[AfrICANN-discuss] FTC to Look Into Copy Machine Privacy Breakdown

Anne-Rachel Inné annerachel at gmail.com
Wed May 19 22:29:10 SAST 2010

FTC to Look Into Copy Machine Privacy Breakdown
Print Version<http://www.technewsworld.com/edpick/70029.html?wlc=1274300647#>

E-Mail Article <http://www.technewsworld.com/perl/mailit/?id=70029>
Reprints <http://www.ectnews.com/about/reprints.xhtml>
[image: FTC to Look Into Copy Machine Privacy Breakdown]

By Brian T. Horowitz
05/19/10 11:15 AM PT

Add digital copiers to your list of things to be afraid of. Turns out most
of the machines built since 2002 have copies of every image they scanned
stored on their hard drives -- and when those machines change hands, they're
seldom wiped clean. The FTC has taken steps to inform manufacturers,
resellers and office supply stores about the risks, but what is the agency
really empowered to do?

he Federal Trade Commission <http://www.ftc.gov/> has
responded<http://markey.house.gov/docs/markeyftc.pdf> to
an April 29 letter from Rep. Edward J. Markey, D-Mass., expressing concerns
about sensitive data stored on digital copiers' hard drives. Markey's letter
followed CBS News' April 19 airing of a
report<http://www.youtube.com/watch?v=iC38D5am7go> on
its investigation into the matter.

The FTC said it was aware of the privacy issues and planned to take steps to
inform manufacturers, resellers and office supply stores about the risks
associated with digital copying and see that they were taking steps to
provide options for secure copying.

"We will work with these entities to help ensure that they provide
appropriate educational materials on this subject to their clients," wrote
FTC chairman Jon Leibowitz. He also directed Markey to educational materials
the FTC previously
disposing of computer hard drives.

"We are also reaching out to government contracting officials to advise them
of the risks associated with the use of digital copiers and ensure that the
government is taking measures to protect the information we collect from the
public," Leibowitz continued. The FTC routinely erases and destroys hard
drives when it returns copiers, the chairman said.

Leased Copiers Returned

The copier industry has failed to inform the public of the privacy risks of
using digital copiers, Ed McLaughlin, president of Sharp Imaging and
Information Company of America <http://www.sharpusa.com/>, admitted in the
CBS News report.

During its investigation, CBS found a machine used by a police sex crimes
division in Buffalo, N.Y., with information on criminal suspects and
domestic violence complaints. It also found pay stubs with Social Security
numbers and medical records from insurer Affinity Health
including names and physician diagnoses.

Companies such as Xerox <http://www.xerox.com/> (NYSE: XRX) supply overwrite
tools for hard drives, but the public may not have the knowledge to use

Copiers are leased for fixed periods and then shipped around the world with
sensitive data remaining on their hard drives, noted Markey in his
letter<http://markey.house.gov/docs/ftccopier_security4-29-10.pdf> to
FTC Chairman Leibowitz.

"I am concerned that these hard drives represent a treasure trove for
thieves," he wrote, "leaving unwitting consumers vulnerable to identity
theft as their Social Security numbers, birth certificates, medical records,
bank records and other personal information are exposed to individuals who
could easily extract the data from the digital copiers' hard drives and use
it for criminal purposes."

Business and government agencies need to take steps to erase the data before
returning the machine or disposing of it, Markey cautioned.

The FTC and Rep. Markey's office did not return TechNewsWorld's calls
requesting comment.

It shouldn't be difficult to apply the same methods of destroying computer
data to the data on digital copiers' hard drives, Rob Enderle, principal
analyst for the Enderle Group <http://www.enderlegroup.com/>, told
TechNewsWorld, but this is not something people have thought about.

"A lot of these things could be sitting in landfills and repurposed," he

"This shouldn't have been news," Enderle continued. "Something was
overlooked, because they're not sold as storage devices -- they're sold as
copy machines."
Educating the Public

The FTC will likely set in place automatic purge rules for digital copiers,
said Enderle. After a copying, scanning, or printing job is complete, the
files would have to be deleted.

"With the security [image: FireHost - Affordable Secure Web Hosting for
Every Company. Learn
aware of the problem, there will be efforts to encrypt data," he added,
noting that existing methods for disposing of PC and server data will be
extended to copier information.

"It shouldn't be particularly hard to use the same processes and rules. I
don't see the fixes as particularly onerous," Enderle said.

Yet there is doubt as to whether the FTC's efforts will be fruitful.

"To me it's going to be a fair amount of waste of time," said Ira Winkler,
author of *Spies Among Us* and president of the Internet Security Advisors
Group <http://www.isag.com/>, who appeared in the CBS News report that shed
light on this problem.

"What can the FTC actually do? The FTC has no control over the Buffalo
Police. I don't think the FTC has responsibility for medical records,"
Winkler told TechNewsWorld.

"They can write a report and tell Congress we need to pass this
[information] along. I mean, this is decades late," he said.

"They're going to spend lots and lots of money on something that's glaringly
obvious. This is like saying drunk drivers theoretically can kill people.
What type of study do you really need done?" Winkler asked.
A Major Oversight

"We have a surprisingly large exposure here," Enderle said.

Digital copiers' hard drives could hold personal medical or banking records,
conviction histories or lists of crime suspects.

"There are a whole series of regulations that may now come into play as
folks look at what appears to be an improper use of information," added
Enderle. "There could be some serious problems."

Disclosure and accountability laws such as Sarbanes Oxley could come into
play, he pointed out.
National Security Problem?

Imagine the scenario of a digital copier being leased at one time by a U.S.
Embassy and then ending up in the office of another country's embassy while
still retaining sensitive data on the hard drive, Enderle suggested.

"This is just one more example that printing confidential information is a
very dangerous practice," he emphasized, noting that the data could be
scanned and emailed to a million people.

"I'd like to assume it's not related to national security, but it probably
was," Winkler said. "But the FTC has no control over federal agencies, so
what difference does it make?"

CBS News reported that digital copiers dating back to 2002 store data.

So think twice the next time you head to the copy machine. You don't really
know for whom you're copying those tax forms, medical records and corporate
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20100519/668cb5b9/attachment-0001.htm

More information about the AfrICANN mailing list