Security experts raised privacy concerns after a US National Security Agency official revealed that the Agency collaborated with Microsoft during the development stage of Windows 7. The revelation was made in a prepared statement by NSA information assurance director Richard Schaeffer, before the United States Senate Judiciary Subcommittee on Terrorism and Homeland Security, which operates under the Judiciary panel.

Speaking during a hearing on cybersecurity on November 17, Schaeffer acknowledged that the NSA drew on its “unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft’s operating system security guide”. Schaeffer ‘s prepared statement is available on video here (forward to 32^nd minute).

Commenting on Schaeffer’s revelation, security experts and watchdog groups expressed privacy concerns, citing the Agency’s controversial domestic intelligence operations in recent years.

Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC), said “the obvious concern is [that the NSA has built] in back doors that enable tracking users and intercepting user communications”. This is the third time in recent years that the NSA is found to have collaborated with Microsoft in developing operating systems. The secretive Agency worked with the US-owned vendor on Windows 9X, Windows XP, Windows 2000 and Windows Vista.

The White House is collecting and storing comments and videos placed on its social-networking sites such as Facebook, Twitter and YouTube without notifying or asking the consent of the site users, a failure that appears to run counter to President Obama’s promise of a transparent government and his pledge to protect privacy on the Internet.

Marc Rotenberg, president of the Electronic Privacy Information Center, said the White House signaled that it would insist on open dealings with Internet users and, in fact, should feel obliged to disclose that it is collecting such information.

“The White House has not been adequately transparent, particularly on how it makes use of new social media techniques, such as this example,” he said.

Defenders of the White House actions said the Presidential Records Act requires that the administration gather the information and that it was justified in taking the additional step of asking a private contractor to “crawl and archive” all such material. Nicholas Shapiro, a White House spokesman, declined to say when the practice began or how much the new contract would cost.

Susan Cooper, a spokeswoman for National Archives and Records Administration, said the presidential records law applies to “social media” and to public comments “received by the president or immediate staff.”

(I’m attending this conference at Harvard University and will do some live blogging here as the mood or content strikes me. One of my reasons for being here is to make sure I’m up-to-date on HIPAA privacy and security requirements and to get a reality check on the emerging issues.)

Yesterday’s session fulfilled most of my expectations of what a great conference can bring to exploring ideas and opening up new areas of inquiry in a topic – privacy – that is getting beat to death every day with  tired clichés. So here’s hoping today’s speakers will help get us to the same level.

7:40 am Set up at the Harvard Faculty Club again, plugged in, with good wi-fi. Coffeed up as well.

7:55 am (Marc Rotenberg) will overview the Electronic Privacy Information Center (EPIC) 2008 initiative to get privacy into the Presidential Campaign.

8:00 am This is a prime moment, and this is the first audience, to launch “Privacy 08″. How do you get an issue into the race? We want it to be a grass roots campaign rather than the policy paper approach. Well get a button and a cool logo. Met with representatives of the campaigns of both parties and positions have been written by both sides. Have even set up a Facebook cause and Twitter Privacy 08! Got a ‘Privacy 08′ internet domain and are planning events to raise awareness. Will be getting materials to the political party conventions, and then holding a Candidate Forum. Will also use YouTube and questions sought from online audiences to pose to candidates. Rotenberg reviews some of the questions already submitted that they will ask the candidates, such as, “Should US firms sell surveillance technologies to the Chinese government?”  “Do you believe that the Constitution limits the ability of the President to to conduct warrantless wiretapping?”

8:30 am (Jeff Rosen) What is the future of privacy? Is it dead or on the verge of a dramatic resurrection? The truth is more complicated. Citizens want contradictory things. They don’t care until their privacy is threatened then they care a lot. He sees 5 possible privacy Chernobyls:

• Behavioral Targeted Advertising: Leaking of that tracking data (Danger of being judged “out of context.)
• Search Terms: Massive Data Leak of search terms.
• Facebook: Not a privacy free-zone. For example -The Beacon scandal: Exposes your purchases to your friends without your knowledge.
• StarWars Kid: A private video was place of the internet without permission followed by much embarrassment (and a lawsuit).
• Ubiquitous surveillance: Public likes the “security theater” of public video anti-crime surveillance. Could move from ‘closed circuit’ to ‘open circuit’. Google live-feeding public surveillance video is a definite possibility.

9:00 am (James Koenig) Talks on the “New, New Thing in Privacy.” Five things to consider now!

• Impact on privacy associated with the slowdown in the economy – Business goals versus privacy goals when companies are under financial pressure. Resources to prevent privacy breaches may be pulled back. More aggressive marketing techniques may ignore privacy concerns. Privacy officials could be eliminated or downgraded.
• Global expansion for new markets and operations – Privacy rules and cultures are not the same. Lower safeguards and infrastructure in Asian countries. China does not have a lot of privacy law history but this is changing. Public pressure is building for a comprehensive China privacy law. Or what about the tougher European standards? What is a privacy official to do? You will need a fleet of lawyers if you want to create a uniform business practice and it is quite difficult to set up a coordinated business governance structure for privacy.
• New Identity Theft Techniques – Number 1 FTC complaint! Impacts 5% of the US a year. Credit card fraud etc. Much of it is from paper and knowledgeable insiders that cause ID theft events!
• New Health care information laws driving disclosures and other risks – Electronic medical records (EMRs), personal health records (PHRs) pose more risks for breaches of medical information. Privacy legislation is on the move in the US Congress as we see in new laws on genetic information.
• Class action and litigation relating to privacy – A definite building impact on corporate behavior.

9:40 am Panel of various speakers on privacy advocacy issues and challenges.

• Convincing officials, policy makers that privacy is not an obstacle but a way to move health information technology forward.
• Privacy law is largely administrative and regulatory. What if the agency has a bad record? Congress wants to move forward through statute. A challenge for advocates.
• HIPAA not necessarily always a good thing. Many say HIPAA is enough. No more. Nobody wants to go back there politically especially for those who want health IT to move fast. Entrenched health interest do not want to reopen privacy. They’ve adjusted and want to keep it that way.
• Fake (Synthetic) identity theft – Fake private information to get credit cards. Not a mainstream issue but an opening into the technology that allows for entry into real ID theft/privacy issues.
• Chief privacy and security official roles are changing – focusing on breach prevention and response.
• How to get market competition on privacy – Car companies now compete on safety. What about businesses competing around their ability to secure the privacy of your data?
• There’s a lot of independent characters in this field and they are not well funded. Privacy advocates are usually not represented in conferences like this one and have been totally shut out of the debate in Washington. They blame us for HIPAA. Do we threaten corporate and government interests?
• People need to see the nexus between privacy and civil rights. The debate  and convergence is evolving.

11:15 am (Ken Anderson,Representing Ontario Privacy Commissioner) “Privacy by design, build it in”. For example use privacy audits and privacy impact assessments. Transformative Technology: Make the technology work for you (for ensuring privacy). Take a pragmatic approach. How to transform video surveillance technology for example? Short retention time of video, frequency of privacy audits, ensure adequate oversight, prevent voyeurism by using technology that block/unblock face recognition.

(Need to break for lunch)

1:35 pm The afternoon sessions will focus more on security issues related to HIPAA starting with an introduction and overview (John Parmigiani).

Where are we today? We  have spotty compliance with HIPAA. Is 2008 a year for HIPAA enforcement? GAO and OMB scrutiny? OIG and CMS audits? New political pressures (new national election and health care reform) and state data protection laws are entering the mix. We have an increasing number of data breaches. Medical identity theft rising (est. 1,000,000 incidents in 2008). The usual suspects are insiders, but new “outside” threats for medical identity theft from abroad and various black markets selling medical IDs. Mobile devices, remote access pose their own challenges as does the changing regulatory landscape. EMRs, PHRs, Google Health, Microsoft HealthVault and the general push for E-heath present new security issues. Corporate governance is driving compliance as are incentives, patient safety and consumers themselves.

2:00 pm (Kate Boren) Talking about security issues in working offsite. Hard enough to do in-house IT controls without looking beyond. Management often would look the other way when it comes to offsite work – A head-in-the-sand approach. We have to be proactive to protect information. HIPAA requires the protection of all devices, media and their surrounding conditions. What about personally own devices, public kiosks, wireless networks, hotels, airports etc. Do you know who works offsite? How do you identify users? Who should own the devices or laptops? We’ve got to recognize the situation. There is considerably more risk when you go outside the corporate home. There are many vulnerabilities and threats to the confidentiality, integrity and availability of our sensitive information. We have to be aware of them and manage them. CMS security guidance came out in December 2006. We are still seeing 1 or 2 security incidents each month reported in the press regarding remote access/media.

Well that’s it for now. It’s been a terrific conference. Back to BAU — Blog as usual.