Hotels use RFID in bath towels

Interesting use of RFID. Hotels are placing washable RFID in towels to prevent theft.

Current online privacy laws

The service DeleteMe (@_DeleteMe_) has a nice Your Privacy Rights page about current and upcoming laws concerning computer related privacy.

DeleteMe is a service that assists people with deleting information online. Their webpage lists Facebook accounts and Myspace accounts as common requests along with getting added to the US national Do Not Call list.

Google employee fired for looking at private data

Another incident of an employee being fired for looking at customer’s private data, this time at Google.

Online shopping, privacy, tracking and me on tv

KDKA news, in Pittsburgh, did an article on the FTC’s new ‘Do Not Track’ List proposal.

The exciting news is that I have a silent role in the video as a “shopper” and I’m using Ghostery.

Big brother vs YouTube

Which is scarier living in a an Orwellian world under the eye of Big Brother or living in today’s world of million’s of cameras wielded by the masses? At least Big Brother was predictable and had a goal.

The New York Times has a great article on this entitled Little Brother is Watching. It is well worth the read and is an excellent comparison between the world created by Orwell and the one we live in.

Possible mutations of a Gmail email address

The Blog Senseful Solutions has a good article on How Gmail Filter Email-Matching Works.

To quote them:

The default account you use (e.g. will match all variations of your address. This includes dot notation, plus addressing, and using the domain.

Here’s a brief explanation of each:

  • Using dot notation: You can enter as many non-consecutive dots in your email as you want. For example, if your email is, mail sent to will still arrive at your account.
  • Using plus addressing: After your account name, you can enter the + sign and whatever text you want afterwards followed by the Gmail domain. For example, mail sent to will arrive at
  • Using domain: Any mail sent to your will arrive at your address. For example, mail sent to will arrive at

Any of the above can be combined (e.g. will still go to

The Boucher Bill

Issues of behavioral advertising and online collection of personally identifiable information have been major issues of late. I previously blogged about behavioral advertising and the different ways online advertisers can track you as you move around the internet. But behavioral advertisers aren’t the only source of concern.

Large social networking sites have access to a bewildering amount of personally identifiable and potentially very private data. Sure they have privacy policies in which they claim to respect your privacy but most of the policies also state that the company can change their privacy policy at any time and the new policy immediately applies to all exiting data they have on you. The EFF recently posted a nice time lapse of Facebook’s privacy policy changes from 2005 to 2010 and the New York times recently showed that the current Facebook privacy policy is longer than the US Constitution.   Amongst its many clauses is the fact that other websites are automatically given access to your data when you use Facebook Connect, developers can infinitely store your data, and any applications your friends use have the right to access and store your data too.

The Boucher Bill is an attempt by law makers to force organizations who collect data online and off to provide informed consent to their consumers. The information law group has an excellent breakdown of the Boucher Bill which is definitely worth a read.

Some major points from the bill:

  • Organizations need to provide privacy policies but they can assume that users who use the service have implicitly consented to the policy (opt-out).
  • The bill requires companies to have users opt-in to major privacy policy changes.
  • Express affirmative consent (opt-in) must be obtained before personal data can be sold to other organizations.
  • Organizations can share personally identifiable information with parents and affiliates without notifying users provided the information is not used for marketing purposes.
  • Organizations must provide the policy and get express consent (opt-in) from customers before collecting any sensitive information such as medial information.
  • Consumers must opt-in to any sharing of location information.
  • Organizations cannot collect information about consumer’s browsing across site behavior unless they obtain express consent from the consumer before collecting information (0pt-in).
  • Organizations collecting information from less than 5,000 people per year are exempt.

Update: The CDT has a set of comments on the Boucher Bill.

Value of “who is stalking me” functionality

The Register has an interesting story today on a Facebook app which claims to offer the ability to see who is looking at your profile information but really is just a spam application. The claim is of course bogus as Facebook doesn’t give any application information about who has viewed your profile. Instead the application posts all over your wall and sends out spam messages with the goal of getting ad revenue from people visiting the site and adding the application.

What is interesting about this is that people are intrigued enough by an app that offers feedback on who has viewed their profile that they are continuously falling for the scam. In fact there are at least 25 different versions of this application on Facebook.

DHS: A roadmap for cybersecurity research

DHS has released a report entitled “A Roadmap for Cybersecurity Research” in which they outline what they consider to be the major research challenges in cybersecurity. Both “Privacy-Aware Security” and “Usable Security” made the list. Each research direction has several pages worth of discussion about the topic and the current interesting research challenges in that area. Both Lorrie Cranor’s book, “Security and Usability: Designing Secure Systems That People Can Use“, and SOUPS are cited under resources in the Usable Security section.

– Kami

Walmart servers hacked

Wired has a story about a hacker breaking into Walmart’s point of sales computer. Amazingly Walmart claims that the attacker didn’t get any costumer’s personal information or credit cards. While I’m a bit dubious of their ability to know this, I did find the description of how the attacker got in to be interesting.

Investigators found that the tool had been installed remotely by someone using a generic network administrator account. The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company.