Privacy News Highlights

23—30 September 2005

Contents:

EU – Flaws Found in Dutch Biometric Passports

BC – Amendments Improve Selection of Privacy Commissioner

CA – RBC Probes Possible ID Theft

BC – Saanich School Board Information Breach

US – Survey: Consumers Angry After Notification Arrives About Data Breaches

US – Consumers Get Cranky at Cash Register When Asked to Provide More Than Money

US – Privacy Is Among the Concerns in a Shifting Landscape For Catalog Business

US – U.S. Do-Not-Call List Faces Criticism Over Effectiveness

AB – Important Elements of Privacy Architecture

ON – Project Management Should Be Core Competency of OPS

CA – Feds Not Aware of Impending IT Skills Shortage in Government

US – New York State Educates Government Employees About Phishing Scams

US – Oklahoma Man Wins $10 Million Judgment Against a Spammer

US – Feds Unable to Search Own Anti-Terrorism Database

US – CIOs Acknowledge Data-Sharing Struggles

WW – Monster Enhances Job-Seeker Privacy

US – Oracle CEO: Encryption Is Essential For Companies to Protect Information

US – Credit Bureaus to Adopt Encryption Standard

EU – Data Protection Chief Warns Against Data-Retention Plans

WW – The 11 Commandments of the Internet in China

ON – Premier McGuinty, Free Access to Information Is Our Right

US – Bill Would Permit DNA Collection From All Those Arrested

US – Official: Katrina Lessons Underscore Need for EMR National Database

CA – National Bank Warns Customers of Security Breach

US – U. of Ga.: Hacker May Have Student Info

UK – Report: ID Projects to Flourish

US – Judge Doesn’t Compel Credit Cards to Disclose Breaches

US – Senate Committee to Vote on Disclosing Security Breaches

WW – BitTorrent Lands $8.75 Million in Funding

US – Judge Wants Details from Visa, MasterCard on Security Breach

US – FTC Launches New Online Safety Website

WW – On Website, Women Identify Cheaters

US – Companies Strong on Cybersecurity May Get Tax Breaks

US – New Insurance Protects Data Theft

WW – Can Zero-Knowledge Tags Protect Privacy?

US – Former DHS Chief Touts RFID to Track People

US – Oracle’s Ellison Says Encryption is Key to Data Protection

WW – Credit Companies to Adopt Single Data Protection Standard

US – Mortgage Company Settles With FTC

CA – Smart Cards Still Stuck in First Gear in Government Due to Privacy Concerns

AU – Australia Proposes Smartcards for Millions of Citizens

US – New Case Reveals Routine Abuse of Government Surveillance Powers

US – FCC Extends Wiretapping Rules to Broadband Internet Services

US – Clock Ticking for ISP VoIP-tapping

WW – Skype Security and Privacy Concerns

US – TSA Decides Against Using Commercial Data to Vet Air Passengers

US – Census Awards $500 Million for 2010 Project

US – O’Connor Steps Down as DHS CPO, Calls 'Experiment' a Success

US – New York Governor Signs Law Requiring Consumer Notification of Data Breaches

US – Advocates Say New Jersey’s ID Theft Law Among Most Comprehensive

US – North Carolina Consumers Gain New ID Theft Protections

 


 

EU – Flaws Found in Dutch Biometric Passports

A recent trial in the Netherlands to test the new biometric passport has revealed several practical problems and some technical flaws. Equipped with an electronic chip containing a facial scan and two fingerprints, the technology was tested out by 14,500 passport holders in six Dutch municipalities, who were enticed into participating by the offer of a EUR10 discount on the normal cost of a Dutch passport. However, taking a digital facial photo proved so troublesome that it was decided, for the time being, to create a digital equivalent by scanning a normal analogue photo. ‘Civil servants are no professional photographers,’ said the minister for government reform and kingdom relations, who is responsible for this project. Fingerprinting children, especially babies, also proved challenging. ‘It is especially difficult to get babies to unclench their fists in order to take good prints,’ wrote the Dutch institute for applied scientific research, TNO, in a report. [Source]

 

BC – Amendments Improve Selection of Privacy Commissioner

Labour and Citizens’ Services Minister Michael de Jong introduced an amendment to the Freedom of Information and Protection of Privacy Act on September 15 to ensure the orderly selection of a new Information and Privacy Commissioner. Currently, BC is the only jurisdiction in Canada that does not allow the re-appointment of an Information and Privacy Commissioner. This amendment will bring BC into line with other Canadian jurisdictions and will give an all-party committee of the legislature the ability to consider the widest field of possible candidates for BC’s next Information and Privacy Commissioner. The government is expected to announce shortly which members from the government and the Opposition will make up the all-party special legislative committee that will search for a new Information and Privacy Commissioner for B.C. [Press Release]

 

CA – RBC Probes Possible ID Theft

RBC Dain Rauscher, a unit of Royal Bank of Canada, is investigating the possible theft of the identities of a small number of its customers. A person claiming to be a former employee of RBC Dain Rauscher sent anonymous letters to some of the company’s customers, saying their personal information had been stolen. [Source]

 

BC – Saanich School Board Information Breach 

As a result of a break-in at the Saanich School Board Office on Monday, September 19, 2005, a number of items were stolen including a small safe. Damage was also done to the two buildings affected as the thieves broke into locked and secured areas. The contents of the safe included back-up computer tapes that contained employee, financial and student information records. All information was saved in a secure manner which would require significant technical expertise and the use of specialized computer equipment and software to access. While the potential for the data to be accessed in a usable format is small, the School District is now taking steps to inform employees and parents of the theft of these backup tapes. Releasing this information sooner had the potential of compromising the police investigation. Employees will be advised to take precautionary steps to address potential identity theft. Parents will be advised that the backup tapes included student information such as names, addresses, phone numbers, courses and grades. [Press release]

 

US – Survey: Consumers Angry After Notification Arrives About Data Breaches

A national survey on data security breach notifications commissioned by the global law firm White & Case LLP shows that consumers react to how and when they learn that their information was accessed in a breach. As Congress grapples with a national notification law, at least 18 states have adopted notification laws similar to California’s law. The survey found that compliance with the notification laws can be costly to companies. The survey by the Ponemon Institute indicates that an organization’s ability to protect its reputation and maintain customer trust depends in large part on the quality of the notification. The survey of 9,154 individuals shows that many consumers were annoyed after receiving complicated notices that failed to explain what new protections are offered to safeguard personal information. The survey showed that 5% hired lawyers and 20% ended their relationship with the company. [Source]

 

US – Consumers Get Cranky at Cash Register When Asked to Provide More Than Money

Customers are increasingly stingy at the check-out when store employees ask for phone numbers, zip codes and addresses. Fearful of identity theft and eager to protect personal information, many consumers are complaining or shopping elsewhere if store clerks seek to collect information, not just money, at the cash register. [Source]

 

US – Privacy Is Among the Concerns in a Shifting Landscape For Catalog Business

In 2002, only one data privacy bill was introduced in Congress. But this year, 95 bills dealing with the topic were introduced – thrusting privacy to one of the top concerns for catalogers, according to one industry official. [Source]

 

US – U.S. Do-Not-Call List Faces Criticism Over Effectiveness

Two years after the National Do Not Call Registry took effect -- and with more than 100 million numbers enrolled -- dinner-time conversations are still being interrupted by telemarketing calls. The FTC says it receives a “steady flow” of between 1,000 and 2,000 complaints about telemarketers every day, yet few fines have been levied. [Source]

 

AB – Important Elements of Privacy Architecture

Alex Campbell, executive director for privacy and policy assessment for the Government of Alberta, recently spoke at the Government and Health Technologies Forums 2005 held in Ottawa, and outlined a set of elements that should be included in any privacy architecture. To start with, any privacy architecture has to be based on privacy standards, specifically the OECD Data Protection Principles of 1980 and the CSA Model Privacy Code of 1995. Beyond that, there is a set of elements that he said are critical to the foundation of such an architecture:

· A clear common terminology needs to be established.

· Any privacy system needs to be able to isolate and control personal identifiers.

· Information also needs to be consolidated from different organizations into one access point.

· There must be some accountability processes: logs, exception reports and other features to support the legal accountability of the organization. A set of common accountability features includes privacy impact assessments, security/threat assessments, private access, audit logs, and access control and monitoring.

· Privacy metadata must be included to record privacy-related data characteristics and policies.

· Policy automation encodes the rules and rules engines to automate routine privacy decisions at the transaction level and minimize time-consuming manual processes that have been the standard.

[Source]

 

ON – Project Management Should Be Core Competency of OPS

The Ontario government needs to pay more attention to the fact that major information technology projects are about business transformation, according to the report from a task force charged with examining the province’s approach to such projects. The Special Task Force on the Management of Large Scale Information and Information Technology Projects, chaired by former federal auditor general Denis Desautels, made a number of recommendations, including appointment of a deputy minister responsible for overseeing large IT projects, a portfolio management approach to major IT projects, more project-management training and a strong emphasis on benefits. “Major business transformation in the Ontario government is often treated merely as an IT initiative, as opposed to the complex organizational change management challenge that it actually is,” the report said. The task force recommended that the Management Board of Cabinet determine the government’s capacity for large IT-driven transformation projects and limit the number and size of concurrent projects accordingly. This goes hand-in-hand with the recommendation that the province take a portfolio management approach to IT investment and management. Desautels said some jurisdictions the task force studied give portfolio management more emphasis than Ontario does. [Source]

 

CA – Feds Not Aware of Impending IT Skills Shortage in Government

Among the recommendations that the task force has come up with is that the Ontario Public Service review the pay of IT people to increase recruiting and retention of said people. If the province takes that advice, it will be in stark contrast to what’s happening to their colleagues in the federal government. The Computer Systems Group of the Professional Institute of the Public Service of Canada was at press time taking a strike vote in response to efforts by its employer, the Treasury Board, to do away with the two to four per cent retention allowance its members have been receiving since about 2000 until their latest contract expired. The government’s perspective seems to be that it no longer needs to offer incentives to IT workers to keep them, since the grass is now greener on the public sector side of the fence post-Y2K. [Source]

 

US – New York State Educates Government Employees About Phishing Scams

William F. Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, conducted an educational phishing campaign for state workers. After sending 10,000 employees a generic advisory on phishing, the same employees received an email a month later that sought their passwords and user IDs. About 17% fell for the legitimate-looking email from state government and provided the sought-after information. State officials then followed up with a message about the exercise’s purpose and a video explaining the dangers of phishing. [Source]

 

US – Oklahoma Man Wins $10 Million Judgment Against a Spammer

On Thursday the 22nd, Robert Braver, an Oklahoma ISP owner who is a longtime activist against both spam and junk faxes, received a default judgment of over $10 million against high-profile spammer Robert Soloway and his company Newport Internet Marketing. [Source]

 

US – Feds Unable to Search Own Anti-Terrorism Database

After receiving hundreds of requests from Americans asking to know what personal information the government has obtained about them, the Transportation Security Administration (TSA) told passengers that it “does not have the capability to perform a simple computer-based search” to locate individual records. [Source]

 

US – CIOs Acknowledge Data-Sharing Struggles

Customer privacy and regulatory requirements, such as Sarbanes-Oxley Act compliance, create data-sharing complexities that are difficult to overcome in some cases, according to CIOs attending the InformationWeek fall conference. A survey of 84 executives attending the conference found that 62% said they believe their companies in the past year have made improvements in sharing customer information between business units. [Source]

 

WW – Monster Enhances Job-Seeker Privacy

Monster, an online careers and recruitment resource, announced on September 20, 2005, a series of enhancements to help job seekers find and apply for more jobs in less time, while helping to provide employers with a more robust pool of quality applicants. One of the changes includes a new privacy feature that will soon let seekers prevent their resumes from being seen by specific employers. [Press Release]

 

US – Oracle CEO: Encryption Is Essential For Companies to Protect Information

Oracle CEO Larry Ellison says businesses need to protect against security threats by encrypting their databases. Ellison predicted security risks will escalate as more companies do business on the Internet. [Source]

 

US – Credit Bureaus to Adopt Encryption Standard

The top three U.S. credit reporting companies, Equifax, Experian and TransUnion, will collaborate on a single industry standard to protect sensitive consumer data. The team approach employed by rivals is viewed as proof of the commitment companies are prepared to make to combat cyber crime. [Source]

 

EU – Data Protection Chief Warns Against Data-Retention Plans

The EU’s data protection supervisor has criticized EU plans to retain phone and email data for use in anti-terrorism investigations, saying they failed to protect civil liberties and gave a free hand to national intelligence services. British Home Secretary Charles Clarke, who is chairing the EU negotiations, has called for the 25 governments to look at curbing some civil liberties to allow for improved police investigations into suspected terror groups. [Source] [Source] [Hustinx Commentary]

 

WW – The 11 Commandments of the Internet in China

“You shall not spread rumours”, “You shall not damage state security”, “You shall not destroy the country’s reputation”. These are just three of the 11 commandments ordered by Beijing, on 25 September, aimed at bloggers and website managers. Reporters Without Borders expressed concern at this latest turn of the screw in an ongoing crackdown on freedom of expression. [Source - Reporters Without Borders]

 

ON – Premier McGuinty, Free Access to Information Is Our Right

John Tory, leader of Ontario's Progressive Conservative party, called a press conference at Queen's Park last week to expose the Liberal government's "manipulation and misuse," as he views it, of Ontario's freedom-of-information laws. This allegation, though pregnant with possibility, likely won't make the front page of your local newspaper or the evening news. All governments, to varying degrees, wrap themselves in a culture of secrecy. Some of the work they do involves confidential matters, so precautions are taken to ensure bureaucrats remain silent, that sensitive documents don't fall into prying hands and personal information is protected. However, while most of the vast paper and electronic storehouse of information collected by government is neither confidential nor personal, it's often treated the same way as the secret stuff. Since the public pays for every sheet of paper, every bit of computer memory, every binder, file, notepad and Blackberry our politicians and bureaucrats use in their work, not to mention their salaries, all their information ultimately belongs to the public. [Source]

 

US – Bill Would Permit DNA Collection From All Those Arrested

The Senate Judiciary Committee has approved an expansion of the national DNA database in a bill that would force suspects arrested or detained by federal authorities to provide a sample. Currently, only people convicted of crimes must provide a DNA sample. Privacy advocates, including civil libertarian Jim Harper, director of Information Policy Studies at the Cato Institute, oppose the expansion of the FBI-run national DNA registry. [Source] [Source]

 

US – Official: Katrina Lessons Underscore Need for EMR National Database

John Gallin, director of the National Institutes of Health Clinical Center, said a national database of e-medical records is “one of the top priorities for the health care delivery system” in the U.S. Gallin tells TIME that protecting privacy is an “absolute requirement.” [Source]

 

CA – National Bank Warns Customers of Security Breach

The National Bank of Canada is warning 700 customers to close their accounts because of the chance of fraud. A bank employee’s house was broken into, and a laptop containing client information was stolen. This raises questions among the public about identity theft and whether bank employees should be able to bring personal client information outside the establishment. [Source]

 

US – U. of Ga.: Hacker May Have Student Info

The University of Georgia said a computer hacker may have accessed the names and Social Security numbers of at least 1,600 current and former employees. The university was working with state and federal authorities to investigate the breach, which was discovered Sept. 19. [Source]

 

UK – Report: ID Projects to Flourish

Citizens and governments are on the brink of a 'new electronic era' for ID technologies, says new research. Governments are likely to face "cost overrun and system failure" in setting up new identification systems but ID projects will still proliferate, providing business for IT suppliers over the next 10 years, according to a report issued on 27 September 2005. The latest research from public sector IT analyst Kable says that over the coming decade, government departments are likely to set up a range of "medium sized" identity projects. Similar schemes to the £72m DWP customer information system and the £200m Every Child Matters child protection identity system are likely to be initiated, says the report titled Identity markets in the UK public sector. Also, by 2008 governments across Europe will have rolled out key components of major ID card projects. The UK ID card initiative is by far the most expensive at £5.8bn according to official estimates, compared to France, which costs its scheme at £700m, and Spain (£300m). [Source]

 

US – Judge Doesn’t Compel Credit Cards to Disclose Breaches 

Visa and MasterCard won’t have to inform customers that their personal details were exposed in a high-profile data security breach -- at least for now, a judge ruled. San Francisco Superior Court Judge Richard Kramer denied a request for a preliminary injunction that would require the credit card companies to tell individual California credit card holders that their accounts are at risk of fraud after a widely publicized digital break-in at CardSystems Solutions. [Source]

 

WW – BitTorrent Lands $8.75 Million in Funding

The creator of the popular online anonymous file-swapping software BitTorrent has lined up $8.75 million in financing from a venture capital firm in a bid to build his software into a commercial distribution tool for media companies. [Source]

 

US – Judge Wants Details from Visa, MasterCard on Security Breach

A judge has asked Visa and MasterCard to disclose details about their relationship with CardSystems Solutions, the payment processor that was the subject of a high-profile data security breach. The information, such as contracts between the companies, should help determine whether the credit card companies have responsibility under California law to notify consumers whose personal details were exposed in the CardSystems breach, a San Francisco Superior Court Judge said during a court hearing. [Source]

 

US – FTC Launches New Online Safety Website

The Internet Education Foundation (IEF) has teamed with the Federal Trade Commission to provide safety information for the Commission’s new public service Web site OnGuardOnline.gov. Founded by CDT President Jerry Berman, IEF created and operates the groundbreaking Internet safety site GetNetWise.org. OnGuardOnline.gov will draw on IEF’s extensive database of tools, tips and guidelines recommended to help consumers fight spyware, guard their personal information, enhance their computer security, prevent unwanted e-mail, and protect their children online. [GetNetWise] [OnGuardOnline]

 

WW – On Website, Women Identify Cheaters

It reads like the FBI’s Most Wanted list, complete with mug shots, physical descriptions, aliases and modus operandi of alleged perpetrators. But the fugitives listed on www.dontdatehimgirl.com aren’t evading law enforcement. They’re on the run from wives, girlfriends and lovers. [Source]

 

US – Companies Strong on Cybersecurity May Get Tax Breaks

Congress may offer tax breaks to companies that adopt good cybersecurity standards, the chairman of a House of Representatives subcommittee said. But in legislating cybersecurity guidelines, lawmakers should avoid heavy-handed regulations, Rep. Dan Lungren, a California Republican, said. [Source]

 

US – New Insurance Protects Data Theft

Some insurance companies have begun providing mass-mailing organizations with data theft insurance. This insurance covers damages caused by external break-ins, especially breaches that occur because of unauthorized online access. Insurance premiums are based on the results of a third-party security audit, the type of services provided by the mailer, and the mailing company's annual revenue. As a result of recent high-profile security breaches, many banks, credit card firms, nonprofits, and securities brokers are requiring better data security and protection standards from their mailers. [Source]

 

WW – Can Zero-Knowledge Tags Protect Privacy?

A Danish startup is developing an RFID system that uses a zero-knowledge authentication protocol to protect consumer privacy, while allowing an item’s tag to remain alive. [Source]

 

US – Former DHS Chief Touts RFID to Track People

Former Department of Homeland Security (DHS) Secretary Tom Ridge tells RFID manufacturers and users of the tracking technology that its use will make Americans safer. Ridge also said the government could be trusted to protect the personal information amassed from RFID tags. [Source]

 

US – Oracle’s Ellison Says Encryption is Key to Data Protection

Oracle CEO Larry Ellison says organizations need to look more closely at how they encrypt their databases to protect against security threats. Addressing an audience at Oracle OpenWorld, Ellison stressed that security risks will continue to increase as more companies put business applications on the Internet. [Source]

                                                         

WW – Credit Companies to Adopt Single Data Protection Standard

The top three US credit reporting companies said yesterday that they would adopt a single, shared encryption standard to better protect the huge amounts of sensitive electronic data they receive every day from banks, retailers, and credit-card companies. The joint effort would involve the development and adoption of a data-cloaking code built on encrypted algorithm and 128-bit, secret-key technologies. [Source]

 

US – Mortgage Company Settles With FTC

A New Jersey-based lender, Superior Mortgage Corp., has settled Federal Trade Commission (FTC) charges that it violated federal law by failing to provide security for sensitive information. The FTC also alleged that sensitive personal data was not properly encrypted despite the lender's claim that the information was encrypted. The FTC's Safeguards Rule requires financial institutions to adopt reasonable policies and procedures to secure the confidentiality of personal information. [Source]

 

CA – Smart Cards Still Stuck in First Gear in Government Due to Privacy Concerns

Smart cards have been with us for more than a decade, but they haven't exactly taken the public sector by storm. Yet there are some pockets of activity. On university campuses, smart cards are widely used for simple payment applications such as photocopying, and in some cases more broadly. At Mount Royal College in Calgary, for instance, smart cards are the official identification for faculty, staff and students, and provide access to libraries, food services and laser printers. For Toronto-based smart card technology vendor ITC Systems, universities are a major market. Cam Richardson, ITC's chief executive, says many campuses use the cards for a combination of access and payment. But most choose simpler memory cards as opposed to those containing microprocessors, he says, because of their lower cost. Transportation is also promising; smart cards can replace tickets and cash payment in what is sometimes called e-ticketing. GO Transit and other Toronto-area transit agencies are working on plans for a regional system. The GTA Farecard, now under the auspices of the provincial Ministry of Transportation, is intended for use on transit systems from Hamilton in the southwest to Durham region in the east, with the first phase of implementation scheduled for early 2007. [Source]

 

AU – Australia Proposes Smartcards for Millions of Citizens

The Australian government is working on a proposal to deploy smart cards to millions of citizens under a project to slash administrative costs and crack down on identity theft. All Australian federal public servants may be asked to carry a single chip-equipped identity card, which would replace the plethora of identification tokens that currently exist across the public service. More details would be made public in the next few months. The Department of Human Services and AGIMO (the Australian Government Information Management Office) are collaborating to develop these plans. [Source] [Source]

 

US – New Case Reveals Routine Abuse of Government Surveillance Powers

The Electronic Frontier Foundation (EFF) is arguing that a New York federal court should stand by its decision to require probable cause to believe a crime has been or is about to be committed before letting the government secretly track people using their cell phones. [Source]

 

US – FCC Extends Wiretapping Rules to Broadband Internet Services

Late on Friday, September 23, the Federal Communications Commission issued a lengthy order explaining and attempting to justify its August 5 decision to force broadband Internet access and “interconnected VoIP” services to be designed to make government wiretapping easier, under the terms of the 1994 Communications Assistance for Law Enforcement Act (CALEA). [FCC CALEA Order]

 

US – Clock Ticking for ISP VoIP-tapping

The FCC admits it’s on shaky legal ground, but is pressing ahead with a plan to force all providers of Internet access to allow monitoring of Internet telephony. [Source]

 

WW – Skype Security and Privacy Concerns

Software that says it’s completely secure, but without a good way to verify that claim, now owned by a company that will basically give up an astonishing amount of personal information about you at the slightest peep from the authorities. This looks and smells bad. [Source]

 

US – TSA Decides Against Using Commercial Data to Vet Air Passengers

Days after a critical report was filed by a working group, the Transportation Security Administration announced that it would not use commercial databases in the screening of airline passengers, at least not in the first phases of the program, known as Secure Flight.  The working group of privacy, computer security and national security experts concluded that TSA had not yet defined basic goals and procedures of the program, and that until it did it was impossible to assess privacy and data security issues. [SFWG final report] 

 

US – Census Awards $500 Million for 2010 Project

The Census Bureau has awarded a six-year, $500 million contract to Lockheed Martin to capture and standardize 2010 census data. The 2010 Census Decennial Response Integration System (DRIS) will include developing an option for filing census questionnaire responses through the Internet, according to a bureau press release. "The contract also includes systems, facilities and staffing to capture and standardize census data via paper census forms, telephone and the Internet," according to the release. Lockheed Martin is teaming with IBM, Computer Sciences Corp., Pearson Government Solutions and several other companies. The contract is a cost-plus, award-fee contract with firm fixed-price elements. [Source]

 

US – O’Connor Steps Down as DHS CPO, Calls 'Experiment' a Success

Nuala O'Connor Kelly, who won praise for protecting Americans' privacy rights at the Department of Homeland Security but drew criticism for her office's lack of independence, announced she will step down this week after two years as the department's first chief privacy officer. [Source]

 

US – Senate Committee to Vote on Disclosing Security Breaches 

The Senate Judiciary Committee expects to vote on legislation making it a crime for data brokers to conceal a security breach involving personal data and increasing penalties for computer fraud when the act involves personal data. The bill adds a legal bite to legislation already approved by the Senate Commerce Committee in July requiring data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a “reasonable risk” of identity theft involved in the breach. [Source]

 

US – New York Governor Signs Law Requiring Consumer Notification of Data Breaches

Gov. George Pataki signs a bill this week that requires mandatory notification of consumers if businesses or government releases private information, such as Social Security number, driver’s license number or financial account information. When 5,000 or more residents are affected by a security breach, the state attorney general, other state officials and consumer reporting agencies must be notified. Violations of the law could result in civil enforcement by the attorney general, who could seek restitution for the victims and fines against violators. The law takes effect in December. [Source]

 

US – Advocates Say New Jersey’s ID Theft Law Among Most Comprehensive

Acting Gov. Rich J. Codey has signed a bill that the San Diego-based Privacy Rights Clearinghouse considers one of the most aggressive measures to fight ID theft. The new law, which takes effect Jan. 1, gives consumers the power to place a security freeze on their credit reports. It also limits how and when businesses may publicly display the Social Security numbers of customers. [Source]

 

US – North Carolina Consumers Gain New ID Theft Protections

Businesses are prohibited from using Social Security numbers to identify customers under a new identity theft bill signed by Gov. Mike Easley. The measure requires businesses not to print Social Security numbers on documents, such as health insurance cards. The law also requires businesses to notify customers after security breaches expose personal information. [Source]

 

 
