Chapell & Associates

Tuesday, May 31, 2005

I.B.M. Software Aims to Provide Security Without Sacrificing Privacy NY Times - May 24, 2005
International Business Machines is introducing software today that is intended to let companies share and compare information with other companies or government agencies without identifying the people connected to it. Security specialists familiar with the technology say that, if truly effective, it could help tackle many security and privacy problems in handling personal information in fields like health care, financial services and national security. "There is real promise here," said Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "But we'll have to see how well it works in all kinds of settings."


The technology for anonymous data-matching has been under development by S.R.D. (Systems Research and Development), a start-up company that I.B.M. acquired this year.
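As an added illustration of what "anonymous data-matching" means in practice, the Python below lets two parties discover which records they hold in common while exchanging only keyed one-way digests of normalized identifiers, never the names themselves. This is example code written for this page, not I.B.M.'s or S.R.D.'s software (the article does not describe its internals); the two record sets, the shared key and the normalization rules are all constructed for the example.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample records for two hypothetical parties. Formatting differs
# between the sets on purpose, to show why normalization comes before hashing.
PARTY_A_RECORDS = [
    {"name": "Jane Q. Doe", "dob": "1970-04-12"},
    {"name": "John Smith", "dob": "1965-11-30"},
    {"name": "Alice Roe", "dob": "1982-02-01"},
]
PARTY_B_RECORDS = [
    {"name": "jane q doe", "dob": "1970-04-12"},
    {"name": "Bob Poe", "dob": "1990-07-07"},
    {"name": "ALICE ROE", "dob": "1982-02-01"},
]

# Secret agreed between the two parties out of band (constructed placeholder).
SHARED_KEY = b"example-shared-key-agreed-out-of-band"


def normalize(record):
    """Canonicalize name and date of birth so that case, punctuation and
    spacing differences between the data sets do not prevent a match."""
    name = unicodedata.normalize("NFKC", record["name"]).lower()
    name = " ".join(name.replace(".", " ").split())
    return f"{name}|{record['dob']}"


def pseudonymize(record, key=SHARED_KEY):
    """Keyed one-way digest of the normalized identifier. Names and birth dates
    are low-entropy, so an unkeyed hash could be brute-forced by anyone who
    sees the digests; the shared key prevents that."""
    return hmac.new(key, normalize(record).encode(), hashlib.sha256).hexdigest()


def anonymous_match(records_a, records_b, key=SHARED_KEY):
    """Each side contributes only digests. The result is the list of
    (index_in_a, index_in_b) pairs whose digests appear on both sides, so each
    party can look up its own matching record without learning the other's."""
    index_a = {pseudonymize(r, key): i for i, r in enumerate(records_a)}
    index_b = {pseudonymize(r, key): i for i, r in enumerate(records_b)}
    common = set(index_a) & set(index_b)
    return sorted((index_a[d], index_b[d]) for d in common)


if __name__ == "__main__":
    for a_idx, b_idx in anonymous_match(PARTY_A_RECORDS, PARTY_B_RECORDS):
        print(f"A[{a_idx}] matches B[{b_idx}]")
```

Two points a practitioner would check before trusting such a scheme: the shared key must be protected as carefully as the data it pseudonymizes (whoever holds it can test guesses against the digests), and the matched index pairs are themselves sensitive, since they reveal that a given person appears in both data sets.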


The Chapell View
Hurrah for Big Blue! While I recognize that this technology is still in development, I like what I see so far. Any time you can enhance an organization's (in this case Government) use of data while simultaneously decreasing the risk to privacy rights, you've got a win/win.

posted by Isaac on Tuesday, May 31, 2005

Monday, May 30, 2005

After Theft, Bank of America Tightens Security Info World - May 26, 2005
Just days after confirming that information on about 60,000 of its customers had been stolen by an identity-theft ring, Bank of America on Thursday announced plans to tighten security for its online banking customers. Beginning next month, the Charlotte, North Carolina, bank will begin offering a new service called SiteKey that will make it harder for thieves to access Bank of America accounts. SiteKey will recognize when a Bank of America account is being accessed via an unknown computer and will generate a predetermined "challenge" question, adding another level of security to the process of logging in. The software also lets users choose a specific image -- a photograph of a dog, for example -- that can then be re-shown to users in order to reassure them that they are actually visiting the Bank of America Web site, and not some other site masquerading as www.bofa.com.
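To make the login flow described above concrete, here is an added Python model of the two SiteKey ideas: recognizing whether the device is known and asking a challenge question if it is not, and showing the user's chosen image before the password is requested so the user can tell the real site from an impostor. This is illustrative code written for this page, not Bank of America's implementation; the in-memory account store, the device-token mechanism and the hashing parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory account store; a real deployment keeps this server-side.
ACCOUNTS = {}
PBKDF2_ROUNDS = 50_000  # assumed parameter; use a dedicated password hash in production


def _digest(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen store does not reveal passwords or
    challenge answers directly."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _normalize_answer(answer: str) -> str:
    """Challenge answers are compared case- and whitespace-insensitively, since
    users rarely retype 'Rex' exactly as enrolled. Passwords are never normalized."""
    return " ".join(answer.lower().split())


def register(user_id, password, image_name, question, answer):
    """Enrol credentials, the user's chosen image and one challenge question."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[user_id] = {
        "salt": salt,
        "pw": _digest(password, salt),
        "image": image_name,
        "question": question,
        "answer": _digest(_normalize_answer(answer), salt),
        "devices": set(),  # device tokens this account has marked as trusted
    }


def begin_login(user_id, device_token):
    """Step 1: the user identifies themselves. From an unknown device the site
    asks the challenge question first; from a known device it shows the chosen
    image so the user can confirm the site before typing a password."""
    acct = ACCOUNTS.get(user_id)
    if acct is None:
        # Simplification: a production system would answer uniformly here so
        # that the response does not reveal which user IDs exist.
        return {"status": "unknown_user"}
    if device_token not in acct["devices"]:
        return {"status": "challenge", "question": acct["question"]}
    return {"status": "show_image", "image": acct["image"]}


def answer_challenge(user_id, device_token, answer):
    """Step 1b: a correct answer marks this device as trusted and reveals the image."""
    acct = ACCOUNTS[user_id]
    given = _digest(_normalize_answer(answer), acct["salt"])
    if hmac.compare_digest(given, acct["answer"]):
        acct["devices"].add(device_token)
        return {"status": "show_image", "image": acct["image"]}
    return {"status": "challenge_failed"}


def finish_login(user_id, device_token, password):
    """Step 2: the password is accepted only from a device that passed step 1."""
    acct = ACCOUNTS[user_id]
    if device_token not in acct["devices"]:
        return {"status": "device_not_trusted"}
    if hmac.compare_digest(_digest(password, acct["salt"]), acct["pw"]):
        return {"status": "ok"}
    return {"status": "bad_password"}


if __name__ == "__main__":
    register("isaac", "correct horse battery", "dog.jpg", "Name of your first pet?", "Rex")
    print(begin_login("isaac", "laptop-1"))              # challenge from a new device
    print(answer_challenge("isaac", "laptop-1", "rex"))  # image shown after a correct answer
    print(finish_login("isaac", "laptop-1", "correct horse battery"))
```

The image check only protects a user who actually refuses to enter a password when the expected image is missing or wrong, and it does not help against a site that relays the real bank's pages to the user in real time; the device-recognition step is what raises the bar when a stolen password is tried from somewhere new.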


The Chapell View
I like the SiteKey program - a lot! To date, Citicorp is one of the few banks to actively use privacy and security as differentiators. I hope that Bank of America will use this program as a way to set their company apart from the competition.


I do see one problem with SiteKey, however. And this is a similar problem faced by almost all security and authentication programs. Users tend to have trouble remembering their passwords. This is the inherent difficulty when setting up a password or challenge response answer. You want to make it complex enough so that the bad guys don't get a hold of it, but not so complex that you can't remember it. And it would be bad enough if you only had to remember one or two passwords, but many of us have dozens of different passwords to remember. I, for example, have a separate password for:


  • My Computer

  • My Hotmail Account

  • My Yahoo Account

  • My Gmail Account

  • The Chapellassociates.com Server

  • My Business Online Banking Account

  • My Personal Online Banking Account

  • My ATM Pin

  • The UID and Password to access my Blackberry

  • Half the Web sites I visit regularly...


And that's just off the top of my head.

My point being that, in order for me to be smart about my security, I would need to remember a dozen different passwords. Given that I can just about remember my own bank account number, that's a difficult task.


Someone in the technology world needs to come up with a better method of authentication.

posted by Isaac on Monday, May 30, 2005

Friday, May 27, 2005

Friendster is no Friend of Privacy Q Daily News - May 20, 2005
Wow, Friendster just violated their own Privacy Policy and gave my email address out to a third party for use in administering a survey. How do I know it was them? Here's the story. At 4PM today, I received an email asking me to participate in an online survey about online social networks. Since it was about a topic other than penis pills, breast enlargement, poker, and child porn, the email immediately seemed different than the normal spam that slips through my filters, so I opened it to see what it was all about. It was sent to the unique email address I used ages ago to sign up for Friendster, so by that measure, it was clear that this wasn't just a blanket spam that happened to land in the inbox of someone who actually has used a social network site. Interested in how the third party (Q&A Research) had obtained the email address, I went to the survey website to see if I could find a way to call and ask; not finding any such contact information, I checked the company's WHOIS record, and called the listed number.




The Chapell View
I usually don't post other blog postings unless I know and trust the poster. In this case, I don't know Jason from Q Daily News, so I can't make any representations about the accuracy of his posting. Having said that, I thought it was an interesting read nonetheless.


User Generated Content (UGC) continues to proliferate. Some of it is insightful - some of it is crap. Businesses will increasingly need to deal with UGC, although many companies are choosing to ignore UGC for the most part. I think that's a mistake, because there is a good deal of information that can be mined from UGC. The key is figuring out a way to sort through all the clutter in order to find information that is useful. And that can be like finding the proverbial needle in a haystack. Case in point - I spend a certain amount of time each day sorting through various anti-spyware blogs. Some of them are right on the money, while others are confused, convoluted rants from people who could barely operate a cash register, let alone run a business. But if I want to get to the good stuff, I need to wade through the bad. I wonder if someone couldn't figure out a way to automate this process?


This posting also gets me to revisit a previous rant regarding the privacy policy of an online travel website. Back when I first blogged on this subject, I was reluctant to mention the website's name. I figured that with a little bit of patience, I'd be able to convince the company to do the right thing. Well, it's been well over a month, and I haven't gotten anywhere with these people. In case you were wondering, the site is www.Hotels.com, a wholly-owned subsidiary of IAC/InterActiveCorp.


Anyway, here's the story...


As a result of a purchase I made on Hotels.com, I was somehow enrolled in a "Travel Rewards" program from one of their affiliates. Now I have ZERO recollection of signing up for this program, and but for the $10 charges to my credit card, I would not have even known that I was enrolled. When I confirmed that I'd been enrolled as a result of a purchase I'd made on Hotels.com, I decided to end my relationship with Hotels.com. Here's where the fun started.


I sent an email to Hotels.com's Customer Service group - asking them to remove all my personal information from their records. One would figure that this wouldn't be a big deal, as their web site privacy policy states,


If a visitor's personally identifiable information (for example, their zip code, phone, email or postal address) changes or if a user no longer desires our service, we provide a way to correct, update or delete/deactivate visitor's personally identifiable information. (I paraphrased this to protect the company).


Well, I'm on my TENTH email requesting that they remove all my info, and here are the responses I've been getting from their CS group:



  • "Thank you for your reply. We can remove your e-mail address from our system so that you will not receive any more offers. However, we are unable to remove your account from our site. Once you have registered with our services, the account always remains active."

  • "Please be advised your email address has been deleted from our newsletter."

  • "Due to security reasons, we do not hold your personal & confidential information."

  • "Please be advised if you have made a reservation or submitted information to us, this information will remain. This is not to be deleted, nor is your confidential information given out."


I've also called a number of times, and was assured that they would have my information removed.


Finally, I asked them repeatedly to have their general counsel contact me. The CS person finally agreed and indicated that someone from their legal team would contact me. That was at least two weeks ago.


If you are a reporter and are looking for a good story, here it is. I am happy to provide any information you'd like. And needless to say, I will never patronize Hotels.com again!

posted by Isaac on Friday, May 27, 2005

© 2005 by Alan Chapell & Associates LLC