May 21

From the contract you have to agree to:

When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

And it’s still solving the wrong problem.

Nov 27

It’s been a bumper month for Transparent Society demonstrations.

  • Michael Richards went into a racist tirade. He played Kramer on Seinfeld, but I’m guessing he won’t be doing any NAACP benefits now. Perhaps they could invite him to the Comedy Central Roast of Whoopi Goldberg.

    Allegedly he had ranted about Jews previously, but nobody had heard about it because nobody had had a camera handy.

  • A Muslim student was repeatedly tasered by a campus cop with a history of police brutality and suspensions. The interesting thing about this one was how many assholes on the net tried to defend the cop.

    The facts, according to the dozen or more witnesses, are: The kid had the legal right to be in the library, he just didn’t have his student ID card with him. He was asked to leave, and had packed up his stuff and was already leaving when the cops showed up. He didn’t yell anything at them until one of them grabbed him as he was trying to leave. At that point, they tasered him. He hadn’t attempted to attack anyone, hadn’t threatened anyone, and was totally unarmed.

    Now, I think it’s pretty hard to justify that first tasering, but let’s for a moment entertain the remote possibility that the cops were in the right there. The problem is that as he was lying screaming on the floor, they tasered him again. They ordered him to get up, and (perhaps because all his muscles were in spasm) he didn’t get up, so they tasered him some more, and so on.

  • Some US troops in Iraq videoed themselves tormenting Iraqi kids by making them chase their truck in the hope of getting some fresh water. Inevitably, the video hit YouTube.

  • UK police are to get helmet-mounted video cameras which record up to 12 hours of video. This is a great idea; the only caveat I have is that the police should be required to keep the camera on when they’re working.

Of course, not so positive is the news that the UK police are setting up a precrime department called the Homicide Prevention Unit. I’m not sure whether precognitive mutants are involved.

Sep 11

Ironic quote:

You are sending me direct contact information that is sensitive. I protect your privacy in the following ways: (1) I will never sell, rent, or give away your address to any outside party, ever; (2) I will never send you any unrequested e-mail, besides e-mail in the regular course of business; and (3) Your information is stored behind network address translation and a software firewall.

That’s Jason Fortuny’s privacy policy, as stated on his web site before his prank.

At least one marriage has been ruined by the prank. I’m not going to name or link to the victim, for obvious reasons. Again, if you really want to know, read Fortuny’s web pages; he seems delighted, as it turns out it was someone who had thrown him out of an online community for previous anti-social behavior.

Lots of people seem to be focusing on a few of the victims who were married and cheating on their wives, like that justifies humiliating all the others.

Meanwhile, Fortuny has started scrubbing his contact details from his web site, removing references to past clients and employers, and deleting his résumé from the web. Perhaps he’s worked out that a reputation for hoaxing people and posting private e-mail to the web isn’t the best career move for a system administrator.

It also seems to me that Fortuny’s posting of sexually explicit photographs on the web places him squarely under 18 USC 2257 record-keeping requirements. Clearly he hasn’t complied with the law and obtained 100+ model release forms, and that could result in up to 5 years of jail time if the authorities choose to make an example of him.

I’ll end with another nice quote from his LiveJournal:

“I’m just going to quickly and quietly say that the refugees in New Orleans are human trash who don’t deserve to live.”

—Jason Fortuny

It’s nice to know the TrollJournal abuse team are so relaxed about the whole thing. Publishing public information may be grounds for dismissal, but linking to illegally published private information from your journal is just fine, apparently. If only I’d known, eh?

Sep 09

A few days ago a web developer in Seattle called Jason Fortuny posted a personal ad to the Seattle Craigslist. He apparently lifted the text from a personal ad posted to another city’s Craigslist.

The ad was a sexually explicit one, from a submissive woman seeking BDSM sex. Fortuny posted it using the Craigslist e-mail anonymizing option. He then collected the responses—178 or more, with at least 145 photos.

Then he published everything on the web. Every single response, unedited, including all the personal information and photographs that people had sent him.

You’ll find threads about it all over the place if you do a few searches. I’m not going to link to any of it, and I’m not going to give any clues to where the personal information was posted. Go search if you really feel you must know; I don’t feel the need to make the victims’ problems even worse by increasing Fortuny’s pagerank scores.

There are a few things I find interesting about the reaction I’ve seen.


Jul 11

Now here’s a funny thing: state agencies are now using the “PATRIOT” Act to obtain private profiles from web sites such as facebook.com, for people applying for any state-related job.

[Redacted]

In other words: don’t count on your “friends only” or “private” postings not ending up in the hands of any government organization that takes an interest in you.

While this example involved Facebook, I’d put money on other social networking sites doing the same and handing over your data with no questions asked—including LiveJournal, Yahoo, Orkut, MySpace and so on.

Feb 26

Yet again, a business has been cavalier with tens of thousands of people’s personal data. If your W-2 was processed by PayMaxx in the last few years, any number of people might have read it. There could be thousands of identity thefts as a result.

Yet it’s not really PayMaxx who will be at fault if identity theft occurs. The real problem is that too many businesses use Social Security Numbers (SSNs) for authentication.

SSNs aren’t unique, they aren’t secret, and they were never intended to be used as universal identifiers, let alone authentication tokens. However, the relative obscurity of SSNs has led many businesses to misuse them to verify identity, even though they are completely unsuitable for the purpose.

The simple and obvious solution would be for the US government to legislate prohibiting use of SSNs for any purpose other than identifying taxpayers and social security recipients to the federal government. The legislation would be set to take effect some time at least 12 months in the future, to give companies plenty of time to issue new identity numbers to their customers.

It seems obvious to me that that will never happen, however. Too many corporations with a vested interest in cross-referencing their databases with everyone else’s, and no motivation to spend money on real security.

But I contend that we don’t need to wait for government to act. As I’ve already mentioned, SSNs aren’t actually secret. It’s apparently pretty easy for any random company to get a database of SSNs, and it seems clear that hackers can obtain such databases too. So let’s try a thought experiment…

Suppose a secretive band of hackers obtains a large database of SSNs, ideally the SSNs of the majority of people in the USA. They take out prominent ads in the major national newspapers, announcing that as of January 2007, the database of SSNs will be made available to anyone who wants it, via the Internet.

Companies misusing SSNs would have a simple choice: either stop doing so, or face massive fraud against them in 2007. Shareholders wouldn’t give them much choice.

In January 2007, the database of SSNs is published anonymously to the Internet.

Of course, the perpetrators of this civic act would need to be careful to remain anonymous, lest they suffer a hailstorm of lawsuits, possibly even spurious claims of ‘terrorism’. But in the end, we would live in a better world–one where SSNs were clearly only useful for identification.