Employer not allowed to search for porn on employee’s home computer
In re Jordan, — S.W.3d —, 2012 WL 1098275 (Texas App., April 3, 2012) Former employee sued her old company for subjecting her to a sexually hostile workplace and for firing her after she reported it. She claimed that she had never looked at pornography before she saw some on the computers at work. During [...]
Demanding Social Media Passwords From Job Seekers Is Wrong
Today’s Slaw post: The issue of corporate or government employers asking for social media login ID’s and passwords for job seekers has reared its head again. See this CBC article entitled U.S. job seekers get asked for Facebook passwords. And see this article I wrote a year ago on the subject. This is wrong on [...]
Privacy rights getting clearer – Tort recognized for first time
For the London Free Press – March 5, 2012 – Read this on Canoe The Ontario Court of Appeal just released its decision in Jones v Tsige, recognizing for the first time there is a tort of invasion of privacy in Ontario. The gist of the facts in Jones was a bank employee looked up [...]
DHS OIG study of scanners silent on computer threats
The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released their report on safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as wh…
DHS OIG study of scanners silent on computer threats
The U.S. Department of Homeland Security Office of Inspector General (DHS OIG) released their report on safety of airport backscatter machines on February 29. The report has received criticism from ProPublica among others for what it says as well as what it doesn’t, mostly focusing on issues of incremental risk to the traveling public, the large number of repair services, and the lack of data analyzing whether the machines serve their claimed purpose. (The report does not address millimeter wave machines, which most scientists believe are safer.)
But what’s surprising in both the report and the critiques about it is that they have only discussed the radiation aspects when used as intended, and not the information systems embedded in the devices, or what happens if the scanners are used in unintended ways, as could happen with a computer system malfunction. Like any modern system, the scanners almost certainly have a plethora of computer systems, controlling the scanning beam, analysis of what the beam finds, etc. It’s pretty likely that there’s Windows and Linux systems embedded in the device, and it’s certain that the different parts of the device are networked together, for example so a technician in a separate room can see the images without seeing the person being scanned (as TSA has done to head off the complaints about invasion of privacy).
The computer systems are the parts that concern me the most. We should be considered about security, safety, and privacy with such complex systems. But the report doesn’t use the word “software” even once, and the word “computer” is used twice in reference to training but not to the devices themselves.
On the safety front, we know that improperly designed software/hardware interaction can lead to serious and even fatal results – Nancy Leveson’s report on the failure of the Therac-25 system should be required reading for anyone considering building a software-controlled radiation management system, or anyone assessing the safety of such a system. We can hope that the hardware design of the scanners is such that even malicious software would be unable to cause the kind of failures that occurred with the Therac-25, but the OIG report gives no indication whether that risk was considered.
On the security and privacy front, we know that the devices have software update capabilities – that became clear when they were “upgraded” to obscure the person’s face as a privacy measure, and future planned upgrades to provide only a body outline showing items of concern, rather than an actual image of the person. So what protections are in place to ensure that insiders or outsiders can’t install “custom” upgrades that leak images, or worse yet change the radiation characteristics of the machines? Consider the recent case of the Air Force drone control facility that was infected by malware, despite being a closed classified network – we should not assume that closed networks will remain closed, especially with the ease of carrying USB devices.
Since we know that the scanners include networks, what measures are in place to protect the networks, and to prevent their being attacked just like the networks used by government and private industry? Yes, it’s possible to build the devices as closed networks protected by encryption – and it’s also possible to accidentally or intentionally subvert those networks by connecting them up using wireless routers.
Yes, I know that the government has extensive processes in place to approve any computer systems, using a process known as Certification and Accreditation. Unfortunately, C&A processes tend to focus too much on the paperwork, and not enough on real-world threat assessments. And perhaps the C&A process used for the scanners really is good enough, but we just don’t know, and the OIG report by neglecting to discus the computer side of the scanners gives no reassurance.
Over the past few years, Stuxnet and research into embedded devices such as those used in cars and medical devices have taught us that embedded systems software can impact the real world in surprising ways. And with software controlled radiation devices potentially causing unseen damage, the risks to the traveling public are too great for the OIG to ignore this critical aspect of the machines.
Video: This Week in Law Episode 150
Had a great time hosting This Week in Law Episode 150, which we recorded on February 24. (Thanks to Denise Howell for handing over the hosting reins while she was off for the week.) It was a really fun conversation with three very smart panelists — Mike Godwin, Greg Sergienko and Jonathan Frieden. We talked [...]
No restraining order against uncle posting family photos on Facebook
Court refuses to consider common law invasion of privacy tort to support restraining order under Minnesota statute. Olson v. LaBrie, 2012 WL 426585 (Minn. App. February 13, 2012) Appellant sought a restraining order against his uncle, saying that his uncle engaged in harassment by posting family photos of appellant (including one of him in front [...]
Teacher fired over Facebook post gets her job back
Court invokes notion of “contextual integrity” to evaluate social media user’s online behavior. Rubino v. City of New York, 2012 WL 373101 (N.Y. Sup. February 1, 2012) The day after a student drowned at the beach while on a field trip, a fifth grade teacher updated her Facebook status to say: After today, I am [...]
Six interesting technology law issues raised in the Facebook IPO
Patent trolls, open source, do not track, SOPA, PIPA and much, much more: Facebook’s IPO filing has a real zoo of issues. The securities laws require that companies going public identify risk factors that could adversely affect the company’s stock. Facebook’s S-1 filing, which it sent to the SEC today, identified almost 40 such factors. [...]
Privacy Commissioner explains problems with proposed lawful access law
That’s the title of my Slaw post for today. It reads as follows. With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without [...]
« go back — keep looking »
Categories
Blogroll
Ads and partners
