Security, Privacy and The Law

LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False

blogs@foleyhoag.com (Colin J. Zick) — Wed, 10 Mar 2010 18:06:57 -0500

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that Lifelock falsely promoted its identity theft protection services. Lifelock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number. As part of the settlement, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against a few types of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only about 17 percent of identity theft incidents. The FTC also alleged that Lifelock provided no protection against other types of identify theft, such as medical identity theft and employment identity theft.

The FTC’s complaint further alleged that LifeLock claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. Ironically, the FTC also charged that LifeLock’s own data repositories were not encrypted, and sensitive consumer information was shared inappropriately, and could have been exploited by hackers.

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement.

Incident of the Week: Israeli Soldier Posts Details of Planned West Bank Raid on Facebook

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 05 Mar 2010 11:20:00 -0500

This week the Incident of the Week title decisively goes to the Israeli soldier who updated his status on Facebook to identify the secret military raid on a town in the West Bank. His status apparently read: "On Wednesday we clean up Qatanah, and on Thursday, god willing, we come home" and provided the exact time of the raid. After detecting the clear breach of OPSEC, the Israeli Defense Force (IDF) canceled the raid and jailed the soldier for 10 days.

The IDF has apparently begun distributing posters depicting a fake Facebook page with friend requests from Iranian and Syrian presidents as well as a Hezbollah chief with the question: "You think everyone is your friend?"

Microsoft No Longer Seeking Removal of Cryptome or Leaked Compliance Handbook

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 05 Mar 2010 10:45:00 -0500

Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft's "Global Criminal Compliance Handbook" that pulled website Cryptome.org from the Internet, at least temporarily. The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from websites. Microsoft's DMCA demand to Cryptome's service provider, Network Solutions, apparently resulted in removing Cryptome from the Web entirely, until Microsoft attorneys sent an email withdrawing the DMCA takedown demand.

Microsoft made this public statement:

Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.

Cryptome advertises itself as a site that "welcomes documents for publication that are prohibited by governments worldwide." The site also promises that "[d]ocuments are removed from this site only by order served directly by a US court having jurisdiction."

The Microsoft Compliance Handbook, dated March 2008, is a guide for law enforcement officers seeking to investigate users of Microsoft services such as Hotmail email, IM, Windows Live and other services. The Handbook outlines the data Microsoft keeps with respect to its users and provides law enforcement with instructions on what legal process is necessary for investigators to gain access to specific information. In the Handbook, Microsoft offers to provide the following information to investigators in response to a subpoena:

Basic subscriber information includ[ing] name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old . . . .

This provision contrasts with Microsoft's limits on access to other user data, such as recent email, "e-mail address book, Messenger contact lists, . . . [and] internet usage logs." According to the Handbook, Microsoft will release this data in response to a search warrant or court order which, unlike a subpoena, must be approved by a judge after the government presents sufficient evidence.

Posts at Cryptome, as well as CNet, Tom's Hardware, The Register,describe the Handbook variously as a "spy guide" and "wiretap guide." Cooperation with government agencies has been a touchy subject for privacy advocates and service providers in the wake of alleged abuses by some that occurred after the 2001 terrorist attacks. However, the heart of the controversy generally has been the disclosure of customer information without any legal process or court involvement. In this case, Microsoft's Handbook merely identifies what data is available in response to formal legal process, such as subpoenas, warrants and court orders.

"Data, Data Everywhere" -- Recommended Reading

blogs@foleyhoag.com (Colin J. Zick) — Wed, 03 Mar 2010 08:04:33 -0500

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere: A special report on managing information." It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.

HHS Reports 35 Breaches Impacting 500 or More People

blogs@foleyhoag.com (Colin J. Zick) — Tue, 02 Mar 2010 08:54:17 -0500

At the end of February, the HHS Office of Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals. OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 individuals, due to the theft of a laptop to 501 individuals impacted by the theft of a portable USB device).

This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act. In particular, § 164.408 of this breach notification interim final rule implements § 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009.

Under this rule, breaches that affected 500 or more individuals must be reported to OCR within 60 days, via an OCR online notification form. Training materials and related guidance on breach notification can be found on the OCR web site.

Deadlines, Deadlines, Deadlines: Three Important Privacy and Security Dates

blogs@foleyhoag.com (Colin J. Zick) — Mon, 01 Mar 2010 11:55:04 -0500

In the past several days, three important information privacy and security deadlines have arrived. To recap, they are:

February 17, 2010: the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now). Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say. Others are waiting until they see the regulations to amend those agreements.
February 22, 2010: FTC rules regarding health information breaches went into effect. The FTC has provided a standard reporting form for such breaches. And the FTC is putting its money where its mouth is: in the Fiscal Year 2011 Congressional Budget Justification, the FTC is seeking two full-time employees for “data security enforcement and rulemakings."
March 1, 2010: Last but not least, the Massachusetts Data Security regulations went into effect on March 1, although we have not received word from the Massachusetts Attorney General as to how these regulations will be enforced. A recent Boston Globe article (for which I was interviewed) details the apparent state of readiness for these regulations.

FTC Tells Businesses, Schools and Local Governments: Stop Sharing Personal Information On Peer-To-Peer Filesharing Networks

blogs@foleyhoag.com (Gabriel M. Helmer) — Tue, 23 Feb 2010 12:00:00 -0500

The Federal Trade Commission (FTC) announced yesterday that it had notified "almost 100" companies and organizations, including schools and local governments, that sensitive personal information from those entities was being shared across peer-to-peer (P2P) filesharing networks. This has apparently resulted in circulation of customer personal information, health information, Social Security numbers and other sensitive data.

Poorly supervised use of P2P networks have frequently been the subject of unwanted attention, including from the FTC. For our coverage on P2P security issues, see our prior posts here ("Congressional Aide Shares Secret Ethics List With The World"), here ("Incident of the Week: Seattle Man Sentenced To Three Years In Prison For Using Peer-To-Peer Software To Steal Financial Records, Commit Identity Theft") and here ("Rep. Mary Bono Mack Introduces Informed P2P User Act To Combat Inadvertent File Sharing").

The danger with P2P filesharing software is that failure to select the proper settings can result in opening up all documents on a computer to anonymous users on the Internet. As the FTC warned in its press release: "when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network." The problem commonly arises when a business' staff load P2P filesharing software on company computers to access music or other downloads (which can be illegal in itself), but fail to properly configure the software.

The FTC has provided the following examples of the notification letters it has mailed to entities: FTC Sample Letter A (.pdf), FTC Sample Letter B (.pdf) and FTC Sample Letter C (.pdf). The FTC has also directed these entities to its newly-unveiled guide to taking proper security measures to prevent unauthorized P2P access. The FTC has indicated that it "has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks."

Incident(s) of the Week: February A Tough Month For Hackers

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 19 Feb 2010 14:00:00 -0500

1. Arrested: Russian Hacker Responsible for Two Minutes of Roadside Porn

The hacker who managed to compromise computer servers controlling a large commercial advertising screen in Moscow was arrested recently by Russian authorities. On January 14, 2010, commuters on Moscow's Garden Ring Road passed a large-scale video screen and instead of the normal commercial advertisements saw two minutes of hard-core pornography. The video, as well as the resulting traffic problems, was thanks to a hacker who is described as a 40 year old, unemployed man living in Novorossiisk. Apparently, the hacker directed his attack from computers in Chechnya believing that Russian authorities would not bother to track him down. A month later, the hacker is pleading guilty to criminal charges, insisting that "he only wanted to entertain people."

2. China Shuts Down Largest Hacker Training Site

Last week, Chinese officials arrested three individuals allegedly responsible for running the Black Hawk Safety Net, a website that was known as the largest hacker training site in China. The site apparently disseminated training materials and offered users the ability to download virus software, trojan programs and other hacker tools. According to China Daily, Black Hawk Safety Net had more than 170,000 users and collected more than 7 million yuan in membership fees by the time authorities shut it down. Authorities seized $1.7 million yuan, 9 servers and one automobile in the raid.

Incident of the Week: Patents Help Crack Encryption Used in Cordless Telephones

blogs@foleyhoag.com (Gabriel M. Helmer) — Thu, 11 Feb 2010 09:40:00 -0500

This week cryptographers Karsten Nohl from University of Virginia and Erik Tews of the Darmstadt University of Technology announced that they had broken the DECT encryption standard. Who cares, you ask? The Digital Enhanced Cordless Telecommunications or DECT standard is what prevents someone parked outside your house from being able to listen in on telephone conversations you are having on your 1.9 GHz DECT cordless phone. (So, that's what that label on the receiver means.)

Nohl told Dan Goodin from The Register that he cracked the code by putting the DECT chip under the electron microscope and then comparing his findings with information disclosed in the published patent(s). According to Nohl, it might take him 4 hours of monitoring to listen in on a particular telephone call, but only 10 minutes to crack the DECT encrypted credit card transmissions at a restaurant. Even more worrisome, is Nohl's expectation that better hackers are likely to be able to decode these transmissions even more quickly. "We expect that some smarter cryptographers than ourselves will find better attacks, of course. . . We found the algorithm and then implemented the first attack. It's almost guaranteed that this is not the best attack."

Incident of the Week: Free iPhone Password Breaker Released

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 05 Feb 2010 13:25:18 -0500

Back in October you may remember our post on Elcomsoft, a Russian software company that came out with program to decrypt common wireless network signals. Well, they're back this week with a program that will "enable[ ] forensic access" to password-protected backups for Apple iPhone and iPod touch devices. In other words, if someone obtains access to the computer you use to sync your iPhone they could also get access to "backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache." And while the program is in beta testing, Elcomsoft is even giving the program away for free.

The program apparently uses the computing power of the latest generation of video cards to perform a dictionary or "wordlist-based attack" to recover the password needed to unlock the backup files. This means that if your password can be found in a dictionary or a hacker's wordlist, there is a program out there that will unlock it. With technology like this out there to decode commercially available encryption schemes, the best protection we may have is to select a sufficiently complex password to defeat wordlist based attacks (and not to use the same password for all your online activities as Twitter's recent incident and Trusteer's recent survey (.pdf) have suggested are rampant problems).

Doctors and Other Health Care Professionals Challenge Application of FTC Red Flags Rule

blogs@foleyhoag.com (Colin J. Zick) — Fri, 29 Jan 2010 13:22:46 -0500

The FTC Red Flags Rule faces another likely challenge, based on a January 27, 2010 letter sent to the FTC by the American Medical Association, the American Osteopathic Association, the American Dental Association, and the American Veterinary Medical Association. In that letter, the four health care organizations requested that the Red Flags Rule not be applied to health care professionals (based on the reasoning of the recent court decision that it does not apply to lawyers). I assume that if the FTC rejects this request, suit will be filed by these groups, just as the AICPA has filed suit on behalf of accountants to except them from the Red Flags Rules.

Incident of the Week: OIG Reports that the FBI Routinely Circumvented Electronic Communications Privacy Act

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 29 Jan 2010 08:35:00 -0500

A report entitled A Review of the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records (.pdf) from the Department of Justice Office of the Inspector General (OIG) indicates that between 2003 and 2005, FBI routinely "circumvented the requirements of the Electronic Communications Privacy Act (ECPA)" by using so-called "exigent letters" to obtain telephone call data from telecommunications companies. The ECPA, 18 USC Sec. 2702, provides that service providers will not provide customer data to government authorities, absent a national security letter signed by the Director of the FBI or a subpoena.

The 700+ "exigent letters" examined by the OIG became common after the terrorist attacks on September 11, 2001. In reaction to the attacks, a telecommunications company (referenced as "Company A" in the report) provided a "fraud detection analyst" to the FBI's New York field office to access telephone records in response to subpoenas from the U.S. Attorney's Office. Apparently, over time the Company A analysts began to provide the requested customer data in response to "placeholder" letters signed by FBI special agents while the grand jury subpoenas were in the process of being obtained. These letters, which claimed "exigent circumstances" and requested the production of customer data before the submission of a subpoena, became known as "exigent letters." When the FBI's investigation moved to Washington, D.C., three service providers moved analysts into the FBI's offices to respond to the requests for telephone data covered by the ECPA.

Observations from the OIG report include:

The "concept of using exigent letter originated as a time-saving technique" in the wake of 2001 terror attack, but over the years the embedding of service provider analysts with the FBI "led to a culture in which exigent letters and other even less formal and equally inappropriate requests for information became the [FBI Communication Analysis Unit's] accepted and customer method of conducting business."
Some letters called for the production of thousands of telephone numbers and customer transaction data.
OIG concluded that exigent letters were issued and customer records were obtained even though the "circumstances . . . were not exigent," including "media leak investigations . . . and other investigations that did not include exigent or life-threatening circumstances."
The FBI special agent responsible for signing over 100 exigent letters told OIG investigators "that the communications service providers' employees often gave him exigent letters to sign after he had already been given the requested records -- and he simply signed the letters. This SSA also said that while he realized the exigent letters inaccurately states that grand jury subpoenas had been submitted, he signed the letter because he 'thought it was all part of the program coming from the phone companies themselves[.]'"
Another FBI special agent responsible for a large number of the letters told the OIG that the telecommunications analyst from "Company A" informed him about the letters and told him that the letters had been approved by legal counsel.
When asked, the FBI unit chief described the exigent letters as "standard operating procedure."
Telecommunications company analysts interviewed by the OIG described pressure from the FBI to accept the "placeholder" exigent letters. One noted: "personally, it wasn't my place to police the police."
FBI sought court orders under the Foreign Intelligence Surveillance Act (FISA) using customer data obtained through exigent letters in violation of the ECPA. Howeveragents mischaracterized how the FBI had obtained the data -- suggesting that the data had been properly produced in response to a national security letter or subpoena.
OIG "found that numerous, repeated, and significant management failures led to the FBI's use of exigent letters and other informal requests for telephone transactional records over an extended period of time."

Incident(s) of the Week: Recent Updates from Prior Incidents

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 22 Jan 2010 10:25:00 -0500

1. The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster

This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas. The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program. We first posted on this case a year ago, after the FTC filed its complaint (.pdf).

In addition to the dumping of consumer financial information, the FTC alleging that Navone had failed to implement physical and electronic security procedures and or take reasonable steps to secure the customer records he stored at home in his garage. According to the FTC, these activities violated the FTC Act, the Federal Credit Reporting Act (FCRA) and Navone's own information security policy which read:

We take our responsibility to protect the privacy and confidentiality of customer information very seriously. We maintain physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.

(See Complaint (.pdf), Para. 9). Everyone subject to document destruction laws may want to note this case and keep in mind that $35,000 is the fine imposed on an individual / small business.

2. Fight Breaks Out Over Whether Hacker Responsible For Largest Data Breach In History Suffers From "Internet Addiction"

In December, Albert Gonzalez, aka "segvec," "soupnazi" and "j4guar17" pled guilty to charges that he masterminded the theft of over 100 million consumer credit card numbers and other financial information from Heartland Payment Systems, 7-Eleven and other companies. We posted on his indictment last August and again on his curious role as government informant. The public recently gained a new window on Gonzalez's soul from filings made by defense attorneys that portray the hacker as an "Internet addicted" youth compelled to commit cybercrime. Collecting statements from Gonzalez's psychologist, family members and a former girlfriend, the defendant's sentencing memorandum (.pdf) provides an interesting point of view on the life of the hacker:

As a young boy, Gonzalez was an outwardly normal enough kid -- he had friends, engaged in activities, worked alongside his father, received good grades in school, and was part of a warm and loving family which continues to stand by him. In middle school, things began to change, and by high school Gonzalez had become a different person -- a loner, without friends, who passed up normal teenage activities, including dating, to devote himself to his new-found and rapidly escalating obsession: computers.

*    *    *

Seeking to break Gonzalez of his computer habit, his mother periodically sought to deny him access to his computer or to at least curtail his usage, once putting it in his sister's room. Rather than be deprived of access to his computer, Gonzalez would go to his sister's room in the middle of the night to use it. Gonzalez's social contacts narrowed to computer chat rooms where he communicated with others with knowledge of computers and to meetings of other computer-savvy individuals, many of whom were hackers and from whom he learned much that we would, unfortunately, later convert to unlawful purposes.

*    *    *

[B]y [ ] early 2002 -- Gonzalez, age 21, had developed a serious drug and alcohol problem . . . which played a substantial role in the subsequent course of his life. This is not to say that his substance abuse affected Gonzalez' [sic] ability to tell right from wrong. It did not, and he knew when he turned to cyber-crime that it was wrong. What it did do, however, was contribute to his inability to stop himself. What developed over time was a destructive cycle of using drugs to permit him to stay awake and alert for long hours at the computer but also using them to try to get away from the computer . . . .

*    *    *

Computers . . . had become the center of his life, his raison-d'etre, if you will. He and his computer in many ways became one: he though in computer-speak instead of normal words, and, when his computer was infected by a virus, [he] referred to the event as if it were he, himself, who had gotten the virus.

Describing Gonzalez as unable to stop his urge to commit cybercrime, defense counsel has asked the Court to sentence him to 15 years in prison, the minimum sentence permitted. Last week, federal prosecutors renewed their request to have a government psychologist examine Gonzalez to combat the defendant's claim that his "internet addiction" merits leniency within the 15 to 25 year sentencing range.

Is Your Password Still "123456"? If So, It's Time for a Change

blogs@foleyhoag.com (Colin J. Zick) — Thu, 21 Jan 2010 12:27:23 -0500

If you or your co-workers use any of the passwords listed below, you are asking to be hacked. According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking sites. Somewhat shockingly, the password "123456" was used by nearly 1% of all RockYou users; the "top 20" RockYou passwords are reproduced below:

1.    123456
2.    12345
3.    123456789
4.     Password
5.     iloveyou
6.    princess
7.    rockyou
8.    1234567
9.    12345678
10.   abc123
11.   Nicole
12.   Daniel
13.   babygirl
14.   monkey
15.   Jessica
16.   Lovely
17.   michael
18.   Ashley
19.   654321
20.   Qwerty

Hackers around the world now have this list of 32 million passwords and are using it to make brute force attacks on accounts and networks. How can you defend yourself? Change and toughen your passwords, lengthening them and adding a mix of letters and numbers. If you are trying to defend your company's network, you need to adopt and enforce more rigorous password policies. Tougher passwords will not make you or your networks hack-proof, but they will put you ahead of the thousands of people who still use "123456."

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

blogs@foleyhoag.com (Colin J. Zick) — Wed, 13 Jan 2010 16:29:58 -0500

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach. AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable electronic device.

The AG’s suit stems from events that occurred in May 2009, when he alleges Health Net learned that a portable computer disk drive disappeared from a company office. The disk contained protected health information, Social Security numbers, and bank account numbers for approximately 446,000 of its past and present Connecticut enrollees. AG Blumenthal further alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing information. The missing information is said to include 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.

According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software. The Connecticut Attorney General alleges that it was not until six months after Health Net discovered the breach that it posted a notice on its website, and then sent letters to consumers on a rolling mailing basis beginning on November 30, 2009.

Accountants Ask Court To Exempt Them From Red Flags Rules

blogs@foleyhoag.com (Gabriel M. Helmer) — Tue, 12 Jan 2010 11:45:00 -0500

Last week the American Institute of Certified Public Accountants (AICPA) filed papers seeking summary judgment in the lawsuit filed against the Federal Trade Commission (FTC) to exempt accountants from the FTC's Red Flags Rules. We first posted on this case in November, when the AICPA filed a complaint asking the federal court in Washington, D.C. to declare that accountants are not subject to the Red Flags Rules. This followed hot on the heels of the October ruling (.pdf) that lawyers were not required to comply with the Red Flags Rules in a lawsuit filed by the American Bar Association (ABA). It should be noted that the AICPA's motion will be heard by the same judge that issued the decision in favor of the ABA, Hon. Reggie B. Walton.

Since Judge Walton's preliminary ruling in the ABA case in October, the court published a lengthy opinion (.pdf) explaining his reasoning. In particular, the decision indicated that lawyers need not comply with the Red Flags rules because the Rules only apply to "financial institutions" and "creditors" and lawyers cannot be classified as such under the Fair and Accurate Credit Transactions Act (the FACT Act or FACTA) or the Equal Credit Opportunity Act (the ECO Act or ECOA). The FTC has taken the position that lawyers, accountants and anyone else that invoices a customer after services have been provided is extending credit and, which makes them "creditors" under the FACT Act, ECO Act and the Red Flags Rules. Judge Walton forcefully addressed this position in his opinion in favor of the ABA:

[T]he Commission is essentially taking the position that the period of time between when a service is provided to when a lawyer or law firm invoices a client for the service and the invoice is paid, amounts to a period during which credit was extended if there is any interval of time between the providing of the service and the payment of the invoice. . . This is clearly not what was intended by Congress by its use of the term credit in the ECO Act and its subsequent inclusion of the term in the FACT Act.

The Court further noted that noted that he found it persuasive that there is no evidence that identity theft is an actual problem in the legal profession, one that might necessitate the protections of the Red Flags Rules.

From the record before the Court (or more accurately the lack of a record), the best that can be gleaned is that identity theft in the attorney-client context is only a theoretical problem, especially given the role of state professional codes of conduct and other ethical codes to which attorneys must abide, and the Court cannot conclude that it is an actual problem given the absolute lack of any legislative, regulatory or other evidentiary findings that have been brought to the Court's attention.

The FTC will face the same arguments in the accountants' case. Will Judge Walton side with the AICPA and rule that accountants, like lawyers, are not subject to the Red Flags Rules as "creditors?" Or will the Court give the FTC more flexibility to extend the Red Flags Rules outside of the legal profession? Read the AICPA's papers below and let us know your thoughts.

The FTC's opposition papers are expected next week.

Is the FTC "Moving to a Post-Disclosure Era" for Online Consumer Privacy?

blogs@foleyhoag.com (Colin J. Zick) — Tue, 12 Jan 2010 11:15:12 -0500

Is the FTC moving to a "Post-Disclosure Era," in which consumer online privacy would be regulated in a radically different manner than the status quo? That was a suggestion made by the chairman of the FTC, Jon Leibowitz, and David Vladeck, chief of the FTC's Bureau of Consumer Protection, during a recent on-the-record discussion about online privacy, reported in the New York Times.

For some time, I have been asking the question, "Is Consent Dead, and Should We Even Care?" Now it appears the FTC is asking the very same question. According to FTC Chair Leibowitz, companies “haven’t given [online] consumers effective notice, so they can make effective choices” about the privacy of their online information. Mr. Vladeck similarly views traditional advise-and-consent privacy notice models as dependent upon “the fiction that people were meaningfully giving consent. The literature is clear” that few people read privacy policies.

What, if anything, will this new way of thinking mean in terms of future regulation of consumer online privacy by the FTC? More information may be forthcoming at the FTC's next privacy roundtable, to be held on January 28 (and available to the public via webcast).

Incident of the Week: Twitter Used In Sting Operation To Find Out Who Leaked TSA Security Directive

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 08 Jan 2010 13:30:00 -0500

Rumors are circulating that Special Agents from the Transportation Security Administration (TSA) have been posing as a Connecticut blogger on Twitter to find out who leaked airport security screening procedures put in place after the recent attack by the "underwear bomber." This is a new twist in what some are describing as an overzealous investigation of government documents posted online.

As many of us found out on Christmas Day, a 23 year old Nigerian man identified as Umar Farouk Abdulmutallab apparently ignite an incendiary or explosive device in his lap while he was sitting on Northwest Airlines Flight 253 to Detroit. While no passengers were harmed, the same cannot be said for the would-be bomber's lap, which combusted. In reaction to the attack, issued Security Directive 1544-09-06 directing TSA airport officers to pat down 100% of all passengers, "concentrating on upper legs and torso," with the notable exception of heads of state.

Two days later on December 27, 2009, the TSA Security Directive was posted to the Flying with Fish blog run by Steven Frischling and Chris Elliot's blog at Elliot.org. TSA was not pleased with this attention. Apparently, the TSA considered the Security Directive secret, even though it was sent to thousands of airports and airlines around the world and arguably was somewhat obvious to anyone in an airport around Christmas-time. The agency launched an immediate investigation, sending agents and subpoenas to Frishling's and Elliot's homes (the text of which is available at his blog).

Frischling ultimately cooperated with the probe, gave them access to his BlackBerry, iPhone and computers and let TSA agents know that his source had contacted him anonymously using a free email service.

Then an unusual message appeared on blogger Steven Frischling's Twitter account:

To the gentleman who sent Flying With Fish the TSA Security Directive … Thank You! Can you drop me an email?I have a question. Thanks-Fish.

According to sources interviewed by Wired, a TSA agent took possession of Frischling's BlackBerry, typed the Twitter update into the device and then directed Frischling to click on the “send” button to post the message to his Twitter page. According to Wired's source, this was an attempt to induce the anonymous informer to send Frischling an email and draw him or her out of hiding. Of course, implicit in this strategy is that the TSA already had or expected to gain access to Frischling's email, as well. The TSA deny this account. Other bloggers, such as TechCrunch's Michael Arrington, have pointed the finger at Frischling and have criticized him for caving to government pressure and cooperating in the effort to oust his own confidential source.

No doubt, the TSA is under considerable pressure to heighten its security since early December, when an employee inadvertently posted online the agency's highly classified airport security operating manual.

Texas to Destroy 5.3 Million Illegally Obtained Blood Samples

blogs@foleyhoag.com (Colin J. Zick) — Sat, 26 Dec 2009 10:00:49 -0500

As part of the settlement of a federal court action, the State of Texas has agreed to destroy more than 5 million blood samples taken from babies without parental consent and stored indefinitely for the purpose of scientific research. The Texas Department of State Health Services announced earlier this week that it would destroy the samples in connection with the settlement of a federal lawsuit filed in March 2009 by the Texas Civil Rights Project on behalf of five parents of children whose blood was being held for use in research without their consent.

The parents' complaint alleged that the state’s failure to ask parents for permission to store and possibly use the blood - originally collected lawfully in order to screen for birth defects - violated constitutional protections against unlawful search and seizure. The parents also expressed fears that their children’s private health data could be misused and that the disclosure of that data could lead to discrimination against them later in life. Under the settlement, the blood samples collected without parental consent must be destroyed by early next year. State authorities estimated that some 5.3 million samples would be destroyed as part of this process. The State of Texas also is required to publish a list of all research projects that used the blood specimens.

Incidents of the Week: Iranian Cyber Army Targets Twitter & $26 Software Application Intercepts U.S. Military Satelite Feeds In Iraq

blogs@foleyhoag.com (Gabriel M. Helmer) — Fri, 18 Dec 2009 11:29:00 -0500

1. Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, popular social networking site Twitter, was apparently hacked by a group calling themselves the Iranian Cyber Army. Iran and Twitter have had a rocky relationship since last summer when Iranian citizens spread the protests over Iranian elections to the popular web site. During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites. Given the name adopted by Twitter's hackers, it may be no coincidence that the New York Times interview with a U.S. computer security expert in June 2009 described the Twitter DoS attacks as allowing Twitter users to "'become part of the cyber-army,' in Iran."

2. $26 Russian Software Has Been Intercepting U.S. Military Drone Video Feeds In Iraq

Ever since Iraq invaded Kuwait in 1990, we laypeople have been introduced to video from U.S. military missiles right before something like a building exploded in fuzzy black and white. Then came more advanced military drones, remote controlled airplanes, with greater resolution and improved arsenal. If you have been craving some low res military action, it may only cost you a satellite dish and $26. Using a $26 software package developed by Russian software company called SkyGrabber, Iraqi insurgents have reportedly been tapping into live video feeds from U.S. drone aircraft. This news comes from a U.S. official speaking anonymously with the Wall Street Journal who reported that U.S. troops have recovered laptops used by the insurgents with "days and days and hours and hours" of intercepted military video.

The SkyGrabber software, which allows users to tap into unencrypted satellite connections, apparently has been successfully used against the military feeds because they were (you guessed it) unencrypted. U.S. military officials commented to CNN that encrypting the signals is problematic because it slows down video transmissions that need to be seen by a number of different operators at the same time. Query as to whether having your adversaries monitoring your battlefield surveillance will justify adding encryption to the military's systems. (Just remember when you do that another Russian software application is capable of decoding the WPA encryption standard.)

Lest we begin criticizing the military too strongly, however, a moment of self-reflection might be worthwhile. The next time you connect to the Internet using a wireless connection, whether at home or at a coffee shop, ask yourself whether you are taking any precautions to prevent your activity from being intercepted or whether you are just rolling the dice that no one in 100 yards has purchased some software from Russia recently.