Four Main Areas of Change

There are certain aspects of the ARRA that make significant changes on the types and level of privacy and security requirements healthcare providers are required to follow. The ARRA imposes substantial modifications in the following four areas:

1. HIPAA (Health Insurance Portability and Accountability Act) statutory requirements
2. Increased enforcement of HIPAA
3. Provisions to address health information held by entities not covered by HIPAA
4. Other changes including administrative changes, studies, reports and educational initiatives

The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA enforcement policy and procedure.

Direct Accountability

The ARRA amends original legislation and holds business associates accountable by federal and state authorities for failure to comply with any applicable provisions of the HIPAA Privacy and Security Rules. The original Act states that government authorities are unable to hold business associates accountable for failing to comply with their agreements; only covered entities can be held liable for the actions of their business associates in limited circumstances.

Criminal Penalties

ARRA provides important clarification that HIPAA’s criminal penalties can be enforced against individuals. This includes, but is not limited to, employees of a covered entity. This provision essentially overrules a Department of Justice memo issued during the Bush Administration that declared only covered entities could be criminally prosecuted for violations of HIPAA.

ARRA also clarifies that Health and Human Services (HHS) and state attorneys general can pursue a civil HIPAA violation in cases where criminal penalties could be imposed, but the Department of Justice declines to pursue the case. The Secretary is required to formally investigate any complaint where a preliminary investigation of the facts indicates a possible violation due to willful neglect. The Secretary must also impose a civil monetary penalty if a violation is found to constitute willful neglect of the law. The Government Accountability Office (GAO) will need to develop a methodology for individuals affected by HIPAA violations to receive a percentage of any penalty or monetary settlement collected.

There is also a new tiered penalty structure, based on the level of the HIPAA violation, which is capped at $50,000 per violation and an annual maximum of $1.5 million.

Enforcement by State Attorneys General & Secretary Auditing

There are a number of states that authorize their attorneys general to enforce federal consumer protection laws, which include HIPAA. ARRA expressly authorizes all state attorneys general to enforce HIPAA in federal district court. This means that attorneys general in all states are able to enforce the law, even if no state authorizing statue exists. Penalties imposed in such situations are limited to former statutory minimum set by the HIPAA: $100 per violation and $25,000 annually for repeat violations of the same provision.

The Secretary has the right to intervene in the application of this provision where necessary. The ARRA also requires the Secretary to perform periodic audits to ensure compliance with the new provisions.

Summary

This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA enforcement.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

• Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)

Main Policy Points

The body of Circular A-130 discusses the policy for managing information resources. The information management policy is briefly outlined below:

• Agencies are required to plan in an integrated manner for managing information throughout its lifecycle.
• Agencies should provide for public access to records where required/appropriate.
• Agencies should collect or create only the information that is necessary for the proper performance of agency functions, or that which has practical use.
• Electronic collection techniques should be used in order to reduce the burden on the public, increase efficiency of government programs, reduce costs to the government and public and/or provide better services to the public.
• Agencies are responsible for providing the public information on their missions.
• Agencies must maintain and implement a management system for all information dissemination products.
• Agencies should avoid improperly restrictive practices.
• Agencies shall use electronic media and formats (as well as public networks) to make government information more accessible and useful to the public.
• Agencies are responsible for safeguarding sensitive or personally identifiable information.
• Agencies should promote the appropriate application of federal information resources and carryout the necessary activities for evaluation and performance management.
• Agencies should establish and maintain strategic information resources management (IRM) planning processes.
• Agencies should establish information system management oversight mechanisms.
• Agencies should create and maintain management and technical frameworks using information resources that document linkages between mission needs, information content and information technology capabilities.
• Agencies are responsible for the acquisition of information technology in an appropriate manner.

Revisions to Circular A-130

The OMB Circular A-130 was revised during 1993 in two phases. During the first phase, issued on June 25, 1993, changes primarily focused on information policy. Revisions were carried out in order to encourage agencies to utilize new technologies to improve public access. In the second phase, revisions were made in the way the government manages its information technology resources.

According to Sally Katzen, Administrator of OMB’s Office of Information and Regulatory Affairs (OIRA), the office charged with developing and implementing government information policies, the revisions of Circular A-130,

“… will help bring the Federal government into the information age. This is a major step toward realizing the vision of a government that uses technology better to communicate with the American people… These long-awaited revisions to Circular A-130 are an integral part of the President and Vice-President’s technology initiative… We will use information technology to make government information available to the public in a timely and equitable manner, via a diverse array of sources, both public and private. We will also ensure that privacy and security interests are protected.”

Revisions to the original Circular emphasized integrated management of information dissemination products. Agency electronic information products (e.g. computer tapes, CDs, online services) would then fall under the same policy umbrella as printed publications or audio visual materials. Agencies were then asked to develop and maintain indexes and other tools to facilitate the location of government information for members of the public.

As a result of Circular A-130, the OMB made a commitment to take various other steps to improve information management and the technology initiative at that time. Such steps included:

• Sponsoring a coordinated initiative to improve email amongst agencies
• Promoting the establishment of an agency-based Government Information/Inventory Locator System (GIILS) to help the public locate and access public information
• Using the Paperwork Reduction Act to encourage agencies to convert paper documents such as purchase orders, invoices, health insurance claims, environmental reports, customs declarations and other regulatory filings to electronic form

Summary

This article takes a look at OMB (Office of Management and Budget) Circular A-130,  first released in 1985, in order to meet the requirements of the Paperwork Reduction Act of 1980. Circular A-130 establishes policy for the management of US federal government information resources. It provides a brief outline of the basic objectives of the policy. It also explores the two phases of revisions that took place in 1993 in order to bring the policy up-to-date.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Management Process – OMB Circular A-130 (II.B.a.i.)

According to the commentary in President Obama’s Budget for Fiscal Year 2010:

“These incentives, coupled with other activities authorized in… [ARRA], are expected to result in a dramatic increase in the percentage of health care providers using health IT within five years. Computerized health records – while protecting the privacy and security of personal health information – is expected to facilitate improvements in the quality of health care, prevention of unnecessary health care spending, and a reduction in medical errors.”

Provisions on privacy and security were found in ARRA’s Title XIII, Subtitle D and certain parts of Subtitle A. The ARRA provisions were generally effective as of February 17, 2010, but a more specific implementation timeline is available here.

Four Main Areas of Change

There are certain aspects of the ARRA that make significant changes on the types and level of privacy and security requirements healthcare providers are required to follow. The ARRA imposes substantial modifications in the following four areas:

1. HIPAA (Health Insurance Portability and Accountability Act) statutory requirements
2. Increased enforcement of HIPAA
3. Provisions to address health information held by entities not covered by HIPAA
4. Other changes including administrative changes, studies, reports and educational initiatives

The modifications in each of these four areas are discussed in separate articles in this series. This article focuses on the ARRA’s changes to HIPAA statutory requirements.

Business Associates & Compliance

Prior to the enactment of the ARRA, HIPAA required that covered entities (e.g. hospitals, physicians and health plans) enter into contracts (called “business associate agreements”) with entities performing functions or providing services on their behalf, where those functions/services involved the exchange of health information. The business associate agreements required the business associates to use appropriate security safeguards to protect health information they received and were responsible for. It is important to note that before the enactment of the ARRA, business associates were not directly subject to governmental enforcement action; covered entities would have to sue them for breach of contract.

The ARRA requires business associates to comply directly with most of the provisions of the HIPAA Security Rule. Business associates must also comply with Privacy Rule provisions that are made applicable to them by their contract with the covered entity. This means that they must comply with any changes to the Privacy Rule that are part of ARRA, whether or not those provisions are included in their contracts with the covered entities.

Data Breaches

Originally, the HIPAA did not require covered entities to notify affected individuals in the case of breaches of their protected health information. Now, the ARRA requires that individuals be notified if their unsecured health information has been breached. In the case of outsourcing, business associates should notify the covered entities of any breaches and the covered entities should then notify the individuals concerned.

Restricting Disclosures

ARRA imposes a requirement on covered entities (and their business associates) to honor an individuals’ request to restrict disclosure of protected health information to a health plan for purposes of payment or health care operations if the information pertains solely to a health care item or service that the individual has paid for in full or out-of-pocket.

“Minimum necessary” Amounts

The Privacy rule outlines that only the minimum necessary amount of protected health information should be accessed, used or disclosed (except in cases of treatment and other specific circumstances). The rule also outlines that a limited data set should be used. This data set should be stripped of a number of categories of patient-identifying information and can be used pursuant to a data use agreement for research, public health and health care operations purposes. The ARRA requires the Secretary to establish guidance on what “minimum necessary” means.

Disclosures of Personal Health Information

The Privacy Rule initially stated that covered entities needed to provide – upon request – an accounting of disclosures of protected health information made from the individual’s medical record for the previous six years. However, a number of disclosures are exempted from this requirement, including disclosures for treatment, payment, and health care operations. The ARRA states that covered entities using electronic health care records may no longer exempt such disclosures. However, the accounting only needs to cover the previous three years, rather than six.

No “Sale” of Protected Health Information

ARRA prohibits direct or indirect remuneration in exchange for an individual`s protected health information without the individual’s authorization. This authorization must also specify whether the information can be further exchanged for remuneration by the original entity that receives the data. There are of course, exceptions to this provision.

Right of Access

The HIPAA Privacy Rule always protected individuals’ right to access and obtain a copy of their health records, normally within thirty days of their request. The ARRA requires covered entities using electronic health records to provide individuals with an electronic copy of the record. The record must directly be transmitted to an entity or person specified by the individual. Fees should be kept to a minimum reasonable amount in relation to the labor costs.

Marketing Communications

ARRA imposes more stringent restrictions and regulations on authorization for marketing purposes. If a covered entity is paid by an outside entity to send a communication to a patient, the communication is considered “marketing.” This means that it will require prior authorization from the patient.

There are some exceptions to this regulation. For instance, protected health information is permitted to be used without authorization if it is for communications that describe a drug or biologic that is currently being prescribed/administered to the individual, as long as the payment received by the covered entity is reasonable in amount. Communications that have patients’ authorization may also be sponsored by outside entities.

Opting Out of Fundraising

Previously, covered entities were able to use an individual’s demographic information as well as the dates during which they received health care to send fundraising communications without pre-authorization from the individual. The ARRA now requires the Secretary to create a rule requiring that individuals be able to opt-out of receiving such communications in a clear and conspicuous way.

Summary

This article takes a look at the American Recovery and Reinvestment Act (ARRA) of 2009, which created some significant changes to privacy and security regulations which were outlined in the Health Insurance Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health (HITECH) Act. The ARRA imposes substantial modifications in four main areas: 1) HIPAA statutory requirements; 2) Increased enforcement of HIPAA; 3) Provisions to address health information held by entities not covered by HIPAA; and 4) Other changes including administrative changes, studies, reports and educational initiatives. This article takes a look at the modifications the ARRA made to HIPAA statutory requirements around privacy and security.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

• Amendments under the American Recovery & Reinvestment Act of 2009 (I.B.a.i.3.)

Compliance

The DHS has a very specific privacy compliance process. The DHS Privacy Office is responsible for the assessment of all new or proposed Department activities in order to ensure responsible handling of personally identifiable information (PII) and to mitigate privacy risks.

The following explores the methods by which the Privacy Office ensures compliance in all departmental activities:

• Privacy Threshold Analysis (PTA) – The PTA is a required document that serves as the official determination by the Privacy Office in order to determine if a DHS program or system has privacy implications. Also, PTAs are used to determine of additional privacy compliance documentation is required. PTAs are designed into all DHS processes for technology investments and security. They expire every three years.

PTAs serve the following objectives:

• Identify privacy-sensitive programs and systems
• Demonstrate inclusion of privacy considerations during the review of a program or system
• Provide the Privacy Office with a record of the program or system, as well as its privacy requirements
• Demonstrate compliance with privacy laws and regulations
• Privacy Impact Assessment(PIA) – The PIA is a decision-making tool that is used to identify and mitigate privacy risks at the start, as well as throughout the development lifecycle of a program or system. PIAs aid the public in understanding what PII the DHS is collecting, why the information is being collected, and how it will be used, shared, accessed and stored.

PIAs are required for the following reasons:

• When developing or procuring any new DHS program or system that will handle or collect PII
• For budget submissions to the Office of Management and Budget (OMB) that affect PII
• With pilot tests that affect PII
• When developing program or system revisions that affect PII
• When issuing a new or updated rulemaking that involves collection, use and maintenance of PII
• System of Records Notice(SORN) – A `system of records’ is a group of records under the control of any federal agency from which information is retrieved by a unique personal identifier assigned to an individual. A SORN is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (i.e. routine uses) and how to access or correct any PII maintained by the DHS.

DHS Privacy Office

The DHS Privacy Office is the first statutorily created privacy office in the Federal government. The Office operates under the direction of the Chief Privacy Officer, a position that is discussed in further detail in the following section. The mission of the Privacy Office is: “… to preserve and enhance privacy protections for all individuals, to promote transparency of DHS operations, and to serve as a leader in the privacy community.”

The Privacy Office carries out the following activities:

• Requires compliance with the letter and spirit of Federal laws that protect privacy
• Centralizes FOI and Privacy Act operations to provide policy and programmatic oversight and to support operational implementation within the DHS components
• Provides education and outreach to build a culture of privacy and adherence to the Fair Information Practice Principles (FIPPs) across the DHS
• Provides transparency to the public through published materials, formal notices, public workshops and meetings

The Privacy Office is made up of the following operational teams:

• International Privacy Policy
• Departmental Disclosure and FOIA
• Privacy Compliances
• Privacy Policy (includes communications and training)
• Privacy Incidents and Inquiries
• Privacy Technology and Intelligence
• Legislative and Regulatory Analysis

Chief Privacy Officer, DHS

The Chief Privacy Officer (CPO) is a position within the DHS, appointed by the US Secretary of Homeland Security. The CPO also serves as the Chief Freedom of Information Act (FOIA) Officer at the DHS Privacy Office.

According to Section 222 of the Homeland Security Act of 2002, the CPO is primarily responsible for the privacy policy at the DHS. Duties include:

• Assuring that technologies used by the DHS to protect the US sustain, rather than erode, privacy protections related to the use, collection and disclosure of personal information
• Assuring that the DHS complies with fair information practices set out in the Privacy Act of 1974
• Conducting privacy impact assessments (PIA) of proposed rules at the DHS
• Evaluating legislative and regulatory proposals involving the collection, use and disclosure of personal information by the Federal government
• Preparing an annual report to Congress on DHS activities that affect privacy

Summary

This article takes a look at the privacy policies and practices at the US Department of Homeland Security (DHS). In addition to compliance with federal privacy legislation, the DHS also has its own privacy guidance, which include security methodologies, as well as a Privacy Office that is responsible for the oversight of systems and programs that deal with personally identifiable information. The article takes a closer look at the DHS Privacy Office, the first statutorily created privacy office in the US federal government, as well as the unique role of the Chief Privacy Officer/Chief Freedom of Information Act (FOIA) Officer.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Policy Approaches – Department of Homeland Security (II.A.e.ii.3.)

Background

CALEA was passed in 1994 in order to facilitate law enforcement authorities’ wiretapping of digital telephone networks. It was the first piece of legislation in history that required telecommunications companies to modify their equipment in order to facilitate government surveillance. The FBI originally proposed the CALEA in 1992. This proposal was broadly inclusive – for instance, computer networks would have been part of this Act, in the name of government surveillance.

The CALEA essentially forced telephone companies to redesign their architectures in order to facilitate wiretapping. Notably, the CALEA did not regulate data traveling over the internet.

According to privacy watchdogs, wiretapping of suspected criminal activity by law enforcement agencies can rapidly degenerate into suspicionless monitoring of the general public, which violates the Fourth Amendment.

According to the Privacy Rights Clearinghouse, “Wiretapping is any interception of a telephone transmission by accessing the telephone signal itself.” Another related concept is ‘electronic eavesdropping,’ which is defined as “the use of an electronic transmitting or recording device to monitor conversations without the consent of the parties.”

Under US law, there are very few situations in which wiretaps are legal. However, technological improvements have made it increasingly easier to illegally wiretap communications.

Evolution of CALEA

In August 2004, the Federal Communications Commission (FCC) released a Notice of Proposed Rule Making (NPRM), which expanded the boundaries of CALEA by redefining what constitutes telephone service, concluding that broadband Internet access providers and managed VoIP systems substantially replace local exchanges and therefore are subject to the requirements of CALEA.

In August 2005, the FCC announced a Final Rule, which expanded CALEA to Internet broadband providers and certain VoIP providers.

Critics Say…

In response to the expanding reach of CALEA, the Electronic Frontier Foundation (EFF) has listed a number of objections and concerns. These are briefly summarized below.

• Wiretapping Convenience – According to the EFF, wiretapping is already a relatively easy practice as is. Existing legislation already permits law enforcement agencies to place Internet users under surveillance, regardless of what programs or protocols being used to communicate. The reality is that most types of surveillance has gotten easier in this day and age.
• “Tappability Principle” is Problematic – The FBI suggested that if something is legally searchable sometimes, it should be physically searchable all the time (the “tappability principle”). However, this could lead to all individual phones having built-in bugs, leaving consumers to trust that the phone companies or law enforcement would not activate those bugs without a legitimate reason.
• Increased Costs for Services – Expanding CALEA in the manner suggested by the FCC’s NPRM would cause broadband providers to spend millions of dollars restructuring their network architectures and design and manufacture surveillance-friendly technologies. This would cause telecommunications bills to skyrocket. It would also eliminate privacy-friendly technologies from the marketplace.
• Takes a Toll on Innovation – CALEA compliance would significantly reduce the scope of technological research and development. It would also allow the FCC to have authority over a wider range of technologies. CALEA’s requirements might result in economic incentives for software developers to create new programs (e.g. email, IM programs) that are more surveillance-friendly. This would mean that innovators will need to work within the guidelines of CALEA’s surveillance.
• Phone Regulations are not Applicable – The NPRM assumes that regulations that apply within the phone network (a closed, insulated system) should be extended to the internet (an open, always-changing system). This could severely hamper technological development and innovation on the Internet, where new services and devices are being introduced all the time.
• Internet Insecurities – Unfortunately, many of the technologies that are used to create surveillance-friendly computer networks might increase the risk of attacks or breaches of personal data. Broadband service providers who must make their networks or applications more tappable end up introducing potential points of vulnerability into their system. Many users are unaware of this reality when they register for such services.

Surveillance-Industrial Complex

Services that facilitate wiretapping, and the types of policies that are necessitated by such legislation as the CALEA essentially facilitates what the American Civil Liberties Union (ACLU) refers to as the surveillance-industrial complex, which involves the integration of private individuals and organizations with a government-sanctioned surveillance network. Private entities motivated by profiting from surveillance activities have an incentive to lobby for increased government surveillance authority.

Regarding the CALEA, the ACLU comments,

“Americans have long feared the specter of the government maintaining dossiers filled with information about the lives of individual, innocent citizens. Data retention, whether mandatory or de facto, achieves the same goal indirectly, by ensuring that information is stored by corporations – from where, as we have seen, it can easily be accessed by the authorities.”

Summary

This article takes a look at the Communications Assistance for Law Enforcement Act (CALEA), which was passed in 1994 to facilitate law enforcement authorities’ wiretapping of digital telephone networks. In 2004, the FCC suggested substantial expansions in the scope of the CALEA in its Notice of Proposed Rulemaking (NPRM). In August 2005, the FCC’s Final Rule expanded the CALEA to include Internet broadband and VoIP providers. This article also explores privacy watchdogs’ criticism of government surveillance expansion.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:

• Communications Assistance to Law Enforcement Act – CALEA (I.B.a.iii.3.)

US Census Bureau: Data Stewardship

The Census Bureau’s objective is to produce accurate, relevant statistics on US economy and population. It is legally and ethically obligated to protect the privacy and confidentiality of the individuals who offer their data. According to the Bureau’s mission statement, “We honor privacy, protect confidentiality, share our expertise globally, and conduct our work openly.” One of the Bureau’s strategic goals is to “Foster an environment that supports innovation, reduces respondent burden, and ensures individual privacy.” The approach that the Census Bureau takes to maintain the trust of US citizens is referred to as “Data Stewardship.”

Data stewardship is the formal process by which the Bureau remains responsible and accountable for data protection throughout the data lifecycle. This is the time which someone responds to a survey, all the way to the release of statistical data products. Each survey and program under the Census Bureau’s responsibility is required to comply with data stewardship policies at every step in the process.

There are three ways that the Bureau protects personal information:

1. Federal Law – Federal law protects personal information. Title 13 of the US Code protects the confidentiality of all information provided to the Bureau. Violation of Title 13 results in severe penalties.
2. Privacy Principles – In addition to federal legislation, the Bureau has developed its own set of privacy principles, which are guidelines for all its activities. Privacy principles include the Bureau’s responsibilities to protect personal information, as well as individuals’ rights as survey respondents.
3. Statistics Safeguards – These include methods to ensure that statistics released by the Bureau do not identify individuals or businesses. All data products are extensively reviewed and analyzed. Disclosure avoidance methodologies (e.g. data suppression, data modification) are also applied.

IRS: Privacy Office

Like other federal agencies, the IRS is committed to protecting Americans’ privacy rights. It notes that individuals’ privacy rights are protected by the following:

• Internal Revenue Code
• Privacy Act of 1974
• Freedom of Information Act
• IRS policies and practices

In addition to adhering to the above, the IRS also has a Privacy Office, which ensures that personal information entrusted with the IRS is protected appropriately. The Office addresses questions regarding IRS privacy policies and concerns regarding how the IRS uses and collects personal information.

Department of Defense: Privacy Policy

The Department of Defense (DoD) provides a website as a public service by the Office of the Assistant Secretary of Defense – Public Affairs. Like other websites, there are options for individuals to offer the DoD personal information and the DoD is responsible for treating this information appropriately. The Dod maintains a wide variety of physical, electronic and procedural safeguards to protect personal information from unauthorized disclosure or data breach.

According to the DoD’s website Privacy Act Statement:

“If you choose to provide us with personal information… we will only use that information to respond to your message or request. We will only share the information you give us with another government agency if your inquiry relates to that agency, or as otherwise required by law. We never create individual profiles or give it to any private organizations. Defense.gov never collects information for commercial marketing.”

Summary

This article takes a look at approaches to privacy protection at various agencies of the US federal government: the US Census Bureau, the Internal Revenue Service (IRS) and the US Department of Defense (DoD). Each department or agency is guided by federal privacy legislation, as well as internal policies and practices.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/US Government (CIPP/G) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Policy Enforcement – Sample Approaches (II.A.e.ii.)

An example of behavioral marketing is advertising popular related items next to a news story that readers might find interesting. Another example is how large e-commerce sites, such as Amazon, will list products that other customers have also purchased when browsing. The objective of behavioral marketing is to identify and advertise to your target audience, to ensure that marketing efforts are directed towards individuals who are most likely to purchase the product.

FTC Report on OBM Principles

On February 12, 2009, the FTC issued its Staff Report on Self-Regulatory Principles for Online Behavioral Advertising. The report defined online behavioral advertising as “the tracking of a consumer’s online activities over time – including the searches the consumer has conducted, the Web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests.”

The report went on to outline principles that ensure:

• Transparency and consumer control
• Reasonable security and limited data retention for consumer data
• Affirmative express consent for material changes to existing privacy promises
• Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising

These principles apply equally in the context of mobile devices.

Responses to FTC Report

In response to the FTC’s guidelines, consumer privacy advocate groups began to claim that the document was not stringent enough and that the commission does not sufficiently investigate privacy threats and wrongful practices targeting children, adolescents and multicultural consumers. According to Pam Dixon, executive director of the World Privacy Forum,

“I think that the issue of self-regulation has been on the FTC’s plate for ten years and it’s disturbing that only one commissioner chose to question the self-regulatory model. I think my disappointment in the FTC approach is there weren’t specific renegotiations on the self-regulation model.”

According to Chris Hoofnagle, director of information privacy programs at the Berkeley Center for Law and Policy Center, Berkley, CA. “The FTC failed to address the clearest examples of sensitive information and that there is certain user data that should never be used for targeting.”

Cory Wright, senior counsel and adjunct professor at Georgetown Law commented, “The commission’s report does not heed the concerns we have been having. The policy is not meaningful. The document fails to define children in terms of what age group can be referred to as children. The FTC says affirmative consent will work but does not go into detail about what that means. The guidelines don’t go far enough to protect kids.”

Mobile OBM

Many advertisers are looking eagerly at the potential of the online mobile market. Perhaps companies could then connect with clients on the go to let them know about their nearby products and services. In response, the FTC and Congress have voiced their concerns regarding the potential for abuse and misuse of consumer information in this context. Furthermore, there is a quickly-diminishing distinction between personally identifiable information (PII) and non-PII, including a user’s IP address and other computer/mobile device identifiers.

It has been discussed that the FTC’s guidelines regarding mobile marketing does not do enough to control applications. It is challenging to create effective disclosures, especially given the size limitations in the mobile context, as well as continuous developments in mobile-based products and services.

Summary

This article takes a look at online behavioural marketing practices and how these are used in e-commerce. The article explores the FTC’s report on Self-Regulatory Principles for Online Behavioral Advertising, which was released in early 2009. It also looks at responses to the principles, from privacy rights groups in the United States. Finally, the article explores possible privacy issues inherent to mobile online behavioural marketing.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

• Online Behavioral Marketing (OBM) (III.B.j.ii.)

What is SEM?

SEM (search engine marketing) is a new form of marketing, and as such, is not yet standardized. SEM methods are continuously evolving, along with the changing perceptions of optimization. There are two distinct concerns regarding SEM practices, which can be classified into investors’ concerns and users’ concerns.

Major investors’ concerns are as follows:

• Placing paid search campaigns on search engine results pages have been to topic of significant controversy. In 2002, the Federal Trade Commission (FTC) mandated disclosure of paid advertisements on search engines.
• Private interest groups are reducing the definition of SEM and rendering it synonymous with “pay-per-click” campaigns. This means that search engine optimization (SEO) would fall outside of the SEM definition.
• Trademark infringement by third-party bidding has also been an area of concern.

From a user’s point of view, major privacy and security concerns are as follows:

• Certain advertisements contain external applications, which can often affect users’ browser settings, or show pop-ups in non-affiliated pages. Such applications might also be spyware.
• Third-party cookies can seriously compromise the user’s privacy or anonymity. Such cookies can enable advertisers to trace the address of the browser.

Google Analytics

In June 2010, a controversy arose around new additions to Google Analytics and the privacy issues that it touched upon. With these new additions, it became possible for website operations to use the search engine optimization suite to sift through Facebook profiles and Twitter posts. The software allowed individuals to conduct search engine marketing campaigns to find Facebook and Twitter profiles of individuals who have visited their websites, including a certain amount of personal information about these individuals.

Google’s privacy practices have often been criticized. Privacy professionals have often warned users to be aware of ways to protect their personal information. Regarding this particular Google controversy, the blogger Antoine Pace stated,

“The capacity for linking from Google or Twitter is quite well known and popular. There should probably be a warning saying that, by doing this, you are potentially disclosing you information, or something similar. If you are concerned about the use of your personal information, then you need to protect it. If you are scared about someone stealing your wallet, you don’t put it on the fence outside. Make sure your information is protected from the public.”

Scroogle

In response to search engine privacy concerns, certain web users have begun to use a search engine nicknamed the “Anti-Google.” Scroogle, developed by David Brandt in 2005, is a search engine that has no advertising, rather relies on small donations from its users. Scroogle ensures user privacy by masking the IP address of users who want to use Google search capabilities anonymously. It also offers an option for SSL encryption (256-bit AES key) of all communication between their computer and the search page.

Scroogle functions as a proxy for Google searches, which means that search terms, IP addresses and other search information that Google typically records is anonymized. The service then deletes all logs and cookies on their services within 48 hours, for additional privacy protection.

The increasing use of Scroogle and other similar proxy search engines remains a concern for Google advertisers and other search engine marketers. Although it is only a relatively small percentage of users who are currently using these services, the number is bound to increase, unless user privacy is taken seriously by the big players.

Summary

This post takes a look at search engine marketing (SEM) and search engine optimization (SEO), and how these relatively new ways of marketing can impact the security and privacy of users. The article takes a look at some of the major concerns from an investor’s and user’s perspective. The article also sites a recent SEM controversy, with new features offered by Google Analytics. Finally, the article introduces Scroogle, a search engine that allows users to mask their IP addresses in order to use Google search capabilities anonymously.

CIPP Exam Preparation

In preparation for the Certified Foundation Examination (Foundations), a privacy professional should be comfortable with topics related to this post, including:

• Search Engine Marketing (SEM) (III.B.j.i.)

What’s an APT?

An advanced persistent threat (APT) is a cybercrime category that aims for business and political targets. APTs require a high degree of stealth over a prolonged period of time in order to be successful. The objective of the attack is to compromise a system over the long term, as affected systems continue to be of service to the organization, even after the breach and once the initial goals have been reached.

Another way to understand APTs is outlined below:

• Advanced – Criminal attackers behind the threat use the full spectrum of computer intrusion techniques and technologies. Although the individual components of the attack may not be defined as especially advanced, the attackers can usually access and develop more advanced tools as necessary. Attackers will also combine a number of different attack methodologies and tools in order to gain access to and compromise their target victims.
• Persistent – Attackers will give priority to a specific task, instead of immediate financial gain. This means that the attackers are most likely guided by external entities. These targeted attacks are carried out through continuous monitoring and interaction. Rather than a constant stream of attacks and malware updates, these attacks will often take a “low-and-slow” approach (see below for more information).
• Threat – This indicates a high level of coordinated human involvement in the attack, as opposed to a mindless/automated piece of code. Attackers have a precise objective and are often highly skilled, motivated, organized and well-funded.

APTs effective breach enterprises through a number of vectors, despite the presence of well-designed and maintained defense strategies. The following is a brief outline of APT attack vectors:

• Internet-based malware infection
  • Drive-by downloads
  • Email attachments
  • File sharing
  • Pirated software and keygen
  • Spear phishing
  • DNS and routing mods
• Physical malware infection
• Infected USB memory sticks
• Infected CDs and DVDs
• Infected memory cards
• Infected appliances
• Backdoored IT equipment
• External exploitation
  • Professional hacking
  • Mass vulnerability exploits
  • Co-location host exploitation
  • Cloud provider penetration
  • Rogue Wi-Fi penetration
  • Smartphone bridging

“Low-and-Slow” Approach

A significant feature of APTs is that they remain invisible for as long as possible. Attackers using APT technologies tend to leverage “low-and-slow” approaches, meaning that they stealthily move from one compromised host to another, without generating regular or predictable network traffic. They use this approach to hunt for their specific data or system objectives.

Increasing Attacks

According to a recent Cisco white paper entitled “Email Attacks: This Time it’s Personal,” it appears that more and more attackers are swapping widespread malicious email campaigns for more targeted attacks which employ APT techniques:

“Cybercriminals are balancing competing priorities: Infect more users or keep the attack small enough to fly under security vendors’ radar? Spear phishing attack campaigns are limited in volume but offer higher user open and click-through rates… This is why the average value per victim can be 40 times that of a mass attack.”

The report went on to estimate that the returns for mass email-based attacks have gone from $1.1 billion per year in June 2010, to $500 million annually in June 2011. In the same period, daily spam volume fell from 300 billion messages per day to 40 billion messages per day.

Summary

An advanced persistent threats (APTs) are increasingly being used to compromise high-profile business and political targets over the long term. Such targeted attacks resort to stealthy online infiltration in order to steal valuable intellectual property. The reality of these threats to do significant damage on their targets is forcing organizational IT departments to rethink network security.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Unplanned Data Disclosure (I.B.g.)
• Security Safeguards (I.G.e.)
• Privacy Concerns – Organizational Practices (II.A.b.)
• System Monitoring (II.A.l.)

What happened?

McAfee first discovered the infiltration in 2009, when they came across a command-and-control server which was being used by the hackers for directing the remote administration tools (RATs). The earliest breaches date back to mid-2006, though it’s highly likely that there might have been other undetected intrusions.

The RATs were installed in victim organizations thorough spear-phishing techniques that are currently commonplace. Legitimate e-mails were sent to employees of the target organizations. The emails contained attachments that had exploit code, typically zero-day attacks, that compromise the employee’s system. Hackers then took advantage of the compromised computers to install RAT software, which permitted long-term monitoring, collection of credentials, network probing and data exfiltration.

This attack technique has been seen numerous times. For instance, this same pattern was repeated to break into RSA, the French and Canadian Finance Ministries and numerous oil and gas companies this year. Notably, it was also used during the Operation Aurora attacks in late 2009.

According to Dmitri Alperovitch, McAfee’s vice president of threat research:

“Even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators. What is happening to all this data… is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

McAfee reported that the total data stolen through Operation Shady RAT amounted to petabytes. The targets included governments; technology and defense companies; nonprofit sports bodies; and think tanks. McAfee points out that given the targeting of think tanks, the attacks were most likely perpetrated by a state actor, since the commercial value of sports bodies is relatively low.

Currently, McAfee is working with US government agencies to attempt to shut down the command-and-control server. The firm is also working with the victims, specifically, informing them of the attacks and offering assistance with their response efforts. Surprisingly, some victims continue to deny the attacks, though they have been presented with significant evidence to the contrary.

The parties responsible?

Jim Lewis, a cyber expert with the Center for Strategic and International Studies said that it was highly likely that China was behind the campaign, as some of the targets had information that would have been significant to Beijing. He pointed out that the presence of the International Olympic Committee and the Taiwanese government indicates China’s involvement. Speaking to Reuters, Lewis said, “Everything points to China. It could be the Russians, but there is more that points to China than Russia.”

In response to these allegations of state-sponsored hacking, the Google Chinese spokesman Hong Lei commented, “Hacking is an international problem and China is also a victim. The claims of so-called support for hacking are completely unfounded and have ulterior motives.”

According to McAfee’s Operation Shady RAT white paper:

“[The attacks have] been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate… This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.”

Summary

This article takes a look at Operation Shady RAT, a five-year hacking attack that targeted 14 different countries and at least 72 different organizations. Included in the victim list were governments; technology and defense companies; nonprofit sports bodies; and think tanks. Hackers used RATs (remote administration tools) to facilitate long-term monitoring, collection of credentials, network probing and data exfiltration of victim organizations.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy Concerns – Organizational Practices (II.A.b.)
• Government and Citizen Surveillance (II.A.k.)
• System Monitoring (II.A.l.)
• Privacy-Enhancing Technologies (III.B.c.)