Privacy News Highlights
24 February–03 March 2006
Contents:
WW – New Facial Recognition Technology Used To ID Unruly Bar Patrons
CA – Eminent Canadians Call for Review of Cases of Canadians Detained Abroad
CA – Saskatchewan Private-Sector Privacy Law Proposed
US – California Lawmakers Consider Internet Ban On Sale Of Phone Records
WW – Interest Groups Unite to Oppose Bulk E-mailing Fee
WW – AOL Vows to Institute Fee-Based E-Mail Despite Protests
EU – Data Protection Working Party Releases Email Screening Report
EU – Data Protection Supervisor Issues Opinion on Exchange of Police Information
EU – UK Info Commissioner Offers Professionals Guidance about Recording Opinions
UK – Man Fined For Violating Privacy Law
UK – Parents to Get Online Check of 8m Child Workers Records
US – Florida Justices Hold Hearings to Explore Privacy Impacts of Technology
US – Online Medical Records Raise Privacy and Security Concerns
US – Bill to Promote Electronic Health Records
US – Bush Official Lauds California Health-Tech Plan
US – Ernst & Young Reveals 5 Laptops Stolen Contained Personal Information
WW – IBM-Led Project Aims To Fight Identity Theft
WW – Project Higgins: IBM Security to Help Users Control Access to Their Data
US – Group Dissects ID Theft to Help Individuals, Companies
WW – Cyber Crooks Use Keylogging Programs More Frequently
AU – Australian Committee Issues TPM Implementation Report
WW – Google Acknowledges New Search Software Could Pose Potential Privacy Risk
US – As Tax Season Approaches, Fake IRS E-mails Proliferate
AU – Corruption Watchdog Subject of Privacy Commissioner’s First Compliance Notice
US – CardSystems Agrees to Tighter Security After Data Theft
US – Senators Press for Details of NSA Spying
US – NY Times Files Suit Against Defense Dep’t Over Spying
US – Government Not Entitled to Google Records, CDT Argues
US – Survey Reviews Trust in U.S. Gov’t Department e-Security
CA – Canada May Face Shortage of RFID Implementers
US – Panel Participants: Data Security Key to Success of RFID
WW – Panelists: Expansion of RFID Technology Increases Privacy, Security Risks
EU – Spain Implements National Electronic ID Card
CA – Privacy Commissioner of Canada Issues Video Surveillance Guidelines
US – Justice Department Rejects Google's Privacy Concerns
US – Arizona Senate Approves Security Breach Notification Measure
US – Minnesota AG, Lawmakers Set to Unveil ‘Consumer Privacy Protection Package’
US – New Montana Privacy Law Takes Effect March 1st
WW – Corporations Fail to Enforce Net Acceptable Usage Policies
A new technology, BioBouncer,
is helping some bar owners identify repeat rabble-rousers by snapping a picture
of a customer’s face and then comparing it against a database of known thugs.
The technology allows bars to share databases through a private network. Privacy
groups object to the use of the software. [Source]
In an open letter to Prime
Minister Harper, a group of eminent Canadians have called for a thorough review
and account of involvement by Canadian public officials. The letter was signed
by: Warren Allmand (former Solicitor General); Lloyd Axworthy; Allan Blakeney;
Ed Broadbent; Joe Clark; and others.
Bill 207, The Personal
Information Protection and Identity Theft Prevention Act, is intended to be
"substantially similar" to PIPEDA and is based on
Web sites that sell private
cell phone records are the target of a legislative effort in
A coalition of unlikely
partners, including MoveOn.org Civic Action, Gun Owners of America and
Association of Cancer Online Resources, have joined forces to fight AOL's plan
to charge businesses for commercial e-mail. Calling the plan e-mail taxation,
the 50-member coalition – with combined membership of more than 15 million –
says e-mail from thousands of small businesses and non-profits could be blocked
if they don't pay. [Source]
AOL is vowing to carry out its
plans to institute fees for mass senders of e-mail, despite protests from groups
representing 15 million people that claim the move will stifle communications
instead of merely halting spam. Political group MoveOn.org Civic Action, the
AFL-CIO labour union, and other organizations have criticized the service, which
will charge senders a fee to route their messages directly to AOL users'
mailboxes without first passing through AOL junk mail filters. [Source]
The European Union Data
Protection Working Party has released new recommendations on email screening
practices including screening for viruses, spam, and certain content. The report
expresses concern with the false positive problem on spam filtering. Moreover, it is of the view that "email
providers are prohibited from engaging in filtering, storage or any other kinds
of interception of communications and the related traffic data for the purposes
of detecting any predetermined content without the consent of the users of the
services." [Source] [Report]
The European Data Protection
Supervisor (EDPS) has issued an Opinion on the proposal for a framework decision
on the exchange of information under the principle of availability. Introduced
by the Hague program, the principle of availability means that information that
is available to law enforcement authorities in one Member State should also be
made accessible for equivalent authorities in other Member States. The principle
raises a number of data protection issues, notably because of the sensitivity of
the data and the reduced control of the use of the information. [Opinion]
[Source]
Teachers, social workers and
doctors now have some new
guidance about complying with the Data Protection Act when recording their
professional opinions in people’s files. The deputy commissioner said that the
act gives everyone the right to review information held about them, including
opinions. The guidance instructs professionals to make it clear that the
information is an opinion as well as who gave it and when. [Source]
The Information Commissioner’s
Office has fined a man who unlawfully obtained information related to an
individual’s bank account. The man had pleaded guilty to violating the 1998 Data
Protection Act. The 1998 Data Protection Act makes it an offense to “knowingly
or recklessly, without the consent of the data controller, to obtain or disclose
personal data.” [Source]
The UK Government announces
plans for a massive data, security and privacy own goal, in the shape of the Safeguarding Vulnerable Groups Bill. The
Bill, which is intended to widen and centralise the vetting of people working
with children (approximately 8 million individuals), will allow employers,
including parents hiring nannies and childminders, to check the records of
potential employees online. [Source]
[Source]
As the Supreme Court in
Individuals' medical records
are slated to begin migration to online systems in
In an effort to dramatically
expand the use of "electronic health records," a key US House chairman said he
will propose legislation to promote their use in the federal employee health
insurance program. Rep. Jon C. Porter (R-Nev.), chairman of the House federal
workforce subcommittee, wants to create an e-health records system for nearly 8
million federal workers and their families. Creating a system for this many
workers would encourage insurance companies to expand the concept for
private-sector patients, according to Porter. The bill would provide some
start-up financing for the insurance companies. Porter noted that the Health and
Human Services Department and the Office of Personnel Management are working to
strengthen privacy-protection rules for an e-medical records system. [Source]
[Source]
Dr. David J. Brailer,
President Bush's National Coordinator for Health Information Technology,
recently praised the California Regional Health Information Organization for its
progress in linking health-care data networks. Brailer noted that he favors the
approach that involves expanding partnerships among state and regional efforts
to achieve progress in linking hospitals, doctors and pharmacies. Brailer warned
that supporters of the "organic" approach must demonstrate progress - while
building confidence that the system includes safeguards for patient privacy -
within two years. By then, pressure in
Ernst & Young has
acknowledged that it has lost a laptop computer containing customer data,
including Social Security numbers. The company informed affected customers
of the loss and potential data security breach, but the loss was not made
public until recently. The computer was stolen from an employee's locked
car. Scott McNealy, Sun Microsystems CEO, was reportedly among those
affected. Speaking at the RSA security conference, McNealy indicated that
he had been notified that his data were among some lost, and added that the
company that lost the data is employed by Sun to determine its
Sarbanes-Oxley compliance. In addition, four Ernst & Young laptop computers
were stolen from a conference room on February 9, 2006. A surveillance
camera caught footage of the laptop thieves, who were able to enter the room
due to a built-in delay in the room's door locking mechanism.
[Source] [Source] [Source] [Source] [Source]
A group led by IBM has
unveiled a project to develop software that will allow people to manage their
personal information on the Internet, the latest effort to combat identity theft
and simplify how users access Web-based services. The open-source software
project, dubbed Higgins, comes a few weeks after Microsoft announced a similar
approach called InfoCard. Both efforts aim to help people secure their online
identities by managing personal information, bank accounts, and contact lists.
[Source]
IBM says that users should
have more control of the information that businesses store about them. IBM is
working on the project with open-source software vendor Novell,
A group of ID theft experts
from law enforcement and other disciplines have formed the Identity Theft
Prevention Special Interest Group. One of the group’s first goals was to break
down the loosely used term ID theft into specific ID theft crimes. For example,
one way criminals commit ID theft is to take over existing accounts. Another
method involves the use of someone’s identity to open up new accounts. The group
is tackling prevention by making free documents available to individuals and
businesses that explain best practices for the receipt, communication and
storage of personally identifiable information. [Source]
Phishing is not the scam of
choice among some cybercriminals who have turned their attention instead to
malicious software programs that secretly capture keystrokes of computer users.
In
The Australian House Standing
Committee on Legal and Constitutional Affairs has released its report on the
inquiry into technological protection measures exceptions entitled Review of
technological protection measures exceptions. The report takes a strong user
perspective incorporating 37 recommendations for exceptions and consumer
protections. [Report]
Google said last week that his
company’s new “Search
Across Computers” feature could compromise a user’s privacy. However, the
potential data leaks were a problem for IT administrators to handle. Businesses
must adopt security policies and strategies to keep internal data from leaking
out - especially as the line blurs between personal and work use of computers,
he maintained. [Source]
Marketing pitches masquerading
as the 1099 forms detailing non-payroll income have been arriving in taxpayer
mailboxes, while e-mails that appear to be from the Internal Revenue Service are
really identity theft scams designed to collect personal financial information.
Government officials say they are currently seeing about one widespread
IRS-themed e-mail scam a week, but Internet security experts expect them to
escalate as the April 15 tax deadline nears. [Source]
A data breach that left 40
million customer accounts vulnerable to hackers will lead to tighter security
measures to protect millions of credit and debit card users, Federal Trade
Commission officials said. CardSystems Solutions Inc. has settled charges that
the company broke the law by failing to ensure adequate safeguards for sensitive
customer information. [Source]
The New York Times sued the
U.S. Defense Department on Monday demanding that it hand over documents about
the National Security Agency's domestic spying program. The Times wants a list
of documents including all internal memos and e-mails about the program of
monitoring phone calls without court approval. It also seeks the names of the
people or groups identified by it. [Source]
In the dispute over the
federal government's demand that Google turn over millions of search terms to
assist the government in its defense of an Internet censorship law, CDT filed a
brief
arguing that, in its search function, Google is covered by the Electronic
Communications Privacy Act, which prohibits certain online service providers
from disclosing customer records under the kind of subpoena the government is
using in this case. See also the Department of Justice brief, the Law
Professors' brief, and the Google brief. [Source]
The Ponemon Institute has
issued its 2006 Privacy Trust Study of the United States Government. The report
ranks public perception of the privacy protection practices of 57 federal
agencies, based on responses to various survey questions. The least-trusted
federal agencies, starting from the bottom, are: the Department of Homeland
Security, the Transport Security Administration, the CIA, the Department of
Justice, the Office of the Attorney General, the National Security Agency, the
Bureau of Citizenship & Immigration, and the Federal Bureau of Prisons. The
Ponemon Institute’s government privacy study has found that Americans rate the
U.S. Postal Service as the No. 1 government agency for protecting personal
privacy. [Source] [Source]
Lack of qualified personnel
could slow technology's progress – Experts warn that we can expect a shortage of
qualified personnel to install and run RFID when demand for the technology
begins to peak over the next few years.
Howard Beales, associate
professor of strategic management and public policy at George Washington
University School of Business, and Lee Tien, senior staff attorney at the
Electronic Frontier Foundation, were participants recently at the AIM Global
conference. Beales, a former senior member of the Federal Trade Commission,
cautioned that RFID companies need to “worry upfront” about information
security. Tien said laws have not kept up with technology’s impact on privacy.
[Source]
Speakers tackled the issue of
consumer privacy during an RFID World show discussion about the expanded use of
technology that will track goods. Executives warned that the technology's
increased success is closely linked to resolving privacy issues and giving
consumers notice of its use and the choice to deactivate the tags. [Source]
BNA's Electronic Commerce
& Law Report reports that the Spanish government Feb. 16 put into place its
electronic national identity card certification system, which will allow
citizens to use chip-equipped national identity cards for electronic
transactions starting as early as March. By replacing the standard national
identity card with the obligatory electronic version, the government said
citizens will be able to carry out transactions that previously required their
physical presence. [Source]
“OPC Guidelines
for surveillance of public places by police and law enforcement
authorities”
In an 18-page brief filed last
week, the Justice Department said Google’s refusal to turn over millions of its
users’ search queries on privacy grounds was unwarranted. The Justice Department
noted that it is not seeking to link the documents to specific users. And by
trying to block the government's efforts to review a week's worth of search
terms, Google is holding up efforts to protect children from pornography,
according to the Justice Department brief. [Source] [Source]
A package of legislative
proposals in
Businesses in
Employees
are ignoring Internet Acceptable Usage Policies, according to a survey published
this week by network security provider SmoothWall. Despite the recognition by
seven out of 10 companies that an AUP is crucial to the security of IT systems,
38% of employees that are governed by a policy are unaware of its contents. [Source]
--------