Posts by mrose

Free End-User Multimedia Training for Teachers

CERIAS is pleased to announce the launch of a new initiative to increase the security of K-12 information systems nationwide.  We’ve developed a comprehensive set of self-paced multimedia training modules for K-12 educators and support staff titled Keeping Information Safe: Practices for K-12 Schools.  The goal of these modules is to increase the security of K-12 school information systems and the privacy of student data by increasing teacher awareness of pertinent threats and vulnerabilities as well as their responsibilities in keeping information safe.

The modules are available for free for K-12 teachers, institutions, and outreach organizations.

ID Theft Resource

CNET has published an excellent resource for protecting oneself from identity theft.  The site includes an ID theft FAQ with many good tips, a roundtable debate, and a few little multimedia gems.

One of my favorite pieces is the pie graph in the sidebar that illustrates risks to ID theft.  The most prevalent risks still come from offline.

I gave an ID Theft talk several months ago, and the audience was looking for any way to protect themselves online, to the point of absurdity.  But when I suggested that they cut down on all the stuff they carry in their wallets and/or purses, they nearly revolted: “What if I need to do XYZ and don’t have my ID/credit card/library card/customer card/social security card/insurance card/etc.?”

To me, this illustrates that we have a long way to go in educating users about risks. It also illustrates that we need to push back from all the noise created in the infotainment industries, who are perpetuating the online myth and ignoring the brick-and-mortar threats.

What is Higher Education’s Role in Regards to ID Theft?

A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft.  The report does not investigate why this age group is more susceptible, so I’ve started a list:

  • Willingness To Share Information: If MySpace, Facebook, and the numerous blog sites like LiveJournal are any indication, younger adults tend to be more open about providing personal information.  While these sites may not be used by identity thieves, they nonetheless illustrate students’ willingness to divulge intimate details of their personal lives.  Students might be more forthcoming with their SSN, account information and credit card numbers than are their elders.
  • Financial Inexperience: Many college students are out on their own for the first time.  Many also are in “control” of their finances for the first time.  With that lack of experience comes a lack of experience with and knowledge about tracking expenditures and balancing checkbooks.  College students are an easier target for identity thieves who can ring up several purchases before being noticed.
  • Access to Credit: A walk around campus during the first few weeks of the year also reveals another contributing factor. Students are lured into applying for credit cards by attractive young men and women handing out free T-shirts and other junk.  It is not unusual for a college freshman to have three or four credit cards with limits of $1000 to $5000.
  • Lost Credit Cards and Numbers: This might be a stretch, but I know many college students who periodically lose their wallets, purses, etc. and who did not act quickly in canceling their debit and credit cards.  I also know many who have accidentally left a campus bar without closing their tab.  It would be trivial to get access to someone else’s card at these establishments.  Along with this reason comes access to friends’ and roommates’ cards.

I’m sure there are many more contributing factors.  What interests me is determining the appropriate role of the university in helping to prevent identity theft among this age group.  Most colleges and universities now engage in information security awareness and training initiatives with the goal of protecting the university’s infrastructure and the privacy of information covered by regulations such as FERPA, HIPAA, and so on.  Should higher education institutions extend infosec awareness campaigns so that they deal with issues of personal privacy protection and identity theft?  What are the benefits to universities?  What are their responsibilities to their students?

For educational organizations interested in educating students about the risks of identity theft, the U.S. Department of Education has a website devoted to the topic as does EDUCAUSE.

Useful Awareness Videos

The results are in from the EDUCAUSE Security Task Force’s Computer Security Awareness Video Contest.  Topics covered include spyware, phishing, and patching.  The winning video,  Superhighway Safety, uses a simple running metaphor, a steady beat, and stark visual effects to concisely convey the dangers to online computing as well as the steps one can take to protect his or her computer and personal information.

The videos are available for educational, noncommercial use, provided that each is identified as being a winning entry in the contest.  In addition to being great educational/awareness tools, they should serve as inspiration for K-12 schools as well as colleges and universities.

Surveillance Society

This morning, wamu.org: The Diane Rehm Show featured guests Robert O’Harrow, author of “No Place to Hide,” Bruce Schneier, security expert and blogger, and Joe Whitley, the former general counsel of the Department of Homeland Security.  The show outlined the current tensions between security and privacy and highlighted the threats to privacy brought about by advances in information technology, data mining and even medical technology.  While some of these issues may seem a bit tiresome for those who study security and privacy, the guests emphasized an important point: Threats to privacy are not well-understood by the public, which may be a reason for the general lack of concern over the overextension of the NSA’s surveillance powers.

Review: The Limits of Privacy

It has been argued that, since the 1960s, an emphasis on individualism and personal autonomy has shaped public policy debates, including debates about the right to personal privacy.  While many scholars and advocacy groups claim that privacy is under siege, an alternate view of privacy exists, one in which it is weighed against other public interests.  In The Limits of Privacy, Amitai Etzioni espouses a communitarian approach to determining the relative value and, as the title suggests, the limits of privacy.  Privacy, the author argues, is not an absolute right, but is a right that must be carefully measured against the “common good,” which for Etzioni is defined as public health and safety.  At the heart of this book is the question of if and when we are justified in implementing measures that diminish privacy in the service of the common good.

To answer this question and to identify criteria for evaluating the relative trade-offs between privacy and the common good, Etzioni examines several examples in which privacy, depicted as an individual right, is in conflict with societal responsibilities.  Five public policy issues—namely the HIV testing of newborn babies, Megan’s Laws, encryption and government wiretapping, biometric national ID cards, and the privacy of medical records—are examined in detail.  Through his analysis, Etzioni attempts to prove that, in most cases, champions of privacy have actually done more harm than good by stifling innovation and curbing necessary democratic discussions about privacy.  A notable exception is in the case of personal medical records:  The author notes that, while “Big Brother” is normally associated with privacy violation, in the case of medical records, unregulated private industry, which Etzioni aptly coins “Big Bucks,” is a pertinent and immediate threat.

Etzioni’s analysis, while flawed in several respects (e.g. Etzioni largely ignores evidence suggesting that national IDs will do more harm than good from a security perspective), results in four criteria that can be used in examining the tension between liberty and the public interest, or in this case privacy and public health and safety.  The four criteria are as follows:

  • First, society should take steps to limit privacy only if it faces a “well-documented and macroscopic threat” to the common good;
  • second, that society should identify and try any and all means that do not endanger privacy before restricting privacy;
  • third, that privacy intrusions should have minimal impact;
  • and fourth, that the undesirable side effects of privacy violations for the common good are treated (i.e. if a patient’s medical record must be digitized and shared, the confidentiality of the record must be guaranteed).

The Limits of Privacy is necessary reading for anyone involved in accepting, shaping, debating, and enacting privacy policies, both at the organizational and public-policy level.  While many readers, including this reviewer, disagree with many of Etzioni’s proposed solutions to the problems he examines, his four criteria are useful for anyone attempting to understand the intricacies involved.  Likewise, while Etzioni’s views are contrary to many of his peers, whose arguments he credits in his analysis, his arguments for justifiable invasions of privacy are a useful foil for privacy advocates and a useful reminder that privacy issues will always present real and costly trade-offs.