The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


FTC Mobile Device Tracking Seminar Highlight – Customer Trust

On Wednesday, February 19, the FTC hosted the first event of its Spring Privacy Series on emerging consumer privacy issues, focusing on mobile device tracking, specifically as it is used to track consumers’ movements throughout and around retail stores.

After a mobile location tracking demonstration by FTC Chief Technologist Latanya Sweeney, Ashkan Soltani provided an overview of the technology. A panel discussion followed, including representatives from The National Retail Federation (NRF), Electronic Frontier Foundation (EFF), analytics companies iInside and Mexia Interactive, and design firm Create with Context.

According to panelists, retailers and other users of mobile location tracking technology have a strong incentive to maintain consumer trust because consumer loyalty is on the line. The way to consumer trust is transparency: transparency about what data are being collected, what is being done with the data, and so on. Enabling transparency, however, is challenging because it is difficult to capture consumer awareness. There are three different ways to enable awareness: explicit, implicit and ambient. Studies have shown that explicit awareness, or signage, is ineffective. Consumers do not notice signs when they enter a retail establishment. And including signage on a mobile device is a limited communication tool because although 84% of shoppers use smartphones in a store, only 11% have the device visible at any given time. The reason? Their hands are busy; holding a device while shopping is not practical. The amount of detail that explicit signage attempts to communicate also poses a challenge. Information on what is being collected, how it is being used, how to opt out, and what the consumer benefits are is a substantial amount of print for a consumer to read and process while she is trying to get into a store, find items, and get out.

Implicit awareness arises when consumers understand that information is being collected about them because they are receiving a benefit or service that directly leverages that information. For example, when a user accesses Google Maps to get directions, she understands that the map application is collecting her location information. The more a user receives a benefit from the tracking functionality and can intuit that information is being collected to provide that benefit, the higher the level of implicit awareness. Finally, ambient awareness arises from input on the periphery; it’s not directly a part of the consumer’s experience but she may be aware of it. An example of ambient awareness is the handicapped sign; people see it and immediately understand the message it communicates. At the same time, it’s not front-and-center like explicit awareness. Designers are working on creating a universal “My Data” icon that would immediately communicate to consumers that their data is being collected. To date, over 300 iterations have been tested and the icon is still in development. Using the three types of awareness together is a long-term goal that would strengthen transparency.

Panelists were clear that the use of mobile location tracking technology is limited to collecting information in the aggregate and looking for trends, not profiling individuals. This, coupled with the fact that the information being collected is hashed MAC addresses, not actual MAC addresses or consumers’ individual names, should increase consumer confidence. There was debate among panel participants about whether the collection of information should be limited at the outset, or whether full collection should take place but with strong governance controls in place, such as not sharing data across multiple clients. Participants also addressed the fact that location data can be the most sensitive type of data of all, as it provides for multiple inferences regarding habits and associations, and thus yields the most insights.

The panel concluded with the NRF restating that retailers are using information collected only in aggregate, are doing the best they can, and are providing choice to consumers so they can opt out across the industry (Future of Privacy Forum Mobile Analytics Opt Out (Beta)); EFF calling for a change to the underlying technology so devices don’t have unique identifiers; a call for good design to enable transparency and trust; and strong governance to protect the data being collected.

For more information about governance around mobile device location tracking, read about the Future of Privacy Forum Mobile Analytics Code of Conduct in Emily Tabatabai’s Secure Times blog on the topic, and view the actual Code.


Reactions to NIST’s Final Cybersecurity Framework – The Good and the Bad (but no ugly)

On February 12, 2014, the National Institute of Standards and Technology (“NIST”) issued the final Framework for Improving Critical Infrastructure Cybersecurity (“Framework”). Issuance of the Framework was required by the Obama Administration’s February 2013 executive order, Improving Critical Infrastructure Cybersecurity (the “Executive Order”), aimed at increasing the overall resilience of U.S. critical infrastructure, which is highly dependent upon cyber systems.

Businesses and industry groups have lauded the NIST effort for providing a:

  • Highly inclusive and collaborative approach. When developing the Framework, NIST (1) engaged with over 3,000 individuals and organizations to develop the Framework, working with them to identify and discuss current cybersecurity standards, best practices and guidelines; and (2) received over 200 responses, many of which were comprehensive reports, to its Request for Information. This approach will be continued as NIST continues to solicit feedback for future updates and iterations of the Framework. Also, one would expect to see further collaboration and communication between industries and government, and among businesses via the Critical Infrastructure Cyber Community C³ (“C Cubed”) Voluntary Program established as a partnership between the Department of Homeland Security (DHS) and the critical infrastructure community to help promote implementation and awareness of the Framework.
  • Common cybersecurity language. According to Tom Gann of McAfee, the Framework provides, for the first time, a common language for technologists, executives and board members to communicate and make appropriate risk-based decisions. “This is important in and of itself, because C-suite executives can’t manage risk if they don’t explicitly understand what the risks are.” [1]
  • Useful tool. The Framework has also been praised for providing organizations with a tool that allows them to get an honest picture of where they are from a security perspective as well as identify what they want their security program to look like. According to McAfee’s Gann, “The delta between the two provides a means to identify a roadmap for improvement… and communication.”
  • Flexible approach. The Framework avoids a one-size-fits-all approach, recognizing that organizations will continue to have unique risks, including different threats, vulnerabilities, and risk tolerances, and that they will vary in how they implement the Framework. By employing an approach based on principles and best practices, the Framework is applicable to organizations regardless of size, degree of cybersecurity risk or sophistication. Additionally, it makes sense of the current panoply of approaches to cybersecurity by organizing and structuring the standards, guidelines, and practices that are working effectively in industry today.

At the same time, business and industry groups have leveled some strong criticism at NIST and the Framework for several reasons, including:

  • Threats are largely ignored. One industry pundit, Bob Gourley, has harsh words for NIST: “By ignoring the prodigious threats we face and the threat information functions organizations should put in place NIST has shown an incredibly high naivete, with the result being a framework unable to improve critical infrastructure cyber security.” [2]
  • Cloud risks are dismissed. There is no attempt to address cloud-related risks. In fact, the word “cloud” is mentioned only once in the entire Framework, and only by way of an example. Such neglect seems foolhardy in light of Forrester Research’s prediction that cloud will take off in 2014 as it is integrated into existing IT portfolios and becomes a de facto way of doing business. [3]
  • Economic realities are not addressed. The Framework in no way addresses how to establish a cybersecurity program that is cost-effective or supported by economic incentives. Cybersecurity programs are not cheap, and this oversight will have real consequences for companies struggling to get a program off the ground or strengthen an existing program. Internet Security Alliance President Larry Clinton cautions, “If we don’t make real progress in these areas quickly all the work that went into developing the NIST framework will go to waste.” [4] A voluntary program that doesn’t account for economic reality will quickly find itself with no volunteers.
  • Too simplistic. The Framework is presented in such an elementary, high-level format that it is unlikely to be of any use to sophisticated companies already employing robust cybersecurity defense programs. At the same time, because it is voluntary, it is unlikely to compel less sophisticated companies without a program to adopt the Framework.

Given NIST’s collaborative and inclusive approach to developing the Framework and its continued solicitation of feedback, there seems to be reason for hope that the criticisms leveled against the current Framework will eventually be addressed.


Tributes and a Call to Action – Remembering Aaron Swartz

A year ago, on January 11, 2012, 26-year-old internet activist Aaron Swartz committed suicide while facing up to 35 years in prison and up to $1 million in fines. Charges against him included violations of the Computer Fraud and Abuse Act (CFAA) as a result of “unauthorized access” for downloading millions of academic articles while on MIT’s network. On this first anniversary of his death, a reinvigorated call to action is taking place. The Electronic Frontier Foundation (EFF) has launched a “Remembering Aaron” campaign and is reactivating efforts to reform the CFAA; activists are invoking his name for an upcoming day of action against NSA surveillance, “The Day We Fight Back,” to be held on February 11; lawmakers are demanding answers from the Justice Department about its treatment of Swartz; and a host of articles and other tributes are appearing across the internet.

The EFF’s Remembering Aaron campaign includes a tribute to Swartz’s legacy and kicks off a month of action against censorship and surveillance, toward open access. The EFF is reinvigorating efforts to reform the CFAA, encouraging supporters to send a letter to their legislative representatives that criticizes the law for its “vague language” and “heavy-handed penalties,” and its disregard for demonstrating whether an act was done to further the public good. The letter calls for: “three critical fixes: first, terms of service violations must not be considered crimes. Second, if a user is allowed to access information, it should not be a crime to access that data in a new or innovative way — which means commonplace computing techniques that protect privacy or help test security cannot be illegal. And finally, penalties must be made proportionate to offenses: minor violations should be met with minor penalties.”

In addition to calls to change the CFAA, activists are also calling for a protest against laws and systems that enable government surveillance to run unchecked. Specifically, a mass movement against government surveillance is being organized by a heavy-hitting group of organizations including EFF; the organization Swartz co-founded, Demand Progress; Fight for the Future; Reddit; and Mozilla. Organized for February 11, 2014, “The Day We Fight Back Against Mass Surveillance” invokes Swartz’s legacy in its call for a day of mass protest against government surveillance: “If Aaron were alive, he’d be on the front lines, fighting against a world in which governments observe, collect, and analyze our every digital action.” In a show of support for the planned protest, on the day before the one-year anniversary of Swartz’s death, Anonymous defaced MIT’s SSL-enabled Cogeneration Project page, displaying a page that called viewers to “Remember the day we fight back.”

In addition to the reinvigorated fight against laws that are abusive and can be easily abused, the key players in Swartz’s prosecution, the DOJ and MIT, are also coming under scrutiny. On Friday, January 10, a bipartisan group of eight lawmakers, Sens. John Cornyn, R-Texas; Ron Wyden, D-Ore.; Jeff Flake, R-Ariz.; and Reps. Darrell Issa, R-Calif.; James Sensenbrenner, R-Wis.; Alan Grayson, D-Fla.; Zoe Lofgren, D-Calif.; and Jared Polis, D-Colo., sent Attorney General Eric Holder a letter calling out inconsistencies between the DOJ’s and MIT’s reports and the DOJ’s lack of forthrightness and transparency. Additionally, the letter issues this demand: “In March, you testified that Mr. Swartz’s case was ‘a good use of prosecutorial discretion.’ We respectfully disagree. We hope your response to this letter is fulsome, which would help re-build confidence about the willingness of the Department to examine itself where prosecutorial conduct is concerned.” In Boston Magazine’s Losing Aaron, Bob Swartz, Aaron’s father, voices his deep disappointment in MIT and articulates specific ways in which he believes the institution was complicit in the DOJ’s draconian prosecution contributing to Aaron’s suicide.

Additional tributes to Swartz this month include a documentary by Brian Knappenberger, The Internet’s Own Boy: The Story of Aaron Swartz, which will play at the Sundance Film Festival beginning this week. In Wired Magazine’s article, One Year Later, Web Legends Honor Aaron Swartz, author Angela Watercutter notes “Swartz’s fight for rights online has only been brought more intensely into focus in the year since his death, largely due to NSA whistleblower Edward Snowden. To see him talk about government spying in [Knappenberger’s] documentary at a time before the Snowden leaks is especially chilling now.” Further, in Knappenberger’s forthcoming documentary, web visionaries, including founders of the World Wide Web and Creative Commons, speak of Swartz’s work and legacy:

“I think Aaron was trying to make the world work – he was trying to fix it…  he was a bit ahead of his time.” – Tim Berners-Lee.

“He was just doing what he thought was right to produce a world that was better.” – Lawrence Lessig



Update on House Bipartisan Privacy Working Group

On August 1, the Commerce, Manufacturing, and Trade Subcommittee issued a press release announcing the creation of a bipartisan Privacy Working Group in the U.S. House of Representatives.  The group’s composition includes Representatives Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) serving as co-chairs, Representatives Joe Barton (R-Tex.), Pete Olson (R.-Tex.), Mike Pompeo (R.-Kan.), Schakowsky, Bobby Rush (D.-Ill.), and Jerry McNerney (D.-Cal.). The Subcommittee’s announcement stressed the group’s plans to take a bipartisan approach and the need to balance a consumer-oriented focus with fostering growth and innovation.

The group held its first meeting on September 26, inviting participants from the private sector for an informal, roundtable format discussion about how companies deal with online privacy issues and their thoughts regarding Congressional involvement. Representatives from Google, Walmart and data broker BlueKai attended, with discussions centering on the companies’ data collection practices. Referring to the crash-course nature of the discussion, Blackburn called it “Privacy 101.”

In response to the closed-door nature of the September 26 discussion, consumer groups including the Electronic Privacy Information Center, Consumer Federation of America, Center for Digital Democracy, Consumer Watchdog, U.S. PIRG, and Consumer Action sent Representatives Blackburn and Welch a letter dated October 1, acknowledging the importance of the meetings but calling for the Working Group’s meetings to be conducted in a public format in accordance with the “Open meeting and hearings” provision contained in the Rules of the House of Representatives for the 113th Congress. Specifically, the letter signatories stressed the need for the group’s meetings to be ones in which a public record is created, reporters and news organizations are in attendance, and various viewpoints are heard.

While it remains to be seen what Blackburn’s and Welch’s response will be to the consumer privacy groups’ letter, nine additional sessions are planned for the next several months. The intention is to include members of industry, government and consumer groups and “create the conditions where there is some capacity for consensus,” according to Welch.


FTC Issues Consumer Advice re: Hacked Email and Social Networking Accounts

On August 1, the FTC provided consumers with a new resource, Hacked Email, to help them identify a hacked email or social media account, recover their account from a hack, and prevent it from happening again. The need for such guidance is highlighted by statistics such as these:

  • Over 60,000 compromised account logins occur every day on Facebook, according to Sophos.
  • 62 percent of users with compromised email accounts were unaware of how their accounts had been compromised, according to a study by Commtouch, State of Hacked Email Accounts.
  • Of the third of users who noticed their account was compromised, 50 percent did not know until their friends told them. (Id.)

Given that over half of all hacked accounts are used to send spam to promote a product (according to Commtouch) and many others are used to promote scams and spread malware, resulting in loss of personal information, security credentials and financial assets, the FTC has a vested interest in protecting consumers from hacked accounts. Here are ways it suggests consumers can start tackling the problem:

  • To identify a hacked account, users should pay attention to: messages they did not send (or social media posts they did not write) that appear to originate from their account; an empty sent-mail folder (indicating a hacker sent multiple emails from the account, then deleted the sent-mail folder’s contents or set it to not save emails in order to cover his or her tracks); or email from other accounts, which the user cannot open.
  • To remediate a hacked account, users should ensure their security software is up to date and delete malware; change their passwords (tips for creating strong passwords are included); contact their account service provider for account-specific advice on account restoration; check account settings to ensure messages are not being forwarded to an unfamiliar address or no new “friends” have been added to a social networking account; and inform friends and family so they don’t run the risk of getting hacked themselves by opening emails from the user’s hacked account. By going above and beyond just telling users to change their account password, these tips are likely to be useful to consumers, as, according to Commtouch, most users (42%) do nothing to solve the problem except change their password and 23 percent do nothing at all.
  • To avoid getting hacked again in the future, users should employ unique passwords for financial and other important sites; use two-factor authentication when available; not click on links or open attachments from unknown users; and only download free software from known, trusted sites. The FTC also gives guidance on safely using public computers and Wi-Fi networks.

While the tips are useful to consumers, businesses can also benefit from leveraging the FTC’s consumer-facing tips to educate their employees and customers. For example, given that 29 percent of breaches involved social tactics like phishing (getting employees to click on fake emails) according to the Verizon 2013 Data Breach Investigations Report, one of the FTC’s tips of particular use is that users should avoid clicking on links or opening attachments from unknown users.

Hacked Email is one of a series of educational materials consumers can leverage to protect themselves, available at, which is managed by the FTC in partnership with the Department of Homeland Security and the National Institute of Standards and Technology. Guidance on avoiding identity theft, scams and other issues touching on consumer privacy and security is provided on the site.