Digital Rights Case Studies
Add case study details, for example, the wrongful arrest of David Merry[1]; people[2] who've made it on to America's no-fly list for no good reason; and other abuses of people's digital rights.
UK
See also: UK Privacy Debacles
Delores McNamara's details accessed by Tax and Social Welfare officials after she wins EuroMillions: http://www.timesonline.co.uk/article/0,,2091-2014750,00.html
Andrew Rowe recently got sent away for a long time for possessing a small piece of paper on which were scrawled a few dozen words, and corresponding codewords. http://www.chiark.greenend.org.uk/pipermail/ukcrypto/2006-May/080784.html Ross Anderson was asked to give an expert opinion on its fitness for alleged purpose, and wasn't too impressed.
Now the bungling Home Office steals our good names After all the recent revelations of Home Office incompetence, the disclosure that almost 1,500 citizens have been wrongly said to have criminal records is less shocking than it would once have been.
Ross Anderson: Security of Medical Information Systems. An example of likely problems comes from a report that the Real IRA penetrated the Royal Victoria Hospital in Northern Ireland and used its electronic medical records to gather information on policemen to target them and their families for murder. A particularly shocking case was that of Helen Wilkinson, who needed to organise a debate in Parliament to get ministers to agree to remove defamatory and untrue information about her from NHS computers.
Indymedia Server Takedown On Thursday, October 7, 2004, more than 20 Independent Media Center (IMC) websites and other Internet services were taken offline pursuant to a Commissioner's Subpoena. The hard drives were handed over in the UK, following an order by a US federal agency which acted on the request of another country, possibly Italy and/or Switzerland, complaining about a website run by French volunteers. Or, as Indymedia volunteer Micah guessed on IRC-chat the very day of the event: "So this is about Swiss police, on a French site, on a server in England, taken away by American federal police..." Kurt Opsahl, Staff Attorney of the Electronic Frontiers Foundation, states: Oct 8 "This seizure has grave implications for free speech and privacy. The Constitution does not permit the government unilaterally to cut off the speech of an independent media outlet, especially without providing a reason or even allowing Indymedia the information necessary to contest the seizure."
In a significant number of the Operation Ore cases, it now appears that the poor chaps who had their doors broken down at 4am were not bad people who had downloaded filthy pictures - they were unlucky people who were the victims of credit card fraud. Operation Ore Exposed
Royal Bank of Scotland and its NatWest subsidiary are being investigated for allegedly dumping customers' financial details in bins
Tax credit fiasco: 8,800 identities stolen
One of Britain’s biggest high street banks knew about a security loophole in its online banking service that left millions of accounts open to fraud and did nothing about it for almost two years. HSBC initially denied the defect in its computer banking but conceded yesterday that the problem had been known about since the system was introduced. HSBC knew about security loophole in online banking
TK Maxx loses payment details Retailer TK Maxx has warned UK customers that their credit and debit card details may have been stolen in a when there computing systems where cracked into by attackers. The attack occurred in December, but, on the advice of investigative authorities, they only alerted customers at the end of January.
Norway
DVD Jon released DeCSS a program for viewing DVDs, he was prosecuted in Norway for computer hacking. The trial opened in the Oslo district court (Oslo tingrett) on December 9, 2002 with Johansen pleading not guilty to charges that had a maximum penalty of two years in prison or large fines. The defence argued that no illegal access was obtained to anyone else's information, since Johansen owned the DVDs himself. Also, they argued that it is legal under Norwegian law to make copies of such data for personal use. The verdict was announced on January 7, 2003 acquitting Johansen of all charges.
In June 2006 NextGenTel, one of the biggest broadband providers in Norway decided to deliberately limit the bandwidth from the Norwegian Broadcasting Corporation (NRK). The CEO of NextGenTel, Morten Ågnes tells the Norwegian newspaper Aftenposten that they will give priority to the content providers that pay for better bandwidth. It seems like the customers won this battle (link, to Norwegian article). Due to bad publicity and reactions from customers, on October 3rd NextGenTel removed the limit and NRK is now back on full speed in their network.
Sweden
The Swedish police attempted to take down The Piratebay, several sources reported that the MPAA initiated the attack by directly influencing Swedish authorities on governmental level, in this case the Ministry of Justice, to intervene in this specific case, which is considered illegal in Sweden. It also turned out that the US had threatened to put Sweden on WTO’s black list because they didn’t take the Pirate Bay down, something that should’ve made the Swedish government move even quicker.
Australia
Australian ID card database misused by Government staff. Australia's identity card system was routinely searched for personal reasons by Government agency employees, some of whom have been sacked. Police are now investigating allegations of identity fraud resulting from the security breaches. Centrelink staff sacked for spying The government's welfare agency has confirmed it uncovered almost 600 cases of staff wrongfully accessing client records during the last two years. The head of the Australian government’s Smartcard Privacy Taskforce, Professor Allan Fels said the breaches highlighted why data on the proposed new card should be kept to a minimum.
Brazil
Google complies with a "small and narrow" court order for information about hate groups in a Brazilian court. The case highlighted concerns that "as long as Internet companies retain data that can identify people, which they use for marketing purposes, they will become targets of law enforcement" according to the article. Google said "it is and always has been our intention to be as cooperative in the investigation and prosecution of crimes as we possibly can" however "European and Latin American laws permit prosecution for hate speech -- an approach the U.S. Constitution does not allow" according to the Post.
USA
- Personal information belonging to more than 650,000 US customers of J.C. Penney at risk after backup tape lost
- A senior database administrator for a consumer reporting agency in Florida stole more than 8.4 million account records and sold them to a data broker. He netted $580,000 over five years from the scheme.
- Data Theft Puts 26.5 Million Veterans at Risk. In a shocking illustration of the truism that more integrated databases make for larger and more lucrative honey pots/disaster magnets, the data of approximately 26.5 million US veterans was stolen recently. [3] UPDATE: Also includes 2.2 million active U.S. military personnel, including nearly 80 percent of the active-duty force, raising concerns about national security as well as identity theft. [4]
- Russian programmer Dmitry Sklyarov was prosecuted for writing a program that read ebooks aloud so that blind people could read them. The case began in July 16, 2001, when the FBI arrested Dmitry Sklyarov at the Defcon conference in Las Vegas. Sklyarov was the lead engineer on an Elcomsoft product known as the Advanced eBook Processor (AEBPR), which software giant Adobe Systems Inc. claimed was a "circumvention tool" prohibited by the DMCA. A federal jury in San Jose today returned a verdict of not guilty on all counts in the criminal trial of Sklyarov's employer, a Russian software company called Elcomsoft Ltd. The case was the one of the first criminal cases to be brought under the Digital Millennium Copyright Act of 1998 ("DMCA").
- Florida laptop loss sparks ID theft fears The theft of a laptop containing the unencrypted personal details of 133,000 Florida residents has sparked a major security alert. The PC was stolen from the car of a worker at Florida’s Department of Transportation, making it the latest in a spate of US organisations airing the private credentials of individuals in public.
- Electronic files containing personal data of up to 2,200 Oregon taxpayers may have been compromised by an ex-employee's unauthorized use of a computer, the Oregon Department of Revenue said Tuesday. The incident apparently occurred when an employee downloaded a contaminated file from a po</spam>rn site. The "trojan" program attached to the file may have sent taxpayer information back to the source when the computer was turned on again.
- A Chronology of Data Breaches TOTAL number of records containing sensitive personal information involved in security breaches: 88,931,692 since Feb 2005. That's just in the US.
- UCLA Hacked, 800,000 Identities Exposed A central campus database at UCLA containing the personal information (including SSNs) of about 800,000 UCLA affiliates has been compromised for possibly over a year. The data may have been available to hackers since October 2005 until November 21, 2006, when the breach was finally detected and blocked.
- What the heck was on that stolen laptop? Four in five (81 per cent) US firms have lost at least one laptop containing sensitive data in the last year, according to a new study.
- 10 worst privacy debacles of all time Wired
- Federal education loan site exposes personal info of up to 21,000 including names, Social Security numbers, addresses and birth dates
- Inspectors: IRS lost 490 laptops, many with unencrypted data A government audit of the IRS finds that the organization has lost 490 laptops in three years, and routinely fails to encrypt sensitive data or secure its off-site backups
- Fidelity employee steals 2.3 million consumer records Fidelity National Information Services, the major US financial processing company, said today a senior level database administrator at one of its subsidiaries stole 2.3 million consumer records containing bank account and credit card information as well as other personal information.
Canada
- A security flaw in Passport Canada's website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver's licence numbers - of people applying for new passports.
International
In 2009, the Open Society Foundation funded research into the campaigning methodologies of six groups: from Brazil, the US, New Zealand, Canada, France and the UK. The research was carried out by former ORG Executive Director Becky Hogge. Click through for a summary of the report and to download a copy.