May 7, 2024

Technophoria: Data Security Is a Classroom Worry, Too

Edmodo’s free software allows teachers to set up virtual classrooms where they can post homework assignments, give quizzes and use third-party apps to complement lessons. Students can create individual profiles, including their photograph and other details, within their teacher’s class and post comments to a communal class feed.

Mr. Porterfield, an engineer at Cisco Systems, examined Edmodo’s data security practices by registering himself on the site as a fictional home-school teacher. As he went about creating imaginary students — complete with cartoon avatars — for his fictitious class, however, he noticed that Edmodo did not encrypt user sessions using a standard encryption protocol called Secure Sockets Layer.

That cryptography system, called SSL for short and used by many online banking and e-commerce sites, protects people who log in to sites over an open Wi-Fi network — like the kind offered by many coffee shops — from strangers who might be using snooping software on the same network. (An “https” at the beginning of a URL indicates SSL encryption.)

Without that encryption, Mr. Porterfield says, he worried about the potential for a stranger to gain access to student information, and thus hypothetically be able to identify or even contact students.

To test this hypothesis, he used a computer on his home Wi-Fi network to log in as an imaginary student; then, using another computer, he installed free security auditing software, called Cookie Cadger, to spy on the student’s online activities. Though the risk of this happening with actual students seemed small — Edmodo and other companies say they have no evidence that this kind of breach has occurred — he contacted his school district about his concerns.

“There’s a lot of contextual information you could use to gain trust, to make yourself seem familiar to the child,” he says. “As a parent, that’s the scariest thing.”

In response to an inquiry from me last week, Sara Mandel, a spokeswoman for Edmodo, said the service provided “a safe alternative to open, consumer social networking sites” because students could participate only in groups created by their teachers and because teachers decided whether students could send private messages to one another.

She added that “any school that chooses” had been able to use a completely encrypted version of the site since 2011 and that the company “is working to ensure that all of our users are using an SSL-encrypted version.”

School administrators and teachers said they liked these online learning systems because they could control the information that students might share.

“Kids can’t talk to each other. They can only speak to the group,” says Heather Peretz, a special-education teacher at Great Neck South Middle School in Great Neck, N.Y., who uses Edmodo in her English class. “It helps them learn to be good digital citizens so they are not making inappropriate posts.”

But as school districts rush to adopt learning-management systems, some privacy advocates warn that educators may be embracing the bells and whistles before mastering fundamentals like data security and privacy.

Although a federal law protecting children’s online privacy requires online services to take reasonable measures to secure personal information — like names and e-mail addresses — collected from children under 13, the law doesn’t specifically require SSL encryption. Yet school districts often issue only general notices about classroom technology, leaving many parents unaware of the practices of the online learning systems their children use. Moreover, schools often require online participation so students can gain access to course assignments or collaborate on projects.

“What we are finding with this type of database is that parents are uninformed,” says Khaliah Barnes, a lawyer at the Electronic Privacy Information Center. “Most don’t understand how the technology works.”

Online security experts have long warned consumers about unencrypted Web sites that collect personal details. That is because on open Wi-Fi networks, hackers using simple software programs can see and copy the unique code, called a session cookie, that servers issue to authenticate a person who has logged into a Web site. By replicating that cookie, a hacker can acquire the same privileges, like the ability to edit a profile or grade a quiz, of the authenticated user for that session.
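The exposure described above can be checked from the defender's side by looking at how a site hands out its session cookie. The following is an added example, not code from the article or from any company it names; the host name, cookie names and header values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_session_cookies(url, set_cookie_headers):
    """Return (cookie_name, reason) pairs for cookies that someone listening
    on the same open network could read in transit.

    url                -- the URL whose response carried the headers
    set_cookie_headers -- list of raw Set-Cookie header values
    """
    findings = []
    over_https = urlsplit(url).scheme.lower() == "https"
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not over_https:
                # The response itself was unencrypted, so the cookie was
                # visible the moment the server issued it.
                findings.append((name, "issued over plain http"))
            elif not morsel["secure"]:
                # Issued over https, but without the Secure attribute the
                # browser also attaches it to any later http:// request
                # to the same host, where it can be observed.
                findings.append((name, "missing Secure attribute"))
    return findings


# Constructed sample responses (hypothetical host and values).
SAMPLES = [
    ("http://classroom.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("https://classroom.example/login", ["session=abc123; Path=/; HttpOnly"]),
    ("https://classroom.example/login",
     ["session=abc123; Path=/; Secure; HttpOnly", "theme=dark; Path=/"]),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit_session_cookies(url, headers) or "no findings")
```
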

Article source: http://www.nytimes.com/2013/06/23/business/data-security-is-a-classroom-worry-too.html?partner=rss&emc=rss

Stern Words, and Pea-Size Punishment, for Google

The penalty? $189,225.

Put another way, that’s how much Google made every two minutes last year, or roughly 0.002 percent of its $10.7 billion in net profit.

It is the latest example of regulators’ meager arsenal of fines and punishments for corporations in the wrong. Academics, activists and even regulators themselves say fines that are pocket change for companies do little to deter them from misbehaving again, and are merely baked into the cost of doing business.

Johannes Caspar, the data protection supervisor in Hamburg, Germany, who led the investigation into the Street View project, said the fine, which was close to the maximum of 150,000 euros, or $195,000, that he could legally impose, was woefully inadequate to stop the data collection practices of companies as large as Google. He called on lawmakers to significantly raise such fines.

“As long as violations of data protection law are penalized with such insignificant sums, the ability of existing laws to protect personal privacy in the digital world, with its high potential for abuse, is barely possible,” Mr. Caspar said.

In Europe, lawmakers are considering revisions to the main data protection law to allow for fines of up to 2 percent of a company’s annual sales. In Google’s case, based on last year’s revenue, that would have been up to $1 billion.

For several years, while Google took photos for its Street View maps, it also collected data like e-mail messages and photos over unencrypted Wi-Fi networks, outraging consumers and privacy advocates and prompting investigations in at least a dozen countries.

Peter Fleischer, Google’s global privacy counsel, said the company collected the data inadvertently, did not use it and cooperated with investigators in Hamburg.

For Silicon Valley companies, such middling fines are common. For the Street View violation, Google last year paid a $25,000 fine for obstructing the federal investigation, and last month agreed to pay $7 million to settle a lawsuit brought by 38 states. France fined Google 100,000 euros in 2011; Ireland and Britain did not impose fines after Google agreed to delete data collected illegally in their countries.

For another privacy violation, related to the Safari browser, the Federal Trade Commission last year settled with Google for $22.5 million, the largest civil penalty it had ever levied, though Google did not admit any wrongdoing. The commission similarly filed eight complaints against Facebook for “unfair and deceptive” practices related to privacy, with no fine or admission of guilt. In antitrust investigations, Google escaped a fine in the United States and is close to doing the same in Europe.

“Especially in these areas like privacy or online access to information, existing law hasn’t really dealt with these issues before because as technology changes, the law needs to play catch-up,” said Martin H. Pritikin, a professor at Whittier Law School who co-writes the blog the Collection Gap, about regulatory enforcement failure.

Still, the problem stretches far beyond the tech industry. After the 2008 financial crisis, for instance, lawmakers and even some judges questioned whether government fines amounted to a rounding error for the nation’s biggest banks.

Jed S. Rakoff, a federal judge in New York, called the Securities and Exchange Commission’s $150 million settlement with Bank of America over lax public disclosures “half-baked justice at best,” and its $285 million settlement with Citigroup “pocket change.” Even when Goldman Sachs paid a record $550 million fine to the agency in 2010, it amounted to less than 10 percent of the bank’s profit that year.

On Wall Street, the public hand-wringing also stemmed from a lack of criminal charges. When the authorities leveled a record $1.9 billion penalty against HSBC in a money-laundering case, they stopped short of indicting the British bank, saying that such a move could jeopardize the financial system. The decision raised concerns that Wall Street was not only too big to fail, but also too big to indict.

That reflects a broader attitude against fining companies too severely, Mr. Pritikin said. If a fine is too big, the argument goes, it hurts shareholders if the stock price suffers, and consumers if the company has to raise prices to pay the fine.

But when John H. Nugent, a management professor at Texas Woman’s University, studied the topic, he said he was surprised to find that the opposite was true, and that even large fines had little long-term effect on companies’ stock prices.

“Management will often choose to take actions they may know are improper because they realize the long-term consequences will not affect them,” Mr. Nugent said.

Still, even a trivial fine has some consequences, said James M. Anderson, who studies the role of law in regulating business at RAND Corporation.

“There may be some good that is accomplished even if the amount in question is all but nominal, in expressing some notion that as a society, we have collectively said this is a problem,” he said.

And the public relations fallout of any regulatory penalty can be significant for companies like Google, which is extremely sensitive about its reputation in the eyes of consumers, said Chris Hoofnagle, a lecturer on privacy law at the University of California, Berkeley, School of Law.

But Ezra Ross, a professor at the University of California, Irvine, School of Law and a co-writer of the Collection Gap blog, said the German fine had the opposite effect.

“They can say, ‘Look at the amount of the fine. Even the government obviously didn’t think this was a very big deal,’ ” he said.

He suggested that regulators find creative ways to punish companies, like preventing Google from using and profiting from the legitimate Street View data it collected while it was inappropriately collecting personal data.

Another solution, Mr. Pritikin said, is to punish individuals with fines or jail time, though that is also complicated because companies have insurance to cover such fines and it is often difficult to single out one person responsible for a decision.

Enforcement is at a turning point, Mr. Hoofnagle said, and fines could blossom, especially if a tech company’s privacy violation caused serious harm.

“We’re still working out as a society what the harms are for privacy violations, and we’re not likely to see hundreds of millions of dollars in fines unless blood is spilled,” he said. “But you can see how that could happen.”

Ben Protess contributed reporting from New York and Kevin J. O’Brien from Berlin.

Article source: http://www.nytimes.com/2013/04/23/business/global/stern-words-and-pea-size-punishment-for-google.html?partner=rss&emc=rss