March 21, 2012
By Martha C. White
“If a potential employer asks for your Facebook password, tell them to stick it. You know that guy or girl is going to be a horrible boss.” –KTRN
Even in a marketplace where people routinely trade access to their personal data for small freebies like online games and coupons, some employers have provoked outrage by demanding to see job applicants’ private Facebook pages. Now, lawmakers are wading into the fray with legislation that would prohibit the practice of “shoulder surfing” on the part of hiring managers.
In Maryland, a bill introduced last month by Democrat Ronald Young passed the Senate; a corresponding bill has been introduced in the House. If the House bill is approved by first a committee and then the entire chamber, this ban on shoulder surfing could become law in October.
In their current forms, both bills would prohibit employers from requiring job applicants to disclose user names, passwords or other login credentials to “a personal account or service,” in the Senate bill’s verbiage. The Senate bill also aims to prohibit “an employer from failing or refusing to hire an applicant as a result of the applicant’s refusal to disclose certain password and related information,” although privacy experts have pointed out that it would be an uphill battle for a rejected job-seeker to prove they were passed over for a job on these grounds.
October 28, 2010
By: Stephanie Kirchgaessner and Richard Waters
The top US consumer protection agency has dropped an inquiry into data collection breaches by Google, even as regulators in Europe and Canada have stepped up their scrutiny of the internet giant’s privacy policies.
David Vladeck, the director of the bureau of consumer protection at the Federal Trade Commission, said the FTC had decided to drop its investigation into Google’s allegedly inadvertent collection of consumer data in 2007 because it was satisfied that Google had adequately addressed the issue internally.
The FTC decision marks the end of at least one major probe into the most damaging privacy breach to hit the company to date. But the company is still facing ongoing investigations by individual state attorneys general in the US, and regulators in Spain and Canada both last week concluded that Google had broken local laws while investigations are underway in other countries.
Google admitted for the first time last week that the cars it had used to photograph residential streets for its Street View mapping service had illicitly collected some personal e-mails and passwords from the homes it passed. The breach was first announced in May.
At that time, however, the company said it had only collected “fragments” of information. Mr Vladeck said the revelation had caused “concern” among FTC staff because Google had only discovered the 2007 breach in response to a request from data protection authorities in Germany.
But in a letter to a Google attorney posted on the commission’s website, Mr Vladeck said Google’s decision to improve its internal processes to address the FTC’s concerns, including the appointment of a new director of privacy for engineering, gave staff enough assurances that the company had addressed the issue. FTC chairman Jon Leibowitz declined to comment on the decision.
“Google has made assurances to the FTC that the company has not used and will not use any of the payload data collected in any Google product or service, now or in the future,” Mr Vladeck said. “The assurance is critical to mitigate the potential harm to consumers from the collection of payload data.”
Google said it was pleased by the news. But the decision was met by outrage from privacy advocates.
Marc Rotenberg, director of the Electronic Privacy Information Center, accused the FTC of making its decision based solely on Google’s own representations, without making any “independent” determination on whether the company had broken privacy rules.
Jeffrey Chester, another privacy watchdog, said he believed the FTC was giving Google a pass in part because of the White House’s close relationship with the company. Even though the FTC is the top consumer protection agency in the US, it has limited statutory authority to take enforcement action against companies.
The commission is due to unveil a new set of voluntary privacy guidelines in coming weeks. Mr Leibowitz has said that addressing the rampant collection of personal data by internet companies is a top priority.
October 25th, 2010
By: Vanessa Allen
Google was accused of spying on households yesterday after it admitted secretly copying passwords and private emails from home computers.
The internet search giant was forced to confess it had downloaded personal data during its controversial Street View project, when it photographed virtually every street in Britain.
In an astonishing invasion of privacy, it admitted entire emails, web pages and even passwords were ‘mistakenly collected’ by antennae on its high-tech Street View cars.
Privacy campaigners accused the company of spying and branded its behaviour ‘absolutely scandalous’.
The Information Commissioner’s Office said it would launch a new investigation. Scotland Yard is already considering whether the company has broken the law.
Google executive Alan Eustace issued a grovelling apology and said the company was ‘mortified’, adding: ‘We’re acutely aware that we failed badly.’
Critics seized on the admission as the latest example of technology’s ever-expanding ability to harvest information about ordinary households, often without their knowledge or consent.
Google sent a fleet of specially equipped cars around Britain in 2008, armed with 360-degree cameras to gather photographs for its Street View project.
There were immediate complaints that the pictures were a security risk, after householders complained that house numbers and car registrations were easily identifiable.
Privacy fears followed when it emerged that individuals could be seen, including a man emerging from a sex shop in London’s Soho, three police officers arresting a man in Camden, North London, and children throwing stones at a house in Musselburgh, Scotland.
Earlier this year the California-based firm admitted that the cars’ antennae had also scanned for wireless networks, including home wi-fi, which connect millions of personal computers to the internet.
Google registered the location, name and identification code of millions of networks and entered them into a database to help it sell adverts.
The firm – which uses the slogan ‘Don’t be evil’ – was able to record the location of every wireless router and network without alerting households because wi-fi signals are ‘visible’ to other internet devices, including the cars’ antennae.
Google played down the significance of the wi-fi mapping and insisted it had not collected or stored data from personal computers.
It then backtracked and said its software had ‘inadvertently’ collected fragments of data which were being transmitted as the cars criss-crossed Britain.
The cars’ antennae skipped networks five times a second, it said, meaning each network was only accessed for one-fifth of a second.
But it has now emerged that entire emails, web pages and passwords were copied and stored during that split-second.
The information was only gathered from wireless networks which were not password-protected.
But it means the antennae potentially harvested millions of private emails and passwords around the country. It is not known how many householders have unprotected wireless networks.
October 18th, 2010
By: Sharon Weinberger
Worried about e-mails that appear to be from your bank but could well be part of a phishing scam? That may soon be the least of your problems. With concerns about cyberattacks on the rise, computer security experts are looking ahead to what they think might be the next wave of attacks.
What they find is that everything from your car to your computer webcam is vulnerable to attack. Here are five new types of attacks:
1) Social Network Attacks: Malware that steals your e-mail contacts, passwords and other personal information is old news. But a new technical paper by a group of Israeli researchers says the cybersecurity community is ignoring a new, more insidious type of attack: one that preys on your entire social network, working to slowly pilfer information about your behavior and life.
Dubbed “stealing reality,” these types of attacks, the researchers argue, are more insidious because the “victim of a ‘behavioral pattern’ theft cannot easily change her behavior and life patterns.”
“Most likely those attacks are currently happening,” lead author Yaniv Altshuler, a research scientist at Ben Gurion University, told AOL News.
Altshuler says the market for this sort of information already exists. “And if there is a buyer, there is a seller,” he added.
2) Attacks on Cars: Today’s automobiles often come equipped with the equivalent of advanced computer systems, which means that like your home computer, they could be vulnerable to attack. In a new paper, researchers at the University of Washington and the University of California, San Diego, say they have demonstrated “the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”
Everything from your car’s wireless tire-pressure sensors to its stolen-vehicle tracking and recovery system provides opportunities for hackers to gain control of your vehicle without you even knowing.
3) Medical Devices: Today, wireless pacemakers can send your doctor or hospital real-time data on your heart, showing just how far medical devices have come with the help of modern electronics. But with that new technology comes a new threat: the possibility of someone hacking into your medical device or injecting malicious code that disrupts the lifesaving device. Prosthetic limbs, wireless pacemakers and other implantable medical devices might all be at risk.
“This is very real — the bad guys would buy the pieces and just work on them a little bit,” Greg Hoglund, who heads HBGary, a computer security company, told an audience earlier this year at a Northern California Hospital Cyberterrorism Seminar. “It’s amazing someone hasn’t pulled this off yet.”
4) Hacking Your Webcam: Watch out for the light on your computer that shows the webcam is on, even after you think you’ve turned it off. It could be a Trojan computer program operating the camera, taking pictures or even video, and sending it over the Internet without your knowledge. For those who leave their laptops on and open, that’s the equivalent of having Big Brother in your bedroom or office without you knowing.
There are already cases of this happening, for example, in Germany. “A man has been arrested for spying on more than 150 girls in their bedrooms by hacking into their computers and using their webcams to watch them, provoking warnings that others will be doing the same thing,” DPA, the German press agency, reported earlier this year.
5) Smart Phone Attacks: Most consumers worried about cyberattacks associate the threat with their home PCs or laptops. So they often think nothing of downloading applications to their smart phones, which often contain just as much personal information as their home computers.
“Nobody’s making money at the moment with mobile security,” said Mikko Hypponen, the chief research officer of Finland’s F-Secure, according to the San Francisco Chronicle. “But all the players assume that sooner or later we will see a major outbreak or some other major event that will change the situation forever.”
July 22, 2010
Los Angeles Times
By: Kristena Hansen
A multistate investigation is raising more questions about how Google Inc. may have improperly gathered people’s private information through their unsecured wireless networks while collecting data for its Street View feature.
Connecticut Atty. Gen. Richard Blumenthal, who has been leading the month-old investigation, sent a third letter to Google on Wednesday asking, among other things, whether it had tested the feature’s software before putting it to use. Doing so, he said, should have uncovered any glitches responsible for the unwarranted collection of e-mails, passwords and other personal data of those who failed to protect their networks with passwords.
“Google’s responses continue to generate more questions than they answer,” he said in a statement. “Now the question is how it may have used — and secured — all this private information.”
Blumenthal, who is running for Sen. Christopher J. Dodd’s seat, also said that attorneys general from 37 states and the District of Columbia have officially joined the probe, including those from Texas, Florida, Kentucky, Illinois, Missouri and Massachusetts. Eight states would not be identified because their laws bar them from disclosing investigations, he said.
The office of California Atty. Gen. Jerry Brown has not yet responded to a question about whether the state is a participant.
“As we’ve said before, it was a mistake for us to include code in our software that collected payload data, but we believe we did nothing illegal,” a spokesperson for Mountain View, Calif.-based Google said in a statement. “We’re continuing to work with the relevant authorities to answer their questions and concerns.”
The investigation, which follows similar probes in Germany and Australia, is also considering whether federal and state laws need to be changed or updated as a preventative measure.
The Street View function was launched in 2007 and has since expanded to most major cities in the U.S., Europe, Africa, Asia and Australia. It uses vehicles to photograph street layouts in every direction to give Web users a 360-degree view of streets and roadways.
But the vehicles were also equipped to detect Wi-Fi access points, which Google hadn’t disclosed until recently, in order to help computers figure out where they are without having to use a GPS system.
At the same time, Google said it mistakenly picked up 600 gigabytes of data from unsecured networks over the last three years.