So today we have some excellent coverage via the always-interesting Mocana DeviceLine blog (have I blog-rolled them enough do you think?) covering a technical deep-dive on Google Wallet from ViaForensics.  An interesting read.

According to their inquiry of how Google Wallet works, they’ve determined that there’s some scary data stored cleartext on the phone, including:

• Card type and last 4
• Card holder name
• Current balance
• Available to spend
• Statement balance
• Payment due date
• Citi contact number

Well, that’s interesting. Folks might object to this kind of data being stored in cleartext within Google Wallet (I sure do), but I’d like to point out that the problem isn’t so much Google Wallet (although, guys… really?  Statement Balance?  Really?)  but instead the fact that mobile devices are blurring the lines between what’s a payment application vs. what’s not.

You see, right now, shy of actually storing the whole credit card number, there’s not really much guidance on what is or is not acceptable here from a protection standpoint.  Technically, Google Wallet falls into what the standards council has defined as a “Category 3 Payment Acceptance Application.”  What is a Category 3 mobile payment acceptance application, you ask? Per the council:

Payment application operates on any consumer electronic handheld device (e.g., smart phone, tablet, or PDA) that is not solely dedicated to payment acceptance for transaction processing.

Sounds like Google Wallet, amirite?  So how do you validate such an application?  For example say Google wants to do the right thing and have someone review their app to avoid these kinds of shenanigans… to ensure that the security of the application is consistent with the defined requirements of PCI?  Short answer: you can’t.  Longer answer —  from the council:

The PCI SSC recommends that mobile payment acceptance applications that fit into Category 3—and are thus not eligible for PA-DSS validation at this time but are intended for use in the cardholder data environment—are developed using PA-DSS as a baseline for protection of payment card data and in support of PCI DSS compliance.

OK, so you can’t validate it.  They recommend that you maybe skim through the PA-DSS to check out how to protect cardholder data from an application standpoint, but it’s discretionary… So you can’t validate to PA-DSS.  Unfortunate.  So what is the oversight for these apps? Who’s responsible?  From the same document:

Applications used for payment-initiation—for example, those downloaded by consumers onto their mobile phones and used for consumers’ personal shopping—are seen as similar to the payment card in a consumer’s wallet. The Council’s purview does not currently extend to, nor is PA-DSS applicable to, consumer-facing mobile payment initiation applications.

And there you have it.  My reading of this is that — at least currently — the expectation that we should have for security of “consumer-facing mobile payment initiation applications” is the goose-egg.  In other words, Google didn’t cross a regulatory boundary.  One might argue that there should be a regulatory boundary here… but if there is, I can’t find it.

Anybody disagree?  Would love to hear from a PA-QSA on this.

Image source: gyakutenphoenix.deviantart.com

I admit it, I tend to get worked up about stuff…  A few examples: people passing on the right, that actress from Sex and the City, clowns… oh, and Google Health.  Google’s “hack and slash” personal EHR/EMR.

It was really getting me angry there for a while.  Between their lack of interest in complying with HIPAA Security, their failure to meet the security requirements or demands of transparency from providers, and their apparent intention to litter the information superhighway with people’s medical records (okay, so maybe I made up that last one), it really seemed like a bad idea to me.  Or at least the intention of a personal EHR without any security or regulatory oversight seemed problematic to me.

Anyway, there I was all spun up about it only to learn that Google has decided to nuke it.  Ahhh, there it is.  Refreshing like a warm bathtub.   Instead of security, Google cites poor adoption as their rationale for slashing it.  But I think maybe security concerns have something to do with it.  Maybe just a little?   Like maybe the recent HHS clarifications about HIPAA Security applying to everyone and not just providers/payers (i.e. business associates, etc.) impressed upon Google their need to address the requirements?  Or maybe patients and providers really were as scared of this service as I was.  Whatever the reason, it’s gone… and I’m celebrating.

It makes me feel like the universe sometimes really does tend to unfold as it should.

So it turns out that Facebook hired a PR firm to plant negative publicity about Google. I came across this bit of interesting coverage via the always-helpful PogoWasRight blog this morning, which had a link to the full coverage over at the Daily Beast.  It’s an interesting story, and one that I highly suggest you go read.

I’m not entirely sure why Facebook feels so threatened by Google – but the fact that they are is clear.  Recall the whole snafu about importing contacts a while back?  It’s clear that Facebook feels like Google is encroaching.

So what we see in response is a campaign by Facebook on a couple different fronts to undermine Google: from a usability standpoint (contact/information import) and in the court of public opinion.  One wonders what else they might be doing in this respect that we don’t know about yet.  That part makes me slightly nervous.

So, did you happen to notice today’s news about Eric Schmidt?  I love this: apparently, in reference to people’s privacy concerns about street view, his response was “So, you can just move, right?”

Not only are people not sure if he was kidding or not, but it’s not even the first time that he’s done it.  Remember when he suggested that people change their name in order to recover some semblance of privacy on reaching adulthood?  He was apparently kidding then too, but now that kids are growing up in an age where every adolescent gaffe is not only broadcast for the world to see but also permanently recorded for future employers to mull over 30 years later… well, I’m not sure it’s funny.

Anyway, I’m not trying to make a federal case of it or anything.  I’m just trying to get my head around why he makes these types of statements.   I mean, is it just me or do others also feel like he should be approaching privacy issues with a certain gravity instead of (let’s face it, pretty dry) humor?

As you might have seen Diana tweet about over the weekend, there’s some interesting fall-out going on in reference to the City of LA’s move to Google Apps.  The migration is somewhat stalled due to security concerns raised by – among others – the LAPD.

I’m a huge fan of the cloud-based paradigm shift that seems to be going on right now, but I’ve also been pretty concerned security-wise.  It seems to me that it’s important to make sure security is addressed in the model – after all, the cloud vendor crowd may not be as invested in the security of your data as you are.  So this development in re: Google/LA makes me a bit more optimistic than I have been.

As you may know, I’ve had a hard time getting my head around the lack of security concern from folks making use of some of these services.  I’ve been watching people adopt services like Google Health with some consternation. I just can’t understand how providers are justifying deploying this.  But now the LAPD have stepped up and said that they’re not comfortable with the security measures currently implemented.  So, gogo LAPD.  Despite the tremendous static I’m sure you received internally to the city government, there are some of us watching from the sidelines who are reassured by your caution.

You did the right thing.

Source: community.wizards.com

The Deep End Blog over at InfoWorld had an interesting post yesterday about whether or not Google’s cloud services are more worthy of trust than other providers.  The author points out the tremendously invasive information that Google has about us and then goes on to ask several very pointed questions about whether they are appropriate stewards of that information or not.  All interesting stuff.

Now, I don’t consider myself an overly paranoid kind of guy (OK, well maybe just a little bit), but Google’s cloud offerings concern me too.   But it’s not because they keep meticulous records on what you search for, because they track where you go, or even because they’ve already gotten in trouble for snooping on wireless networks as they populate street view.

Sure, all that stuff is disconcerting.  But what really concerns me is Google Health.  Have you seen this service?  It lets you consolidate your medical records all in one place.  Mmmmm… Medical records.  All conveniently located in one place.  Not something I’d use, but if someone wants to opt-in, I suppose that’s their business.

But what I find very unwholesome about this service is what an individual is opting into when they decide to share their medical records with Google.  You see, doctors and hospitals have privacy and security requirements under the law – governing laws like HIPAA and HITECH spell out very clearly bare minimum security requirements that “covered entities” must employ to safeguard the data.  So a doctor just can’t look at any record they want or send medical records to whomever they want (well, they could I suppose, but they’ll go to jail for it.)  The requirements aren’t perfect and lord knows enforcement isn’t either – but it’s something at least.

Google claims flat-out that HIPAA security and privacy requirements don’t apply to them:

Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

So no mandatory security requirements for you.  And because the aren’t signing business associate agreements with the healthcare providers they’re partnering with, it’s arguable the extent they believe HITECH to apply (since HITECH carries over privacy and security requirements to business associates).  Yes… Apparently much like the bad guys in a Knight Rider episode, they believe that they operate above the law.

In theory, I get what Google is saying.  It’s voluntary for a patient to sign up for this.  Nobody’s holding a gun to their head and making them use it.  And if Google says outright they choose not to meet the bare minimum provisions of HIPAA security, maybe it’s OK for the patient to decide for themselves if that’s acceptable or not.  After all, if a consenting patient decides to take a diagnostic image (like an X-Ray or whatever) – or a copy of their chart – and tape it to a public notice board, that would be their prerogative, right?

But what’s creepy about the Google service is that (unlike the patient who posts their record to the bulletin board), a patient might not understand that they’re doing the equivalent when they decide to store their information in Google’s system.  OK, so they need to agree to the terms of service where it’s spelled out pretty clearly.  But how many people are reading through that with a microscope before making a decision?

Mark my words: this thing is going to end badly for somebody. Either they’ll get sued or some gaffe will wind up in the press.   Maybe some Google employee will do the stuff that hospital employees get fired for: looking at neighbors’ records,  family members’ records, or VIP (famous people) records.  Maybe because they’re not auditing access  (like they’d be required to under HIPAA), it’ll go on longer than would otherwise be the case.  Or maybe they’ll sell bulk identifiable diagnostic information to a marketer.     Either way, not good for anybody.

Over the past few months, I’ve had some questions from healthcare providers (hospitals mostly) about Google Health.  In case you’re not familiar, Google Health is basically a service where google hosts your medical records for you.

<sarcasm>Pretty cool right?  The company famous for liberating information from the tired restrictions of conventionality now has access to our collective medical histories?  Whoopity-dooda. You think they might have plans to search it for some reason?</sarcasm>

So the wisdom (or not) of a hospital using this aside for the moment, I have to admit that I’m a little confused about their stance from a security perspective.  So Google says:

Some have asked how Google Health relates and compares to the privacy protections for patients under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes privacy standards for patient health information. Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.”

Sigh.  Really, Google?  Really?  They then go on to tell us all not to worry about it because they have the same security and privacy controls as HIPAA.  Interestingly, they consolidate the entirety of the security rule into “reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of health information”.  Not sure if they’re looking at the same federal register I am, but I’d recommend that they probably start with 45 CFR Part 160and Subparts A and C of Part 164 – you know: that document where things like data encryption, risk analysis, and access controls are required.   Does Google require any of this?  Guess what: we don’t know.  Why not?  Because apparently the rules don’t apply to them.

What really sizzles my bacon about the whole thing is that Google holds the position that HIPAA doesn’t apply to them – hence they won’t sign things like business associate agreements.  By their same logic, HITECH wouldn’t apply to them either.  But it’s totally bogus  - they are clearly a business associate, even under the most restrictive of interpretations.  How does that conversation go?

Google:  We’re not a business associate because we don’t interact with PHI in any way.  Nope, it’s all you.  No PHI for us – we just host it, maintain it, administrate it, conduct it over our network, index it, sort it, store it, and provide reporting back to you on it.

Why is it that people buy in to this line of reasoning?  Help me to understand why someone would use this service…

It’s a “banner day” for Google. They stopped the unholy union of AOL and Microsoft search capability, but everyone and their brother is coming out of the woodwork to criticize the move. Paul Thurrott says that Google has sold its soul and Thomas Claburn calls the integrity of Google into question in terms of how they represent themselves.

It’s certainly true that Google cannot continue to make the statement that they do not alter the order or “rank” of sites for money – because now they do. They also can’t make the claim that they clearly distinguish between paid and unpaid links – because now they don’t.

Of course, I’d be really interested in hearing what John Battelle has to say about it, but unfortunately I can’t right now because somebody has secretly replaced it with Folgers or whatever. On the plus side, the site that is now impersonating battellemedia.com has some really cool Internet maps like the one below.

Winn Schwartau tells the tale of a reporter finding US Gov’t classified information about the whereabouts of an aircraft carrier. Not to mention, all sorts of juicy information about the captain.

An interesting read that reminds us all that most organizations’ data is available electronically. And without proper security measures and access control to protect the sensitive data, well, anyone- even the US Gov’t, can get googled.