Justice Department officials are presently determining whether they should ask the Supreme Court to consider a case involving the use of a GPS device to track a criminal. The matter stems from a U.S. Court of Appeals for the D.C. Circuit decision which vacated the life sentence of one Antoine Jones, a former D.C. night club owner, wherein evidence obtained by the warrantless use of the GPS device led to a successful drug trafficking investigation, linking the defendant to a Maryland stash house. The government’s latest court filing with reference to this Fourth Amendment rights case may be found at:
Videotaping Police Misconduct Activity
In a 6-1 Michigan Supreme Court ruling, rapper Dr. Dre won over a police officer’s right to privacy while “on the job” and engaged in law enforcement duties. The suit was filed by former police official, Gary Brown, now a Detroit City Councilman, who, with other Detroit police officers, was videotaped while attempting to close an Eminem concert should they show a sexually explicit video. Subsequently, the video of the police officers was included in a DVD produced about the tour. Brown’s lawsuit was dismissed on the basis that there is no right to privacy for police while performing their duties. This ruling makes it legal in the state of Michigan to video record the police while they perform their duties and will be used in other court cases arising in other states where such action is becoming illegal. There have been numerous incidents where cell phone users and persons with video cameras have recorded acts of police misconduct, resulting in the bystander witness who recorded such acts being arrested and the cell phone or video equipment confiscated. Massachusetts is one such state which we believe has proposed legislation to make it illegal to videotape police officers in the performance of their duties. Illinois passed such legislation. Civilian videos of police officers have revealed misconduct, abuse and filing of false reports throughout the U.S. The case also has First Amendment implications as well.
Google fined over Street Views “privacy breach”
France’s privacy watchdog Commission nationale de l’information et des libertés [CNIL] fined Google the equivalent of $141,000 for collecting personal data from Wi-Fi networks which included web browsing histories, emails and on-line banking details. This was done during the period of 2007 through 2010 via Google’s roaming camera mounted bicycles and cars. Complaints against Google had also been lodged by government privacy agencies in Canada and Germany about which ISPLA previously reported. Last November the U.S federal Trade Commission reached an agreement with Google and “closed its books.” However, some thirty European countries have complained over the manner in which Google has handled its information data gathering. Critics have labeled Google’s incidents as “Wi-Spy” and last October Jennifer Stoddart, Canada Privacy Commissioner issued a scathing report, about which we also previously made comment. According to the Associated Press, in reporting on the use of Google cars, “Google initially said it captured fragments of peoples’ online activities, but Canada’s investigation determined that the entire e-mails, passwords and website addresses had been obtained and stored.”
RSA Hacked: Cyber Attack – Significant Security Breach
Senior security analyst at Gartner, Avivah Litan has indicated that RSA’s recent statement that it’s the victim of hackers who have extracted certain information is related to its SecurID two-factor authentication tokens, which many banks use to secure their online banking programs and should be a wake up call for banks that rely too heavily on such security tokens.
“Tokens are like a front door lock, they make it harder to keep amateurs out, but banks need to use a layered security approach that includes robust fraud protection; monitoring of session, user and account behavior; and monitoring of very high-risk transactions,” she says. “They should also consider adding manual controls, such as dual authorization on high risk payments.” According to a “Bank Systems & Technology” item reported by Penny Crossman – “Banks and other companies give RSA’s SecureID tokens to their customers to authenticate online transactions.”
A March 17, 2011 EMC, parent company of RSA, filed an 8-K report with the SEC indicating they do not expect a financial diminution of earnings as a result of last week’s embarrassing security breach. Its president released the following letter to customers, which reads in part: “Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
“It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”
The RSA’s recommendations to its SecureID customers included the following steps:
- Increase security for social media applications and the use of those applications and websites by anyone with access to critical networks.
- Enforce strong password and PIN policies.
- Follow the rule of least privilege when assigning roles and responsibilities to security administrators.
- Re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
- Pay special attention to security around active directories, making full use of Security Incident and Event Manager (SIEM) products and implementing two-factor authentication to control access to active directories.
- Watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
National Child Protection Act of 1993
On March 19, Senator Charles E. Schumer [D-NY] introduced S. 645, a bill to amend the National Child Protection Act of 1993, which was referred to the Committee on the Judiciary. The bipartisan bill is cosponsored by Senators Sherrod Brown [D-OH], John Ensign [R-NV], Kirsten E. Gillibrand [D-NY], Orrin G. Hatch [R-UT], Mike Johanns [R-NE] and Sheldon Whitehouse [D-RI]. This bill just appeared on the ISPLA federal tracking system this week and has not yet been publicly released. As soon as it is, we will comment on it.
ISPLA Director of Government Affairs
“Real Investigators, Real Professionals, Real Representation”