Big problems for AT&T with Apple Data Breach

A massive breach of data security by AT&T has exposed some very high profile users’ email addresses and contact information from the celebrity hotlist of Apple’s select early-adopter iPad 3G users. An in-depth report by Ryan Tate (Valleywag) says, “The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.”

This is a big blow for Apple, and more so for their already rocky relationship with AT&T. With data breaches like these happening more and more frequently, maybe we’ll see the end of these ridiculous ‘exclusive’ deals we’ve been subject to in both the US and the UK, where we end up locked into AT&T or O2 (in the UK) just because we want a particular type of phone. From now on, maybe the lack of trust that this sort of data loss will undoubtedly breed will benefit the rest of us, as exclusive lock-in deals with just one provider might not seem so clever. Then we will all have the privilege to choose which cellular provider we will pay to lose our personal data and leave us open to fraud. And, as we know… it’s all about freedom of choice!




Digital Forensics crossing into other specialisms

I’ve been working at editing a book review for Issue 3: and what an excellent book it is (the review is pretty good too, I may add). The reviewer could not have praised this book any more than he did and there is good reason for this. Dr John Olsson’s latest book on Forensic Linguistics is a fantastic read and really opens up your eyes to what’s possible through the study of words alone. To be able to point the finger at a culprit on nothing more than the phrasing in a fake suicide note takes a lot of skill and experience, but the understanding of the linguistic formulation of the prose, which is where John’s book really wins, is also vital. John has done an article on the role of forensic linguistics in convicting the culprit in the recent terrible events that led to the death of a young girl using Facebook. He discusses the dialogue used between murderer and victim and how, with careful screening, we can discover the motivations of unseen people at the other end of a virtual connection in cyberspace. What intrigues me is the crossover here. SMS, for example, has created the need for a new language and cryptic annotation that is used mostly by teenagers today. When we, the mobile forensic examiners, extract this information, we need to make sense of it to help with the overall investigation. And how can we determine if the suspect is actually the person who sent the incriminating text? This is exactly where Dr Olsson’s skill comes in, and he’s finding himself more and more involved in computer crime investigation. We know that the Forensic Science Regulator in the UK is focusing on integrating digital forensics into the mainstream role of other forensic sciences, which I believe is a great move, allowing much tighter collaboration between the various branches of our profession.
Dr Olsson shows the benefits in terms of this one case relating to Facebook, but I feel we need to start looking for other such stories in DFM to really show the importance of cross-field collaboration.

An Enumeration Shall Be Made: The Census

The United States Constitution authorized the federal government to conduct a decennial census. Article 1, Section 2, states that, “[An] Enumeration shall be made … within every … Term of ten Years, in such Manner as [Congress] shall by Law direct.” Twenty ten is, of course, one of the decennial census years. With both mistrust of the powers of the federal government and fears of privacy violations, some people are refusing to return census forms, in violation of federal law. In response, the Census Bureau assures the population that census information is private, protected and secure. But is it?

First off, I am not one of those paranoid people who believe that, in filling out the Census forms, black helicopters will swoop down and surround me. Nor do I believe that the government will use the Census forms for particularly nefarious purposes – unless you include federal funding as nefarious. Indeed, I filled out my form in about two minutes, and popped it into the mailbox with reckless abandon. Sure, the government used Census records during World War II to locate Japanese Americans for internment camps. Sure, General Sherman used Census records to identify population centers during his 1864 march to the sea. But this was under a different legal regime. Certainly the government couldn’t use these records again – or could they?

The Government’s Promise

The Census Bureau points out that individual census forms are protected by law. Title 13 United States Code Section 9 provides:

(a) Neither the Secretary, nor any other officer or employee of the Department of Commerce or bureau or agency thereof, or local government census liaison, may, except as provided in section 8 or 16 or chapter 10 of this title or section 210 of the Departments of Commerce, Justice, and State, the Judiciary, and Related Agencies Appropriations Act, 1998 or section 2(f) of the Census of Agriculture Act of 1997 – (1) use the information furnished under the provisions of this title for any purpose other than the statistical purposes for which it is supplied; or (2) make any publication whereby the data furnished by any particular establishment or individual under this title can be identified; or (3) permit anyone other than the sworn officers and employees of the Department or bureau or agency thereof to examine the individual reports. No department, bureau, agency, officer, or employee of the Government, except the Secretary in carrying out the purposes of this title, shall require, for any reason, copies of census reports which have been retained by any such establishment or individual. Copies of census reports which have been so retained shall be immune from legal process, and shall not, without the consent of the individual or establishment concerned, be admitted as evidence or used for any purpose in any action, suit, or other judicial or administrative proceeding.

(b) The provisions of subsection (a) of this section relating to the confidential treatment of data for particular individuals and establishments, shall not apply to the censuses of governments provided for by subchapter III of chapter 5 of this title, nor to interim current data provided for by subchapter IV of chapter 5 of this title as to the subjects covered by censuses of governments, with respect to any information obtained therefor that is compiled from, or customarily provided in, public records.

Seems pretty simple. Census records may ONLY be used for statistical purposes, and individual records cannot be disclosed or subject to legal process. The IRS, CIA, NSA, FBI or other agencies theoretically cannot obtain individual census forms no matter how hard they try. Indeed, the Census Bureau had put up a privacy policy on its website which says:

• Private Information is Never Published: It is against the law to disclose or publish any private information that identifies an individual or business such as:
  o No names
  o No addresses including GPS Coordinates
  o No Social Security Numbers
  o No telephone numbers

• We Collect Information to Produce Statistics: We use your information to produce statistics. Your personal information cannot be used against you by any government agency or court.

• Sworn for Life to Protect Your Confidentiality: Every person with access to your information is sworn for life to protect your confidentiality.

• Violating the Law is a Serious Crime: If anyone violates this law, it is a federal crime; they will face severe penalties, including a federal prison sentence of up to five years, a fine of up to $250,000, or both.

The policy also notes that census workers are sworn to a strict oath which says: “I will not disclose any information contained in the schedules, lists, or statements obtained for or prepared by the Census Bureau to any person or persons either during or after employment.” The Bureau goes on to say:

• We promise that every person with access to your information is sworn for life to protect your confidentiality.

• We promise that we will use every technology, statistical methodology, and physical security procedure at our disposal to protect your information.

Sounds pretty good. Your information is safe and secure. It will NEVER be disclosed. All technologies will be used to protect it. Census workers will NEVER disclose the information TO ANYONE. Unfortunately, every one of these statements is both false and misleading. Not in an “evil” or “black helicopter” way. But in the same way that companies who inelegantly draft privacy policies or statements frequently and unnecessarily promise much more than they intend to or can deliver.

Writing Privacy Policies

Part of my legal practice is to help companies draft both internal and external privacy policies. Internal privacy policies are designed to help companies protect data and set out the rules for when they can monitor employees’ e-mail, phone calls, twitter feeds and the like. External privacy policies relate to the kinds of information they may collect about clients or customers, third parties, business partners and the like, and how they will use and protect that information. In drafting such policies, I invariably advise companies to avoid declarative statements like “we will never use your information for ….”

The privacy policy is a statement of policy and intention. There are far too many possible unanticipated circumstances to make an irrevocable statement. Companies are acquired or acquire other companies. They go out of business or declare bankruptcy. Assets are transferred. Computer hardware or software is lost, stolen, transferred. Information assets are insourced, outsourced, or transferred to “the cloud.” New business models develop new potential uses for information – sometimes even to enhance the privacy of the data subject. New laws and regulations come into effect. Companies which currently operate in one country or one legal regime expand their operations into new regulatory environments. Fires, floods, hurricanes, acts of God and acts of war all can lead to circumstances where a promise, made with all good intentions, becomes obsolete or impractical. Thus, rather than saying, “we will never use your information for…” or “we will never disclose your information…”, I prefer more general statements of intent. “We collect and use your information for ### purposes…” The goal here is not to be “sneaky” or to mislead the data subject, but to fairly and accurately inform the data subject of your real intentions. With this in mind, let’s look at the Census Bureau’s promises.


Really? If you live in the DC area, take a trip down to the National Mall on 7th Street to the National Archives. You know, the building featured in National Treasure which holds the Declaration of Independence and the Constitution which authorizes the Census in the first place. They have a genealogy department there that will help you use Census records dating back to 1930 to help locate relatives. While these records do not contain addresses or specific answers to census questions, they do contain names and cities and dates of residence – you know, the kind of information that the Census Bureau says it will NEVER disclose. Indeed, the Census Bureau proudly notes, “In keeping with the Census Bureau’s commitment to confidentiality, the Census Bureau information collected in the Decennial Census of Population and Housing on individuals does not become available to the public until after 72 years.” In other words, to protect your privacy they will disclose your information after 72 years. Not NEVER. But after threescore and a dozen years. So when the Census Bureau says “Private Information is NEVER Published” and includes in its definition of “Private Information” things like names (including surnames), it may simply be concluding that making the information available to the public is not a form of “publication” and therefore is exempt. In that case, they are being disingenuous. Moreover, the promise is simply unnecessary. The privacy policy, like the rest of the website, could have said that the information will become available after 72 years, but it did not. In addition, the promise of confidentiality is contingent upon the statute that protects confidentiality. As we have seen, Congress can alter the statute at any time, and has done so in the past.

While current law protects the information, Congress can remove the protection, or indeed REQUIRE the Census Bureau to produce information to federal agencies. This fact should be at least acknowledged in the privacy policy. Moreover, there are a host of circumstances where census information may have to be turned over to someone. For example, if a census worker was terminated for falsifying forms or for failing to turn them in, the contents of the forms submitted would be relevant in either a hearing before the Office of Personnel Management or in a criminal prosecution, and would be appropriately disclosed in such proceedings. If a respondent was prosecuted under Title 18 USC 1001 for filing a false statement in a census form, and claimed that they did not submit the form, they would be entitled to see the form to defend themselves in a criminal case despite the fact that the statute they are alleged to have violated is not part of Title 13, and the fact that, by their own admission, the form is not theirs. In an emergency situation, where it might be necessary to find out where a census worker is (or was), the completed forms may need to be turned over to law enforcement – not for statistical purposes on the data subjects, but for other, perfectly reasonable purposes. This is why you DON’T make unequivocal statements in a privacy policy.

The Oath

Next comes the Census employee’s oath. Paraphrased, it says, “I will not disclose any [census] information to any person or persons ….” Really? Strictly construed, this prohibits the use and disclosure of census information for perfectly legal and appropriate purposes. While the law permits disclosure by census employees to, for example, OTHER CENSUS EMPLOYEES or other authorized recipients, the OATH forbids this. The oath says that the information will not be disclosed TO ANY PERSON OR PERSONS. Thus, a census enumerator who accepts forms and takes them to the office and hands them to a supervisor is in direct violation of their oath. It’s a simple fix. Change the oath to reflect reality.

Sworn for Life

The next promise is that “every person with access to your information is sworn for life to protect your confidentiality.” Really?

This now implies that every postal worker (who carries the letters), every government contractor, every records storage facility worker, every data storage or ISP that has access to the information has taken such an oath. Every single one. Oh, and let’s not forget all the people who have access to the information after 72 years. They too have to take that oath – for life. One problem here lies with the definition of the term “access” to your information. Does this mean “authorized access?” Does this include physical access? Does it include the ability to see information contained in the forms? Without defining the terms, the oath requirement is meaningless.

Every Technology

Finally, and most disturbingly, is the promise that the Census Bureau “will use every technology, statistical methodology, and physical security procedure at our disposal to protect your information.” Really? The budget for the Census Bureau for 2010 is estimated at $7.4 billion. That puts an awful lot of technology “at their disposal.” Moreover, as time goes on, more technology will become “at their disposal.” And they promised to use EVERY technology – not just the good ones, or the effective ones or the reasonable ones. They COULD technologically shoot all census forms off to the Moon for protection. In theory. It’s a silly, silly promise which is wholly unnecessary. All that people would ask is that the Census Bureau use appropriate technologies to protect the data, and reexamine these technologies in light of changes in the threat environment and capabilities. But they have promised to use EVERY technology. So does a respondent have any recourse when the government breaches each and every one of these promises – which it invariably will? Probably not.

You see, while the promises are intended to induce you to fill out the census forms, and if used in a consumer context would constitute “unfair and deceptive trade practices,” a respondent is not entitled to rely upon these promises since they are legally mandated to complete the form irrespective of the promises of privacy. Thus, the privacy promises are doubly silly. And that I promise you.

M D Rasch