data privacy

Yet another Dallas ransomware update

We’re three weeks out, how are things going?

Three weeks after Dallas was hit with a ransomware attack, city officials still haven’t publicly explained the full scope of the breach or the city’s progress toward restoration.

The ransomware attack hit May 3 and though some functions, like filing a complaint to 311 through the city’s app or residents paying their water bill online, have returned, other functions are still impacted.

The city libraries are still not able to process returned books, the police department isn’t able to access some data, and the municipal court is unable to hold hearings or process payments for citations.

“Progress is continuing with focus on public safety and public-facing services, and as departments’ service is restored it will be shared via city channels,” city spokeswoman Jenna Carpenter told The Dallas Morning News on Wednesday.

The impacts have also included City Council meetings where the government body has been unable to use the electronic voting system when deciding on agenda items. The City Council met in closed session Wednesday for at least the fourth time since the May 3 cyberattack with information technology officials to discuss the city’s network security and other issues related to the incident.

The city in mid May said it could take several more weeks or months to fully restore the system from the ransomware attack, which includes reviewing and cleaning servers and devices to make sure they are safe to use. Ransomware is often used to extort money from organizations by threatening to block access to files or release confidential information unless money is paid.

City officials have declined to say if the city has been issued any ransom or to release specific details related to the attack, citing an ongoing criminal investigation involving the FBI.

The city said several servers were compromised with ransomware early May 3 and that it intentionally took others offline to prevent the bad software from spreading. During a May 8 city council committee meeting, Chief Information Officer Bill Zielinski said the city put in preventative measures that helped limit the effect of the ransomware attack, but city officials haven’t elaborated on what those were.

Royal, the hacker group suspected of being responsible for the Dallas breach, threatened last week to release personal information stored by the city. City officials have maintained since the attack occurred that they’ve found no evidence of information kept on employees and residents have been leaked.

The threat has led the Dallas Police Association and Dallas Fire Fighters Association to send a letter to City Manager T.C. Broadnax demanding the city provide free identity theft monitoring for all of its members for five years.

“We feel that this is necessary and the least the city can do to insure our personal financial information is not compromised” said the May 22 letter.

The city has not disclosed how much the attack has cost taxpayers so far and whether insurance will cover any of the financial hit.

See here for the previous update. Ginger noted this story in Friday’s Dispatches. The big question is whether Royal will follow through on their threat to release data they have exfiltrated. It still looks to me like the city of Dallas is not paying, which can mean any number of things, like feeling confident that nothing of value was taken or deciding that the risk of the data being leaked isn’t worth the payment that would be required. D Magazine takes a deeper dive.

The city has remained tight-lipped about the scope of the attack, citing an ongoing investigation. Statements insist that no personal information was obtained in the attack. Royal, the group claiming responsibility for the attack, says the opposite.

“So, we are going to indicate that the data will be leaked soon,” the group said on its website on May 19. “We will share here in our blog tons of personal information of employees (phones, addresses, credit cards, SSNs, passports), detailed court cases, prisoners, medical information, clients’ information and thousands and thousands of governmental documents.”

The city, in turn, said it was “aware” of the claim. “We continue to monitor the situation and maintain there is no evidence or indication that the data has been compromised.”

The city won’t say how it’s so certain, which servers were impacted, and whether it will pay any ransom.

Let me note that the above is cybersecurity-speak for “we have not found any evidence of data being compromised in the logfile data that we have analyzed so far”. If they have a comprehensive set of logfile data, including data from enterprise detect and respond tools like FireEye or CrowdStrike, and it has all been reviewed by them or a security consulting firm, then they’re probably fine. If not, well, they’re not out of the woods yet. From this perspective, all we can do is wait and see if they change their tune or some data starts to show up.

Royal’s warning that it would begin releasing data, [security expert Brett] Callow said, is designed to strike fear. Money is the main objective, but mayhem? Mayhem brings the payday.

“Mayhem increases the likelihood of getting paid,” Callow said. “The more abjectly miserable they can make life for their victims, the greater they—and the next victim—will pay up.”

Callow said that by scaring one city or school district into paying, ransomware gangs can build on that fear, causing a domino effect as each entity they threaten pays up. This is fueled by the earlier victim becoming concerned enough to hand over money.

Ransomware gangs have made plenty of concerning threats in their quest for Lamborghinis and tigers. Some are vague—like the threat against Dallas to release “documents”—but in 2021, a Russian-based gang threatened to release the names of confidential informants when negotiations broke down with the Washington, D.C. Metropolitan Police.

“That could be deadly,” Callow said.

[…]

Callow says ransomware gangs have also been known to exaggerate what they were able to obtain.

“It’s important to make clear—we don’t know what, if any, data Royal actually obtained,” he said. “They could be exaggerating, it’s not particularly unusual.”

But the length of time can also lead to the decision to pay the ransom. It takes significant time and resources for cities to stop the malware from spreading, secure the servers, determine where the infection is, bring everything back online, and conduct a forensic investigation into what data was obtained.

“The hackers attempt to use that period of uncertainty to their advantage by exaggerating the information they obtained, either in terms of its quantity or sensitivity,” Callow said. “But quite often, they don’t actually need to exaggerate because they actually did obtain extremely sensitive information.”

That sensitive information isn’t just police files—the contents of employee files could also cause concern.

“Just as an employer, cities have very sensitive information, and some of those types of things have ended up going online after other attacks,” Callow said.

Those items go beyond social security numbers and things that could be used to carry out identity theft. They also include disciplinary actions, drug testing results, appeals against terminations, performance evaluations, and even medical reports. All these things have ended up online in the past.

“Your financial information leaks, you can usually fix that eventually,” Callow said. “If highly sensitive information like that ends up online, it’s always going to be there. You can’t undo that.”

[…]

Callow says there is always the chance that Royal is bluffing. The organization has, however, made enough concerning threats that most victims opt not to gamble. (The city of Dallas will not say if it’s negotiating with the hackers or if it might pay the ransom.)

But that doesn’t mean Callow thinks organizations should pay the ransom. One recent analysis found that 80 percent of organizations surveyed paid a ransom demand this year.

“What you need to remember is the information is already out there,” he said. “Whatever information Royal obtained in the attack, they have it, and it can’t be undone, whether you pay them or not. What you have is a pinky promise from the criminals that they will delete the files. But numerous organizations have been extorted for a second time after they paid to have the files deleted.”

Callow acknowledges that ransomware victims don’t have many good options. But until public institutions can convince taxpayers the investment is worthwhile, they “will continue to have a security problem.”

He also says it’s a solvable security problem, too.

“When was the last time you couldn’t get money from your bank because the branch had been ransomed?” he said. “Probably never. It happens, but not very often, and that’s because branches don’t have to design their own security—it’s done for them by HQ. Yet public bodies all need to create their own. If bank branches needed to do that, it’d be safer to keep your money under your pillow.”

He also says the government could do more to tamp down on ransom paying. “The government should consider severely limiting the circumstances in which ransoms can be paid,” he said. “Should a victim be permitted to pay when the only reason for doing so is to obtain a pinky promise that the criminals will delete the stolen data? Or when a victim believes that paying for a decryption key will make the recovery 72 hours faster than using their backups? Bottom line, less profit would mean less ransomware.

“The alternative is for attacks to keep on happening at the same rate as now.”

Some good stuff there. Federal or state policies about ransomware, in particular a blanket ban on paying ransoms, could have that effect. It would be best if it were paired with a ton of money to improve the overall security posture in local and state governments, and enforce standards for how public data is kept and protected. Note the “ton of money” part of this, because none of this comes cheap. You need tools and you need people, and there’s a much greater need for the people than there is supply at this time. There’s a lot that could be outsourced, to get savings on scale and make it easier to meet standards. First we have to make this a priority. Think about what is happening in Dallas happening to your city, county, school district, hospital district, flood control district, and so on. How much is mitigating all that risk worth to you?

Dallas data leak threatened by ransomware attackers

Not good.

An online blog post by a group claiming responsibility for Dallas’ ransomware attack says a leak of employees’ personal information and other data stored by the municipal government will happen soon.

In the post Friday, Royal noted the city saying there was no evidence that data from residents, vendors or employees has been released from Dallas servers after the May 3 attack. The hacker group in the post replied that “the data will be leaked soon.”

“We will share here in our blog tons of personal information of employees (phones, addresses, credit cards, SSNs, passports), detailed court cases, prisoners, medical information, clients’ information and thousands and thousands of governmental documents,” the post said. As of Friday morning, no city information has appeared on the website, which lists at least several dozen other organizations the group claims to have taken data from, such as the Lake Dallas Independent School District.

Some of the posts about other organizations are accompanied by links to download files Royal claims to have stolen, but many others have no link.

The Texas Attorney General’s website lists the Lake Dallas Independent School District in its reports of data security breaches as of May 4. It says almost 22,000 Texans were impacted with names, addresses, Social Security information, driver’s license numbers, and financial and medical information among the data affected.

The AG’s office’s website said potential victims were notified by mail, but doesn’t list the name of any person or group responsible for the data breach.

The city of Dallas in a statement Friday said officials were aware of the website post and that personal information hasn’t been exposed.

“We continue to monitor the situation and maintain there is no evidence or indication that data has been compromised,” the statement said. “Measures to protect data are in place.”

See here for the most recent update. This is a bad scenario for Dallas if what the Royal group is claiming is accurate. If they really do have this kind of personal data of various people and they make it public, that’s not only a legal liability for Dallas, it’s also a terrible look for them since they’ve been saying they didn’t think any such data had been exposed. Again, if this is accurate, it means that either they didn’t have a good handle on what had been done by the attackers, or they just weren’t honest about it. Perhaps the attackers are conflating data taken from one breach with data taken from another, in which case it might not specifically be the city of Dallas’ fault, but that won’t be of much comfort to anyone whose data may be involved. We’ll just have to see when it shows up.

If this kind of data does get published, and it can be traced to the city of Dallas attack, then that raises bigger questions about how they did their business and how they responded to the attack. It also raises the stakes for every other government entity in Texas, since at this point Royal has a track record, and the locals aren’t doing enough to defend and protect themselves. I’d consider this a much bigger and more urgent problem than anything the Lege is dealing with right now, but then I don’t get the vapors at the thought of a drag queen or a kid reading “Heather Has Two Mommies”. The Dallas Observer has more.

Meanwhile, even if the personal data question turns out to be less than threatened, there are still other ongoing problems that have no end in sight.

Dallas police are struggling to access physical and digital evidence amid an ongoing ransomware attack that is disrupting trials, according to defense lawyers who are exasperated after more than three months of pervasive evidence storage issues.

The consequences played out Thursday in a murder trial, where a man was found guilty despite evidence being unavailable to jurors or lawyers. Last week, a jury couldn’t reach a unanimous verdict in another murder trial, where police were unable to produce a phone or shell casings.

“It’s the Stone Age again,” said Douglas Huff, president of the Dallas Criminal Defense Lawyers Association.

“This has pretty extensive implications,” he said. “Ultimately, all of this is causing horrendous delays and a clear message is that justice that is delayed is justice that is denied.”

The ransomware attack initiated by the group Royal on the city of Dallas has stretched into a third week, downing several departments. The city has said it could take weeks or months until services are fully restored.

While the county, which administers the courts, is not directly affected, some cases could be paused because electronic evidence catalogs are inoperable, communication is breaking down and internal police share drives and servers are compromised, according to attorneys.

Before the attack, the Dallas Police Department’s digital media evidence team was already sorting through hundreds of murder and capital murder cases to look for deleted digital evidence — an “incredible problem” affecting people accused of crimes, Huff said. That review is now on hold, according to police spokeswoman Kristin Lowman.

Claire Crouch, a spokeswoman for the Dallas County District Attorney’s Office, said Wednesday that it would be impossible to determine whether any cases would be affected by the ransomware attack.

The next day, the office sent out a news release saying prosecutors are working with Dallas police to “mitigate the impact.”

“We understand that timeliness is crucial in maintaining public safety and public trust, and we remain resolute in our dedication to upholding the law and ensuring that cases are filed and prosecuted effectively,” the statement Thursday said.

“We anticipate that the longer this goes on, the greater chance for obligations on the DA’s part will be affected.”

Lowman said city officials are working to bring the police evidence cataloging software back online. Without elaborating, she said police are manually accepting, inventorying and retrieving evidence, and the property unit is locating evidence.

The department did not immediately respond to a request late Thursday afternoon for comment about specific cases cited by defense attorneys as having inaccessible evidence.

Additionally, the city’s municipal courts have slowed to a crawl. According to a notice posted on the Dallas Municipal Court’s website, there will be no court hearings, trials or jury duty for the duration of the outage.

My previous inclinations had been to say that Dallas must be confident in its ability to recover from the attack without paying the ransom. I’m less sure of that now, but even if that is still the case, it’s not so good if the recovery in question takes that long. Degraded services aren’t much better than unavailable services.

So about that DPS delay in notifying the victims of the credential stuffing attack

Here’s their explanation.

[DPS Director Steve] McCraw said DPS officials kept the news under wraps to avoid jeopardizing the agency’s investigation, including efforts to arrest the fraudsters who organized the scheme.

The explanation came in response to questioning from state Rep. Mary González, D-El Paso, who expressed bewilderment over the delay.

“So, hold on,” González said. “It could be my driver’s license, and somebody could be going around as Mary González right now for two months, and nobody has been notified.”

González also queried McCraw and one of his top deputies, Jeoff Williams, about whether the state could face fines for possibly running afoul of federal regulations requiring timely notice of certain security breaches.

Williams, DPS’ deputy director of law enforcement services, said that was not the case. He added that the criminal investigation — which includes at least four states — “has taken priority at this point.”

“We recognize that there’s a requirement to notify people, and we want to do that more than anyone, believe me,” Williams said. “ — We’re going to handle each one of those (affected Texans) with the individual care that’s required, given what occurred to them.”

On Tuesday, DPS confirmed that it had begun sending letters informing victims of “fraudulent activity that resulted in your driver license card being sent to an unauthorized party.” The agency reportedly told the victims they would be issued a new replacement license at no charge.

Under state law, anyone who “conducts business” in Texas and owns or licenses data that includes “sensitive personal information” is required to notify people within 60 days if their information is compromised in a breach. The law provides an exception, however, if a law enforcement agency “determines that the notification will impede a criminal investigation.”

“The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation,” the law states.

In 2021, state lawmakers tacked on a requirement to notify the state attorney general about any breach that involves at least 250 Texans. The attorney general’s office is required to post a publicly accessible list of the breaches on its website, updated within 30 days of each breach notice.

The attorney general’s office has tallied 468 such breaches since the law took effect in September 2021 — an average of 26 per month.

See here for the background. I get the reason for the delay, though perhaps there should be some limit to that, and the earlier stories mentioned that the FBI and Homeland Security were also involved, so that’s good. I just don’t trust Steve McCraw. But unless there’s some other nuance to this, I’ll have to get over it.

Of more interest to me is what DPS and the Texas Department of Information Resources will learn from this. Will they take proactive steps to notify their customers whose passwords are known to have been compromised? How about doing a better job of screening where these logons come from, and put in extra verifications to filter out unwanted foreign actors? McCraw specifically said there weren’t adequate controls in place. What controls does he have in mind, and who is responsible for implementing them? Put the cybersecurity stuff aside for a second, was this an unusual number of license requests, was there a way to detect that, and what if anything was supposed to be done if so? And if there wasn’t any way to flag that as suspicious, is there now? This is the kind of review process that an enterprise has to undertake when there is a successful attack like this. All of us driver’s license holders need to know that this is happening. Please keep the pressure on them, legislators.
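To make the "was there a way to detect that" question concrete, here is an added example (not code from DPS, DIR or Texas.gov) that reviews replacement-license orders for three signals: a daily volume spike, one mailing address receiving licenses for several different holders, and one source network ordering for several holders. The record schema, thresholds and sample orders are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Order:
    """One replacement-license order (hypothetical schema, not a real portal record)."""
    day: date
    license_id: str   # license holder the duplicate was issued for
    ship_to: str      # mailing address the card is sent to
    src_net: str      # source network of the web session


def normalize(addr):
    """Collapse case, punctuation and spacing so trivially varied addresses compare equal."""
    return " ".join(addr.upper().replace(".", "").replace(",", " ").split())


def fan_in(orders, key, min_holders):
    """Return {key value: license_ids} where one value serves >= min_holders distinct holders."""
    seen = defaultdict(set)
    for o in orders:
        seen[key(o)].add(o.license_id)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_holders}


def volume_spikes(orders, baseline_days, z=3.0):
    """Flag days whose order count exceeds mean + z * stddev of the preceding days.

    Days with no orders are simply absent here; a production job would fill them with 0.
    """
    counts = defaultdict(int)
    for o in orders:
        counts[o.day] += 1
    days = sorted(counts)
    flagged = []
    for i in range(baseline_days, len(days)):
        window = [counts[d] for d in days[i - baseline_days:i]]
        # Floor the deviation at 1 so a very flat baseline does not flag tiny changes.
        threshold = mean(window) + z * max(pstdev(window), 1.0)
        if counts[days[i]] > threshold:
            flagged.append(days[i])
    return flagged


def build_sample():
    """Constructed sample: seven ordinary days, then one day of bulk orders."""
    orders, n = [], 0
    for d in range(1, 8):
        for _ in range(2 + d % 2):  # 2 or 3 unrelated orders per day
            n += 1
            orders.append(Order(date(2024, 1, d), f"DL{n:04d}",
                                f"{n} Elm St, Austin TX", f"10.0.{n}.0/24"))
    for i in range(10):  # ten different holders, one destination, one network
        n += 1
        ship = "12 Oak Ave., Unit 4, Houston TX" if i % 2 else "12 oak ave unit 4 houston tx"
        orders.append(Order(date(2024, 1, 8), f"DL{n:04d}", ship, "203.0.113.0/24"))
    return orders


def review(orders):
    """Run all three checks and return the findings for an analyst to triage."""
    return {
        "spike_days": volume_spikes(orders, baseline_days=7),
        "shared_address": fan_in(orders, lambda o: normalize(o.ship_to), 3),
        "shared_network": fan_in(orders, lambda o: o.src_net, 3),
    }


if __name__ == "__main__":
    for name, finding in review(build_sample()).items():
        print(name, finding)
```

None of these checks depends on knowing how the accounts were accessed; they look only at what the orders have in common, which is the information a portal operator already holds.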

DPS victimized by credential stuffing attack

That’s the technical term for this.

The Texas Department of Public Safety was duped into shipping at least 3,000 Texas driver’s licenses to a Chinese organized crime group that targeted Asian Texans, DPS Director Steve McCraw told a Texas House committee on Monday.

The crime group worked through the state’s government portal, Texas.gov. The agency, which discovered the security breach in December, will begin notifying victims in letters to be sent out this week, the DPS chief said. More victims are still being identified, he said.

“We’re not happy at all, I can tell you that, one bit,” McCraw said in testimony to a House Appropriations subcommittee. “They should have had — controls should have been in place, and they never should have happened.”

The crime organization, which McCraw did not name, was able to get its hands on the Texas driver’s licenses by first pulling personal data on individuals with Asian surnames from the “dark web” and other underground data-trading portals.

That info, including previous addresses and family names, allowed thieves to correctly answer password security questions on the Texas.gov site and use stolen credit cards to order duplicate copies of active licenses — such as those ordered by people who misplace their licenses or report them stolen. A replacement license costs $11.

The state-run Texas.gov site is the central portal for Texans wanting to renew licenses, obtain driving records and registration, and obtain birth and death certificates, among other things.

The investigation into the stolen driver’s licenses spans at least four states and also involves fraudulent licenses duplicated from victims in other states as well as Texas. The FBI and the Department of Homeland Security are also investigating, according to the DPS letter to lawmakers.

House Appropriations Vice Chair Mary González, an El Paso Democrat, blasted DPS agency chiefs for letting so much time lapse while Texans were unaware that their identities were being used fraudulently.

“Somebody could be going around as Mary González right now for two months, and nobody’s been notified, I [wouldn’t have been] notified,” González said.

DPS officials are not calling the incident a “data breach” because they say no hacking was involved and vast amounts of data were not being stolen. Instead, the crime group used data obtained from underground sources to bypass a simple password security system — laying bare a security vulnerability that “should never have happened,” McCraw said.

Texas.gov is operated not by DPS, but by the Texas Department of Information Resources.

DPS officials declined to provide details about the security loophole that left the site open to fraud but told lawmakers that it had been closed.

DIR spokesperson Brittney Booth Paylor dismissed the notion that the incident was a cybersecurity breach, calling it “a case of fraudulent criminal activity based on factors unrelated to state systems.”

[…]

The problem was first detected in December when a third-party Texas.gov payment vendor “alerted DPS to an increase in customers challenging credit card charges for online transactions,” according to a February letter sent to lawmakers from the DPS. The credit cards used to buy the fraudulent copies were also stolen, authorities said.

Before investigators shut down the operation, McCraw said, the license thieves were able to use the site, billed as “the official website of the State of Texas,” to obtain driver’s licenses that are “Real ID compliant” — not cheap copies, McCraw said.

These stolen licenses can pass verification methods and be used fraudulently all over the country because they are real driver’s licenses being used by people who can pass for the photo on the original card, McCraw said.

See here if you want to learn a bit more about what a credential stuffing attack is. Long story short, don’t reuse your passwords and enable two-factor authentication where you can.

Putting my cybersecurity hat on for a minute, I will say that the DIR response to this is disingenuous. It’s true that there are plenty of pwned password lists available on the internet, and that it’s not Texas’ fault if people reuse passwords. But there are services that the state can subscribe to that would alert them to email addresses in their database that have been found in those pwned lists, which would then give DPS or DIR or whoever would have that responsibility the impetus to contact those address owners proactively and tell them to update their password. They could also enforce, or at least offer, a two-factor solution, and there are other proactive steps available as well. DPS/DIR isn’t “responsible” for this, but DPS/DIR absolutely could have done something to prevent or minimize it.

Rep. González’s complaint about the delay in notifying the affected users is addressed in a later Chron story. I drafted this originally Monday night, so I will do a separate post on that. Short answer, there is a legal requirement in Texas to report data breaches, but there is an exception for when there is an active law enforcement investigation, which DPS has invoked here.

Given the upsurge in violence against Asian-Americans, Rep. González also asked if this could be considered a hate crime, which McCraw avoided answering. It may not be possible to tell from what they know right now, but it is possible to try to figure it out. I’m glad DPS is in contact with the FBI and DHS about that, and I hope that leads to some action. I hope the Lege will press DPS and DIR to do better, and to share the results of the investigation when it’s over. The Lege – and the media – should also focus on McCraw’s statement about controls not being in place and demanding to know what is now being done about that. Either we learn from this or we risk having it happen again. The Chron has more.

More dimensions for privacy in the post-Roe world

The fall of Roe is a big boon for cyberstalkers.

All too frequently, people monitor our intimate lives in betrayal of our trust—and it’s often those we know and love. They don’t even need to be near us to capture our data and to record our activities. Surveillance accomplished by individual privacy invaders will be a gold mine for prosecutors targeting both medical workers and pregnant people seeking abortions.

Intimate partners and exes download cyberstalking apps to personal devices that give them real-time access to everything that we do and say with our phones. To do this, they only need our phones (and passwords) for a few minutes. Once installed, cyberstalking apps silently record and upload phones’ activities to their servers. They enable privacy invaders to see our photos, videos, texts, calls, voice mails, searches, social media activities, locations—nothing is out of reach. From anywhere, individuals can activate a phone’s mic to listen to conversations within 15 feet of the phone.

Now and in the future, that may include conversations that pregnant people have with their health care providers—nurses, doctors, and insurance company employees helping them determine their life’s course and the future of their pregnancies. Victims of such privacy violations are never free from unwanted monitoring. Abusers count on them to bring their cellphones everywhere, and they do, as anyone would.

For abusers, finding cyberstalking apps is as easy as searching “cellphone spy.” Results return hundreds of pages. In my Google search results, a related popular search is “spy on spouse cell phone.” More than 200 apps and services charge subscribers a monthly fee in exchange for providing secret access to people’s phones. When I first began studying stalkerware in 2013, businesses marketed themselves as the spy in a cheating spouse’s pocket. Their ads are more subtle now, though affiliated blogs and videos are less so, with titles like “Don’t Be a Sucker Track Your Girlfriend’s iPhone Now: Catch Her Today.”

Though we don’t have precise numbers of stalkerware victims, domestic violence hotlines in the United States help more than 70,000 people every day, and according to the National Network to End Domestic Violence as many as 70 percent of those callers raise concerns about stalkerware. A 2014 study found that 54 percent of domestic abusers tracked victims’ cellphones with stalkerware. Security firm Kaspersky detected more than 518,223 stalkerware infections during the first eight months of 2019, a 373 percent increase from that period in 2018. Millions of people, right now, are being watched, controlled, and manipulated by partners or exes. The United States has the dubious distinction of being one of the leading nations in the number of stalkerware users around the world. That destructive accomplishment has a disproportionate impact on women, LGBTQ individuals, and people from marginalized communities.

Abusers will use intimate data obtained from stalkerware to terrorize, manipulate, control, and—yes—incriminate victims. Now that a woman’s exercise of her reproductive liberty is soon to be, or already is, a crime in many states, abusers have even more power to extort and terrorize victims. They may threaten to disclose information about abortions unless women and girls give into their demands, including having unwanted sex or providing intimate images, both forms of sextortion. (Sextortion routinely involves threats to disclose intimate information like nude images unless victims send more images or perform sex acts in front of webcams.) If victims refuse to give into their demands (and even if they do), privacy invaders may post information about abortions online and report it to law enforcement. Two birds, one stone: the ability to humiliate, terrorize, and financially damage victims and to provide evidence to law enforcement. Exes can extinguish victims’ intimate privacy by enabling their imprisonment.

The law’s response to intimate privacy violations is inadequate, lacking a clear conception of what intimate privacy is, why its violation is wrongful, and how it inflicts serious harm upon individuals, groups, and society. Legal tools—criminal law, tort law, and consumer protection law—tackle some privacy problems, but few (if any) capture the full stakes for intimate privacy. In criminal law, privacy violations are mostly misdemeanors, which law enforcers routinely fail to pursue when reported. Criminal law is woefully underenforced when the illegality involves gendered harms, like privacy violations and sexual assault where victims are more often female and LGBTQ individuals. (Yet when the very same people are the alleged perpetrators, law enforcement eagerly investigates.) Because policymakers fail to recognize the autonomy, dignity, intimacy, and equality implications of intimate privacy violations, we have too few protections.

Call me crazy, but I don’t see any chance that legislation to deal with these issues will pass in the next Texas legislative session. Maybe in the next Congress, if Dems can hold the House and pick up a couple of Senate seats to overcome the Manchin/Sinema blockage – in other words, possible but a longshot. We know the House can do it, at least. Otherwise, good luck to you.

Another place where existing law falls short: HIPAA doesn’t cover medical apps.

The Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA, does not apply to most apps that track menstrual cycles, just as it doesn’t apply to many health care apps and at-home test kits.

In 2015, ProPublica reported how HIPAA, passed in 1996, has not kept up with changes in technology and does not cover at-home paternity tests, fitness trackers or health apps.

The story featured a woman who purchased an at-home paternity test at a local pharmacy and went online to get the results. A part of the lab’s website address caught her attention as a cybersecurity consultant. When she tweaked the URL slightly, a long list of test results of some 6,000 other people appeared.

She complained on Twitter and the site was taken down. But when she alerted the Office for Civil Rights within the U.S. Department of Health and Human Services, which oversees HIPAA compliance, officials told her they couldn’t do anything about it. That’s because HIPAA only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners.

Deven McGraw is the former deputy director for health information privacy at the HHS Office for Civil Rights. She said the decision overturning Roe, called Dobbs v. Jackson Women’s Health Organization, should spark a broader conversation about the limits of HIPAA.

“All of a sudden, people are waking up to the idea that there’s a lot of sensitive data being collected outside of HIPAA and asking, ‘What are we going to do?’” said McGraw, who is now the lead for data stewardship and data sharing at Invitae, a medical genetics company. “It’s been that way for a while, but now it’s in sharper relief.”

McGraw noted how that’s not just the case for period-tracking apps but also some apps that store COVID-19 vaccine records. Because Congress wrote HIPAA, lawmakers would have to update it to cover those cases. “Our health data protections are badly out of date,” she said. “But the agencies can’t fix this. This is on Congress.”

Consumer Reports’ digital lab evaluated eight period-tracking apps this spring and found that four allowed third-party tracking by companies other than the maker of the app. Four apps stored data remotely, not just on the user’s device. That makes the information potentially subject to a data breach or a subpoena from law enforcement agencies, though one of the companies surveyed by Consumer Reports has said it would shut down rather than turn over users’ data.

In a press release last week, HHS sought to allay worries with some advice that sounds reassuring.

“According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care,” HHS said in the release.

The document quoted HHS Secretary Xavier Becerra about the protections provided by HIPAA: “HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” Becerra said. He urged anyone who thinks their privacy rights have been violated to file a complaint with the Office for Civil Rights.

See above in re: the chances of federal legislation passing. Also note that until the law is updated, if a Republican wins the Presidency, they’ll appoint the HHS secretary and will set the direction for that agency regarding patient privacy. How much faith do you want to put in that?

More on how abortion bans will be enforced

It’s all about the data.

The Supreme Court is shortly expected to issue its decision on a challenge to Roe v. Wade that will—if a leaked draft version of the opinion holds—end federal protection for abortion access across the US. If that happens, it will have far-reaching consequences for millions of people. One of those is that it could significantly increase the risk that anti-abortion activists will use surveillance and data collection to track and identify people seeking abortions, sending authorities information that could lead to criminal proceedings.

Opponents of abortion have been using methods like license plate tracking for decades. In front of many clinics around the US, it remains a daily reality.

[…]

“The biggest fear, I think, is that there are going to be states that not only ban abortion in short order, but start criminalizing pregnant people who are seeking abortion services even out of state,” says Nathan Wessler, the deputy project director of the Speech, Privacy, and Technology Project at the ACLU.

Some states that protect abortion services might be able to limit what out-of-state law enforcement can do directly, he notes, but that “doesn’t mean that there won’t be anti-abortion vigilantes recording information [outside of clinics] and then sending it to aggressive prosecutors in abortion-banned states.”

There is evidence that anti-abortion activists are already keeping close track of legal abortion activity. In 2014, for example, a recording surfaced of a training session for Texas anti-abortion activists, led by Karen Garnett of the Catholic Pro-Life Committee of North Texas. In it, Garnett explained how license plate tracking is used to keep tabs on both a clinic’s clients and its doctors.

“You track license plates … coming into any abortion facility. We have a very sophisticated spreadsheet. This way you can track whether or not a client comes back,” she said in the video.

We’ve discussed this before, and I said at the time that any real enforcement effort is going to involve a lot of invasive searches. License plate tracking is an old technique – as the story notes, it goes back to at least the 90s – but there are much more modern strategies as well.

A location data firm is selling information related to visits to clinics that provide abortions including Planned Parenthood facilities, showing where groups of people visiting the locations came from, how long they stayed there, and where they then went afterwards, according to sets of the data purchased by Motherboard.

[…]

How data collecting intersects with abortion rights, or the lack thereof, is likely to gather more attention in the wake of the draft. The country may also see an increase in vigilante activity or forms of surveillance and harassment against those seeking or providing abortions. With this aggregated location data available to anyone on the open market, customers could include anti-abortion vigilantes as well. Anti-abortion groups are already fairly adept at using novel technology for their goals. In 2016, an advertising CEO who worked with anti-abortion and Christian groups sent targeted advertisements to women sitting in Planned Parenthood clinics in an attempt to change their decision around getting an abortion. The sale of the location data raises questions around why companies are selling data based on abortion clinics specifically, and whether they should introduce more safeguards around the purchase of that information, if they should be selling it at all.

“It’s bonkers dangerous to have abortion clinics and then let someone buy the census tracts where people are coming from to visit that abortion clinic,” Zach Edwards, a cybersecurity researcher who closely tracks the data selling marketplace, told Motherboard in an online chat after reviewing the data. “This is how you dox someone traveling across state lines for abortions—how you dox clinics providing this service.”

Read the rest and do a little googling yourself. It’s very possible to identify people who have visited abortion clinics from “anonymized” location data and census tracts, especially people who live in less populated places. Geofencing, which has been used in the past for targeted anti-abortion advertising, may be used by law enforcement agencies that are all in on the forced birth agenda. It’s scary stuff. And when you see it happen, don’t say you couldn’t have known.

More on DPS and data protection

A followup from the DMN about that data breach involving every drivers license number you’ve ever had.

Some other states do not sell [drivers’ license] data, but Texas does. State lawmakers could change the law in their 2021 session.

I first reported this in 2015 when I learned that several state government departments sell information to outsiders. In an open records request that year, I learned that in 2014 the Department of Motor Vehicles earned $2.4 million in sales.

This year, CBS 11/KTVT reporter Brian New updated those numbers. DMV made more than $3 million in 2019 selling drivers’ names, addresses, phone numbers, email addresses and VIN information, he reported.

[…]

The buyers are data-mining companies, insurance companies, banks, police departments, car dealers, toll companies, school districts, corporations, private investigators, tax-collecting law firms, tow truck companies and electricity companies, to name a few.

Follow this — the biggest loophole. In Texas, it’s against the law for companies who buy the information to use it to sell to us. So to get around that some companies sell the lists to other marketing companies, which go ahead and use the information to sell — and annoy us.

Because our information isn’t sold directly to marketers, the state doesn’t have to give us a privacy statement when we buy a car or apply for a driver’s license. We don’t get to opt out, as residents of California are now allowed to do.

State lawmakers could fix this, giving us privacy statements and allowing us to opt out of the information sold. Or they could go one better and prohibit the sale of the databases entirely. Other states do.

If you bring this up, state departments other than DMV complain loudly about how these are open records that often can help consumers. (For example, your car is towed, and the towing company can figure out who it belongs to). Besides, selling our data makes a lot of money for the general fund.

One way to see how loosey-goosey Texas is with our information is on the paid subscription lookup site, PublicData.com.

Years ago, there were multiple states listed where you could quickly look up a person’s driver’s license information. Now there’s only Florida and Texas. The other 48 now have higher standards of privacy.

Same goes for vehicle information. Only five states are listed for searching, but four are marked “[OLD].” The fifth is up to date and active. That’s us.

If you get unwanted spam email, postal mail or phone calls and wonder how they got your information, often enough it’s because of our state’s lax laws. Thank you state leaders.

When it comes to cheap and easy data distribution that violates our privacy, we’re number one. Hoo-ray for Texas.

See here for the background. California has a data privacy law that is modeled on the European GDPR scheme. I work with GDPR quite a bit, and it gives people a lot of control over their data while putting some real teeth into enforcement. One of the main ways that GDPR works is that it requires notifications to affected individuals when their personal data is stolen, deleted, or otherwise inappropriately accessed. That’s a lot better than what we have now.

There’s some federal data privacy legislation out there, which largely has the support of the big players like Facebook and Google, which on the one hand means it has a chance to pass but on the other hand means it’s not anything those companies consider to be bad for their business models. I’d rather see something more stringent than that – to me, GDPR is a starting point. We’re not going to get anything like that in Texas, I feel confident saying that. But feel free to call your State Rep and State Senator and tell them that you would like to have the ability to opt out of having your drivers license data sold by DPS. The amount the state takes in for these sales is pennies compared to the state budget. We can very easily do with less of that.

UPDATE: This Slate story about the need for a federal data privacy law is a good read, and addresses the ways we can learn from GDPR for an American version of that law.