Category Archives: Security

UCLA privacy scandal widens, state threatens crackdown

The Los Angeles Times reports that the “repeated” and “extended” nature of the violations is giving lawmakers the energy to introduce a new set of state laws:

In part because of the breaches, Gov. Arnold Schwarzenegger has endorsed legislation that would impose penalties on hospitals and healthcare workers for breaching patient privacy.

“Californians have every right to expect their medical records to be safeguarded and protected, and I am alarmed about repeated violations of patient confidentiality and the potential harm to the citizens of this state,” Schwarzenegger said in a statement. “By putting financial penalties in place for those employees and facilities that do not follow these laws, this legislation will lead to better care for all Californians.”

Under the legislation, being carried by Sen. Elaine Alquist (D-Santa Clara) and Assemblyman Dave Jones (D-Sacramento), healthcare workers who unlawfully view patient records would be fined from $1,000 to $250,000, depending on the seriousness of the violation. Hospitals and other health facilities would face fines of $25,000 to $250,000 for similar violations.

The legislation also would increase penalties for hospitals found to have put patients in jeopardy of harm or death, to $100,000 from $25,000.

Whether or not you agree with HIPAA, it is clear that the CA law that forced breach notification has been the most effective rule to date for information security practices and privacy. It will be interesting to see the effect of another CA privacy law dedicated to healthcare. Note that the governor recently struck down a PCI-like bill in CA because, he said, the private sector was regulating itself well enough and did not need duplicate legislation or interference. So, for now, PCI might seem ugly to some, but it is what an industry can do to keep ahead of hot-button topics for elected officials.

Food Safety Governance in America

US Representative Sam Farr recently posted some interesting data on food safety in America:

Three Committees with jurisdiction over food safety legislation continue to hold hearings. The Agriculture Subcommittee on Horticulture and Organic Agriculture held a hearing to review the legal and technological capacity for full traceability in fresh produce while the Energy and Commerce Subcommittee on Investigation and Oversight held a hearing regarding the Recent Salmonella Outbreak: Lessons Learned and Consequences to Industry and Public Health. The Agriculture Appropriations Committee on which I sit will hold hearings in September on the Food and Drug Administration’s (FDA) amended budget request asking for an additional $125 million in spending and an additional 259 employees relating to its food safety mission.

While I don’t believe it will happen this year, it likely will occur in the next Congress. There have been ninety-five (95) different bills introduced in the 110th Congress just to let you know of the myriad of ideas being discussed to reorganize the 15 federal agencies collectively administering at least 30 laws related to food safety as identified by the Government Accounting Office (GAO). Streamlining and modernizing this system is paramount if we are ever to achieve accountability while maintaining a safe and wholesome food supply.

I have not had time to digest the details, so I wonder first of all if anyone has proposed that the food safety systems report under Homeland Security.

Payment Card Loss “Impossible to Quantify”

According to Attorney General Michael Mukasey, no number can be given to quantify the amount of losses. And yet, the attacks were apparently simple:

[US Attorney] Sullivan said the alleged thieves weren’t computer geniuses, just opportunists who used a technique called “wardriving,” which involved cruising through different areas with a laptop and looking for accessible wireless Internet signals. Once they located a vulnerable network, they installed so-called “sniffer programs” that captured credit and debit card numbers as they moved through a retailer’s processing networks.

The information was stored on two servers in Ukraine and Latvia — one with more than 25 million credit and debit card numbers and another with more than 16 million numbers, Sullivan said.

Homeland Security Secretary Chertoff is quoted in the article stating that an identity is “each individual’s greatest asset”. He alleged this “demonstrated the weaknesses of cybersecurity in the US”.

I guess he is not paid to speculate about other countries, but surely this is a worldwide weakness. Perhaps he is referring to the investigation tactics used in the US and some particular issues:

Gonzalez was a U.S. Secret Service informant who helped the agency take over a Web site being used to transmit stolen identifiers and stolen credit card numbers, U.S. Secret Service Director Mark Sullivan said at the news conference.

“That was the first time ever that a computer system was wiretapped,” he said.

But he said the Secret Service later found out that Gonzalez had also been feeding criminals information about ongoing investigations — even warning off at least one person.

“Obviously, we weren’t happy that a person working for us as an informant was double-dealing,” Mark Sullivan said.

Well, at least they caught him.

Gun Shot Detection Stats and Issues

Apparently, with 100 miles of listening coverage, ShotSpotter claims a June average of 85 gunshots detected per night across 30 cities, including Chicago, Minneapolis, Washington and Oakland.

Their technology is based upon earthquake monitoring systems (and we know how accurate those are). It uses a network of listening sensors to identify sound wave patterns, triangulate them, and then notify nearby law enforcement. The company marketing page makes some bold claims:

…ShotSpotter systems are not fooled by noises which sound like gunfire but are misleading (like car backfires, firecrackers, etc.). Similarly, the technology filters out echoes and other acoustical anomalies. Using a continuous feedback loop which constantly adjusts sensor trigger and other parameters, ShotSpotter is able to deliver instantaneous system reports to dispatchers within seconds of a weapon being fired.

Seems like a good thing, but I wonder if the sensors can be turned on for other listening purposes. The low density of sensors might be one key factor that limits this type of use today.

My guess is that with only 8-12 sensors needed per square mile, a sound would have to be very loud to be noticed. Some articles say it has only an 80-ft accuracy. This could be by design, but probably has more to do with cost savings, and 12 is apparently still sufficient to hear gunshots inside homes. Besides, more sensors could always be deployed. I just imagine someone will eventually want to tune the system to listen for certain words like “bomb”, gang slang, or drug terms.
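The triangulation step described above can be illustrated with a small time-difference-of-arrival (TDOA) solver. This is an added example written for this post, not ShotSpotter’s code. It assumes a flat 2-D area, a constant speed of sound of 343 m/s, synchronised sensor clocks, a constructed 3x3 sensor grid spaced 800 m apart (nine sensors over roughly a square mile, inside the 8-12 range quoted above), and Gaussian timing jitter as the only error source. It fits the shot position and emission time jointly by Gauss-Newton, then measures how the position error grows with timing jitter, which is the lever that actually decides whether “80-ft accuracy” is achievable at a given sensor density.

```python
"""Toy TDOA localization of an impulsive sound (added illustration, not ShotSpotter's code)."""
import math
import random

SPEED_OF_SOUND = 343.0  # m/s in air near 20 C (assumption; real systems correct for weather)


def grid_sensors(side_m=1600.0, per_side=3):
    """Constructed layout: per_side x per_side sensors over a square of side_m metres."""
    step = side_m / (per_side - 1)
    return [(i * step, j * step) for i in range(per_side) for j in range(per_side)]


def arrival_times(source, sensors, t_emit=0.0, jitter_s=0.0, rng=None):
    """Simulate when each sensor hears an impulse emitted at `source` at t_emit."""
    if rng is None:
        rng = random.Random(0)
    return [t_emit + math.hypot(source[0] - sx, source[1] - sy) / SPEED_OF_SOUND
            + (rng.gauss(0.0, jitter_s) if jitter_s else 0.0)
            for sx, sy in sensors]


def _solve(a, b):
    """Solve the small dense system a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-15:
            raise ValueError("degenerate sensor geometry")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][k] * x[k] for k in range(i + 1, n))) / m[i][i]
    return x


def _cost(sensors, times, x, y, t0):
    return sum((math.hypot(x - sx, y - sy) / SPEED_OF_SOUND + t0 - t) ** 2
               for (sx, sy), t in zip(sensors, times))


def locate(sensors, times, max_iter=50):
    """Gauss-Newton fit of (x, y, t0) minimising sum_i (|p - s_i|/c + t0 - t_i)^2."""
    if len(sensors) < 4:
        raise ValueError("need at least four sensors for an overdetermined 2-D fit")
    # Start near the three sensors that heard the shot first; they bracket the source.
    first = sorted(zip(times, sensors))[:3]
    x = sum(s[0] for _, s in first) / 3
    y = sum(s[1] for _, s in first) / 3
    if any(math.hypot(x - sx, y - sy) < 1.0 for sx, sy in sensors):
        x, y = x + 1.0, y + 1.0  # keep the Jacobian finite if the guess sits on a sensor
    # t0 enters linearly, so its best value for a fixed position is a plain mean.
    t0 = sum(t - math.hypot(x - sx, y - sy) / SPEED_OF_SOUND
             for (sx, sy), t in zip(sensors, times)) / len(sensors)
    cost = _cost(sensors, times, x, y, t0)
    for _ in range(max_iter):
        jtj = [[0.0] * 3 for _ in range(3)]
        jtr = [0.0] * 3
        for (sx, sy), t in zip(sensors, times):
            d = max(math.hypot(x - sx, y - sy), 1e-6)
            r = d / SPEED_OF_SOUND + t0 - t
            j = ((x - sx) / (d * SPEED_OF_SOUND), (y - sy) / (d * SPEED_OF_SOUND), 1.0)
            for a in range(3):
                jtr[a] += j[a] * r
                for b in range(3):
                    jtj[a][b] += j[a] * j[b]
        step = _solve(jtj, [-v for v in jtr])
        scale = 1.0
        while scale > 1e-4:  # backtracking keeps every iteration a cost decrease
            nx, ny, nt = x + scale * step[0], y + scale * step[1], t0 + scale * step[2]
            ncost = _cost(sensors, times, nx, ny, nt)
            if ncost < cost:
                break
            scale /= 2
        else:
            break  # no improving step left: converged
        x, y, t0, cost = nx, ny, nt, ncost
        if scale * max(abs(step[0]), abs(step[1])) < 1e-4:
            break
    return x, y, t0


def localization_error(sensors, source, jitter_s, trials=20, seed=1):
    """Mean distance (m) between true and fitted position over random jitter draws."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        fx, fy, _ = locate(sensors, arrival_times(source, sensors, jitter_s=jitter_s, rng=rng))
        total += math.hypot(fx - source[0], fy - source[1])
    return total / trials


if __name__ == "__main__":
    grid = grid_sensors()
    shot = (1000.0, 600.0)  # constructed shot position inside the grid
    for jitter_ms in (0, 1, 5, 20):
        print(f"timing jitter {jitter_ms:2d} ms -> mean error "
              f"{localization_error(grid, shot, jitter_ms / 1000.0):.1f} m")
```

Timing jitter is the stand-in here for everything that blurs a real deployment (clock drift between sensors, temperature and wind changing the speed of sound, echoes that trip a sensor late). The toy leaves all of those out, so its errors are optimistic; what it does show is that the achievable accuracy is set by sensor spacing, synchronisation and geometry, not by whether the bang was detected at all.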

Nonetheless, unlike cameras, which are criticized widely for full-scale surveillance in their typical setup, a sound-based system has the advantage of being tunable for known-bad activity. In that sense, it is easy to see how it grew out of earthquake sensing.

Coupled with cameras, sound sensors could in theory allow cameras to use the same known-bad activation, bringing automation and reducing privacy concerns of cameras. When a shot is fired, it would then spin up cameras and start recording in a specific direction. Even more into the future, imagine drones and/or robots that spring to life when they hear a sound and rush to a scene to start recording video.

Back to current issues, KCBS reports a “successful” use of the technology in San Francisco:

“Even though the young man ran after the shooting, meaning he wasn’t at the location where the shooting occurred, the shot spotter technology pinpointed exactly where that shooting occurred. In this case it worked perfectly, exactly how it’s intended to work,” said Mannina.

The technology also allowed officers to secure physical evidence that they otherwise would not have found, had the new technology not been up and running.

ShotSpotter was used again early Monday morning when a gunshot was fired inside a house on Ceres Street. Several people were inside the house at the time, including a couple of small children, but no one was hurt. Police did arrest one person inside the house.

I like how officers are coupling technology with existing forensics processes to increase the accuracy of their investigations, but it raises the question of the accuracy of their information. I am sure it has already gone to trial, but I wonder how people have argued the accuracy of the sound triangulation system?

Oakland is reported to have spent almost $400K on 84 sensors ($4,620/sensor) in 2006, and as a result was faced with a data analysis problem:

In its first year, the system detected nearly 3,000 gunshots, overwhelming city dispatchers. To counter the deluge, the police department worked with ShotSpotter to develop a mobile system through which officers would monitor alerts through laptops in patrol cars.

Interesting solution. Officers were equipped with more localized data, rather than having it route through a central dispatch system. Again, this could reduce privacy issues if local officers have to tie sounds to a case and thus no long-term central storage system is maintained.
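The dispatcher overload described above is the same alert-flood problem any monitoring system hits, and the usual first fix is correlation: collapse a burst of related detections into one incident before anyone is paged, then hand that incident to whoever is closest. The following is an added example for this post, not ShotSpotter’s or Oakland PD’s software; the 30-second window, 150 m radius, detection timeline and patrol-car positions are all constructed.

```python
"""Correlate bursts of gunshot detections into incidents and route each to the nearest unit.
Added illustration with constructed data; not any vendor's or department's code."""
import math
from dataclasses import dataclass, field


@dataclass
class Detection:
    t: float  # seconds on a constructed timeline
    x: float  # metres east of a local origin
    y: float  # metres north


@dataclass
class Incident:
    detections: list = field(default_factory=list)

    def centroid(self):
        n = len(self.detections)
        return (sum(d.x for d in self.detections) / n,
                sum(d.y for d in self.detections) / n)


def correlate(detections, window_s=30.0, radius_m=150.0):
    """Each detection joins the first open incident whose latest detection is within
    window_s and whose centroid is within radius_m; otherwise it opens a new incident.
    A multi-round shooting therefore becomes one alert rather than one per round."""
    incidents = []
    for det in sorted(detections, key=lambda d: d.t):
        for inc in incidents:
            cx, cy = inc.centroid()
            if (det.t - inc.detections[-1].t <= window_s
                    and math.hypot(det.x - cx, det.y - cy) <= radius_m):
                inc.detections.append(det)
                break
        else:
            incidents.append(Incident([det]))
    return incidents


def route(incidents, units):
    """Pick the nearest unit for each incident; returns [(unit_id, incident), ...]."""
    assigned = []
    for inc in incidents:
        cx, cy = inc.centroid()
        unit = min(units, key=lambda u: math.hypot(units[u][0] - cx, units[u][1] - cy))
        assigned.append((unit, inc))
    return assigned


# Constructed sample: five rounds in ten seconds at one corner, one unrelated shot
# across town during that burst, and a single shot at the first corner 25 minutes later.
SAMPLE_DETECTIONS = [
    Detection(0.0, 1200.0, 400.0),
    Detection(2.0, 1210.0, 395.0),
    Detection(3.0, 1195.0, 410.0),
    Detection(4.0, 2500.0, 2800.0),
    Detection(6.0, 1205.0, 402.0),
    Detection(9.0, 1198.0, 398.0),
    Detection(1500.0, 1202.0, 401.0),
]
PATROL_UNITS = {"car-A": (1000.0, 500.0), "car-B": (3000.0, 3000.0)}  # constructed positions


def dispatch(detections=SAMPLE_DETECTIONS, units=PATROL_UNITS):
    """Return (unit, rounds, centroid) per incident; the 7 sample detections become 3 incidents."""
    return [(unit, len(inc.detections), inc.centroid())
            for unit, inc in route(correlate(detections), units)]


if __name__ == "__main__":
    for unit, rounds, (x, y) in dispatch():
        print(f"{unit}: {rounds} round(s) near ({x:.0f}, {y:.0f})")
```

The window and radius are the tuning knobs: too tight and one shooting pages the same car six times, too loose and two unrelated events merge into one. The same trade-off governs alert grouping in a SIEM, which is why the page’s comparison to security event monitoring holds.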

It does not surprise me much that the success of the system is said to depend on the talent, availability and training of those tasked with using it. This is just like any security logging and event monitoring technology:

ShotSpotter has proven more effective in some cities than in others. In North Charleston, S.C., for example, city officials say it helped to reduce the number of violent crimes in some of the more-dangerous neighborhoods by 35 percent in 2004.

But some larger cities have faced more limitations. Some Oakland lawmakers say that ShotSpotter has resulted in fewer than a dozen arrests since it was installed. The problem, they say, is that police don’t dedicate enough resources to follow up on the shooting calls.

Oh, well, I guess there still is no silver bullet solution. It is still a very interesting technology to watch, and I think it does far better integrated into other processes, rather than trying to stand on its own.