Privacy News Highlights

17—23 November 2006

Contents:

UK – New UK Biometric Passports Can Be Cloned Using Simple Microchip Reader

UK – Police to Fingerprint on Streets

CA – Manitoba Province to Introduce Information Commissioner: Doer

CA – Saskatchewan Privacy Chief: Change Privacy Act to Prevent ID Theft

CA – Canada’s No-Fly List Runs Into Rights Storm

US – FTC, EDS Corp. Offer Online Shopping Tips

US – IRS Reports 478 Missing Laptops

US – Phishers Target Seniors in Attempt to Obtain Social Security Numbers

CA – Nova Scotia Information System to Improve Patient Care

WW – EU, U.S. Officials Explore Ways to Save Counterterrorism Banking Program

EU – German Draft Law on Data Retention Made Public

EU – Swiss Big Brother Awards 2006

CA – One in Three Canadians Surveyed Not Protecting Their Identity: Survey

UK – Less than Third Trust Local Government with Data Security

US – FTC Axes Two Alleged Spyware Operations

US – Justice, ACLU Argue 1998 Online Porn Law Before U.S. Judge

EU – EU Agency Finds Data Transfers To U.S. By Swift Illegal

UK – Man Gets 32 Months for Using MP3 Player to Steal Data from ATMs

US – Drug Law Faces Court Challenge

UK – Doctors Wary Of National Medical Records Database: Poll

US – Credit Card Companies Confirm Data Breach Investigation in Michigan

UK – Laptop Theft Exposes 11 Million to ID Theft

SA – ID Theft Increasing In South Africa

CA – Saskatchewan Website Tracks Offenders

WW – Surge in Spam Linked to Botnet Run by Russian Hackers

US – FBI Targets Net Phoning

WW – Microsoft Files 129 Lawsuits Against Alleged Phishers

US – $66,000 Fine to Protect Phone Privacy in Australia

US – Software Company Settles with FTC Over Failure To Secure Data

UK – UK Passport Security Has Weak Link

WW – Cell Phones Are New Target of Phishing-Type Attacks

UK – Information Commissioner Report Blasts Government’s Proposed Child Database

CH – Real Name Registration Soon Mandatory for Chinese Mobile Phone Users

US – IT Security Testing Weak, GAO Finds

EU – Finland Data Ombud Says Web Search on New Employees Illegal


UK – New UK Biometric Passports Can Be Cloned Using Simple Microchip Reader

New passports can be easily cloned using a microchip reader bought over the internet for less than £100. The revelation is a huge embarrassment for the Home Office, which has increased the cost of travel documents by 60% in less than a year. The rise to £66 paid for the introduction of a supposedly secure biometric chip on the passport, containing the owner’s personal details and an image of their face. The idea was to make it harder to produce a copy of a person’s travel document. But it has now emerged that a simple microchip reader, purchased from the Internet for £95.73, can clone the information - including the photograph. It could then be used to produce an exact replica of the travel document, complete with a new microchip. Opposition MPs called for the three million biometric passports issued since March this year from the Home Office’s new £60m production lines to be recalled. [Source] [Source]

 

UK – Police to Fingerprint on Streets

Police across England and Wales are to begin taking fingerprints while on patrol using mobile electronic devices. The portable gadgets - similar to a pocket PC and linked to a database of 6.5m prints - will enable officers to identify suspects within minutes. Police say they will particularly help identify people using false identities. Bedfordshire will be the first of 10 forces to pilot the machines. But concerns have been raised about civil liberties. [Source]

 

CA – Manitoba Province to Introduce Information Commissioner: Doer

Premier Gary Doer said his government will introduce legislation to create the office of a new information commissioner, which will help the provincial ombudsman handle access-to-information requests. He made the statement after Tory Leader Hugh McFadyen asked why the NDP government had failed to establish such an office, even though the NDP had called for the establishment of a privacy commissioner before it was elected to office in 1999. “Manitoba’s one of the last jurisdictions in Canada to not have an independent officer charged with the responsibility of dealing with issues of access to information and privacy,” McFadyen said during question period. [Source]

 

CA – Saskatchewan Privacy Chief: Change Privacy Act to Prevent ID Theft

Gary Dickson, Saskatchewan’s information and privacy commissioner, released an annual report this week that calls for an update of the Freedom of Information and Protection of Privacy Act. At issue are the current state of the province’s public registries, which are “a gold mine” for identity thieves, Dickson said. The report also recommends that the province create privacy laws that would subject violators to prosecution or heavy fines. The report also seeks a mandatory review of privacy measures every three to five years to assess the effectiveness of the laws on the books. [Source] [Saskatchewan told to update privacy laws that expose residents to risk]

 

CA – Canada’s No-Fly List Runs Into Rights Storm

Canada’s no-fly list - intended to keep suspected terrorists from boarding airplanes - is starting to run into turbulence just weeks before the security program is implemented in airports across the country. Critics of the list, known as Passenger Protect, say it could lead to the abuse of civil liberties, and are not satisfied by the federal government’s efforts to ease their concerns. Others are questioning the effectiveness of no-fly lists. Many security and law enforcement officials interviewed this week believe there are already immigration or law enforcement checks in place to ensure known terrorists or those deemed a risk to passengers are stopped from boarding flights. [Source] [Press Release] [Annual Report]

 

US – FTC, EDS Corp. Offer Online Shopping Tips

Concern over the safety of online transactions is heightened as shoppers are expected to buy about 25% of their gifts online this year. Increased online shopping means an increased risk of online fraud. To better prepare online shoppers, the FTC and the EDS Corp. are arming consumers with some tips to avoid falling prey to cybercriminals. For example, shoppers should rely on secure Web sites that use encryption to protect data and review privacy and security policies. [Source] [FTC Consumer Alert page]

 

US – IRS Reports 478 Missing Laptops

The IRS has reported 478 laptops either missing or stolen between 2002 and 2006. The agency reports that 112 laptops contained sensitive information such as Social Security numbers. Of the 478 missing laptops, 379 were stolen. The IRS has decided to install an automatic encryption system that will encrypt all information on the hard drives of its laptops. Additionally, the IRS plans to educate, train and make employees aware of the need to protect sensitive information through encryption. [Source]

 

US – Phishers Target Seniors in Attempt to Obtain Social Security Numbers

The Social Security Administration’s commissioner has asked the agency’s Inspector General to investigate the source of phishing emails that target seniors. The email purports to provide a notification to Social Security recipients about the cost-of-living increase expected for 2007. The fraudulent emails then direct users to a Web page that looks like the Social Security site. They are instructed to provide their Social Security number, bank account and credit card information. [Source] [Record Amount of Spam Predicted During Holidays]

 

CA – Nova Scotia Information System to Improve Patient Care

A new primary health-care information system was introduced Nov. 20 in Nova Scotia, intended to improve the way patient information is stored, used, and disclosed by Nova Scotia health-care providers. Through its Primary Health Care Information Management program, the Department of Health is working with district health authorities to implement the first provincewide electronic patient record system to improve quality of care and access to treatment for Nova Scotians. [Source]

 

WW – EU, U.S. Officials Explore Ways to Save Counterterrorism Banking Program

An EU committee this week is expected to release its findings about whether a global banking telecommunications network violated European privacy laws by turning over financial information on EU citizens to U.S. intelligence officials. In the meantime, EU and U.S. supporters of the program are exploring solutions to alleviate privacy concerns while saving the program, which officials have credited with disrupting terrorist activities in the U.S. and Europe. Belgium’s privacy chief has found that the Society for Worldwide Interbank Financial Telecommunication (SWIFT) violated EU privacy laws by providing information to the U.S. on cross-border wire transfers by EU citizens. Swift has maintained that it did not break any privacy laws when it complied with U.S. subpoenas seeking the data. [Source] [US and EU Officials In Talks On Common Data Privacy Rules]

 

EU – German Draft Law on Data Retention Made Public

On 8 November 2006, the German Minister of Justice presented a draft law aimed at transposing the EU directive on data retention. The law would override the recent jurisprudence on IP logging by mandating the retention of traffic data for a period of six months. Retention requirements are also to apply to anonymization services, making them practically superfluous. Furthermore, anonymous e-mail accounts are to be banned. Access to traffic data shall be permissible for the investigation of “substantial” offences, but also for the investigation of any offence committed by use of telecommunications networks (including sharing of copyrighted content). The law is to enter into force on 15 September 2007. The draft law was sharply criticized by the activist Working Group on Data Retention for being unconstitutional and for going beyond EU requirements in relation to anonymization services, e-mail services and access to retained data. The activist group presented a class action to be submitted to the Federal Constitutional Court in case the proposed law is adopted. The Court is to be asked to provisionally suspend data retention in Germany while examining its constitutionality. According to the draft application published on the Internet, the EU directive on data retention is void for violating human rights and for lacking a legal basis. The planned class action is supported by several German jurists and is open for all German citizens to join. [Draft law on data retention in Germany] [Website of the Working Group on Data Retention including information on the class action against data retention]

 

EU – Swiss Big Brother Awards 2006

On 16 November 2006, the Swiss Big Brother Award winners of 2006 were presented. The trophy for the category “State” was awarded to the Federal Council in corpore for the application of internal security measures involving phone tapping, secret searches of information systems and the installation of secret microphones in apartments without concrete grounds, merely under the cover of preventive investigations. The winner of the “Business” category was the insurance company Assurance CSS for having given its staff broad access to clients’ data that included medical information and even HIV test results. Other candidates were companies such as Microsoft, Cablecom, Swisscom or Crédit Suisse as well as many sports clubs and associations and transport companies that survey their employees and clients. The “Working Place” category was won by the Dietikon branch of the Media-Markt chain, where employees were continuously under surveillance not only at their workplace, but even in the rest rooms. The fourth award, for the category “Activity”, was received by the SRS (Strategic Information Service), a department created 5 years ago which is in fact the Swiss military intelligence service, a service that uses ONYX telecom mass surveillance devices. Besides the negative awards, a positive “Winkelried” award was given to the Referendum Committee LMIS, made up of groups of sports fans and political groups that will launch a referendum in Spring against the introduction of an “anti-hooligan” law. [Press Release Big Brother Awards 2006]

 

CA – One in Three Canadians surveyed Not Protecting Their Identity: Survey

Nearly one in three Canadians surveyed are putting their identity at risk by not shredding their personal documents before throwing them in the garbage, according to internet research issued today by Royal & SunAlliance Insurance Company of Canada. This is despite the fact that identity theft is becoming an increasing problem in Canada and approximately two million people have been affected at some point in their lifetime. Other statistics:

* A quarter of those surveyed will shop online this holiday season and eighty per cent will be using plastic.

* Young Canadians surveyed are less security conscious, with one in 10 keeping their PIN number in their wallet or bag.

* 70% of Canadians surveyed are worried about this growing crime. [Source]

 

UK – Less than Third Trust Local Government with Data Security

Less than one in three people trust local government agencies to protect confidential information, according to a new survey. The study by polling firm NOP of 999 adults found that 27% scored local government’s ability to secure personal data from external threats either one or two on a scale of five. Banks fared better, with 57% of people awarding four or five out of five for data protection. A score of one meant that the respondent felt information held by an organization was “not at all secure”; a score of five meant data was “extremely secure”. The research also found that 43% of respondents said they are put off shopping or banking online by security concerns. Only 35% of people felt “very confident” in their employers’ ability to keep confidential records secure. Just over a third (34%) felt that data was more secure in the days when it was stored on paper than now, when it is stored on disk. [Source]

 

US – FTC Axes Two Alleged Spyware Operations

The U.S. FTC announced this week that it has permanently shut down an alleged spyware operation run by Odysseus Marketing and its principal, Walter Rines. The FTC said Odysseus Marketing had deceptively installed spyware on consumers’ computers by advertising free downloads that turned out not only to be phoney, but also bundled with malicious software. [Source]

 

US – Justice, ACLU Argue 1998 Online Porn Law Before U.S. Judge

Closing arguments concluded this week before Senior U.S. District Judge Lowell Reed Jr., ending four weeks of testimony challenging the 1998 Child Online Protection Act. The ACLU, which is challenging the law, argues that filters are more effective than legislation because they let parents set limits based on their own values and their children’s ages. Justice Department attorneys argued yesterday that software filters often block valid sites that teens might seek out. [Source]

 

EU – EU Agency Finds Data Transfers To U.S. By Swift Illegal

Data transfers found to breach civil rights: A European Union monitoring agency concluded this week that a banking consortium breached EU data protection rules when it gave the Bush administration access to millions of records of private financial transactions. The consortium, known as SWIFT, has come under scrutiny for participating in a program that allows analysts from the CIA and officials from other U.S. agencies to search for possible terrorist financing activity among the millions of confidential financial transactions it oversees. In a draft statement, which will be completed and issued on Thursday, the EU monitoring agency said financial institutions across the bloc shared responsibility with SWIFT for the breach of European civil liberties. [Source] [Hands off our Bank Data, EU tells US]

 

UK – Man Gets 32 Months for Using MP3 Player to Steal Data from ATMs

Max Parsons, of Manchester, England, was convicted of using his MP3 player to steal ATM customers’ card information. Parsons stole the data by plugging his MP3 player into free-standing ATMs; he then created phony cards and used them to make purchases. Parsons was sentenced to 32 months in prison; authorities believe he had accomplices in the scheme. [Source] [Source] [Source]

 

US – Drug Law Faces Court Challenge

Outcome Of Federal Challenge To N.H. Prescription Drug Law Could Have Broader Impact: IMS Health Inc. and Verispan LLC are challenging the constitutionality of New Hampshire’s Prescription Confidentiality Act, which bars the sale of prescription drug information for commercial purposes, including data on what drugs patients take and which drugs doctors prescribe. The companies gather and sell the data, which helps pharmaceutical companies better market their products to doctors. The case, which goes to trial in January, may have ramifications outside the Granite State, as several other states and even Congress have considered similar measures. [Source]

 

UK – Doctors Wary Of National Medical Records Database: Poll

About 50% of family doctors said in a Guardian poll that they are planning to refuse to input patient records into a new national database because of security concerns. The survey found that four out of five doctors believe their patients’ confidentiality will be at risk to hacking, bribery and blackmail if they are stored on a new national e-medical records database. The poll, which was conducted by Medix, also found that 51% of doctors indicated they will not submit the patient records for uploading to the electronic database without the person’s consent. The agency overseeing the database said the Department of Health views the new system as a “great benefit to a great majority of people” that will improve healthcare and prevent unnecessary deaths. [Source]

 

US – Credit Card Companies Confirm Data Breach Investigation in Michigan

MasterCard and VISA USA have confirmed that an investigation is under way to determine the source of credit card and debit card fraud in Michigan. Banking companies cancelled thousands of credit and debit cards last week after evidence of a data compromise and fraudulent transactions. A Muskegon-based convenience store chain acknowledged that it was looking into the possibility of fraud associated with credit card transactions processed between July 25 and Sept. 7. [Source]

 

UK – Laptop Theft Exposes 11 Million to ID Theft

Nationwide, the UK’s largest building society, belatedly will notify consumers that an employee’s laptop containing customer information was stolen in August. The company, which is in no way affiliated with Nationwide Insurance Companies, said it has notified the authorities of the theft. The incident became public after media reports. The company said it plans to notify customers in the next few weeks. The UK’s National Consumer Council said the delay in notification of consumers was “appalling.” [Source]

 

SA – ID Theft Increasing In South Africa

The Alexander Forbes Risk and Insurance Services has issued a report warning that South Africans face an increased risk of ID theft. The group’s spokesman said identity thieves are accessing personal details over the Internet to help them create an identity to commit fraud. The report indicates that the increasingly sophisticated attacks take an average of more than 14 months to discover, typically after the fraud has adversely affected the target’s credit. [Source]

 

CA – Saskatchewan Website Tracks Offenders

With a click of a computer mouse, Saskatchewan residents can now find out if a high risk offender is in their neighbourhood. The provincial government launched a website Wednesday that gives the public access to information about high risk offenders, including their names, photographs and background information. “The police concern, and our concern of course, is with violent offenders who we believe are at high risk to reoffend,” said Justice Minister Frank Quennell. “The information is to assist [people] in protecting themselves, protecting members of their family,” said Quennell. [Source]

 

WW – Surge in Spam Linked to Botnet Run by Russian Hackers

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers. Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with a trojan. [Source]

 

US – FBI Targets Net Phoning

Internet telephone calls are fast becoming a national security threat that must be countered with new police wiretap rules, according to an FBI proposal presented quietly to regulators this month. [Source]

 

WW – Microsoft Files 129 Lawsuits Against Alleged Phishers

Microsoft is helping law enforcers hunt down criminals who try to steal bank account details on the Internet and has initiated 129 lawsuits in Europe and the Middle East. One court case in Turkey has already led to a 2.5-year prison sentence for a so-called “phisher” in Turkey, and another four cases against teenagers have been settled out of court, Microsoft said, eight months after it announced the launch of a Global Phishing Enforcement Initiative in March. [Source]

 

US – $66,000 Fine to Protect Phone Privacy in Australia

After three years of delays, a massive database containing personal information on every Australian with a phone number could soon be protected. A bill before federal Parliament includes fines up to $66,000 or two years imprisonment for anyone misusing personal information in the Telstra-managed phone directory. The Integrated Public Number Database contains current contact information for all listed and unlisted phone numbers. An industry standard aimed at restricting business use of the database has met with a number of delays. [Source] [Source]

 

US – Software Company Settles with FTC Over Failure To Secure Data

Guidance Software has agreed to settle FTC charges that it failed to take reasonable security measures to protect sensitive customer data. According to the FTC complaint, Guidance failed to implement simple, inexpensive and readily available security measures to protect consumers’ data. Guidance’s data-security failure allowed hackers to access sensitive credit card information for thousands of consumers. The settlement will require the company to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years. Guidance sells software and related training, materials, and services that customers use to investigate and respond to computer breaches and other security incidents. This is the FTC’s 14th case challenging faulty data-security practices by companies that handle sensitive consumer information. [Source] [Agreement Containing Consent Orders] [Complaint] [Exhibits A and B] [Analysis of Proposed Consent Order to aid Public Comment] [News Release] [Coverage]

 

UK – UK Passport Security Has Weak Link

The UK’s new passports were designed to be secure with an RFID chip holding personal and biometric data. Although the passports are protected by “an advanced encryption technique,” it is still possible for ordinary people with some technical expertise to extract the data from the chip and view the data on a computer. The key for accessing the data comprises the passport number, the passport holder’s date of birth and the passport’s expiration date; this information is available on a printed page of the passport in machine-readable form. The specifications for the passports are available on a web site and include the information about the composition of the access key. The data on the chip are not encrypted. The communication between the chip and the reader is encrypted, but readers could be purchased for GBP250 (US$475) or less. [Source] The problem is compounded because UK and other EU passports can be read remotely: they do not have shielding mechanisms like those employed in US passports, which prevent them from being read unless they are opened. [Source]
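The access key the article describes is the Basic Access Control (BAC) key of ICAO Doc 9303: the reader derives it from the machine-readable zone (MRZ) fields printed in the passport, so anyone who can see the data page already holds the secret. The example below is added here and is not code from the article or its sources; it implements the public ICAO 9303 check-digit rule and the K_seed derivation, checks them against the worked example ICAO publishes with the specification, and estimates how much entropy the key actually carries. The field-space sizes passed to the entropy estimate (nine-digit document numbers, a 100-year birth window, a 10-year validity window) are assumptions for illustration, not figures from the article.

```python
"""Derive the ICAO 9303 BAC key seed from MRZ fields and estimate its entropy.

Added example (not code from the article or from ICAO). Shows why a key built
only from printed document fields is a weak link: the secret is the data page.
"""
import hashlib
import math


def mrz_char_value(ch: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """MRZ_information = document number + CD + birth date (YYMMDD) + CD + expiry + CD.

    The document number is padded with '<' to the 9-character MRZ field width.
    """
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{birth_date}{check_digit(birth_date)}"
            f"{expiry_date}{check_digit(expiry_date)}")


def bac_key_seed(doc_number: str, birth_date: str, expiry_date: str) -> bytes:
    """K_seed is the first 16 bytes of SHA-1(MRZ_information)."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def bac_key_entropy_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Upper bound on key entropy: log2 of the number of distinct MRZ inputs.

    Check digits add nothing (they are functions of the other fields), so the
    key has at most as much entropy as the three underlying fields combined.
    """
    return math.log2(doc_numbers * birth_days * expiry_days)


if __name__ == "__main__":
    # Worked example from the ICAO 9303 specification (Part 11, Appendix D).
    info = mrz_information("L898902C<", "690806", "940623")
    print("MRZ_information:", info)
    print("K_seed:", bac_key_seed("L898902C<", "690806", "940623").hex())
    # Assumed field spaces: 10^9 document numbers, ~100 years of birth dates,
    # ~10 years of expiry dates. Compare with a random 128-bit key.
    bits = bac_key_entropy_bits(10**9, 36525, 3653)
    print(f"key entropy upper bound: {bits:.1f} bits (vs. 128 for a random key)")
```

The entropy figure is an upper bound: it assumes nothing about the holder, while in practice a document number is often sequential with the issue date and the expiry is fixed by it, so the effective strength is lower still. That structural dependence between the fields, not the SHA-1 or the session encryption, is the weak link the article points at.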

 

WW – Cell Phones Are New Target of Phishing-Type Attacks

Phishers are launching new attacks that target cell phones by sending a short message service (SMS) message to a person’s cell phone, according to PCWorld columnist Andrew Brandt. The messages alerted cell-phone users, for example, that a dating Web site would charge $2 a day unless they unsubscribed via a specific URL provided in the message. When the targets used their computers to click on the URL, the damage was done: Trojan horse software was downloaded onto the computer to steal passwords and perform other nefarious operations on the PC. The columnist reminds cell-phone users that if they did not sign up for a service that required them to provide their cell phone numbers, they should ignore the message and its instructions. [Source]

 

UK – Information Commissioner Report Blasts Government’s Proposed Child Database

Parents will be devalued and family privacy shattered by the mass surveillance of all 12 million children in England and Wales, says a report today commissioned by Parliament’s Information Commissioner. In what is likely to be a major embarrassment to Tony Blair, it says proposals for a £224 million database containing details of every child will waste millions of pounds, undermine parental authority and actually put children in more danger. The report comes amid Government fanfare about “supporting” parents with parenting classes backed by a “super nanny” army of child psychologists. Mr Blair defended the super nanny idea saying it was right to give families a “helping hand”. “No one’s talking about interfering with normal family life,” he added. [Source] [Children’s Databases – Safety and Privacy: A Report for the Information Commissioner]

 

CH – Real Name Registration Soon Mandatory for Chinese Mobile Phone Users

Will Real Name Registration Harm Mobile Phone Users’ Privacy? The days of Chinese consumers getting mobile service without having to register with their real names are numbered. The Ministry of Information Industry (MII) has announced that in order to become cell phone subscribers, people will soon have to register with their ID cards. Detailed regulations are expected to be promulgated by the end of the year. [Source]

 

US – IT Security Testing Weak, GAO Finds

Despite the emphasis placed on IT security in recent years, federal agencies are not testing their security controls with any consistency or timeliness, and as a result may not realize their systems’ weaknesses, a new GAO report has found. “Federal agencies have not adequately designed and effectively implemented policies for periodically testing and evaluating information security controls,” the GAO concluded after surveying 24 major agencies and conducting in-depth case studies on 30 IT systems at six of the agencies. These problems are occurring despite the requirements of the Federal Information Security Management Act, under which agencies have been laboring since its passage in 2002. The study was initiated at the request of Rep. Tom Davis, chairman of the House Government Reform Committee and the originator of FISMA. [Source] [GAO Report]

 

EU – Finland Data Ombud Says Web Search on New Employees Illegal

BNA’s Electronic Commerce & Law Report reports that the Finland Data Protection Ombudsman has ruled that Finnish employers cannot use Internet search engines, such as Google, to obtain background information about potential employees. The decision stemmed from a complaint the ombudsman received from an unsuccessful job applicant who previously attended a conference on mental health as a patient’s representative. [Article]
