The Week in Privacy and Online Safety, September 10, 2012
A weekly global roundup of online safety news, policy developments, research, and influence.

General Online Privacy
News (U.S.) -  Amazon confirms that the Kindle Fire's Silk browser tracks users, The Inquirer, Sep. 7, 2012

News (U.S.) - FBI Says Laptop Wasn’t Hacked; Never Possessed File of Apple Device IDs, Wired, Sep. 4, 2012

Research (U.S.) - A Critical Re-Examination of Health Data Re-Identification Risks, Daniel Barth-Jones, June 4, 2012

Research (Canada) - A Policy is Not Enough: It Must be Reflected in Concrete Practices, Ann Cavoukian, Sep. 2012 

General Online Safety
Research (U.S.) - Pro-anorexia Communities and Online Interaction: Bringing the Pro-ana Body Online, Pascoe, Sep. 2012

News (U.K.) - Most parents reject automatic broadband filtering, TalkTalk finds, uSwitch, Sep. 6, 2012

News (New Zealand) – Cyberbullying Law’s Effectiveness Questioned, New Zealand Herald, Sep. 6, 2012

News (U.S.) - 13 Year-Old Steals Car, Drives 13 Hours To Meet Her Xbox Live “Boyfriend”, Kotaku, Sep. 9, 2012

Advocates (U.S.) - What’s wrong with Net-safety ed … and what we can do about it, Anne Collier, Sep. 6, 2012

Advertising & Search
Policy (U.S.) - Guide to Help Mobile App Developers Observe Truth-in-Advertising, Privacy Principles, FTC, Sep. 5, 2012

News (U.S.) – Abine Software Let's You Count The Advertisers Tracking Your Web Activity, Business Insider, Sep. 7, 2012

News (U.S.) -  How Advertisers Use Facebook To Figure Out When You're Pregnant, Business Insider, Sep. 10, 2012

Mobile
News (U.S.) - Amazon's New Kindle Fire Has Innovative Parental Control Options, Forbes, Sep. 6, 2012

Research (U.S.) - More than half of app users have avoided an app due to privacy concerns, Pew Internet, Sep. 5, 2012

News (U.S.) - Toys"R"Us ® Introduces tabeo ™ - A Tablet Specially Designed For Kids, PR Newswire, Sep. 10, 2012 

Social Networks
News (U.S.) - How Instagram became the social network for tweens, CNet, Sep. 8, 2012

Legislation & Regulation
News (U.S.) - White House circulating draft of executive order on cybersecurity, The Hill, Sep. 6, 2012

News (E.U.) - US privacy, consumer groups back EU's proposed privacy rules, IDG News, Sep. 9, 2012

News (U.S.) - Dems Part Company With Republicans on Net Neutrality, Online Privacy, National Journal, Sep. 4, 2012 

-- Compiled by David Burt, CISSP, CIPP

Updated 9:14 A.M.  8/2/2011

Microsoft released a change to its geographic location positioning service on July 30, 2011, which addresses an issue highlighted in Elie Bursztein's blog on July 29, 2011.  This change adds improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted.  Microsoft is keenly aware of the sensitivity around all privacy issues, especially those surrounding geolocation.       

Microsoft's privacy and security team has been in contact with Elie and we will continue the ongoing dialog with experts in the privacy field to improve our service  offerings.   We thank Elie, Matthieu Martin from Stanford University, Jean Michael Picod and Ivan Fontarensky from Cassidian for working with us on this issue.  
 

Microsoft’s commitment to privacy means that not only will we seek to build privacy into products, but we’ll also engage with key stakeholders in government, industry, academia and public interest groups to develop more effective privacy and data protection measures. We will continue to update our service with improvements that benefit the consumer in both positioning accuracy as well as individual privacy.

Reid Kuhn is a Partner Group Program Manager on the Windows Phone engineering team at Microsoft

This year’s State of the Net Conference in Washington, D.C. on January 17th featured a number of lively sessions I attended that addressed issues of online privacy.

The day began with a keynote by Cameron Kerry, General Counsel, U.S. Department of Commerce.  Kerry discussed a number of technology policy issues, including the recent announcement that the DOC will open an office promoting online trusted identity technology, where Kerry emphasized that the DOC has no plans to implement “national identity cards.”   He also discounted the belief that young people don’t care about privacy, citing recent surveys showing the opposite.  He then discussed last month’s DOC green paper on privacy, and said that DOC wants to contribute to improving privacy, and that Americans need better privacy protections. 

The first afternoon featured a panel discussion titled, “Online Privacy on Trial: Has Congress Given Industry Self-Regulating Long Enough?”  The panel was moderated by Peter Swire, Professor, Ohio State University Moritz College of Law.  Swire outlined the issues regarding privacy legislation, and said that the biggest questions involve defining which areas of privacy should be self-regulated and which should be legislated. Swire stressed the need for reform of U.S. privacy laws because of possible conflicts with overseas laws and the possibility of individual US states are regulating, which could create a patchwork of state privacy laws.  A vigorous discussion ensued among panelists supporting and opposing privacy regulation in the United States.  

The last panel of the data addressed “The Clouding of Internet Policy: A Perfect Storm for U.S. Security & Privacy Policy?” and was moderated by Roger Cochetti, RJC Associates and featured Ed Felten, Chief Technologist, Federal Trade Commission; Ambassador Phillip Verveer, Deputy Assistant Secretary of State; and  Jim Dempsey, Vice President of Public Policy, Center for Democracy & Technology.

Conchetti started by describing some of the issues with cloud computing. He said that while most of cloud computing occurs within a single jurisdiction, cross-jurisdictional issues are unresolved.  He also wondered if a cloud service for consumers could become “too big to fail?”

Ed Felten said there were two main things new about cloud computing regarding privacy. One, data is now stored in more places than before, because it is stored in a data center and on your device. Each place where data is stored is a place where something can go wrong with privacy.  Two, the number of parties involved in managing data increases by at least one, and sometimes more as cloud services can involve multiple providers.  He said we need clear expectations regarding the responsibilities of cloud providers. He said consumers need to have effective disclosure and choice about what happens to their data and how it is stored. Phillip Verveer said that the cloud offers huge benefits, especially the ability of consumers and small businesses to access sophisticated computing.  But he also cited concerns about privacy, trans-border data issues, and complications for law enforcement. 

Jim Dempsey also said that cloud jurisdiction issues currently unsettled.  Dempsey said another thing about the cloud is the concept of protecting intermediates from liabilities for the content created, although this isn’t true in every country.  He expressed hope that the cloud will lead to deeper international harmonization of privacy laws.  He concluded that while the cloud is new, it brings us back to the same issues we’ve been struggling with for years regarding privacy and security.

-- David Burt, CIPP, CISSP

We just published a new article to help educate consumers on the risks of using location services and how to do so more safely:

Use location services more safely

Does your phone know where you are? If you've used your phone to find directions or locate a nearby restaurant, you've used its global positioning system (GPS) and it's likely that it would be able to pinpoint your location within a close range.

Location services can be convenient for automatically adding location information (geotags) to photos. Some people also use location services to post their locations to social networking sites, such as Facebook. Be aware, however, that others can use your location information, too.

The risks of using location services

• The apps and search engine you use may sell your location data to advertisers who might then deliver ads on your mobile phone related to where you are.
• Services, such as Foursquare, that track your location can be used for criminal purposes—for spying, stalking, or theft. If your location-sharing messages are tied to Twitter, there is no limit to who might know where you are and when you're not at home.
• If messages that share your location are tied to your Facebook account, your network of friends and family will know your location.
• Location information is added to all of the other data about you on social sites and blogs, comments you leave, and so on. It's likely permanent and searchable.

How to use location services more safely

Choose from among the strategies below to set the level of privacy that is right for you.

Pay close attention to the settings that use your location

• Consider turning off features that add location information (also called geotagging) in your tweets, blogs, or social network accounts.
• Consider disabling location services altogether. Be aware, of course, that this will restrict such features as maps, bus route data, or services that allow you to watch over your children.
• Use location features selectively. For example, turn on geotagging of photos only when you need to mark them with your location. Remember that it is safer not to geotag photos of your children or your house.
• Share your location only with those you trust. For example, in a service like Facebook Places, create a separate list of your closest friends. Use privacy controls to restrict access to location status updates, messages, and photos.
• Disable the option that allows others to share your location (check you in).
• Set your location data so that it's not publicly available or searchable.

Limit who knows your location

If you use location services, check in thoughtfully

Pay attention to where and when you check in.

• Does it enhance or harm your reputation?
• Does it put others at risk? For example, are you checking in from your kids' school or a friend's house?
• Are you alone? If so, is checking in safe?

Link to social media with care. Avoid sending your check-ins to Twitter, Facebook, or your blog.

Help protect kids who use location services

In addition to the other ways you can help preserve your family's online safety, consider these steps specific to location services:

• If you use a family location service to monitor your kids' whereabouts, make sure others cannot locate them. Otherwise, consider disabling the location feature on your child's phone—at the very least, turn it off in the phone's camera.
• Unless you feel your teenage children have the maturity to use these services responsibly, prevent them from using check-in services available on social-networking sites.
• Get more advice about how to take charge of your online reputation.
• Learn how to secure your smartphone.
• Learn about privacy and location services on Windows phones.

For more information

Stephen L Rose writes on the Windows Team Blog:

We’re just a couple days into TechEd North America in Orlando and already there’s a tremendous amount of excitement in the air, particularly around new information that we’re sharing about the enterprise capabilities of Windows 8. A few months ago, Erwin started the conversation around what Windows 8 means for businesses at CeBIT in Hannover, Germany, and followed-up later with a post on Windows 8 enterprise edition. Last week, he began talking about the business value of Windows 8 Release Preview and today followed up with more details in his “How Windows 8 Will Work for Your Business” post. In this post, Erwin discusses the great things that enterprises are already doing with the Windows 8 Consumer and Release Previews, as well as a series of updates to the Microsoft Desktop Optimization Pack (MDOP) suite.

MDOP helps IT Pros manage Windows features, virtualize applications and user experience, as well as restore productivity after a system issue. One of the biggest MDOP updates discussed at TechEd is to Microsoft Bitlocker Administration and Monitoring (MBAM) 2.0, with the beta launching today. For this blog post, I’m going to do a deep dive into some of MBAM’s key features.

When MBAM 1.0 was released late last summer, our goal was to address the top three pain points customers experienced when attempting to manage and support BitLocker and BitLocker To Go on Windows 7. Customers asked us to simplify the provisioning process, provide compliance reporting and overall, help reduce the costs of supporting users with encrypted devices.

MBAM 1.0 was successful at addressing these top pain points, but as customers began using 1.0 we received some great feedback on how to make it even better. This feedback led us to examine the following priorities for MBAM 2.0:

Reduce overall customer costs by:

• Empowering end users to support themselves with a self-service recovery portal
• Taking advantage of Windows 8 functionality to reduce the time it takes to provision encryption to devices
• Help customers maintain compliance with improved enforcement capabilities
• Integrate MBAM with the tools that customers are already using

Reducing costs by creating self-service and faster provisioning tools

In MBAM 1.0, we helped reduce the costs of managing an encrypted environment by simplifying the process of provisioning BitLocker to devices, while also making it easier for IT help desks to assist users when they ran into trouble with an encrypted device. And with those scenarios addressed in 1.0, we asked ourselves: where could we further reduce costs? There were two big areas that we knew could greatly impact our customers in our next version of MBAM.

First, Windows 8 will help MBAM realize even greater results by reducing the time that it takes to provision BitLocker to devices. On traditional storage disks, BitLocker and MBAM can perform Used Disk Space Only Encryption, which means that rather than encrypting the entire disk, just the portions of the disk that contain data on them will be encrypted. This can reduce the time that it takes to provision encryption to a new device by many times.

However, we found that even with Used Disk Space Only Encryption, provisioning BitLocker can still take quite a bit of time. Windows 8 devices that are equipped with a new type of disk drive called an Encrypted Hard Drive can be provisioned with BitLocker protection within seconds, regardless of the disk size. In this case, Bitlocker offloads all of the encryption tasks to specialized hardware on the disk drive, while BitLocker will perform all of the key management functions. Essentially, Encrypted Hard Drives are effectively already encrypted from the moment they are turned on.

Another area where we can help drive down costs is with BitLocker recovery scenarios. Currently, when a user loses their PIN and goes into recovery mode, organizations have their user’s call the IT help desk to assist with the recovery process. With MBAM 2.0, we’re empowering the user to help themselves by equipping them with a self-service recovery portal that will walk them though the process. Here at Microsoft, we experience thousands of calls per year for recovery assistance and when you combine the cost of the call, plus the cost of lost productivity, were talking about a very large expense. With MBAM 2.0, we can help customers eliminate most of that burden.

Better maintaining and enforcing compliance

MBAM 1.0 helped organizations improve encryption policy compliance by providing them with two primary capabilities. First, we made it easier to encrypt new devices as part of the PC provisioning process. Second, we made it possible to encrypt PCs that were previously delivered to users in an unencrypted state. These capabilities were effective in driving increased compliance, but limited in their ability to maintain, force or prevent devices from drifting from the desired state.

To address this, in MBAM 2.0 we’re including the ability to automatically enforce encryption compliance for cases where users perpetually postpone encryption or when administrators decrypt or suspend protection. MBAM 2.0 will automatically bring the devices back to the desired state. Additionally, to protect machines during the pre-boot authentication process, we’re adding complex PIN support to address situations where users attempt to set a weak PIN. Common PIN sequences like 1111, 1234, and others like them can’t be used.

We also heard that more and more organizations are adopting the Federal Information Processing Standard (FIPS) standard. This standard was supported with Windows 7 and BitLocker, but MBAM couldn’t manage machines using this configuration. MBAM 2.0 brings management support to devices configured in FIPS compliant mode.

Integrating with existing management infrastructure

Our strategy for MBAM 1.0 was to deliver a product that could scale to the largest size organizations, require the least amount of infrastructure, and could be run in any organization. The latter requirement consequently meant that MBAM could not take a dependency on System Center Configuration Manager (SCCM), so management tasks – like compliance reporting of BitLocker protected devices – would need to occur in another console.

Our customers understood the rationale behind this strategy, but also expressed an expectation that SCCM integration should be on the product roadmap. In MBAM 2.0, we deliver on that expectation and have enabled MBAM management experiences, such as compliance reporting and hardware management, within the SCCM management console.

All of the additions mentioned above represent a significant set of improvements for MBAM and we’re really excited to deliver them to customers. We look forward to hearing your feedback on the beta and encourage you to download MBAM 2.0 from the MBAM site on Connect.

In addition to all the MBAM updates, there are some other announcements that I want to mention: the beta for Microsoft Advanced Group Policy Management (AGPM) and the release candidate (RC) for the Diagnostics and Recovery Toolset (DaRT) are available today and can both be downloaded from the AGPM and DART sites on Connect. Also, the new beta for User Experience Virtualization (UE-V) will be available at the end of the month and all will provide new functionality specific to Windows 8 Release Preview.

Please remember that we encourage your feedback to help make these products great. We encourage you to take the time to download and evaluate them as soon as possible and look forward to hearing from you and responding to your feedback on Connect. And for more information on MDOP, please visit www.microsoft.com/mdop.