EDUCAUSE | Privacy

Free EDUCAUSE Webcast 10/22/08 on Identity Theft Rules

vvogel — Mon, 13 Oct 2008 10:50:04 -0500

New federal regulations to address identity theft go into effect November 1, 2008, and are likely to affect colleges and universities in nuanced ways. Compliance will require careful study and collaboration among business officers, human resources, legal counsel, student services, IT, and other affected campus units. The rules require users of consumer reports to develop reasonable policies and procedures to apply when they receive a notice of address discrepancy from a consumer reporting agency. They also require that institutions develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts.

Who is subject to and must comply with the regulations on ID Theft Red Flags and Notices of Address Discrepancy? What business practices at colleges and universities are covered by the rules? What are some of the things that entities subject to the rules must do? What role does IT play in compliance with the rules? What are the penalties for failure to comply? On Wednesday, October 22, from 2-3 p.m. U.S. Eastern Time, EDUCAUSE will host a webcast featuring Naomi Lefkovitz from the Federal Trade Commission (FTC) to address many of these questions and more. For details and connection instructions, visit http://connect.educause.edu/term_view/ID+Theft+Red+Flags. This webcast is open to the public at no charge and no registration is required. It will also be archived and accessible to all.

Brought to you by EDUCAUSE, in cooperation with the American Council on Education (ACE), Coalition of Higher Education Assistance Organizations (COHEAO), College and University Professional Association for Human Resources (CUPA-HR), International Association of Privacy Professionals (IAPP), National Association of College and University Attorneys (NACUA), and the National Association of College and University Business Officers (NACUBO).

Free EDUCAUSE Webcast 10/22/08 on Identity Theft Rules

Rodney — Wed, 08 Oct 2008 19:26:45 -0500

I'm tracking you, but at least you know it?

mpasiewicz — Fri, 12 Sep 2008 07:37:25 -0500

I kicked off my morning with a ho-hum daily web surfing ritual and a stout cuppajoe, but before the caffeine kicked in, I perked up a bit when I noticed that All Things Digital had a big front and center notice about their use of cookies. They even provided information about opting out.

Very interesting. Is this a sign of things to come? In an era of where widgets, mashups, viral video and analytic services are invading the web, should more disclosure be occurring? Should we be doing more to educate and inform those who look to our sites for news and information?

Might we see library web sites that enrich their sites with data from services like Amazon or Syndetic Solutions include such notices?

Might we see university web sites that use Google Analytics or other such services give a heads up to its constituents about awareness of the activity? Will that become (should that) become an ethical norm if institutions choose to use third party solutions where information floats about from one site to the next? I don't know, but it sure is an intriguing prospect.

Anyway, back to ATD ... Their notice was was presented in a fairly elegant way ...

There was the typical "read more" link which, to my surprise, provided a nice little in-line sliding div for more details. No pop-up windows, no loading a new page and loosing my context. I really appreciate small little touches like that! Nice work, ATD.

While it might be a while for even more progressive policies to emerge or for some type of universal "do not call" list to develop, I think these are steps in the right direction. I'd be interested in your thoughts.

Security Task Force 2008–2009 Strategic Plan: "Safeguarding Our IT Assets, Protecting Our Community's Privacy"

vvogel — Mon, 08 Sep 2008 11:57:45 -0500

The EDUCAUSE/Internet2 Computer and Network Security Task Force 2008-2009 Strategic Plan is now available online. The Security Task Force (STF) has adopted the theme of "Safeguarding Our IT Assets, Protecting Our Community's Privacy" for 2008-2009. The STF strategic planning process aims to anticipate higher education security issues, enabling campuses to forge joint efforts and solutions and recognizing that security challenges continue to evolve in our digital information world.

The following goals have been identified for 2008-2009 to help focus working group priorities in the near term (12-18 months):

Obtain Executive Commitment and Action
Manage Data to Enhance Privacy and Security Protections
Develop and Promote Effective Practices and Solutions
Explore New Tools and Technologies
Establish and Promote Information-Sharing Mechanisms

Contact us for additional information about the Security Task Force and its activites, as well as STF volunteer opportunities.

Security Task Force 2008–2009 Strategic Plan: Safeguarding Our IT Assets, Protecting Our Community’s Privacy

ckeller — Wed, 03 Sep 2008 12:23:23 -0500

The EDUCAUSE/Internet2 Computer and Network Security Task Force (STF) provides a focal point for the academic community to join together to strengthen the ability of the higher education sector to respond to growing threats to information security and to protect the privacy of our community members. This strategic plan is intended to set forth a vision for the higher education community and provide a concise roadmap to guide the efforts of the STF. This roadmap emphasizes continuous and evolutionary community investment in converting our understanding of risks and issues into solutions based on effective practices, as well as the urgent need to build the national capability across the higher education sector to respond quickly and effectively as a community to new threats and vulnerabilities.

Will Cuil be Cool?: The Latest Competitor for Google

agould — Mon, 28 Jul 2008 11:31:01 -0500

Anna Patterson, who has sold search engine technology to Google, is introducing her own search engine- Cuil, pronounced "cool." Claiming to have an index of over 120 billion Web pages, Patterson says she believes her index covers three times the amount of pages covered by Google. For privacy advocates, there is something to like about Cuil. The engine will not be tracking users' search histories- a practice that has earned the ire of many privacy experts and regular citizens alike.

For more information, see this AP article.

When the ISP Tracks Your Every Move: The Power (and Abuse) of Deep Packet Inspection

agould — Fri, 18 Jul 2008 15:55:23 -0500

As the temperatures rise in a typical Washington summer, so grows the pressure on some online advertising firms.

Yesterday the House Energy and Commerce Committee’s Telecommunications and the Internet Subcommittee held a hearing on the questionable methods for advertising currently being used by some Internet service providers (ISPs). The hearing was entitled, “What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies.” Panelists included: Bob Dykes, the CEO for NebuAd, David Reed, an early Internet pioneer and professor at MIT, Alissa Cooper, the Chief Computer Scientist for the Center for Democracy and Technology, Scott Cleland, President of Precursor, LLC, and Bijan Sabet, a General Partner at Spark Capital.

Committee members expressed concerns about ISPs working with third party advertising firms that monitor their customers’ web habits for advertising purposes. Several people compared deep packet inspection techniques on the Internet with the United States Postal Service opening people’s packages. They said a basic level of privacy is violated when an ISP employs DPI for the sake of increasing revenue, especially when unwitting customers are not aware their web browsing is being monitored.

DPI is a computer network packet filtering that allows for the inspection of data for viruses, spam, or other content. In other words, this inspection process would provide an ISP or other entity with the power of conducting data mining, eavesdropping or even censorship. While DPI has benefits, panelist Bijan Sabet said the Comcast/BitTorrent debacle demonstrates that is also has its drawbacks. A few weeks ago, it was revealed that Comcast was blocking BitTorrent on its network through the use of DPI technology.

This marks the second week that advertising firm, NebuAd, has testified before Congress on its “robust” security practices. Last week, NebuAd faced questioning by the Senate Commerce Committee. The firm says targeted advertising “provides consumers with significant benefits, serving them with more relevant ads, which they want, while ensuring they have robust privacy protections and control over their online experience.”

Taking NebuAd to task, Chairman Ed Markey said DPI “can indicate every site a user visits and much more.” He said he would not expect the postal service or UPS to open up his packages, and believes tactics used by firms like NebuAd are subjecting Americans to unwarranted invasions of privacy. Furthermore, he said the notices that are provided to users are lost in the fine print or ignored.

“When people use the world wide web, they don’t want it to turn into the wild, wild west when it comes to their personal information,” said Markey.

Ranking Member Cliff Stearns, on the other hand, urged Members to use caution when approaching this issue, saying the FTC testified last week that no new regulations were needed for the online advertising arena.

“As the overall economy continues to take a downturn, the government shouldn’t be contemplating how to make it harder for small businesses to succeed. Targeted advertising may be essential for small businesses to compete with larger ones,” said Stearns. “Let’s look very closely at these issues before we leap to legislative proposals that even the FTC is not calling for at this time.”

Other Members said a policy of opt-in should be the norm, rather than the current opt-out choice.

“Why is the burden [of opting out] on me?” asked Representative Greg Walden. “I think for the Internet to succeed as an instrument of commerce,” people need to opt-in to the system.

Citing another issue, Representative Hilda Solis said she was concerned that vulnerable populations, like the elderly or those who cannot speak English, may be targets for predatory advertising tactics.

WHAT THEY SAID: Here is a brief summary of the panelists’ testimonies.

Bob Dykes (NebuAd)- Dykes said his company, which he says does not use personally identifiable information, has designed a service “so that no one- not even the government- can determine the identity of our users.” Dykes said they do not store raw data that can be linked to individuals. He also said they provide users “with prior, robust notice.” Dykes, who faced tough questioning from Chairman Markey and others, said they continue to innovate on privacy controls, including the development of better notices. He said the Internet “is more than 50% supported by advertising,” so it is imperative that firms like his have access.

David Reed (Professor, MIT)- Reed, who began working on the Internet in the late seventies, said he believes DPI is “not at all necessary” for operating the Internet. He said DPI technologies “actually violate long-agreed standards and principles that have been part of the Internet’s design from the beginning.” Furthermore, Reed said they “pose major risks to the economic successes of the Internet … by normalizing non-standard and risky technical activity on the part of telecom operators who may choose to exploit captive customers.” He said DPI is particularly harmful for unwitting customers, especially when they do not know how their information is being tracked (or even that it is tracked in the first place). Reed said users must have informed consent and know exactly how their data is being used.

Alissa Cooper (Chief Computer Scientist, CDT)- Cooper said that while DPI is benign and even beneficial at times, it “runs the risk of violating the trust of consumers for the Internet.” She said this technology allows networks to see the political or religious sites a user may visit, while providing little notice they are doing so. Cooper suggested that current online advertising techniques may violate federal wiretapping laws and might also interfere with normal Internet use. She urged Congress to seek more information from ISPs and other companies about how they are using DPI, and asked that they consider a larger, comprehensive privacy bill to protect consumers.

Scott Cleland (President, Precursor, LLC)- Cleland said the hearing should have focused on the search engines like Google and Yahoo, which he says have a double standard when it comes to consumer privacy. He said the committee should focus on “a comprehensive approach to Internet privacy,” rather than attacking the ISPs alone. He said firms like Google are truly “Orwellian” in that they have access to a full spectrum of people’s information through Google searches, Gmail, Picasa pictures, Google health, Google calendars, etc… Cleland said, “We are worried about perfect blinds on the windows when there are no walls on the house.” For full disclosure purposes, he noted that his business involves working for ISPs, but said he was speaking on his own behalf.

Bijan Sabet (General Partner, Spark Capital)- Sabet said DPI is a significant technology breakthrough, which provides consumer and economic benefits. But he said DPI could be used to thwart net neutrality, since it allows ISPs to slow down or turn off third party services or applications. Sabet warned that a closed Internet will not thrive as incentives for innovation decrease.

In a press release, the American Civil Liberties Union (ACLU) warned consumers about the “privacy landmines inherent in DPI.”

“The expanding use of DPI is increasingly sophisticated, complicated and lacking in transparency. The risk to Americans’ privacy is massive,” said Timothy Sparapani of the ACLU. “Every time we visit the Internet, everything we read, everything we see- all of it is up for grabs with DPI. … Congress must be Americans’ firewall on this issue.”

Google-Yahoo, Continued...

agould — Wed, 16 Jul 2008 15:22:47 -0500

Yesterday, the Senate Judiciary Committee's Antitrust Subcomittee and the House Judiciary Committee's antitrust task force questioned representatives from Google, Yahoo, and Microsoft about the proposed Google-Yahoo advertising partnership. (Google and Yahoo signed the agreement, which allows Google to assist with Yahoo's targeted ads, on June 12.) Both House and Senate members have expressed concerns about competition and consumer privacy issues. In Tuesday's hearings, they wanted to learn more about the deal by speaking directly with the players involved.

Microsoft attempted to enter into a partnership with Yahoo, but Google ultimately won approval from Yahoo's board. In testimony before the House and Senate Judiciary Committees, Microsoft senior Vice President and general counsel warned that the Google-Yahoo deal would result in Google dominating 90% of the online search advertising market. He said Google currently controls 70% of this market, while Yahoo has 20%.

However, Google and Yahoo maintain that their partnership will result in targeted ads that are more relevant to users and consequently, make Internet advertising more efficient. Indeed, Yahoo went one step further and said this agreement will make them a stronger competitor against Google.

"Yahoo is here to stay and we intend to compete across countless platforms," said general counsel Michael Callahan. "We have every intention of fighting [Google] and winning in this and in other areas for years to come." (quote source: CongressDaily)

Currently, the U.S. Department of Justice and a few state attorneys general are investigating the Google-Yahoo deal. Meanwhile, Google and Yahoo contend that Congress has no power on this issue and cannot interfere with their business dealings.

Are Online Targeted Advertising Practices Violating Wiretap Laws?

agould — Thu, 10 Jul 2008 15:08:12 -0500

Released one day before the Senate Commerce Committee held its hearing on the privacy implications of online advertising, a new report says targeted ads may involve practices that violate state and federal wiretap laws.

On Tuesday, the Center for Democracy and Technology (CDT) issued a memo, saying Internet service providers (ISPs) that allow an advertising network to copy [their] customers' Web traffic contents are defying "reasonable consumer expectations and may [be violating] communications privacy laws."

Currently, some ISPs are working with third party advertising agencies, which are copying consumer data in order to target specific ads at users. One such firm, NebuAD, testifed before the Senate Commerce Committee yesterday. NebuAd claims it does not violate any laws because they do not collect personally identifiable information. Some, though, argue that any collection of data can ultimately be tied to an individual and disagree with NebuAd's assertion that privacy is completely protected. CDT's memo says the practice most likely violates legal protections provided in the Electronic Communications Privacy Act.

"Consumers do not expect their ISP to be copying their Internet communications and selling them to third parties," said CDT Vice President Ari Schwartz. He stressed that consumers need to be aware that their information is being sold to outside groups, and there should be "clear notice and prior consent."

CDT acknowledges that federal laws may allow these practices with the consent of subscribers, but they say they fear consumers are "ill-equipped" to know how or even if their information is being tracked.

And while CDT President Leslie Harris said the larger ISPs have shied away from using firms like NebuAd, she says this model is not going away anytime soon. Harris says they want to see the Federal Trade Commission adopt enforceable guidelines and a sensible privacy regime for handling these evolving challenges to Internet privacy.

Hearing Highlights: Senate Commerce Committee Holds Hearing on the Privacy Implications of Online Advertising

agould — Wed, 09 Jul 2008 15:12:01 -0500

Today the Senate Commerce, Science, and Transportation Committee held a hearing on privacy concerns related to online advertising. In what will probably be the first of several hearings, the committee asked panelists about their thoughts on privacy threats vis-a-vis online advertising. Chairman Dorgan noted that no Internet Service Providers (ISPs) wanted to participate at today's hearing, but he hoped to address this issue with them at another hearing in the future. Panelists at this well-attended event included Lydia Parnes of the Federal Trade Commission, Chris Kelly of Facebook, Leslie Harris of the Center for Democracy and Technology, Jane Horvath of Google, Robert Dykes of NebuAd, Mike Hintze of Microsoft, and Clyde Wayne Crews of the Competitive Enterprise Institute.

HIGHLIGHTS:

Chairman Dorgan acknowledged that there are benefits to having personalized online ads, since they are relevant to the user. He said he has personally enjoyed using amazon.com because that website will suggest books or other products related to the books you may already be buying. However, Dorgan said that while he understands the need for revenue from these ads, he is troubled by the privacy implications.
Another senator said that Congress has been arguing for years over the Patriot Act's controversial section on allowing government authorities to inspect library patrons' borrowed book lists. He noted that while this is not a "Big Brother" situation with the government, the same activity is going on with behavior advertising. The only difference, he said, is that private companies are gaining access to people's sensitive online search information.
Lydia Parnes, Director of the Bureau of Consumer Protection at the FTC, said many consumers have expressed concerns about privacy on the Internet, especially as it relates to health, finances, and children. After conducting hearings and a townhall on this topic, the FTC determined that 1) behavioral (targeted) ads may provide good benefits, 2) invisibility and the collection of data are concerns, and 3) businesses and consumers want more transparency.
Jane Horvath, Senior Privacy Counsel at Google, says Google makes privacy a top priority because they know consumers can choose other search engine competitors. Horvath said her company targets ads based on users' interests, but does not build up detailed profiles. She also said Google stresses transparency by providing privacy information, as well as choice in what information users provide. Additionally, Horvath said the "world's best engineers" are devoted to Google's security. Finally, she said they support a comprehensive privacy law and agree with the FTC's online privacy principles.
Robert Dykes, Chairman and CEO of NebuAd, said his advertising agency partners with ISPs in order to target specific ads at Internet users. He said NebuAd uses a select set of a user's activities to target the ads, but does not collect personally identifiable information (PII) on people. He also said his company allows for people to "opt-out," though some questioned whether consumers were even aware of the tracking or how to stop it.
Leslie Harris, President of the Center for Democracy and Technology, said behavioral advertising is growing and citizens are ill-equipped to protect themselves. She said that while each piece may not be identifiable, collections can ultimately be tied to a person. Additionally, she expressed concerns about data being maintained for extended periods of time. Harris said the fact that ISPs are disclosing consumers' traffic to unknown third parties may violate federal and state wiretap laws. CDT released a memo yesterday, offering information and evidence as to why they believe ISPs that work with companies like NebuAd are violating wiretap laws.
Chris Kelly, Chief Privacy Officer of Facebook, stressed that Facebook members have control over their privacy settings and that his company is constantly looking for ways to provide even more control to users. He said that while the targeted ads "generally benefit" users, Facebook does not provide outside businesses with profile information. However, people who choose to add applications do surrender some privacy, because application owners have a set amount of time to look at a consumer's personal page. Kelly said Facebook penalizes any application companies that violate his company's policies.
Clyde Wayne Crews, Director of Technology Studies at the Competitive Enterprise Institute, said there is no guarantee for privacy on the Internet, which he said is defined by its openness and constant evolving. He stressed that competition, rather than burdensome regulations, is better for addressing privacy concerns. Crews said that if someone does not like a search engine, there are literally hundreds of other ones from which to choose. The best ones, of course, will strive for greater privacy protections, thus encouraging more people to use their services.
Finally, Mike Hintze, Associate General Counsel at Microsoft, said his company has three privacy principles: transparency, control (ability to opt-out of features), and security. He said Microsoft advocates for a privacy policy even broader than the FTC's in order to better protect their customers.

Privacy on the Internet: Charter Communications Says It Will Delay Profiling Subscribers for Targeted Ads

agould — Wed, 25 Jun 2008 13:56:48 -0500

In a letter last month, Congressmen Ed Markey and Joe Barton of the House Energy and Commerce Committee asked that Charter refrain from using technology that would allow the cable company to profile its customers for targeted ads and content. After meeting with the congressmen, Charter announced yesterday it will delay using this technology in order to address privacy concerns.

According to CongressDaily, Markey and Barton argued "that federal law bans firms offering cable services from disclosing subscribers' personal information without prior consent."

In a statement, Charter said they "will continue to take a thoughtful, deliberate approach with the goal to ultimately structure an advertising service that enhances the Internet experience for our customers and addresses questions and concerns they've raised."

Because the issue if not fully resolved, Markey asked that other Internet service providers hold off on using such technology while privacy concerns remain.

(source: CongressDaily)

Cybersecurity Research Challenges

elilly — Mon, 16 Jun 2008 10:56:12 -0500

Today’s most prevalent and widely discussed attacks exploit code-level flaws such as buffer overruns and type-invalid input. We need to anticipate tomorrow’s attacks and think beyond buffer overruns, beyond code-level bugs, and beyond the horizon. To be ready for threats of the future, we need to be doing more basic research in cybersecurity today. This talk will outline a few suggestions for important research directions in cybersecurity: the foundations of trustworthy computing, security architectures, privacy, usability, and security metrics.

Holistic Approaches to Trustworthiness, Security, and Privacy

elilly — Fri, 13 Jun 2008 10:12:56 -0500

System trustworthiness is needed for security, reliability, survivability, safety, and for many application areas such as critical infrastructures, robust networking, and high-integrity elections. Trustworthiness ultimately requires many changes in the way systems are developed today. Being respectful of privacy needs requires further care. This talk considers a variety of approaches that can enhance system trustworthiness, sensible system development practices, and a system-oriented view toward achieving the desired changes.

A Cybersecurity Agenda for the Next President

drupal — Wed, 21 May 2008 12:55:14 -0500

There has been much improvement in securing cyberspace in the last five years, but much still needs to be done. The Center for Strategic and International Studies (CSIS) has established a Commission on Cyber Security for the 44th Presidency, the administration that will take office in January 2009. The goal of the commission is to identify a strategy and set of recommendations for the next administration to move ahead in securing cyberspace. This session will provide a status report on the commission's work to date. It will also provide an opportunity to offer input regarding progress that has been made in the higher education sector, remaining challenges and opportunities, and the role of the federal government to help improve cybersecurity at colleges and universities.

The State of the Internet According to the Congressional Internet Caucus

drupal — Wed, 21 May 2008 12:55:13 -0500

The Congressional Internet Caucus is a bipartisan group of over 170 members of the House and Senate working to educate their colleagues about the promise and potential of the Internet. EDUCAUSE is a member of the Congressional Internet Caucus Advisory Committee, which includes a diverse group of public interest, nonprofit, and industry groups working to educate Congress and the public about important Internet-related policy issues. This session will highlight the priority IT policy issues before the 110th Congress according to the cochairs of the Internet Caucus and provide an overview of the Advisory Committee’s programs and activities.

The FTC as an Educational Partner in Improving Data Security and Privacy

drupal — Wed, 21 May 2008 12:55:12 -0500

The Federal Trade Commission deals with issues that touch the economic lives of most Americans. The current portfolio includes protecting consumers in the areas of data security and privacy, identity theft, Social Security number misuse, identity management, spam, maintaining the National Do Not Call Registry, and other IT issues of interest to colleges and universities. The FTC's Bureau of Consumer Protection, although a regulator of businesses, is also an educator: it seeks to educate consumers and provide businesses and other organizations with the information they need to comply with the rules of the road and to provide consumers with the necessary tools to engage in commerce intelligently. This session will highlight information policy issues the FTC is addressing and educational resources institutions of higher education can leverage to improve student, faculty, and staff awareness of data security and privacy risks.

Collecting and Preserving Data in the Wake of a Tragedy

drupal — Wed, 14 May 2008 10:48:32 -0500

After the tragic events of April 16, 2007, at Virginia Tech, IT professionals and university legal counsel had to quickly address the need to collect and preserve data in the event of future litigation. Performing tasks while dealing with grief and protecting academic freedom and privacy issues has required a delicate approach.

Privacy and Personal Information in a Rapidly Changing World of Learning Spaces

drupal — Wed, 14 May 2008 10:48:25 -0500

Institutions are increasingly placing students' papers, discussions, and personal opinions in course management systems, wikis, or other shared learning spaces. This session will address the many critical questions that remain unanswered concerning what privacy protections and choices should be provided, and by whom, in learning spaces that fall outside the traditional classroom or online course shell.

Comments of the American Council on Education on the Family Educational Rights and Privacy Act

elilly — Mon, 12 May 2008 11:21:01 -0500

On behalf of several higher education associations, the American Council on Education submitted comments on the Family Educational Rights and Privacy Act

Comments of the EDUCAUSE/Internet2 Computer and Network Security Task Force on the Family Educational Rights and Privacy Act

elilly — Mon, 12 May 2008 11:07:49 -0500

Comments of the EDUCAUSE/Internet2 Computer and Network Security Task Force on the Family Educational Rights and Privacy Act; Proposed Rule, Federal Register, Vol. 73, No. 57, U.S. Department of Education, Office of Planning, Evaluation and Policy Development

Regulatory Compliance Training: Public Jobs, Private Data

gdobbin — Tue, 15 Apr 2008 07:42:18 -0500

This research bulletin details the procedures and processes undertaken by the University of Minnesota to ensure that all employees, from student workers and custodial staff through senior research faculty and administrators, received training about keeping private data secure tailored to their roles and responsibilities. It illustrates how the implementation of the training resulted in improvements in incident reporting and response procedures, awareness of institutional private data and expectations for securing them, and many aspects of data security.

Citation for this work: Janssen, Ross T., and Greg C. Sales. “Regulatory Compliance Training: Public Jobs, Private Data” (Research Bulletin, Issue 8). Boulder, CO: EDUCAUSE Center for Applied Research, 2008, available from http://www.educause.edu/ecar.

U.S. Proposes New Rules on Student Privacy

ckeller — Mon, 31 Mar 2008 12:46:08 -0500

"The federal law designed to protect the privacy of students’ educational records has been under scrutiny and stress from a variety of angles in recent years, most recently from those concerned (in the wake of last year’s shootings at Virginia Tech) about whether the Family Educational Rights and Privacy Act gives college officials sufficient latitude to report their fears about mentally ill students. "

Security Task Force Provides Briefing to CSIS Commission on Cyber Security for the 44th Presidency

vvogel — Wed, 26 Mar 2008 10:01:41 -0500

The EDUCAUSE/Internet Security Task Force provided a briefing to the CSIS Commission on Cyber Security for the 44th Presidency on March 12, 2008, during the event "Improving Cybersecurity: Recommendations from Private Sector Experts". A 1-page summary of the briefing is available, as well as the complete transcript.

Briefing to CSIS Commission on Cyber Security for the 44th Presidency

ckeller — Thu, 13 Mar 2008 09:35:11 -0500

This "Briefing to CSIS Commission on Cyber Security for the 44th Presidency" By Rodney Petersen and Jack Suess on behalf of the EDUCAUSE/Internet2 IT Security Task Force was presented to the Commission on Cyber Security for the 44th Presidency. The agenda was "Improving Cybersecurity: Recommendations from Private Sector Experts".

Insights on the Legal Landscape for Data Privacy in Higher Education

ckeller — Thu, 06 Mar 2008 15:18:58 -0600

This opening address was presented at the University System of Maryland's Workshop on Data Privacy for Maryland Higher Education.

Data Classification and Privacy: A Foundation for Compliance

ckeller — Thu, 06 Mar 2008 15:11:25 -0600

These slides were presented at the University System of Maryland's Workshop on Data Privacy for Maryland Higher Education.

Facebook 2.0

elilly — Fri, 29 Feb 2008 14:32:43 -0600

"What challenges remain with this killer app? I suggest three: (1) user education, especially for adolescents and their parents; (2) new features connecting higher education's missions to the popular site; and (3) legal and policy considerations on a global scale."

On People, the Death of Privacy, and Data Pollution

elilly — Fri, 29 Feb 2008 14:14:37 -0600

The following is an excerpt from an interview with Bruce Schneier. Matt Pasiewicz, EDUCAUSE content program manager, conducted the interview at the EDUCAUSE 2007 Annual Conference. The full podcast is available at <http://connect.educause.edu/blog/mpasiewicz/e07podcastaninterviewwith/45439>. In the interview, Schneier answers questions about security and privacy issues.

Privacy and Compliance for the Left Brain

drupal — Wed, 27 Feb 2008 12:04:13 -0600

Complying with privacy requirements is an institution-wide effort that involves end users, data stewards, policy officers, and security professionals. However, the individuals who are expected to actually implement technologies needed to enable privacy aren't always apprised or aware of the reasoning behind what they are being asked to do. If they were, ideas as to how to better satisfy the goals may well result. This session brings together the "right brain" policy people with the "left brain" technologists, in an effort to make each more "whole-brained," in the area of privacy and supporting technologies.

Lightning Talks

drupal — Wed, 27 Feb 2008 12:04:12 -0600

Do you have a practice or interesting approach to share in the security and identity management space? Or would you like to connect up with someone with a similar challenge and collaborate on a solution? This session will provide a final chance for attendees to discuss a good idea or opportunity for peer networking.

EFF keeps viral video free from infection

mpasiewicz — Wed, 27 Feb 2008 09:10:26 -0600

EFF recently blogged about the way they're using embedded video and steps that they've taken to protect the privacy of users visiting their pages. They've created a script that prevents embeded sources from automatically downloading when you visit a page. In effect, they've created a system that offers the ability to opt-in to view the embedded media, rather that force feeding content from third parties (and associated usage tracking) into the attention stream of their audience. This seems like an important step towards elevating thought and providing protective measures aimed at third party sources (whether that mean viral video, widgets, maps, images or mashups of various web services).

They've implemented these protection measures using a Drupal module and they'll be contributing this back to the community!

Thank you EFF!

Web Applications: Get a Grip on Privacy

drupal — Thu, 21 Feb 2008 12:11:08 -0600

Many institutions have developed a privacy approach for their legacy and business systems. For third-party hosted applications, institutions may have a contract in place that specifies privacy requirements. What we don’t have a grip on are the web-based collaborative applications, such as wikis and blogs, where we neither have a comprehensive policy nor a contract to govern privacy or data use. What are the privacy pitfalls and requirements for each of these three categories? This session will explore case studies of various models in place across higher education.

Appropriate Access: Privacy Requirements, Regulation, and Working with Auditors

drupal — Thu, 21 Feb 2008 12:11:05 -0600

Personal privacy is about protecting individuals and them control over their personal information. Institutional privacy is about protecting proprietary information. In either case, privacy requirements must reflect campus values and also meet the institution's legal and regulatory obligations. The requirements must be reflected in the identity management system: its flexibility, how it is used to support access to resources, and who makes the decisions about that access. IAM can provide for the externalization and consolidation of roles that can be used to determine permissions and access without that function being built into each resource. This session will discuss these topics from the auditor, identity management architect, and security staff perspectives and offer a case study on how one campus has addressed these issues.

Privacy related links of interest ...

mpasiewicz — Wed, 20 Feb 2008 09:57:06 -0600

I just discovered a series of interesting blog entries from Danny Weitzner, W3C Technology and Society Policy Director and co-director of MIT CSAIL. These aren't especially new links, but I thought they might be worth relaying ...

Reciprocal Privacy for the Social Web - provides an introduction for a proposal "to establish a reasonable privacy balance in social networking environment" using FOAF. Also of interest is a link from Shahan Khatchadourian describing the use of FOAF and OpenID to establish trust/prevent spam. Apparently the solution could be available from Ryan Lee as a Drupal module? In some ways, this sounds similar to the Social Network Portability concept mentioned by Stephen Downes.

Request Removal From Search Engines

ckeller — Fri, 15 Feb 2008 12:00:31 -0600

The web page provides links to several search engines FAQ pages on the topic of removal from a search engine cashe. Includes links to Google, Yahoo, Ask and MSN.

The Privacy Landscape in the Academy

drupal — Tue, 05 Feb 2008 10:11:13 -0600

Privacy is a concept established by law and often embraced as part of institutional policies, academic values, or professional practice. Innovations in information technologies and changing cultural norms present new privacy challenges and opportunities for academic organizations. This session will highlight the privacy issues that confront higher education IT professionals and offer a path for moving forward.

EDUCAUSE Podcast: The Privacy Landscape in the Academy

gbayne — Tue, 05 Feb 2008 04:50:49 -0600

On this podcast we feature a keynote speech from the EDUCAUSE 2008 Mid-Atlantic Regional Conference featuring Lauren Steinfeld, Chief Privacy Officer and Institutional Compliance Officer at the University of Pennsylvania. Her presentation is entitled, "The Privacy Landscape in the Academy".

Lauren B. Steinfeld serves as Chief Privacy Officer for the University of Pennsylvania. In that position, Ms. Steinfeld works on privacy issues involving medical information, student records, electronic data, Social Security numbers, and other personal information. Recently, Ms. Steinfeld has worked extensively on developing policies, procedures and tools to mitigate risks in the information technology area. Ms. Steinfeld has also taught a Privacy Law course at Penn Law.

The Privacy Landscape in the Academy (summary)

llarsen — Fri, 01 Feb 2008 14:46:05 -0600

This is a summary of “The Privacy Landscape in the Academy” presented at the 2008 Mid-Atlantic Regional Conference by Lauren Steinfeld, Chief Privacy and Institutional Compliance Officer, University of Pennsylvania

This presentation was recorded for podcast and is available from the EDUCAUSE website. http://connect.educause.edu/blog/gbayne/educausepodcasttheprivacy/46109

A pdf of the slides are available at http://www.educause.edu/upload/presentations/MARC08/GS02/steinfeld%20privacy%20keynote%20MARC%2011608.pdf

Steinfeld discussed definitions of privacy, perspectives, privacy at the University of Pennsylvania and specific initiatives for an IT focus on privacy.

She began by defining privacy as the ability of a person to know about and often control information collected about them and the use and sharing of that information. In addition, she said security is a major component of privacy because of the focus on protecting confidential data from unauthorized access and disclosure

We think of such questions as what is being done and what is being collected. Is there a choice of opt-in or opt-out? What is the access? Why, when, and how can who can see what has been collected. Privacy is different than security but they complement one another.

Steinfeld played an ACLU clip on what the world would look like to us if we had no privacy. The clip is available at http://www.youtube.com/watch?v=RNJl9EEcsoE.

What we have in place to protect privacy include legal and other standards such as

FERPA, HIPPA, GLBC, PCI. FACTA, CAN SPAM, state breach notification laws, state SSN laws, Electronic privacy policies, and CCTV policy.

Beyond the multitude of legal standards there is significant public and press scrutiny on privacy matters which are sensitive issues to people of alls ages, incomes, ethnicities, political views, etc. The sensitivity is because of the personal nature of the issues.

Personal privacy rights clearinghouse lists 19 issues biometric technologies to medical records, RFID and more. (http://www.privacyrights.org/)

Per Ernst & Young the areas to look out for in 2008 are:

Data classification
Minimizing use of personal information
Evolving use of encryption
Standards for vendors and business partners
Telecommuting
Emergency preparedness
Privacy procedures at home and abroad
Keeping page with privacy management technology

Steinfeld discussed privacy in relation to public opinion/action.

She recommended Microtrends by Mark Penn who lives and breathes polls and surveys. The book is based on counter-intuitive facts and findings. In the area of Privacy it was found that, out of 43 polls, everyone cares about privacy (Internet security, privacy, SSNs) but when there is a security breach

incidence of takers on credit monitoring services is very low
little change in loyalty to institutions causing the breach

Also

op-out rates are very low
online blogging, networking, etc, has increased putting private data out for public consumption

Steinfeld said the bottom-line is that there is a lot of variability in what people care about and what they actually do.

Steinfeld is one of many new privacy professionals. She said America’s legal and operational “handling” of privacy has evolved over the last 10 years. It has gone from reactive to proactive but it still siloed around laws, incident by incident.

Developments over recent decades that have contributed to the issues and growth of the profession include both the significant increase in countable databases from the 70s in which only a few industries had them to countless data sets of sensitive data in the hands of potentially millions today and innovation in IT business structures which has meant much newer collections and uses of data. The potential for things to go wrong has driven the new push and this trend leads to more pro-active privacy structures and more coordinated approaches.

The International Association of Privacy Professionals (IAPP) is only 6-7 years old and it has over 4,500 members across 32 countries.
Additionally, certifications for privacy professionals are now available.

See Privacy Protection and Compliance in Higher Education: The Role of the CPO http://www.educause.edu/ir/library/pdf/erm0654.pdf

Steinfeld went on to discuss Privacy at Penn

She described the higher education context:

Wide variability in type of services and processes in higher education
More types of data (re types of stakeholders – students, parents, grad students, staff, faculty, etc)
More complex regulatory landscape
Decentralized operation and distributed, more open systems (not locked down as in most of industry)
Culture of independence in higher education takes various forms

and the Penn response:

Privacy Office with CPO – part of office of audit, compliance, and privacy
Privacy senior exec committee
Privacy liaisons in 33 schools/centers
Specialized committees and teams – IT privacy most active committee but also SSN remediation, SPIA coordination
Other key partnerships – IT Audit, ISC Info Sec off of Human Relations, general counsel, IT roundtable, provost office

and policies, guidance, programs

*Confidentiality of student records
Conf of staff and faculty records
Privacy of alumni data
Policy on privacy in the Electronic environment – who can go into someone else’s computer and when
CCTV camera policy
(other policies)
- Temporary workers policy
- Incident response policy
- Critical host policy
- PCI policy
- SSN Policy – new

They are providing guidance for the following situations:

Requests for mailing lists
Website privacy statements
Email standards – CAN SPAM guidance
Disposing data and documents for people who have left Penn (new) what do you do for people who have deceased?

and new programs:

Security and Privacy Impact Assessments (SPIA)

Records destruction programs
Awareness (major program)
Almanac tips
Student, faculty, staff guides
Online training

She suggested visiting Penn’s privacy website (http://www.upenn.edu/privacy/)

The Privacy office works with IT daily on a number of things including:

Policy development
Policy compliance
IT audits
Scanning programs
Self-assessment tools
Incident response

How it plays out:

Website privacy statements
CAN SPAM guidance
SSN policy
SPIA
Secure file and transfer data
Login data – access and controls
Using automated tools to find sensitive data
Procedures for finding and/or wiping lost laptops (and when and when/what do you decide)
Work at home rules
PDA policy (currently in draft form)
Encryption and laptops

Steinfeld says the successful program was started by top down influence and grass roots development made it work. The environment is increasingly sensitive to privacy issues. They are looking at:

Risk equations – what risks, what controls, what challenges remain
Volume of data including unnecessary data
Number of people working with data
Volume of rules and best practices
Changing landscape

Virginia Tech’s STAR program was an excellent model for Penn’s development including SPIA. (process & tool) The people process is intended to raise awareness deep in to the organization and one of the things they have done is to establish common vocabulary. You can find information about how the program was developed on the Penn privacy website. It includes a three year planning cycle – conduct risk assessments – current future state, probability times consequence scoring. For each system they have a tool which includes types of threats, current state, possible safeguards, and more.

They summarize the findings via an annual executive level report process which includes:

Observations
Impacts surpassed high expectations
Number of people brought in to privacy and security discussions
IT and operations components working closely together
Self-assessment, voluntary aspect –‘for you - not to you’
Opening dialogue
Roadmap
Community

Steinfeld mentioned that SSN cleanup is not an easy or overnight program

Assignment of PennID broadly
Conversion utility to convert
Changes central systems for PennId
Stronger security requirements
Develop of local sec officer role

Their SSN policy includes:

Third parties and institutional data
Risks posed by 3rd parties
Baseline protections – contract terms
Additional due diligence
Challenge to IT and privacy communities

In conclusion, Steinfeld said that the issues are numerous, distinctive, and changing. Awareness and engagement are critical to the program because PEOPLE create understanding and change.

Q&A

Q: Process gives form to something very complex, but how do you convince federal offices that your system is good even if it’s not the same? A: Just getting this question may be good because it will start other discussion.

Try to match SPIA controls with security controls

Q: How do you navigate between paranoia and reason? A: FTC is the watchdog for us on the credit reporting services.

Can’t tell what is legit and what isn’t quite often – but there are some indicators of who you can trust.

Q: How does a Chief Privacy Officer relate to the Chief Security Officer? A: Many of the project/programs are in concert – they don’t report to the same boss and expertise can be different but interest is the same.

Q: To what do you contribute your success at getting attention? (University of Minnesota has great awareness pieces) A: People are concerned and they know that they don’t know where all the info and how to access it. Do dog and pony shows. People want to get in front of this because we’re nervous and we want to do the right thing and appreciate the road map to get there.

Q: Do you have to alert people about the liability of what you find and do, or don’t do, about it? A: Be careful of what you write and what you promise. (Don’t send proprietary information everywhere)

Q: Spreadsheet of the spreadsheets (discussed earlier) – what about compiling the data and should it be used? A: Collective data with executive summary

People leading the effort will try to help manage the documentation

Q: Grass roots approaches – do they pass muster with those who care? A: The privacy program is not a compliance effort – compliance efforts are separate – HIPPA etc., they have not put these out externally – it’s an internal tool. Robust risk assessment tool and no one has asked for it. If someone did ask for it, they could show HIPPA regulators the HIPPA documents but they not the same and are not the driver for the privacy efforts at Penn.

Q: Doesn’t the IT audit also do this? A: Yes – and they might recommend SPIA. They were very involved in the development of the tool. Security Review & Assessment at VA Tech - even if not a compliance program it is still more helpful.

One Step Closer to Open Social Networks?: Google and Facebook Join the DataPortability Workgroup

catherine — Wed, 09 Jan 2008 10:47:54 -0600

After the recent scuffles between tech blogger Robert Scoble and Facebook over data portability and privacy, comes the announcement that Facebook - along with Google - has now joined the DataPortability Workgroup - (announced yesterday by Ben Metcalfe, the DataPortability founder, on his blog).

The optimistic vision for open social networks, where users will be able to share content freely across social networking sites, seems to be getting closer. Google and Facebook are, obviously, two of the biggest holders of social and personal information on the internet - on the one hand, they have enormous user populations clamouring for this facility, on the other, they presumably have a whole bunch of powerful advertisers and companies dying to "work with" all those rich user profiles.

Facebook (like Google) had already invested a lot in the concept of an open API, so why has it taken them so long to join the party? Donna Bogatin, quoting Eran Hammer-Lahav of ReadWrite Web, offers a dissenting voice to the hype around this new collaboration.

Kingsley Idehen has an interesting take on this, too. Like Mark Evans and others he is interested in using URIs and RDF to address the problems of data export from a different angle. As a semantic web kind of guy, Kingsley is very much an advocate of the concept of the web as a richly "Linked Data mesh". He points out that Facebook's "underlying data model is relational", and argues that Web Services APIs have to be seen "as part of a processing pipeline". This is his approach:

"I am able to make my Facebook Data portable without violating Facebook rules (no data caching outside Facebook realm) by doing the following:

Use an RDFizer for Facebook to convert XML response data from Facebook Web Services into RDF "on the fly" Ensure that my RDF is comprised of Object Identifiers that are HTTP based and thereby dereferencable (i.e. I can use SPARQL to unravel the Linked Data Graph in my Facebook data space)
The act of data dereferencing enables me to expose my Facebook Data as Linked Data associated with my Personal URI
This interaction only occurs via my data space and in all cases the interactions with data work via my RDFizer middleware (e.g the Virtuoso Sponger) that talks directly to Facebook Web Services.

In a nutshell, my Linked Data Space enables you to reference data in my data space via Object Identifiers (URIs), and some cases the Object IDs and Graphs are constructed on the fly via RDFization middleware."

Data Breaches in Higher Education: From Concern to Action

ckeller — Thu, 03 Jan 2008 09:56:53 -0600

"When is higher education going to get serious about safeguarding the private information of students,
faculty, and staff?"

Registration Now Open for February CAMP: Bridging Security and Identity Management

cluckett — Thu, 13 Dec 2007 11:17:07 -0600

Designed for both management and technical staff, the Campus Architecture and Middleware Planning (CAMP) workshop, "Bridging Security and Identity Management," February 13-15 in Tempe, Arizona, will address practical approaches for addressing issues surrounding three themes:

Privacy and compliance
Threat and risk mitigation
Scalability

Each of these requires a bridge between security and identity management. Explore the program and register before January 11 to take advantage of low early-bird rates.

Note: Those arriving Tuesday morning or earlier may wish to participate in the Net@EDU Identity Management Working Group meeting occurring from 1:00 to 5:00 p.m. before the workshop begins. All are welcome to attend (admittance is complimentary).

University requires GPS enabled phones of students?

mpasiewicz — Wed, 05 Dec 2007 15:50:11 -0600

Wow, this is an interesting move. Above and beyond the potential for unintended side-effects, I wonder what kind of interesting ways they'll be able to leverage this in the classroom and beyond.

http://www.engadgetmobile.com/2007/12/04/montclair-state-mandates-use-of-gps-enabled-phones/

Social Network Sites: Definition, History, and Scholarship

ckeller — Tue, 04 Dec 2007 10:21:21 -0600

Social network sites (SNSs) are increasingly attracting the attention of academic and industry researchers intrigued by their affordances and reach. This special theme section of the Journal of Computer-Mediated Communication brings together scholarship on these emergent phenomena. In this introductory article, we describe features of SNSs and propose a comprehensive definition. We then present one perspective on the history of such sites, discussing key changes and developments. After briefly summarizing existing scholarship concerning SNSs, we discuss the articles in this special section and conclude with considerations for future research.

Poke 1.0 afterthoughts

catherine — Tue, 04 Dec 2007 08:45:38 -0600

On 15 November 2007, Matt Riddle and I attended the “Poke 1.0” symposium at London Knowledge Lab organised by Neil Selwyn. Some brief thoughts and notes on the day here: overall, it was a really exciting and energising event, and I felt there was a strong sense of a nascent research community starting to coalesce. Here are parallel reviews by Lewis Goodings and Juliet Eve.

“Poke 1.0” sought to bring together UK-based social science researchers with an interest in Facebook, as an example of an innovative “social networking” application that is currently used by the majority of students in UK higher education. The audience heard a range of research papers, from media consultancy Human Capital's “macro” view, involving web metrics from Nielsen NetRatings, to Sonia Livingstone's “micro”-level qualitative study of UK teenagers’ use of social networking sites. Our paper represented a “mid-point” between these two extremes, presenting a single-institution case study and focusing on Facebook’s impact on staff/student relations at Cambridge. We also demoed a Facebook mashup widget developed by CARET developers Nicolaas Matthijs and Nick Desmet. The widget allows Facebook users to expose personal Sakai VLE resources on their profile (only the owner can see / access their personal resources). So, we've proved it's possible to do it, the real question now is do students want it, and is it desirable, both educationally and in terms of privacy?

The best came at the end of the day, with a really lively discussion on research ethics and methodologies. The problematic bits are always the most interesting... The consensus in the group seemed to be that many of us are finding that many "gold-standard" research ethics guidelines (e.g. BERA, BSA, Assoc. of Internet Researchers) are not adequate to cover this new research terrain. Is it possible, or desirable, to do "covert" observational research in a "semi-public" environment, for example? (There seemed to be some general agreement among the group that social networking sites are effectively "semi-public" environments, despite their privacy settings and access / searchability constraints.) It's early days yet of course and this sense of newness generated a certain collective enthusiasm, alongside the feeling that, to some extent, we're re-inventing the rules as we go along.