New Jersey number. However, I notice that company’s web site also has phone numbers for Australia and the UK, so it looks as if the usual English-speaking populations are being targeted, using ammyy.com and logmein.com to get remote access to your system – there’s actually an ammyy.com link on their web site, which is registered in Illinois, though Herold’s caller had the Indian accent we’ve come to expect from this kind of scam.

The really interesting feature, though, is the way that the scam seems to have moved on from giving you your address (which they get from a telephone directory) and a fake IP number to convince you that they can really see your system. According to Herold (and a quick google indicates that others are experiencing much the same thing) the scammer now asks you to check a CLSID.

A CLSID is a Class Identifier stored in the Windows Registry — at HKEY_CLASSES_ROOT\CLSID, but I don’t recommend that you go digging into the Registry unless you really know what you’re doing. Fortunately (from the point of view of interfering with Registry entries), the scammer doesn’t need you to edit the registry to find the CLSID he’s looking for. He simply has to persuade you to run the ASSOC command. It’s easy to do: you click on the Start button, Run, type in CMD to get to the command prompt (DOS prompt) and type ASSOC. That runs through a long list of file associations, telling you (for instance) that “.xltx=Excel.Template”.

Since it’s a long file it scrolls straight to the bottom, but if you’re really interested in seeing exactly what it contains, you can get it to go through page by page by typing in “assoc | more”: however, the scammer wants you to go straight to the bottom so that you’ll see this entry:

ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

That’s the CLSID on both the PCs open on my desk at the moment. Amazingly, it’s also the one that the scammer quoted to Herold. And I bet that if you have a recent version of Windows and go through the same steps you’ll find that you have it too. In other words, the scammer can’t see your CLSID or anything else on your PC, including your Event Viewer logs. Unless, of course, you fall for the scam and give him remote access with AMMYY or LogMeIn.

Event Viewer? That’s the tool he uses to persuade you that the transitory errors inevitably flagged in its logs are “evidence” of a system problem or malware infection. Of course, they’re no such thing. See http://www.eset.com/us/resources/white-papers/Hanging-On-The-Telephone.pdf for more information.

The good news, though, is that if they’re using a local number and other local presence, you may have some legal recourse if they insist on phoning you even though you’re signed up to a Do Not Call registration service. I don’t know anyone who’s gone that route yet, though, so no promises. All the scam calls I’ve had (and there’ve been many!) have been international.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow


Secure Shredding Big Breaches

Big breaches

The most significant of these, according to the news source, occurred in November. An organization responsible for handling health insurance for members of the U.S. military announced that a large number of its backup computer tapes were stolen from one of its contractors in Virginia. According to the news source, these tapes contained data for almost 5 million patients. The information included Social Security numbers, home addresses and, in certain cases, lab test results.

While this is the largest breach of electronic health records, it is far from the only one. Earlier this year, the Utah Department of Health revealed that cyberattackers had gained access to its servers and stolen nearly a million individuals’ healthcare records, including children and Medicaid applicants.


Scary New Malware Targets Android Phones, Steals Images, Reconstructs Rooms

The fellas at the Massachusetts Institute of Technology are calling it, “The Malware that will steal your life,” and their doomsaying is not unfounded.
The Technology Review reports that scientists at the Naval Surface Warfare Center in Crane, Ind., have designed an Android Operating System malware that secretly takes images (muted, so no shutter sound) and logs the orientation of the phone at the time each image is taken. Then, through reverse construction, and image enhancement, the malware recreates whatever room in which you may be standing, including the objects in that room.
The Review stipulates that the technology could even be used to glean credit card numbers, or serve to provide intelligence for thieves looking to steal certain items, or case living areas from the inside, or, more likely, to steal secret documents from other unfriendly governments.
From the Review:
[They] call their visual malware PlaceRaider and have created it as an app capable of running in the background of any smartphone using the Android 2.3 operating system. Their idea is that the malware would be embedded in a camera app that the user would download and run, a process that would give the malware the permissions it needs to take photos and send them.
The Review’s report comes in conjunction with another report that a smart phone crowdsourcing app can map the floorplans of any building.
The military applications for these technologies, it bears mentioning, are virtually limitless. But like the sonar imaging technology in “The Dark Knight,” the recon technology represents a slippery moral slope when it comes to privacy of innocents.

Read more: http://www.businessinsider.com/military-phone-malware-targets-androids-2012-9#ixzz2GHBCNdhW
