Bad news:

Information such as email addresses, names, addresses and phone numbers was retrieved from this database and affects TD AMERITRADE retail and institutional clients.

Good news:

Client assets held in accounts with the Company remain secure as UserIDs, personal identification numbers and passwords were not stored in this particular database.

MSNBC Article: Some TD Ameritrade info stolen
TD Ameritrade Press Release

Google Privacy Quickies – Slashdot

One excerpt from the report states:

“We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google’s approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy.”

Some of you may remember last year the big fiasco Google raised when it challenged the DOJ’s subpoena request to review millions of user’s search requests. A feather in their cap for privacy advocates right? This along with their agreement to “sanitize” search data after 18-24 months has created some confusion as to just how Google could have received the lowest ranking of all companies analyzed. Privacy International came to it’s conclusions based off of 6 months of research conducted with 30 professors from the US and the UK.

Some of the takeaways from both the Washington Post article and Privacy International’s actual report are as follows:

• Out of 23 total companies, Google received the lowest ranking allowed and was the only one to receive that rank.
• “An independent European panel recently opened an inquiry into whether Google’s policies abide by Europe’s privacy rules.” – Washington Post
• Three consumer groups in the United States are pressuring government regulators to force Google to change some of it’s privacy policies before allowing the $3.1 billion deal with online ad service Double-Click.
• Google’s ability to match data gathered by its search engine with information collected from other services such as e-mail, instant messaging and maps is equally concerning.

I believe Google is keeping privacy in mind when it comes to third parties. I don’t believe they are sharing data with anyone else or advancing the rise in spam traffic. However, I also believe they are gathering and analyzing data in ways that will benefit them greatly and anyone else that had this same type of market research. They obviously won’t share this type of research with competitors but will use this information any way they can to serve their own interests. At least, that’s just my opinion.

Do I think they’re in bed with the government like Facebook has been suggested to be? No. Do I think they have very valuable information that the government and/or corporate entities would like to get their hands on? Absolutely.

A company by the name of National Payment Card has been working over the past couple years on a campaign to get gas stations to sign up with their e-check Driver’s License payment program. It’s a simple process really. All it takes is your driver’s license number and bank account information and you’re good to go. Government (Driver’s License) and Business (NPC) mixing together in a far too close manner. I just don’t like it from a privacy standpoint.

What happens if your DL gets suspended? What happens if your bank account gets frozen? Are the two entities, government and commercial, going to start sharing data and trends without your knowledge? Will hackers begin cloning debit cards based off of DL info? When you go into a bar that is using new DL scanning technology, will you have to worry about unscrupulous bar owners or bouncers compromising your account?

NPC claims to have tough security in place consisting of a PIN that must be entered for every transaction, just like a bank debit card. Also, after three failed PIN-entry attempts, the debit card portion is locked out. Most likely, this isn’t going to be a huge risk of your banking data, as the financial data is stored nowhere on your DL. However, your license information is stored on NPC’s servers to as to properly tie your information together.

Most Public Safety Departments are NOT endorsing NPC, or anyone else who “piggybacks” on any state-issued property. However, the majority of NPC users are loving the technology and wishing that more retailers would accept this type of payment. The gas stations and convenience stores already participating in this program are definitely in favor of the new payment method as they get to escape almost 80% of the normal transaction fee most credit card companies are charging. This in turn allows them to pass along some of those savings to you.

From a business standpoint, it’s bound to succeed in my opinion and make the investors mega bucks. This is why I wish I could invest in the program. Maybe that’s hypocritical since I’m condemning the idea, but since I’m a avid investor and business “watcher”, I can’t help but be intrigued by the potential of this new concept.

To be loyal to my privacy concerns and the business side of me as well, I offer this suggestion: Create an NPC card and send that to all your customers so they can use that, instead of their license. Now you may ask, what’s the difference between that and just another credit card? Not a whole lot on the outset. But if enough retailers begin to accept NCP cards as payment instead of their normal loyalty cards that you always have to swipe, then that could cut down on the amount of plastic in your wallet and still maintain your privacy. Well, as much privacy as can be had when you are a person that signs up for such things as loyalty cards (see my opinion on loyalty cards by visiting this site: http://www.nocards.org).

Somehow, someway, it hit me today how biometrics should be done. I thought, why not take a fingerprint and run the resulting normal biometric encoding through a one-way hash function (ie. MD5, SHA-1, etc). Then, the database that normally contains an encoded fingerprint or handprint, now contains a one-way non-reversible hash of the biometric encoding. Then whenever I need to authenticate, I submit to a scan, a hash is computed and then that result is compared to the value in the database. Similar to how passwords are transmitted and verified against a password database when logging onto a computer. Great idea right? Now no one ever has my uniquely identifiable information in their grubby little database. I’ve retained my privacy. Perfect idea.

Well as luck would have it, as usual, I’m a day late and a dollar short. More like a year late and thousands of dollars short. After much Googling, I found Privaris and their product line of plusID Biometric Scanners. They have created what I was thinking of the whole time. Their plusID product is a key fob with a fingerprint scanner built in. The only real big difference between what I was envisioning and what they have done is the presence of a database of hashes, or lack thereof. With their implementation, they’ve made it even more simple. Once a successful fingerprint is scanned on the fob, then the fob becomes activated and it becomes like any other proximity card, smart card, or password token. All the biometric computations and authentication are done right on the key fob. I love it already.

I really, really just wish I could one day actually come up with something that hasn’t already been invented.

Some of you may be looking at me and saying to yourself “Google keeps my search data?” Yeah they do. They track the search query, the IP address requesting the information (that’s your IP address), and other details from the cookie they put on your computer. This isn’t an underhanded deceitful source of trickery on Google’s part, it’s been widely known for years that Google keeps this data. The good news is that now it will be anonymized after 18-24 months by changing a few bits in the IP address so that the query can no longer be matched back to the requester.

While I would really like it if they just wouldn’t keep the data at all, Google states they need this data to continue gathering statistics and other business related data for its revenue generation. Google has stated they are seeking the proper balance between privacy and business necessity. So we’ll see; like I said earlier, it’s a step.

For you criminals out there, let it be known that law enforcement can still request that log data be held for a certain IP address or addresses, so technically, if you are being watched or monitored, then your IP address and the search terms associated, may be retained indefinitely.

If anyone is interested in truly private Google searching, and by that I mean no cookies, no IP addresses and no audit trail, just head on over to Scroogle. This is a “scraper” that proxies your search requests and returns just the results, no ads and in complete anonymity.

There’s been a number of people over the years that have looked into this already, so I won’t have to totally reinvent the wheel.  There are also a few good writeups on the web about how to build your own card reader and instructions on how to get that data into your PC.  One of those sites is by Billy Hoffman of SPI Dynamics.  A few years ago he wrote a suite of tools called Stripe Snoop that can read and import data from mag stripes.

There is also another gentleman by the name of Abend who did a presentation at ShmooCon 2006 about mag-stripe reading.  You can find his presentation and video here.   You can find his code here.

All that to say I’ve got a reader I picked up off eBay and I’m going to start gathering all the necessary parts to put together a reader I can hook up to my computer.  Then hopefully between Stripe Snoop, abend’s code, and some other sites, I’ll be able to get started researching.  I’ll post updates on my project here.

AT&T is also claiming they were named as a defendant in this case as a mere “guess” of the lower courts.  They claim that the court’s were only operating under the “unfounded and inexpert speculation that content surveillance requires the cooperation of a telecommunications provider.”

Uh, DUH! Of course content surveillance by ANY agency is going to require cooperation from a telecom provider!  How else are they supposed to get data and transmissions redirected to government taps and recorders?

As stated in the article from 27b Stroke 6, the EFF will most likely respond by the end of this month stating that it is a known fact (admitted by Congressional officials) that some of the nation’s largest telecom providers did turn over databases to the government.