Incident of the Week: Declassified Documents Show FBI Expanding Data Mining Efforts Over 1.5 Billion Personal Records (And Counting)

Declassified documents obtained (but not published) by WIRED Magazine indicate that the FBI has been hard at work expanding a database of Americans' personal and financial information.  According to WIRED, the FBI's National Security Branch Analysis Center (NSAC) has compiled a database of "more than 1.5 billion government and private-sector records" and has been mining this database for use in criminal investigations.  The data, which apparently has been obtained from a number of private companies, includes transaction records from hotels, rental car companies and retailers.  [Note that this database dwarfs the largest known data breach to date, which involved a mere 130 million records.  One hopes that they have policies in place to prevent abuse.]  The records include:

  • International travel records of citizens and foreigners
  • Financial forms filed with the Treasury by banks and casinos
  • 55,000 entries on customers of Wyndham Worldwide, which includes Ramada Inn, Days Inn, Super 8, Howard Johnson and Hawthorn Suites
  • 730 records from rental-car company Avis
  • 165 credit card transaction histories from Sears
  • Nearly 200 million records transferred from private data brokers such as Accurint, Acxiom and Choicepoint
  • 17,000 traveler itineraries from the Airlines Reporting Corporation

This program is picking up speed.  Declassified documents obtained by WIRED apparently show that the FBI has 103 full-time employees and contractors devoted to the project and has requested funding for 71 more.  Funding for the program has expanded from $47.5 million in 2007 to $78.7 million in 2008.  A U.S. Department of Justice document (.pdf) indicates that in 2009 alone, NSAC received 18 new employees and a more than $10 million increase in its budget.

This is not the first data mining project developed for the purposes of investigating terrorism and criminal activities.  In the wake of the September 11, 2001 attacks, the U.S. government began development on a data mining project called "Total Information Awareness" or "TIA" which would analyze vast amounts of information regarding financial transactions, travel, health records and other types of customer data to detect terrorism and criminal activity.  The Defense Advanced Research Projects Agency (DARPA) and the Pentagon's short-lived Information Awareness Office were chiefly responsible for this project.  Based on concerns about the scope and privacy implications of the project, Congress pulled funding for the TIA program and shuttered the Information Awareness Office in September 2003.

The current NSAC program makes it clear that the government has not given up on efforts to use large-scale data mining in criminal investigations.  To many, however, the program implicates the same privacy concerns as TIA and should be subject to strict scrutiny and oversight.  In 2007, congressmen Brad Miller and James Sensenbrenner sent a letter (.pdf) to the Government Accountability Office asking it to look into the NSAC project.  One year later, congressman Miller sent a second letter (.pdf) to the House Committee on Appropriations demanding that funding to NSAC be suspended until the FBI outlines the program's purpose and provides "a clear idea of how NSAC intends to ensure that the program complies" with privacy guidelines.  According to congressman Miller, the U.S. Department of Justice refused to provide any information on the FBI's plan for the program and what information it planned to obtain.  In addition, the FBI apparently told GAO officials that the NSAC program was "not yet 'operational'" in an April 3, 2008 meeting.  In contrast, documents obtained by WIRED apparently indicate that the NSAC data mining operations have been used in prosecuting a number of individuals.

Massachusetts Supreme Judicial Court Allows Use of Secret GPS To Track an Individual's Movements, But Requires Police To Obtain Warrant

Earlier this year, the Wisconsin and New York state courts split on whether police may install a covert GPS tracking device on a suspect's car without a warrant.  On September 17, the Massachusetts Supreme Judicial Court addressed the GPS tracking device issue, ruling that Article 14 of the Massachusetts Declaration of Rights requires a warrant before such a device may be installed and used.

The defendant, Everett Connolly, was a suspected drug dealer who was investigated by police for more than a year.  The investigation included surveillance and controlled drug purchases by confidential informants and, towards the end of the surveillance period, by an undercover officer.  Based on this investigation, the police applied for a warrant to place a GPS tracking device on Connolly's van for fifteen days.  The application was granted and Connolly was eventually arrested (based on a separate arrest warrant), tried and convicted.  He argued to the SJC that, among other things, "surreptitious GPS monitoring without a warrant constitutes an unreasonable search and seizure that violates the Fourth Amendment . . . and art. 14 of the Massachusetts Declaration of Rights."  He based this argument on the theory that, although police had a search warrant, they continued to obtain information under that warrant after it had expired.

Read on for more detail and analysis of the SJC's opinion.

Massachusetts Holds Public Hearing on Information Security Regulations -- Regulators Contemplating Additional Revisions in Final Rulemaking

This morning, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) held a public hearing in connection with its promulgation of revisions to the Commonwealth's information privacy regulations, 201 CMR 17.00.  The standing-room-only crowd endured a modest, unventilated conference room in the Transportation Building to make comments on the stringent regulations.  OCABR Undersecretary Barbara Anthony led the meeting with OCABR Deputy General Counsel Jason Egan and Assistant Attorney General Diane Lawton.  The principal author of the original regulations, OCABR General Counsel David A. Murray, could also be seen in the audience.  The highlights of the hearing include:

  • Undersecretary Anthony suggested that the OCABR may make additional revisions to the regulations in issuing final rules.
  • The Undersecretary admitted that the provision of the regulations governing third party service providers [201 CMR 17.03(2)(f)] "is taken essentially verbatim from the [FTC's] Safeguards Rule" that was promulgated in response to the Gramm-Leach-Bliley Act in 2001.  The Undersecretary indicated that while OCABR "stole it" from federal regulators at the FTC, she is aware that there may be "confusing language" in the provision and stated that the "final rules will clarify" this aspect of the regulations.
  • Confronted with requests for a model information security program, additional training and other outreach efforts, Undersecretary Anthony indicated that "this is something we definitely will do."
  • There was no mention of any further extensions to the current compliance deadline: March 1, 2010.
  • The lead enforcement officer of the new regulations and Chief of the Consumer Protection Division, Scott Schafer, began the hearing with a prepared statement crediting the OCABR with successfully addressing an "important issue" and indicating the Attorney General's support for the revised regulations.  In his statement, Mr. Schafer indicated that he believes that the revised regulations provide businesses with "appropriate flexibility" while protecting consumer confidence in the security of personal information involved in commercial transactions.

Over a dozen individuals presented comments to Undersecretary Anthony.  In general, there was a broad call for additional revisions to the requirements with respect to service providers.  There were also repeated requests for "practical guidance" from regulators, in the form of revisions to ambiguous elements of the new regulations, as well as model programs, explanatory guides and materials, training and presentations.  After the jump, you will find more detail from my notes on the public comments.

Massachusetts Attorney General Announces Opening of New Computer Forensics Lab

In a press release issued last week, Massachusetts Attorney General Martha Coakley announced the opening of a "new, state-of-the-art Computer Forensics Lab in Boston" as part of the Attorney General's Cyber Crime Initiative.  Under the Initiative, the Attorney General's office received funding from the U.S. Department of Justice to "develop a sustainable cyber crime information sharing program in Massachusetts" for the Massachusetts law enforcement community.

According to the press release, the lab "will expand the office's forensic capabilities, allowing it to conduct exams on a variety of digital media such as computers, cell phones, laptops, PDAs and GPS devices."  The lab is 3,000 square feet, the largest such lab of any attorney general's office in New England.  It will have the latest technology available to forensic investigators to allow them to extract information such as text messages, videos and pictures from mobile devices, and will also have imaging machines that can be used to capture information that cannot be extracted from a device or hard drive.  In addition, lab space will be used to train police officers on how to "bag and tag," using the proper techniques for evidence seizure at a crime scene.

According to the press release, the Attorney General's Office has trained more than 1,000 Massachusetts law enforcement officers and cyber crime experts from across the nation, focusing primarily on investigation of identity theft.  While it certainly seems that Attorney General Coakley has made prevention of cyber-crime one of her top priorities (indeed, the office recently received an award from the National White Collar Crime Center for its work in cyber crime), it will be interesting to see what happens if she is successful in her candidacy for the U.S. Senate.

Incident of the Week: Security Officer Indicted On Obstruction of Justice Charges For Shredding Evidence

Thomas Raffanello, global director of security for Stanford Financial Group (SFG), now faces charges of obstruction of justice based on claims that he directed employees at SFG's Fort Lauderdale office to shred evidence of fraud. 

In February, the Securities and Exchange Commission (SEC) filed a complaint against SFG (.pdf) in Texas alleging that the double-digit returns it promised potential customers were part of a fraudulent scheme.  Prosecutors obtained a temporary restraining order (.pdf) that expressly prohibited any attempt to destroy documents (among a litany of other bad behavior).  In the indictment filed against Raffanello (.pdf), federal prosecutors allege that on the day SFG received the SEC's complaint and court order, Raffanello and another executive corresponded by email and planned to hire a commercial shredding service to pay a visit to SFG's office so they could unload a 95-gallon container of evidence.

Apparently, during their hurry to destroy the evidence, they did not manage to delete the emails discussing their plan.  This reminds me of something a friend once told me: if you are setting out to bury the truth, remember to bury the shovel too.

FTC to Host Public Roundtables in December to Address Evolving Consumer Privacy Issues

The Federal Trade Commission will host a series of public "roundtable discussions" to explore the privacy challenges posed by "technology and business practices that collect and use consumer data," including social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The FTC's expressed goal of the meetings is to determine how best to protect consumer privacy while supporting beneficial uses.

The first of these free, public meetings will be held Monday, December 7, 2009, at the FTC Conference Center in Washington, DC.  A live Webcast of the program also will be available at FTC.gov.  Individuals and organizations may submit requests to participate as panelists and may recommend topics for inclusion on the agenda.

Informants & Albert Gonzalez: She Swallowed the Spider to Catch the Fly

In August, Albert Gonzalez was indicted for the theft of credit and debit card information from Heartland Payment Systems, the largest known breach of its kind, while awaiting trial for a similar attack against TJX, the second largest known breach of its kind.  Last week, Gonzalez pleaded guilty to nineteen charges relating to his role in the TJX breach (see Gonzalez's 2008 indictment (.pdf) for a list of the various charges).

One of the most interesting facts that has come out about Mr. Gonzalez in the wake of news that he was responsible for the Heartland incident is that he was employed by the Secret Service as an informant in the TJX matter. It appears that Mr. Gonzalez first became an informant when he was arrested in 2003 as the leader of an identity theft ring, and he apparently continued to work as an informant for the government even while he was allegedly committing these thefts. 

Interestingly, there are some indications that Mr. Gonzalez may have been aided by another government informant in committing the Heartland attack. The indictment for the Heartland attack lists an unindicted coconspirator by initials only, which means, in the words of Mark Rasch, a former Justice Department cyber crime prosecutor, “[I]t's quite likely that the government is using an informant against Gonzalez, their previous informant.” So, of the four people the government believes to have been involved in the Heartland attack, fully half of the alleged hackers (and the only Americans believed to have been involved in the attack) were apparently employed by the Federal Government to help prevent attacks of just this sort.

Incident of the Week: Indictments Issue Against The Individuals Behind RNS, Pirate Site for "Pre-Release" Music

Yesterday, a federal indictment issued charging four individuals for their roles in "Rabid Neurosis," or RNS, an alleged "Internet music piracy group" that distributed copies of music prior to their commercial release.  According to the seven-page indictment (.pdf) filed in the federal court for the Eastern District of Virginia, between 1999 and 2007, RNS obtained and distributed a number of notable albums before they were released, including "Blue Print 2" by Jay-Z, "Encore" by Eminem and "How to Dismantle an Atomic Bomb" by U2.

The indictment claims that Adil R. Cassim, who used the handle "Kali," was the leader of RNS, while Matthew D. Chow ("RL"), Bennie L. Glover ("ADEG") and Edward L. Mohan, II ("MistaEd") all played high-level roles in the group.  According to federal investigators, these individuals set up and maintained a number of file transfer sites containing thousands of copies of copyrighted music, movies, video games and commercial software.  The Department of Justice press release states that, if convicted, the RNS Four face five years of jail time and a $250,000 fine.

RECAP Joins The Fight Against PACER -- But Do We Want Its Help?

It just became a little cheaper and a little easier to access public court filings through PACER (the Public Access to Court Electronic Records), thanks to RECAP, an open-source Firefox plug-in designed to create a free secondary archive of PACER materials.

Court filings contained in PACER are public documents, and are, in theory, open to the public. But, in the past, the fact that these materials were either maintained in individual courthouses or, once digitized, were behind password-protected log-ins and per-page charges generally prevented them from being widely disseminated. Open society advocates have long criticized PACER for charging the public itemized fees to access public court filings, arguing that this pay-as-you-go system effectively removes public filings from the public domain and discourages a fully transparent legal system. 

Princeton University's Center for Information Technology Policy, with assistance from Harvard University's Berkman Center for Internet and Society, unleashed the latest salvo against PACER in the form of RECAP ("PACER" spelled backwards, not by coincidence).  RECAP is a free open-source software plug-in for the popular Firefox web browser that automatically uploads all PACER documents a user is viewing to a growing archive maintained by the non-profit group Internet Archive.  When the next RECAP user attempts to view a PACER document that has already been archived, the RECAP plug-in automatically retrieves the archived copy so that user does not have to pay for those materials.  This system essentially allows users of PACER to slowly create a secondary archive of these public documents that can be accessed for free.

I have previously discussed the controversy surrounding PACER's security failings and pricing.  After the jump, my colleague Aaron Wright and I discuss whether the RECAP plug-in magnifies or minimizes PACER's security problems and risks of identity theft, the pushback RECAP has received from courts, and RECAP's creators' response to criticism about the plug-in's security and privacy safeguards.

Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant's Penetration Testing)

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware.  The NCUA warned "Should you receive this package or a similar package DO NOT run the CDs."  The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union. 

As it turns out, the credit union was undergoing security penetration testing and the security firm involved, MicroSolved, Inc., put together the fake Fraud Alert to test whether the credit union was secure against this sort of social engineering scam.  When it learned of this wrinkle, the NCUA issued an update to its Fraud Alert stating:

This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel. The bogus alert was forwarded to NCUA, prompting the issuance of the August 25 Fraud Alert. The false Fraud Alert appears to be confined to that credit union, and is not wide-spread.

It appears that the original credit union passed its security test with flying colors. ComputerWorld obtained a number of noteworthy comments in its article on the subject, but one that stands out is from SANS Institute security researcher, Johannes Ullrich, who observed that the tactic of sending fraudulent regulatory alerts with malware was something seemingly invented by security consultants.  "I thought, 'Finally this is in the wild, because I've only seen it in pen tests before.'"

Still Wondering What Changes Massachusetts Made to the State's Information Security Regulations? Here's a Redline of the Revisions to 201 CMR 17.00.

As we reported on August 17th, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) has promulgated a revised set of information security regulations (201 CMR 17.00 et seq.) and will hold a meeting for public comment on September 22, 2009.  For those who are still wondering what revisions were made, here is a redline comparison of the amendments (.pdf).