CDT joined in a "friend of the court" brief filed at the U.S. Supreme Court in what could be one of the major Fourth Amendment cases of the decade, U.S. v. Jones, which poses the question of whether the police can plant a GPS device on a person's car for 24/7 tracking without judicial oversight.

The brief says: The issue before the Court in this case is not whether GPS tracking ever may be used by the government. Rather, it is whether the government must obtain a warrant in order to employ this technology.

CDT's brief was filed jointly with our frequent partner in Fourth Amendment cases, the Electronic Frontier Foundation.  Several things make the brief special.  First, it is also signed by four technologists, whose expertise lends special credibility to the brief.  Moreover, one of the four is Roger Easton, often called the father of GPS for his groundbreaking work at the Naval Research Laboratory.  The other three represent the current generation of experts on networking, mobility and security: Andrew Blumberg of the University of Texas, Norman Sadeh of Carnegie Mellon, and Matt Blaze (who broke the Clipper chip) of the University of Pennsylvania.

And, the brief was written by Andy Pincus, a former Assistant to the Solicitor General of the United States and one of the leading Supreme Court advocates today.

True to CDT's approach to tech policy issues, half of the brief focuses on the technology of GPS, half on showing how that technology interfaces with legal precedent.  Our main point is that GPS technology is fundamentally different from the "bumper beepers" whose use the Supreme Court ruled in 1983 was not covered by the Constitution's search and seizure clause.  GPS, in contrast, is so different from human observation and generates such precise and pervasive data that it violates the average person's reasonable expectation of privacy, even on the public streets.

For example, the brief notes that: As receivers shrink in size, it will be possible to install them in a person’s clothing… the government would be able to use the technology to track the movements of large numbers of individuals even more directly and precisely than through the attachment of a GPS receiver to a vehicle.

Oral argument in the case is scheduled for November 8.  The Court may not rule on the case until next year.

This is an Article from Banking Technology by a sound and hugely respected friend David Birch

------

As the mobile payments area looks set to take finally take off, the next big area for payments services will be identity and authentication, according to a leading commentator.

Digital money specialist Dave Birch, a director of Consult Hyperion, this week told the annual Payment Strategies Conference - organised by Experian Identity and Fraud - that "the evolution of an identity market is the next big step" in developing mobile payments and related services. But he warned that "the technologies involved are very different to those in the connectivity space".

"In the mass market, biometrics are about convenience, not security," he said.

Birch lambasted traditional banks and payments providers for their failure to grasp the nature of the opportunities presented by mobile technologies, which has led them to miss the boat. "I'm almost embarrassed to stand before you and say that I thought that banks and mobile operators could work together," he told the conference. "It was a stupid fantasy for which I apologise."

This has meant that it has taken longer for the infrastructure to develop than he'd predicted, but more importantly, banks are still missing out: only recently, banks in the US had told him that there is no business case for subsidising the installation of contactless readers in retail premises, just as Google was announcing that it will.

It get ever so interesting as we separate Payments from Banking and Security from Networks ( especially in the mobile domain with eSIM or SoftSIM)  as this opens up the opportunity for any brand to get access to your transaction data.  As Google has already noted in their moves with Google Wallet, they don’t want 1% of a transaction fee (revenue) they want 100% of a companies marketing spend which is 10% of revenue – smart move, there is something in this identity and digital footprint!

https://www.tokenpay.com/

Mission is to provide a full service, 100% anonymous online transaction solution.  Claims to take privacy and security to all new levels of protection through a closed-loop network allowing for complete anonymity and untraceable online transactions. You are able to maintain undisclosed your online spending habits as we pass absolutely no personal or account information on to the merchant. With Token Pay you keep your money, financial details, and identity safe, secure and private. They offer

Indemnification of transactions and no chargebacks.

And they are located…. DRS Holdings, Chancery Court Leeward Highway, Turks And Caicos Islands, BWI

Assuming you keep your own “data” – this has the weakest of all levels of security !

Is Anything Private on Your Phone Anymore? is a blog/ article from Lookout

"Outlook decided to look at the range of personal information on your phone, explain the top privacy concerns and give simple steps you can take to put your mind at ease."  Fear, Uncertainty and Doubt sell - especially if you are selling security.  

A Council of Europe members propose resolution on 'Improving user protection and security in cyberspace"

"The Parliamentary Assembly is concerned that technological and commercial innovations in Internet and other digital information and communication media are taking place without an adequate analysis of the interests of the weakest part in this process: the user or consumer. For nearly a century, consumer protection principles have been established for traditional commerce of goods and services. However, they are more or less absent in modern cyberspace. Voluntary self-regulation by Internet stakeholders falls short of the legitimate expectations of protection.

In their use of the Internet, people come into contact with a multitude of intermediaries and software applications of third parties without knowing. Users of mobile communication devices change their intermediaries while moving. The Internet of things, cloud computing, social networks, peer-to-peer networks and other collaborative Internet services, for example, blur the enforceability of user rights and freedoms as well as the applicability of national law and the jurisdiction of domestic courts.

Individual users and our societies as a whole depend increasingly on Internet and other digital media services. Digital news services, e-learning, e-work, e-commerce, e-banking, e-administration, e-government, e-security systems and e-medicine are just a few examples. Shortcomings and failures may produce huge damages.

Greater transparency and accountability are necessary for improving security in cyberspace. The Assembly recommends that standards should be developed for user protection and security with regard to the Internet and new information and communications services."

Suggestion - stop building another solution and start working with the eco-system that is already doing the same!

Inspiring consumer confidence through data privacy legislation is the title of the post by David Hoffman. The full / original source is here

Essentially this is about new US law from Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introducing the "Commercial Privacy Bill of Rights Act of 2011", which is aimed at protecting individuals privacy. David Hoffman, director of security policy and global privacy officer at Intel Corporation believes that federal privacy legislation is essential to individuals’ continued use of and trust in technology, and urges Congress to begin discussion of the bill, so we can establish such a framework of trust.  To which I actually have no major issue with the underlying ideals and principles.  Assuming these principles are : what is yours is yours and you should able to protect it. aka the digital locker,

and you should be able to chose how to share your data/ content and with whom and on terms you can control.

Here comes the complexity of the issues. 

As argued in this post - controlling your data controls the source but not the true value to the market.  Knowing where you are is important and so if offering control over it; but knowing what you want to do at that location based on analysis is where the market value is and because the analysis is based on an algorithm built by a company who use it to differentiate themselves it is protected by IP law.

Privacy allows you to control your location, but nothing here is about control of the analysis/ algorithm or what is implied or released by others about you based on their analysis of your data.  If you want to hide and protect this is valuable legislation, however if you want to add to a global community and help build reputation, identity, influence and authority - this will not help at all.

Original blog : https://www.eff.org/deeplinks/2011/03/carrier-intransigence-harms-internet-security

Love little stories like this as who is paying.  Apple side load new updates via iTunes and therefore no OTA (over the air) update, therefore no cost to the operator. All the other create an OTA cost for the operator and why should the operator pay to update software that is not their business problem. However, who do I have the contract with!

Implication. Free sounds good until you actually need to call someone to fix it.

“By delaying or even blocking security updates for mobile devices, mobile carriers put their users, their business, and the country’s critical infrastructure at unnecessary risk. Mobile security problems plague the entire software stack — the baseband, the kernel, the application frameworks, and the applications — and carriers continue to resist shipping regular and frequent updates. Mobile carriers are chiefly to blame for this problem. Although Apple, Google, and Microsoft should develop security fixes faster, they are fundamentally limited by carrier intransigence.

Carriers should stop blocking frequent updates for mobile devices, and should work with subscribers and with platform vendors to ship security updates on an internet timescale.”

Roger Grimes posted a very insightful blog about reuse of user ID and passwords, with the usual sprinkling of fairy dust and FUD to create sales for security experts, however it co-insides with Microsoft publishing some data about the reuse of passwords on different web sites and a very good research paper from INRIA in France which asked “How unique and traceable are usernames”

Essentially can identities established on multiple web sites be linked together based on the usernames to recreate an “identity” and what are the implications for privacy?  INRIA experiment looked at over 10 million usernames from popular services such as Google and eBay. In some of the tests, Google profiles that listed multiple accounts on different web services were used to establish “ground truth” about linked usernames.

The first finding was that the usernames chosen by people on the various websites tend to be very unique, with a probability of duplication being approximately one in one billion. This was true for a variety of web services, including a corporate network, Finnish web forums, and MySpace.

Second, the researchers found that when people used different usernames for different services, many of the usernames were constructed by making very small changes to existing usernames (e.g., sarah, sarah2).

Third, the study demonstrated that more than 50% of the usernames created for different services could be linked to one another because the username was identical, or very similar, and unique from other usernames.

Whilst privacy is a setting and you choice to limit the data about yourself on a case by case basis which each digital service (ebay, picasa, flickr, facebook, twitter, google, blogger, etc, if your profile can be linked to other services from other providers than it would appear to be feasible to build a more detailed personal profile from the various bits of partial information.

That being the theory someone quickly wrote a software application as a demonstration that theory has some justification. A quick examination of people using anonymous file sharing services (private BitTorrent trackers) found that 13 out of the 20 usernames examined could be linked to other web services (e.g., YouTube, eBay) and 4 usernames could be linked to real-world identities.

Two Sides

1.      Having everything linked could save you a lot of time and bring you value and so what these are not critical services (but I bet you use the same for banking…)  Google will do this for you (new service 17 Feb 2010) as part of their social search.

2.      Breach one, breach all.

Outcome

We need something better then Username and Passwords

Image from http://twitter.com/#!/STOP_IDFRAUDUK