Identity Fraud

It seems identity fraud is on the rise in the U.S., at least as regards tax fraud. In 2008 there were 52,000 cases, and in 2010 there were 245,000 reported cases!

However, a significant number were due to mistaken flagging of dead projects using social security numbers. Actual known victims of fraud are 56,000, but that is still a lot, and significant if you happen to be one of them.

What is interesting is how a person’s social security number is stolen; the full list is here at the Reuters blog. The list includes dishonest employees with access to personal records, hacking, dumpster diving, etc.

In Sweden your personal ID is often handed out when you purchase something or sign up for a membership. It is used everywhere, which means that just about anyone can get hold of your ID number. It is not so complicated to work out either, as it includes your date of birth as the first 6 digits. In theory this would make identity fraud easy in Sweden, although I haven’t seen much said about it yet. It could be that much is tightly tied in to a central authority, but normally I would have seen this as a core weakness.

Maybe I am missing something in the local news? Comments from my Swedish friends?

Cloud and conflicting privacy laws

One of the biggest dilemmas with cloud services is that in theory it shouldn’t matter where your data is stored in the public cloud, just that it is secured appropriately, and only you get appropriate access and nobody else gets inappropriate access 😉

But it’s much more complicated. Every country has its own laws about the transparency of stored data and its accessibility to nosy government authorities. The real problems occur when there is a conflict of privacy laws between different countries. If you have personal data stored in a Google public cloud, your data could be stored physically anywhere in the world. And the fact that Google is a US company means the organisation is required to comply with US law (e.g. USA Patriot Act) worldwide, not forgetting the regional laws where the data is physically stored. This conflicts with EU privacy law, whereby the rights of the data subject are preserved.

Google have been quoted as follows: “As a law abiding company, we comply with valid legal process, and that – as for any US based company – means the data stored outside of the U.S. may be subject to lawful access by the U.S. government.” (Taken from Softpedia.)

This could be an interesting time for organisations to set up clouds, but only in a single country, in an organisation that is registered in the hosting country. Otherwise, can you really trust the data-holding authority to protect your rights as an EU citizen, for example? I know I can’t!

LinkedIn is being sneaky over your privacy settings!

Just in case this hasn’t come to your notice yet: LinkedIn has the right to use your photos for advertising if you don’t opt out 🙁

Read more here. There are already discussions in progress on which privacy laws it is potentially breaking.

To opt-out you need to do the following:
1) Go to your name in the top right-hand corner and select Settings from the drop-down
2) Select Account on the settings page (bottom left)
3) Under Privacy Controls, select Manage Social Advertising
4) Untick it > Save

A little belated, but thanks to Eoin Fleming for the tip, more than 10 days ago!

Zombie cookies

David S. Misell asked me to share the privacy issues of HTML5, and I thought there was no better place to do this than in a post.

HTML5 is really about these zombie cookies, cookies that keep coming back from the dead, even after you’ve deleted them… scary or what?

According to Wikipedia: “Zombie cookies were first documented at UC Berkeley, where it was noticed that cookies kept coming back after they were deleted over and over again. This was cited as a serious privacy breach. If you delete a cookie, it should remain deleted. Since most users are barely aware of these storage methods, it’s unlikely that users will ever delete all of them. From the Berkeley report, “few websites disclose their use of Flash in privacy policies, and many companies using Flash are privacy certified by TRUSTe.”

Ringleader Digital made an effort to keep a persistent user ID even when the user deleted cookies and their HTML5 databases (RLDGUID). The only way to opt out of the tracking was to use the company’s opt-out link which gives no confirmation.”

To read more techie stuff on how this annoying cookie works, go here, where Ars Technica has written an insightful article on this.
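The respawning described above can be spotted by comparing what a browser holds before and after its cookies are deleted. This is an added example, not code from the original post or the sources it cites; the snapshot shape, the store names and every sample value are constructed for illustration.

```javascript
// Added example. Snapshot shape { store: { key: value } } is an assumption;
// all names and values below are constructed sample data.
const before = {                       // state before the user deletes cookies
  cookies:      { uid: "a91f3c7e52d04b18", theme: "dark" },
  localStorage: { _bk: "a91f3c7e52d04b18", lang: "sv" },
  flashLSO:     { tracker: "a91f3c7e52d04b18" },
};
const after = {                        // cookies deleted, page reloaded
  cookies:      { uid: "a91f3c7e52d04b18" },
  localStorage: { _bk: "a91f3c7e52d04b18", lang: "sv" },
  flashLSO:     { tracker: "a91f3c7e52d04b18" },
};

// Treat only long strings as candidate identifiers; short values such as
// "dark" or "sv" are ordinary preferences.
function looksLikeId(value) {
  return typeof value === "string" && value.length >= 12;
}

// Map each identifier-like value to the "store.key" locations holding it.
function indexValues(snapshot) {
  const index = new Map();
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const [key, value] of Object.entries(entries)) {
      if (!looksLikeId(value)) continue;
      if (!index.has(value)) index.set(value, []);
      index.get(value).push(`${store}.${key}`);
    }
  }
  return index;
}

// Report a cookie as respawned when it is back after deletion with its old
// value and a non-cookie store held a copy that could have restored it.
function findRespawned(beforeSnap, afterSnap) {
  const copies = indexValues(beforeSnap);
  const findings = [];
  for (const [name, value] of Object.entries(afterSnap.cookies || {})) {
    if ((beforeSnap.cookies || {})[name] !== value || !looksLikeId(value)) continue;
    const sources = (copies.get(value) || []).filter((p) => !p.startsWith("cookies."));
    if (sources.length > 0) findings.push({ cookie: name, value, sources });
  }
  return findings;
}

console.log(findRespawned(before, after));
```

The `sources` list in each finding names the other stores that also have to be cleared for the deletion to stick.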

Ringleader Digital claims on its privacy page that it only collects “non-personally identifiable information, such as browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID and web sites visited.” Now the question is what happens when you link this information together?

In the UK, for example, an IP address in isolation is not personal data under the Data Protection Act, according to the Information Commissioner. But an IP address can become personal data when combined with other information or when used to build a profile of an individual, even if that individual’s name is unknown.

And there is significant discussion on this around the world. In Seattle a federal judge ruled that an IP address is not personal information; in the EU, however, it is understood how easily an IP address can become an element of PII.

As to my personal opinion, it’s simple… I want visibility, i.e. if I delete a cookie on my PC or mobile device, I want it deleted. I don’t want a zombie. It could be that I like the convenience of having a cookie there, but I want the choice to delete, and when deleted I don’t want any zombies roaming around on my devices… my devices, yes, they are linked to my very person, and have become a part of my DNA.