Category Archives: Privacy

The risks of Smart Devices

As I have reported before, retailers don’t really care whether the smart devices that you buy are secure. Home Depot is one of those vendors and when asked about dumb smart devices, they said: “We require all vendors to follow applicable laws, regulations, and industry standards”. Of course, there are virtually no laws, regulations or even standards when it comes to smart device security or privacy, so that is a pretty low bar.

Other vendors such as Amazon, Walmart and Best Buy kept their mouths shut when asked about the security of the products that they sell.

It’s not hard to find vulnerabilities in devices where cost is the main driving concern. A student found design flaws in the devices of 11 manufacturers. If a college kid can find these vulnerabilities, you would think that major corporations could. But the reality is that consumers don’t care about security; they care about features.

Except when their camera vendor (ADT) is discovered to be spying on them (the ex-employee is now in jail).

What this means is that you are left on your own to figure out whether it is safe to buy a particular device. Here are some things you should consider before you buy:

  • How long will the manufacturer support this device with technical support and patches? Typically, this period is measured from the date the device was first released, not from when you buy it. If you plan to keep it longer than that period, you are on your own.
  • Does the manufacturer regularly release feature updates and patches? If the last time they did so was 2013, find a different device.
  • Does the device automatically install patches, or at least automatically tell you that patches are available? Auto install is definitely preferred.
  • How important is security for this purchase? If this is a smart door lock and you would prefer that crooks can’t stand on your front doorstep and unlock your door when you are not home, make sure that the vendor checks all the boxes. On the other hand, if it is a kitchen blender, you might not care. In fact, you might not connect it to the Internet at all.

These are just some thoughts. Remember that the ball is in your court and neither the law, the manufacturer nor the store cares. I’m not bashing them, just telling you what the deal is.

In fact, there is typically a document that comes with these devices that says they disavow any responsibility, to the maximum extent allowed by law, for whether the device is appropriate for whatever purpose you intend to use it for. Credit: Refirm Labs

Your Car is Just a Computer With Wheels

The average car or light truck has somewhere between 50 and 200 computers in it, depending on the model. Those computers both create data and consume data. Sometimes that fact can be quite useful.

In 2017 the body of a mechanic, Ronald French, was found in a cornfield in Kalamazoo County, Michigan. For more than two years, detectives tried to figure out what happened with no luck.

But then, one of the detectives heard about digital vehicle forensics, the science of extracting some of that data from those vehicles.

They returned to the truck – I guess it had been impounded? – to see what they could find. In the case of vehicle forensics, just like any other type of forensics, time is your enemy. If that truck had been driven for the two years since Ronald died, there would be no evidence. But apparently, they were lucky.

The first thing they found was that someone had used the voice controlled system to play music. That command was stored in one of those many computers, and it was time stamped right around the time of the murder. They took that voice command and played it for some people who knew the victim. The voice was identified by the now alleged murderer’s wife. The detectives were then able to reconstruct events. The guy whose voice they had has now been arrested and charged with murder. He is awaiting trial.

Newer cars store information like location, speed and acceleration, especially if the car has a built-in navigation system. If the user’s phone is being controlled by the car’s infotainment system, they also store which calls were made, when and for how long. Voice commands. Web history.

Of course, some of this is only there if you use the car’s features. If you pick up your cell phone and dial a number, the car won’t record that, but if you push a button on the steering wheel and say “call mom”, then the car has that data.

Semi-autonomous cars collect even more data, including pictures of the driver and what the driver was doing, say, just before a crash.

If the car has telematics (and many new cars do not come with an option not to have them), the car knows every turn you made, when you turned the lights on, whether the seat belts were in use and other information.

It also knows the ID of any phone that has been plugged into the system.

And car computers have almost no security. They are not worried about your privacy (remember that when you sell that car).

With a warrant or maybe less, the police can go through that data and try to connect the dots.

The tools are also growing more powerful. Berla Corporation makes a tool to extract that data. In 2013 the tool worked on 80 car models. Now that number is 14,000.

Some police departments have funded forensics teams to make sure they do this in a way that stands up in court. And people are getting convicted, while others are getting cleared.

In one case, police recovered data from a stolen car. It showed that the car had stopped and the driver’s door opened at an RV dealership. Surveillance camera recordings matched the time and pointed to a former employee. With pictures. The guy pleaded guilty and is serving time.

Of course there are privacy implications here.

People rent cars, connect their phones and the car sucks a lot of data out of that phone. Then they return the cars. But the cars don’t return the data.

Over the next few years, cars will get more computers, more data, more evidence and more privacy concerns. High end cars can generate a gigabyte of data a minute.

Of course if someone else can get that data they can stalk someone.

Or get the car to unlock itself or even start.

There is a law, the Driver Privacy Act of 2015, that regulates the data in the car’s crash event data recorder. But only that data.

Privacy4Cars, an app maker that sells an app to tell you how to erase at least some of the data in many different cars, test drove used cars at 72 dealers. 88% had the former owner’s personal data still in the car.

A dealer is not required to wipe your data from your car when they buy it.

Just something interesting to think about. Credit: NBC

Facebook Considers Begging iOS Users: Let us Track You

Apple is preparing to add a new prompt to iOS that requires users to opt-in to tracking by app developers like Facebook. It used to be that you could opt-out — if you could find the place to do that.

Facebook is going to have its own screen telling you how wonderful it is to have your every website click tracked.

Here are sample mockups:

[Image: Facebook’s message to users about privacy]

Facebook’s reasoning is that you get better ads and it helps their bottom line. I am not sure how many people care about Zuckerberg’s income, or how many people think that advertising of any type is a benefit.

Facebook’s beg screen is on the left and Apple’s do you really want to do this screen is on the right.

If you agree to this it does not mean that Facebook is going to collect more or different data – although it might if they find it beneficial to them. It means that they want you to approve of them continuing to do what they have been doing for years – mostly silently.

This is a follow-on to Apple’s version of a food safety warning: the app store now shows, next to the app, how much data Facebook is collecting.

Since Apple earns no revenue from selling your data or serving up ads, screwing up the business model of a competitor like Facebook is perceived as a good thing, or at least not a negative one.

Neither Facebook nor Apple has said when these changes will roll out. Credit: The Register

Covid. Vaccines. Privacy.

We definitely live in interesting times.

The virus is surging and at the same time morphing.

Two different vaccines have been approved for emergency use. More are on the way.

The country is discovering that actually getting vaccines in people’s arms is harder than talking about it.

AND, there is talk of you having to install an app on your phone to prove that you have been vaccinated in order to get on a plane, enter some venues or visit some countries. Which vaccine. How many doses. What dates.

The makers of these apps promise that your data is secure.

Maybe it is safe. To be honest, I don’t know.

Unlocking your phone and giving it to some stranger in a foreign country to prove you have been vaccinated doesn’t seem like a great strategy to me.

The process works by generating a QR code and displaying it. Maybe that can be done with the phone still locked.

And of course, everyone has their own smartphone. Everywhere in the world. Including your grandma.

Of course, there are going to be multiple apps. I am sure they will all be compatible. And certainly no one is going to say that they only accept app ‘X’ and not the one that you already have installed.

Finally, I am sure that there won’t be a black market for fake credentials and all of the apps will be hacker proof.

I wonder if there is going to be a service that you can pay for to fake whatever QR code you want.

Granted this qualifies as a “first world problem”, but we will watch what happens and report back over the next several months. Credit: CNN

HHS Proposes Changes to HIPAA Privacy Rule

As is often the case when the feds do something, there is probably at least one thing that is good in this notice of proposed rulemaking and probably others that are less good.

The HIPAA privacy rule is designed to protect the privacy of patient data, but other than stopping providers from selling your health information to the media, they already share it with most of the healthcare ecosystem anyway.

The only way to REDUCE (but not eliminate) the sharing of healthcare information is to pay cash and not make an insurance claim. Other than the rich, no one does this.

The Republican administration claims that this change will offer more flexibility for disclosures in cases such as opioid overdoses and Covid-19, but of course, these changes are not limited to that.

Among the changes they propose are:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
  • Clarifying the form and format required for responding to individuals’ requests for their PHI.
  • Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
  • Reducing the identity-verification burden on individuals exercising their access rights.
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
  • Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
  • Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
  • The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management, according to OCR – creating an exception to the “minimum necessary” standard. It would “relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations,” according to the proposed rule-making.

The goal, they say, is to allow your doctor to disclose your personal health information to the authorities (like social services), community-based organizations (whatever they are) and other similar third party providers without having to ask your permission.

Among other changes, OCR would replace the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on “professional judgment” with a standard permitting such uses or disclosures based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual,” according to the proposed rule.

But not to worry – you can sue your doctor, spend 5 years going through the court system and spend tens of thousands of dollars if you think your doctor didn’t have an (undefined term) “good faith belief”. How do you PROVE a lack of a belief in a doctor’s head?

There are probably some legitimate changes to be made to HIPAA. I am not sure that this is the list that I would propose. It seems like mostly it is designed to loosen restrictions on what the healthcare community can do with your digital health information without asking your permission or even telling you that they are doing it.

You can probably figure out what I think of these changes. Credit: Health Care IT News